GrIDsure
You can enable GrIDsure authentication so that users can enroll a GrIDsure token in a similar way to SafeNet MobilePASS+, securing your organization’s resources without constraining users to specific devices.
The GrIDsure method presents a matrix of characters to the user during authentication. The user’s passcode is determined by overlaying their personal identification pattern (PIP) on the matrix and entering the corresponding characters in the order in which the PIP was created. The red circles in the following image demonstrate the concept of a PIP and a resulting passcode (40DHM), assuming that the PIP was created by entering the characters in order from left to right.
Alternatively, if the user created the PIP from right to left, the passcode would be MHD04. There is no restriction on the order in which a pattern is created. In addition, cells in a pattern may be used more than once. For example, assuming a left-to-right PIP, repeating every second cell would create a passcode of 400DHHM.
All GrIDsure authentications and errors are logged in the access logs.
Enable GrIDsure authentication and self-provisioning
To enable groups to self-provision GrIDsure tokens, see Self-provisioning rules for groups.
Configure GrIDsure options
- On the STA Token Management console, select Policy > Token Policies > Third-Party Authentication Options.
- In the Third-Party Token Type list, select GrIDsure and then click Edit.
- Configure the GrIDsure options as required:
  - Allow trivial PIPs—(Not recommended) If enabled, the user can select a straight line (horizontal, vertical, diagonal), or the four corners of a square within the grid as their PIP.
  - Use numbers, Use uppercase letters, Use lowercase letters, Use special/symbolic characters—Grids display characters from the enabled options. Note that the grid size is set in Token Templates, as is the requirement for a PIN and the passcode that corresponds to the PIP.
  - Minimum PIP Length—Specify the minimum number of characters for a PIP. The default is 4.
- Select Apply.
Manage GrIDsure authenticators
To manage GrIDsure authenticators for specific users, follow the instructions in View users on the STA Access Management console.
Self-provision with GrIDsure
To test your setup and ensure that it works as intended, you can follow the self-provisioning steps that your users will follow.
- Go to the logon page for the application (for example, User Portal).
- Select Start.
- Depending on the settings for your account, you may be prompted to enter your username and select Login.
- Depending on the settings for your account, you may be prompted to enter your passcode and select Login.
- Depending on the tokens configured for your account:
  - If you already have a token, select Add Additional Authenticator.
  - If you don't already have a token, select Add Authenticator.
- Depending on whether you have a synchronized password:
  - If your password is already validated, skip this step.
  - If you have a synchronized password, enter your password and select Submit.
  - If you do not have a synchronized password, STA sends you a verification code by email. Enter the code in the field provided and select Continue.
- Select Grid Pattern and then select Submit.
  The grid pattern option is not available if:
  1. Self-provisioning is not enabled (see Enable GrIDsure authentication and self-provisioning).
  2. Server-side PIN policy is enabled (see Token Templates), or the maximum token limit is reached (see Token allocations).
  An animation displays how GrIDsure works.
- When you are ready to enter your grid pattern, select Continue.
- To add the GrIDsure authenticator, enter your grid pattern and then select Submit.
  Valid grid patterns are based on the settings described in Configure GrIDsure options. In addition, a grid pattern must not contain invalid characters or three or more duplicate characters (for example, 5550).
  - If the PIN type is configured as Server-side User Select, enter a PIN of your own and then select Submit. The following images show the range of PIN requirements that may be configured, from fewest (on the left) to most (on the right).
  - If the PIN type is Server-side Server Select or Server-side Fixed, memorize the PIN that is provided and then select Continue.
    For information about configuring PIN requirements, see PIN policy parameters.
    You are prompted to confirm that you memorized your PIN.
    - To continue, select My PIN is memorized.
    - To review your PIN, select Go back.
- To use the GrIDsure authenticator, enter your grid pattern and PIN (if required), and then select LOGIN.
If configured, STA will prompt you to enter a PIN before or after your grid pattern.
The following image shows a prompt for PIN and passcode.
After successfully authenticating, the application (for example, User Portal) displays.
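The following is an added worked example, not code from STA or from this documentation. It models the passcode derivation described at the top of this page (PIP overlaid on the grid, cells read in creation order, cells reusable) together with the enrollment checks from Configure GrIDsure options and the grid-pattern step above (minimum PIP length, trivial PIPs, three or more duplicate characters). The grid contents, the representation of a PIP as (row, column) cells, and the exact reading of "trivial PIP" and "duplicate characters" are assumptions.

```python
from collections import Counter
from itertools import product

# Constructed 5x5 grid (assumption). Overlaying PIP on it reads the cells 4, 0, D, H, M.
GRID = ["4A0BC", "DEFGH", "IJKLM", "NOPQR", "STUVW"]
PIP = [(0, 0), (0, 2), (1, 0), (1, 4), (2, 4)]  # (row, col) cells in creation order


def derive_passcode(grid, pip):
    """Overlay the PIP on the grid and read the covered cells in PIP order."""
    return "".join(grid[r][c] for r, c in pip)


def is_trivial_pip(pip):
    """Straight line (horizontal, vertical, diagonal) or the four corners of a square."""
    cells = set(pip)
    rows, cols = {r for r, _ in cells}, {c for _, c in cells}
    if len(rows) == 1 or len(cols) == 1:  # horizontal or vertical line
        return True
    if len({r - c for r, c in cells}) == 1 or len({r + c for r, c in cells}) == 1:
        return True  # one of the two diagonal directions
    if len(cells) == 4 and len(rows) == 2 and len(cols) == 2:
        square = max(rows) - min(rows) == max(cols) - min(cols)
        return square and cells == set(product(rows, cols))  # corners of a square
    return False


def validate_enrollment(grid, pip, min_pip_length=4, allow_trivial_pips=False):
    """Return the policy violations for a candidate PIP; an empty list means accepted."""
    problems = []
    if len(pip) < min_pip_length:
        problems.append(f"PIP shorter than the minimum length of {min_pip_length}")
    if any(not (0 <= r < len(grid) and 0 <= c < len(grid[r])) for r, c in pip):
        return problems + ["PIP references a cell outside the grid"]
    if not allow_trivial_pips and is_trivial_pip(pip):
        problems.append("trivial PIP (straight line or corners of a square)")
    # Assumed reading of the page's rule: no character may appear three or more times.
    if any(count >= 3 for count in Counter(derive_passcode(grid, pip)).values()):
        problems.append("three or more duplicate characters (for example, 5550)")
    return problems


if __name__ == "__main__":
    print(derive_passcode(GRID, PIP))        # 40DHM, left to right
    print(derive_passcode(GRID, PIP[::-1]))  # MHD04, right to left
    print(validate_enrollment(GRID, PIP))    # [] -> accepted
```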