TokenVSC
[TokenVSC]
CheckExpire=60
Events=4
:LoginTimeout=0
PinExpire=0
PinFailMode=0x01000A05
:PinHistory=0
PinMaxLen=32
PinMinLen=2
:PinPolicy=
PinType=0
SingleSignOn=1
The parameters PinMaxLen, PinMinLen, and PinType are stored in the soft token when created. The values can change during creation, so they should be considered as default values if nothing else is specified. |
Events
The Events parameter tells when to validate the soft token for updates. The value is a bitmask so it can be checked at several places.
#define VALIDATE_TOKEN_OFF 0
#define VALIDATE_TOKEN_EVENT 1
#define VALIDATE_TOKEN_LIST_SLOT 2
#define VALIDATE_TOKEN_DETECT_RUN 4
[TokenVSC]
Events=4
LoginTimeout
LoginTimeout specifies the number of seconds the login procedure can be inactive. The counter resets when the PIN is used.
Resets the counter:
-
Login
-
Login (when already logged in)
-
Key usage (sign/verify/encrypt/decrypt/etc.)
-
Card update (create/delete/etc.)
Does not reset the counter:
-
Search for object
-
Reading object
-
Login status check
#define PIN1 0x01
#define PIN2 0x02
#define PIN3 0x04
[TokenVSC]
LoginTimeout=<seconds>,<pin-bit-mask>
PinExpire
Soft tokens always supports time stamps for PIN change, so you can also include an automatic PIN expiration functionality. This means that the end-user will be forced to change PIN at regular intervals. The PinExpire parameter tells the number of days until a change is required.
[TokenVSC]
PinExpire=90
PinFailMode
Soft tokens do usually not support blocking of PIN, since it cannot handle the unlock functionality. Still, Net iD Client support blocking for a specified time (in minutes), and you may also specify a time delay between PIN attempts (milliseconds). This functionality requires that PIN unlock is activated for PIN type (bitmask 0x40):
#define VSC_PIN_FAIL_MODE_ATTEMPTS(a) (a & 0xFF)
#define VSC_PIN_FAIL_MODE_BLOCK_TIME(a) ((a >> 8) & 0xFF)
#define VSC_PIN_FAIL_MODE_DELAY(a) ((a >> 24) & 0xFF)
#define VSC_PIN_FAIL_MODE_DEFAULT 0x01000A05
[TokenVSC]
PinFailMode=0x01000A05
PinType=0x40
The blocking functionality is not a security feature since it is possible to bypass the blocking feature. This is an alternative to allow the end-user to get the same type of experience as when using a smart card.
PinHistory
This parameter gives the number of old PINs that are kept in a history list, to stop end users from reusing the same PIN.
PinMaxLen
PIN policy should be stored in the smart card profile. But the configuration can add more requirements. The PinMaxLen parameter tells the maximum number of characters in the PIN.
[TokenVSC]
PinMaxLen=6
PinMinLen
PIN policy should be stored in the smart card profile But the configuration can add more requirements. The PinMinLen parameter tells the minimum number of characters in the PIN.
[TokenVSC]
PinMinLen=6
PinPolicy
PinPolicy specifies the default PIN policy to use when creating a new VSC token. Normally, PinPolicy is specified during creation.
PinType
This parameter will tell if a specific PIN policy is required.
// Password type:
// 0 -> all chars (case sensitive)
// 1 -> all chars (case insensitive)
// 2 -> all chars (max 2 in row or normal/keyboard sequence)
// 3 -> all chars (max 2 in row or normal sequence)
// 4 -> all chars (max 2 in row)
// 5 -> only digits
//
// Normal sequence:
// a-z, z-a, 0-9, 9-0
// Keyboard sequence:
// qwertyuiop, poiuytrewq
// asdfghjkl, lkjhgfdsa,
// zxcvbnm, mnbvcxz,
// qaz, zaq, wsx, xsw, ...
#define VSC_PIN_TYPE_LOGOUT_AFTER_SIGN 0x80
#define VSC_PIN_TYPE_MAY_BLOCK_PIN 0x40
#define VSC_PIN_TYPE_VALUE(a) (a & 0x0F)
[TokenVSC]
PinType=5