IBM Security Access Manager for Enterprise Single Sign-On, Version 8.2

Authentication policies

Know the different authentication policies for both user and machine scopes, where to find and set these policies, their descriptions, and their default values.

image of machinepid_second_factors_supported_list
IMS Entry Authentication second factors supported
Location AccessAdmin > Machine Policy Templates > New template > Create new machine policy template > Authentication Policies
Description The second factors supported on this machine. This policy also controls the Wallet registration policy and imposes a constraint on the Wallet locks available for logon.
Note:
  1. If there is a GINA or Credential Provider installed, this policy is only updated on machine restart.
  2. If there is no GINA or Credential Provider installed, this policy is only updated when a new Windows session is created. For example, when the user logs on to Windows and not when the user unlocks a Windows session.
  3. Modifying this policy requires a machine restart to implement the changes.
Registry  
Type String list

MULTI_SZ
Values
  • RFID
  • ARFID
  • Smart card
  • Hybrid smart card
  • Fingerprint
Scope Machine
Note
  • Currently, only single value is accepted, except for simultaneous Fingerprint and RFID support.
  • Refreshed on startup.
image of user pid_wallet_authentication_option
IMS Entry Wallet authentication policy
Location AccessAdmin > User Policy Templates > New template > Create new policy template > Authentication Policies
Description Authentication policy that enforces the combinations of authentication factors that can be used for logon.
Note:
  1. This policy does not enforce the authentication factors used for sign-up. The sign-up policy is enforced by pid_second_factors_supported_list and pid_second_factor_for_sign_up_required.
  2. RFID includes active proximity badges or ARFID. Smart card includes hybrid smart cards.
  3. If AccessAgent is deployed without ESSO GINA but with ESSO Network Provider enabled, this policy is ignored.
Registry  
Type Positive integer list
Values
  • Password
  • Password + RFID
  • Fingerprint
  • Smart card
Scope User
Note
  • You can select multiple values.
  • All values are supported for 32-bit AccessAgent.
  • Only password and password+RFID are supported for 64-bit AccessAgent.
  • Refreshed on log on or unlock by different user, if online.
  • Refreshed on sync.
image of userpid_mac_auth_enabled
IMS Entry Enable Mobile ActiveCode authentication?
Location AccessAdmin > User Policy Templates > New template > Create new policy template > Authentication Policies
Description Whether Mobile ActiveCode authentication is enabled for the user.
Registry  
Type Boolean
Values
  • Yes
  • No (default value)
Scope User
Note

Refreshed on use.
Parent topic: Policies for Authentication Factors

Feedback