View Security Strings How To Guide
Contents
Overview
PINsafe has a number of alternative methods to allow authentication should difficulties arise. This document outlines how to use the View Strings function for troubleshooting and as a backup authentication method.
Prerequisites
PINsafe 3.7 onwards
View Security Strings Guide
To view a users security string that they have been sent by email or SMS, on the PINsafe Administration Console, select User Administration, then click on the required user (search or filter as necessary to find the required user), then click on View Strings.
Single Channel Options Show, generates a single Channel authentication, valid for 2 minutes by default. Note generating a Single Channel image will prevent use of other authentication methods in the default time period until the expected single channel authentication is made. A new unique string is generated each tie the image is refreshed, rendering the previous image invalid.
Dual Channel Shows the last dual channel security string sent to the user and any string index where multiple security strings are used, to tell the user which security string to use. If no Dual Channel message has been sent to the user then the following message is displayed No Dual Channel strings available
Note: On the PINsafe Administration console it is viewed as a single channel image, but for the user it will be sent by their transport method.
Token Shows the token/mobile Phone Client security expected any string index where multiple security strings are used, to tell the user which security string to use. If no Dual Channel message has been sent to the user then the following message is displayed No Token strings available
Note: On the PINsafe Administration console it is viewed as a single channel image, but for the user it will be sent by their transport method.
Oath Token (from v4.0.5 onwards) Shows the current OATH TOTP Token, to tell the user which security string to use.
Using View Strings as a Backup Authentication
If a user loses their mobile device and needs authenticating before a replacement can be provisioned, cannot receive an SMS message, or view the single Channel TURing image, then the View Strings can be used to provide the user with a valid security string.
Other alternatives are:
- Use mobile Phone Client where no SMS is being received
- SMS where security strings cannot be downloaded to the mobile phone Client
- Enable Single Channel TURing authentication for the user
Security Note: It may not be appropriate to use Single Channel backup authentications where two factor authentication is mandatory.
The View Strings Backup authentication process is given below.
User calls helpdesk by landline
User Provide Username
Helpdesk View Strings for user
Helpdesk provide the required security string for the user
Call ends
User calculates OTC using their own PIN
User Authenticates
If further user authentication is required to determine the user please contact your Swivel Secure Sales representative to discuss additional options.
Testing
Known Issues
PINsafe 3.8.4256 has an error whereby On demand authentication security strings do not match those in the View Security strings. An authentication attempt will produce the error messages:
RADIUS: <0> Access-Request(1) LEN=192.168.0.1:1001 Access Request by username Failed: AccessRejectException: AGENT_ERROR_NO_SECURITY_STRINGS
and
Login failed for user:username, error: The user does not have any security strings suitable for the authentication.