
Manage General settings

After you create a user, you must assign one or more authenticators to that user. The General settings control how authenticators work and whether the system automatically assigns authenticators when you create a user account.

You can change the General settings at any time, but you might want to configure them before you create new users or assign additional authenticators. For example, you can set the system to automatically assign an Entrust Soft Token or a Google token, or to automatically create a password for the user.

note

If you are configuring IDaaS to synchronize users from Active Directory (AD), configure the Lockout Count and Lockout Lifetime settings to match the values used in your AD configuration.

Configure the General settings

  1. Click > Policies > General. The General page appears.

  2. In the Lockout Settings, do the following:

    1. Set Lockout Count to the number of times a user can fail an authentication challenge before being locked out of their account.
    2. Select the Lockout Mode from the drop-down list.
      1. Select Authenticator to lock only the authenticator after multiple failed authentication attempts.
      2. Select User to lock the entire user account, across all of the user's authenticators, after multiple failed authentication attempts.
    3. Enter the Lockout Lifetime. This value determines how long the account remains locked. After the lockout expires, the user can try to authenticate again. If you set the value to 0, the account stays locked until an administrator unlocks it.
  3. In the Authentication Settings do the following:

    1. Enter the Standard User Authentication Session Idle Timeout to specify how long a user session stays active before the session expires and requires the user to reauthenticate. The default value is 900 seconds. The maximum value is 28,800 seconds (8 hours).

    2. Enter the Admin User Authentication Session Lifetime to set the amount of time an administrative user session remains active before it automatically expires and the administrator needs to reauthenticate. The value must not be larger than the standard user session idle timeout value.

    3. Enter the Push Authentication Lifetime to set the time limit a user has to respond to a soft token authentication challenge by selecting Confirm or Cancel in the mobile soft token or mobile smart credential app.

    4. Enter the Push Transaction Lifetime to set the time limit a user has to respond to a mobile soft token push transaction or mobile smart credential push transaction on the mobile soft token or mobile smart credential app.

    5. Enter the Maximum Number of Transactions Queued on the mobile soft token app. This is the number of transactions that can be in the queue at one time for a mobile soft token push transaction.

      • This setting enables push transaction queuing, which allows a mobile soft token app to hold multiple pending push transactions at a time, for example, several bank transfers awaiting approval.

      • With queuing configured, IDaaS can deliver multiple transactions to a user's mobile soft token app and the user can respond to each of them within the configured Push Transaction Lifetime.

      • The default value is 1. At that value queuing is disabled: only one transaction per soft token identity is active at a time, a new transaction overwrites the previous one, and the transaction typically expires after a short time.

      • When the number of transactions awaiting a user response equals the value set here, the queue for that soft token identity is full.

      • Entrust strongly recommends that you set the queue size large enough that the queue never becomes full. If the queue is full when a new transaction arrives, IDaaS first removes expired transactions from the queue. If no transaction has expired, IDaaS discards the oldest transaction in the queue to make room for the new one.

        info

        A user can use the same mobile soft token both to respond to an authentication challenge (for example, issuing a token code to access an application) and to respond to push transactions (for example, banking transactions).

        In addition, Entrust recommends that you set the Maximum Number of Transactions Queued based on the rate at which your organization creates transactions during peak loads, and then consider doubling that value. The aim is a value that can absorb an unusually high volume but is rarely, if ever, reached. This helps to ensure that transaction notifications are not removed from the queue before a user has had time to respond to them.

        warning

        The Mobile smart credential app does not support transaction queuing.

    6. Enter the Dynamic Linking Transaction Lifetime to set the time limit a user has to complete a dynamic linking transaction. (See Integrate IDaaS for PSD2 compliance for more information).

    7. Select Enable Enhanced Authentication Details to include additional details about the authentication response.

  4. In the Authenticator Settings do the following:

    1. Set Maximum Grids Per User to the maximum number of Grid Cards each user can have. The maximum value is 10.
    2. Set Maximum Tokens Per User to the maximum number of tokens a user can have. The maximum value is 10.
    3. Set Maximum Passkey/FIDO2 Tokens Per User to the maximum number of Passkey/FIDO2 tokens a user can have. The maximum value is 10.
    4. Set Max. Smart Credentials Per User to the maximum number of mobile smart credentials a user can have. The maximum value is 10.
    5. Set the Maximum Face Biometrics Per User to the maximum number of face biometrics authenticators a user can have. The maximum value is 10 for mobile devices and 1 for Web.
  5. In the Inactivity Settings do the following:

    1. Select Manage Inactive Users to block inactive users from being able to authenticate.
    2. Set the User Inactivity Threshold to define how long a user can remain inactive before the account is locked.

      Enter a numeric value, then select the time unit (milliseconds, seconds, minutes, hours, or days) from the drop-down list. The default is 30 days.

    3. Set the Inactivity Grace Period to define how long a user who has reached the inactivity threshold has to reactivate their account before it is locked.

      Enter a numeric value, then select the time unit (milliseconds, seconds, minutes, hours, or days) from the drop-down list. The default is 1 hour.

  6. Click Save to confirm your changes.
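The lockout, session and transaction-queue rules from steps 2 and 3 above, modelled as an added Python example. This is not Entrust's code (IDaaS is a hosted service configured through the page described here); the class and method names are hypothetical, and the assumption that a successful authentication resets the failure count is mine, not something the page states. Everything else the model encodes is taken from this page: Lockout Count, Lockout Mode (Authenticator versus User), Lockout Lifetime 0 meaning locked until an administrator unlocks, the 28,800-second cap on the standard idle timeout, the rule that the admin session lifetime must not exceed it, and the queue eviction order (expired transactions first, then the oldest). Times are in seconds.

```python
"""Model of the Lockout Settings, session limits and soft-token push-transaction
queue rules described on the IDaaS General settings page. Added illustration,
not Entrust code; names are hypothetical. Times are in seconds."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_IDLE_TIMEOUT = 28_800  # 8 hours, the stated maximum for the standard idle timeout


def validate_session_settings(standard_idle: int, admin_lifetime: int) -> bool:
    """Standard idle timeout <= 8 h; admin lifetime must not exceed the standard value."""
    return 0 < standard_idle <= MAX_IDLE_TIMEOUT and 0 < admin_lifetime <= standard_idle


@dataclass
class LockoutPolicy:
    lockout_count: int     # failures allowed before a lock is applied
    lockout_mode: str      # "Authenticator" or "User"
    lockout_lifetime: int  # seconds; 0 = locked until an administrator unlocks


class LockoutTracker:
    """Counts failed challenges per lock key and applies the lockout policy.
    Assumption (not on the page): a successful authentication resets the count."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.failures: Dict[Tuple[str, str], int] = {}
        self.locked_at: Dict[Tuple[str, str], float] = {}

    def _key(self, user: str, authenticator: str) -> Tuple[str, str]:
        # User mode: one lock covers every authenticator the user has.
        # Authenticator mode: each authenticator is locked on its own.
        return (user, "*") if self.policy.lockout_mode == "User" else (user, authenticator)

    def is_locked(self, user: str, authenticator: str, now: float) -> bool:
        key = self._key(user, authenticator)
        if key not in self.locked_at:
            return False
        if self.policy.lockout_lifetime == 0:
            return True  # Lockout Lifetime 0: stays locked until admin_unlock
        if now - self.locked_at[key] >= self.policy.lockout_lifetime:
            del self.locked_at[key]  # lockout expired, the user may try again
            self.failures.pop(key, None)
            return False
        return True

    def record_failure(self, user: str, authenticator: str, now: float) -> bool:
        """Record a failed challenge; return True if this failure locks the key."""
        key = self._key(user, authenticator)
        self.failures[key] = self.failures.get(key, 0) + 1
        if self.failures[key] >= self.policy.lockout_count:
            self.locked_at[key] = now
            return True
        return False

    def record_success(self, user: str, authenticator: str) -> None:
        self.failures.pop(self._key(user, authenticator), None)

    def admin_unlock(self, user: str, authenticator: str) -> None:
        key = self._key(user, authenticator)
        self.locked_at.pop(key, None)
        self.failures.pop(key, None)


class TransactionQueue:
    """Pending push transactions for one soft token identity. When the queue is
    full, expired transactions are removed first; if none have expired, the
    oldest is discarded. A size of 1 disables queuing (new overwrites old)."""

    def __init__(self, max_queued: int, transaction_lifetime: int):
        self.max_queued = max(1, max_queued)
        self.lifetime = transaction_lifetime
        self.items: List[Tuple[str, float]] = []  # (tx_id, created_at), oldest first

    def pending(self, now: float) -> List[str]:
        """Transactions still awaiting a response at time `now`."""
        return [tx for tx, created in self.items if now - created < self.lifetime]

    def push(self, tx_id: str, now: float) -> List[str]:
        """Queue a transaction; return the ids dropped to make room for it."""
        dropped: List[str] = []
        if len(self.items) >= self.max_queued:
            kept = []
            for tx, created in self.items:
                if now - created >= self.lifetime:
                    dropped.append(tx)  # expired entries are evicted first
                else:
                    kept.append((tx, created))
            self.items = kept
        if len(self.items) >= self.max_queued:
            oldest, _ = self.items.pop(0)  # nothing expired: discard the oldest
            dropped.append(oldest)
        self.items.append((tx_id, now))
        return dropped
```

`TransactionQueue` applies to soft token identities only; as the warning above notes, the mobile smart credential app does not support queuing, so a size above 1 has no effect there. The `dropped` list returned by `push` is the point to watch in a real deployment: any non-expired id appearing in it means the queue was sized too small for peak load and a user lost a transaction they never saw.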