After you create a user, you must assign user authenticators to the user. The General settings set the conditions for authenticators and whether a user is automatically assigned certain authenticators when their account is created. While you can modify the General settings at any time, you may want to configure the settings before you create new users or assign users additional authenticators. For example, you can set the General settings to automatically assign an Entrust Soft Token or Google token to a user or automatically create a password for the user.
Note: If you are configuring Identity as a Service to synchronize users from Active Directory (AD), configure the Lockout Count and Lockout Lifetime settings to match the values used in your AD configuration.
Manage General settings
1. Click > Policies > General. The General page appears.
2. In the Lockout Settings, do the following:
a. Set Lockout Count to the number of times a user can fail an authentication challenge before being locked out of their account.
b. Select the Lockout Mode from the drop-down list.
– Select Authenticator to lock only the authenticator after multiple failed authentication attempts.
– Select User to lock the user after any failed authentication.
c. Enter the Lockout Lifetime to set the number of seconds before the lockout expires. After the Lockout Lifetime expires, a user can attempt to authenticate again. A value of 0 means the account remains locked until unlocked by an administrator.
3. In the Authentication Settings, do the following:
a. Enter the Authentication Session Lifetime to set the time limit before an authenticated user needs to reauthenticate. The maximum value is 3600 (1 hour). The default is 900 seconds.
b. Enter the Push Authentication Lifetime to set the time limit a user has to respond to a soft token authentication challenge by selecting Confirm or Cancel on the mobile soft token or the mobile smart credential app.
c. Enter the Push Transaction Lifetime to set the time limit a user has to respond to a mobile soft token push transaction or mobile smart credential push transaction on the mobile soft token or mobile smart credential app.
d. Enter the Maximum Number of Transactions Queued on the mobile soft token app. This is the number of transactions that can be in the queue at one time for a mobile soft token push transaction.
This setting enables push transaction queuing, which allows a mobile soft token app to store multiple push transactions at a time, for example, multiple bank transfers. With this feature configured, Identity as a Service can deliver multiple transactions to a user's mobile soft token app and the user can address them within a configured amount of time. When the queue size is set to 1 (the default), then only one transaction delivered to a soft token identity is active at a time (a new one overwrites an older one), and, typically, transactions expire after a short time.
When the number of transactions waiting for the user response is equal to the setting specified here, the queue is full for that soft token identity. Entrust strongly recommends that you set the queue size large enough that the queue never becomes full. If the queue does become full, however, and a new transaction arrives, Identity as a Service removes expired transactions from the queue. If that does not free a space for the new transaction (none are expired), Identity as a Service discards the oldest transaction in the queue.
The default value is 1. When set to 1, transaction queuing is disabled and new transactions overwrite the previous transactions.
Note: A user can use the same mobile soft token both for responding to an authentication challenge (for example, issuing a token code to access an application) and for responding to banking transactions.
In addition, Entrust recommends that you set the Maximum Number of Transactions Queued based on the rate at which your organization creates transactions during peak loads, and then consider doubling this value. The aim is to set a value that can accommodate an unusually high volume but is rarely, if ever, reached. This helps to ensure that transaction notifications are not removed from the queue before a user has had time to respond to them.
Note: The Mobile smart credential app does not support transaction queuing.
e. Enter the Dynamic Linking Transaction Lifetime to set the time limit a user has to complete a dynamic linking transaction. (See Integrate Identity as a Service for PSD2 compliance for more information).
f. Select Enable Enhanced Authentication Details to include additional details about the authentication response.
4. In the Authenticator Settings, do the following:
a. Set Maximum Grids Per User to the maximum number of Grid Cards each user can have. The maximum value is 10.
b. Set Maximum Tokens Per User to the maximum number of tokens a user can have. The maximum value is 10.
c. Set Maximum Passkey/FIDO2 Tokens Per User to the maximum number of Passkey/FIDO2 tokens a user can have. The maximum value is 10.
d. Set Max. Smart Credentials Per User to the maximum number of mobile smart credentials a user can have. The maximum value is 10.
e. Set the Maximum Face Biometrics Per User to the maximum number of face biometrics authenticators a user can have. The maximum value is 10 for mobile devices and 1 for web.
5. In the Inactivity Settings, do the following:
a. Select Manage Inactive Users to block inactive users from being able to authenticate.
b. Set the User Inactivity Threshold to the amount of time a user can be inactive before their account is locked. Enter the numeric value in the field and select the time unit (milliseconds, seconds, minutes, hours, or days) from the drop-down list. The default is 30 days.
c. Set the Inactivity Grace Period to the amount of time an administrator grants to a user to reactivate their account. Enter the numeric value in the field and select the time unit (milliseconds, seconds, minutes, hours, or days) from the drop-down list. The default is 1 hour.
6. Click Save to confirm your changes.
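To make the queue rules in step 3d concrete, here is an added model of one soft token identity's push transaction queue, written for this page and not Entrust's own code; the class, method and field names are assumptions, and the behaviour follows only what the text states: a size of 1 overwrites the previous transaction, a full queue first evicts expired transactions, and only if that frees nothing is the oldest transaction discarded.

```python
from dataclasses import dataclass


@dataclass
class Transaction:
    tx_id: str
    created_at: float  # seconds on a constructed sample clock
    lifetime: float    # the Push Transaction Lifetime setting, in seconds

    def is_expired(self, now: float) -> bool:
        return now >= self.created_at + self.lifetime


class SoftTokenQueue:
    """Illustrative model (not Entrust's code) of one soft token identity's
    push transaction queue, following the rules stated in step 3d."""

    def __init__(self, max_queued: int = 1):
        if max_queued < 1:
            raise ValueError("Maximum Number of Transactions Queued must be >= 1")
        self.max_queued = max_queued
        self.pending: list[Transaction] = []  # oldest first

    def pending_ids(self) -> list[str]:
        return [t.tx_id for t in self.pending]

    def deliver(self, tx: Transaction, now: float) -> list[Transaction]:
        """Add a new transaction; return the ones removed to make room."""
        dropped: list[Transaction] = []
        if self.max_queued == 1:
            # Queuing disabled (the default): the new transaction
            # simply overwrites whatever was active before.
            dropped, self.pending = self.pending, [tx]
            return dropped
        if len(self.pending) >= self.max_queued:
            # Queue is full: first purge expired transactions ...
            dropped = [t for t in self.pending if t.is_expired(now)]
            self.pending = [t for t in self.pending if not t.is_expired(now)]
            if len(self.pending) >= self.max_queued:
                # ... and only if that freed no space, discard the oldest.
                dropped.append(self.pending.pop(0))
        self.pending.append(tx)
        return dropped

    def respond(self, tx_id: str, now: float) -> bool:
        """User confirms or cancels; False if unknown or already expired."""
        for i, t in enumerate(self.pending):
            if t.tx_id == tx_id:
                del self.pending[i]
                return not t.is_expired(now)
        return False
```

Sizing the queue so that the "discard the oldest" branch is never reached is exactly what the recommendation to size for peak load and then double that value is meant to achieve.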