Managing an Individual OneSpan (VASCO) OTP Token
The VASCO OTP tokens properties page (Devices menu > VASCO OTP tokens > click a token Serial Number) shows information about a OneSpan (previously VASCO) OTP token.
When configuring external OTP tokens that are allowed for e-prescribing controlled substances, you are required to attest that the OTP token server is FIPS-compliant and that OTP tokens are properly enrolled per DEA EPCS regulations. This action is logged in the Imprivata audit records. FIPS 140-2 Level 1 compliant tokens are required when used to e-prescribe controlled substances. See Configuring External OTP Tokens for more information.
NOTE: OneSpan OTP token users can be enabled for Offline Authentication through their security policies. See Allow Offline Authentication to EAM with VASCO OTP Tokens.

Every OneSpan OTP token must have one of three statuses:
- Available — Tokens are valid, licensed, and ready for use, but not yet assigned to any user. Available tokens cannot be used to authenticate to Enterprise Access Management.
- Assigned to a user — Tokens are assigned to an authorized user. These tokens cannot be deleted from Enterprise Access Management until their status is changed to Available or Lost.
- Lost — Tokens are no longer in the custody of an authorized person, and may be in the possession of an unauthorized person. This is a potential security breach, so tokens with Lost status are disabled. Lost tokens cannot be used to authenticate to Enterprise Access Management.
You can change the status of any token at any time, as described in the following "Assigning" sections.

To assign Lost status to a VASCO OTP token:
- On the VASCO OTP tokens page, click the serial number of the VASCO OTP token to be marked as lost. The VASCO OTP token properties page opens.
- In the Assignment Status section, select Lost.
- Click Save.
A token that is no longer in the custody of an authorized person may be in the possession of an unauthorized person. This is a potential security breach, so tokens with Lost status are disabled.

NOTE: Providers who are identity proofed by Norton Secure Login cannot be assigned VASCO OTP tokens or use VASCO OTP tokens to e-prescribe controlled substances.
To assign an available VASCO OTP token to a user:
- On the VASCO OTP tokens page, click the serial number of the VASCO OTP token to be assigned. The VASCO OTP token properties page opens.
- In the Assignment Status section, select Assigned to.
- Enter the username and domain information of the user.
- Click Save.
NOTE: If you assign a second token to a user, the first token is automatically unassigned.

Some VASCO OTP tokens support a static PIN feature. A static PIN is a personal code of preset length that is entered together with the VASCO OTP token passcode, so that authentication requires both something the user knows and something the user has.
Because the VASCO OTP token passcode is dynamic (so it cannot be memorized) and the user's PIN is static but (under normal circumstances) never written down, a VASCO OTP token that comes into the hands of an unauthorized user cannot be used on its own to authenticate to your network. In the same way, an intruder who learns a user's static PIN cannot access the network without also holding the physical token.
If the VASCO OTP token supports the VACMAN static PIN feature, then one of three conditions comes pre-configured on the token. These settings are determined by the DPX file contents set by the manufacturer based on parameters chosen by the VASCO OTP token purchaser:
- User may never change static PIN — Forbidding the user from changing the PIN ensures the PIN is always known to the Administrator. This is more a matter of policy than of usability. There is a separate reset function for use when a user changes the PIN and then forgets it or if a token is reassigned. See Resetting and Changing a Static PIN.
- User must change PIN immediately and may change later — Requiring the user to change the PIN ensures the PIN is known only to the user. The Administrator cannot know the PIN after it has been changed. If a user changes the PIN and then forgets it, or if a token is reassigned, see Resetting and Changing a Static PIN.
- User may change PIN at any time — Permitting but never requiring the user to change the PIN means the PIN is known to both the user and the Administrator only until the user changes it. Users are more likely to remember PINs they set themselves. If a user changes the PIN and then forgets it, or if a token is reassigned, see Resetting and Changing a Static PIN.
These settings have different security values, so it is important to understand which configuration best suits your users.
There is an additional tool for the Administrator, as described in the following section.

Resetting and Changing a Static PIN
Not all VASCO OTP tokens support the static PIN feature. If a user changes the static PIN and then forgets it, or if a token is reassigned, you can reset the PIN to nothing at all, that is, a string value of zero length.
When the PIN has been reset in this manner, the Administrator can assign a new PIN by entering and confirming it in the Change Static PIN fields.
Changing a Static PIN
To change the static PIN:
- Open the token record and scroll down to the Static PIN section.
- Enter the new PIN in the New PIN: field. Confirm the new PIN in the Confirm PIN: field. There is no need to enter the old PIN.
- Click Change PIN.
NOTE: Do not click the Reset PIN button.
Users Changing the Static PIN
Users can change a PIN in the Imprivata ID token login screen, in the PIN + Passcode field, by entering the old PIN, the passcode, and the new PIN twice, in the following format with no spaces: OldPINpasscodeNewPINNewPIN
If the old PIN was reset (and is now of zero length), then enter only: PasscodeNewPINNewPIN
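The following is an added illustration of how a server would take apart and check that PIN + Passcode entry; it is not Imprivata or OneSpan code. It assumes a fixed static PIN length (PIN_LEN) and a fixed passcode length (PASSCODE_LEN), both hypothetical values standing in for whatever the token's DPX profile specifies, and it takes the passcode check as a caller-supplied function because the token algorithm is not described on this page. The zero-length old PIN case after an administrator reset is handled explicitly.

```python
import hmac
from typing import Callable, Optional

# Assumed lengths for illustration only; real values come from the token's DPX profile.
PIN_LEN = 4
PASSCODE_LEN = 6


def parse_pin_change(entry: str, old_pin_reset: bool,
                     pin_len: int = PIN_LEN,
                     passcode_len: int = PASSCODE_LEN) -> dict:
    """Split an entry of the form OldPIN+passcode+NewPIN+NewPIN.

    After an administrator reset the old PIN is zero-length, so the entry is
    passcode+NewPIN+NewPIN and old_pin_reset must be True. Anything that does
    not fit the expected layout exactly raises ValueError.
    """
    old_len = 0 if old_pin_reset else pin_len
    expected = old_len + passcode_len + 2 * pin_len
    if any(ch.isspace() for ch in entry):
        raise ValueError("entry must not contain spaces")
    if len(entry) != expected:
        raise ValueError(f"expected {expected} characters, got {len(entry)}")

    # Fixed-width fields, taken left to right.
    old_pin = entry[:old_len]
    passcode = entry[old_len:old_len + passcode_len]
    new_pin = entry[old_len + passcode_len:old_len + passcode_len + pin_len]
    confirm = entry[old_len + passcode_len + pin_len:]

    if not passcode.isdigit():
        raise ValueError("passcode must be numeric")
    if new_pin != confirm:
        raise ValueError("new PIN and its confirmation do not match")
    return {"old_pin": old_pin, "passcode": passcode, "new_pin": new_pin}


def apply_pin_change(stored_pin: Optional[str], entry: str,
                     verify_passcode: Callable[[str], bool]) -> str:
    """Server-side acceptance of a user PIN change; returns the PIN to store.

    stored_pin is None when the administrator has reset the PIN to zero length.
    verify_passcode is the OTP check owned by the authentication server (a
    hypothetical parameter here). Both factors must pass before the new PIN is
    accepted, so neither a found token nor a leaked PIN alone can change it.
    """
    parts = parse_pin_change(entry, old_pin_reset=stored_pin is None)
    if stored_pin is not None and not hmac.compare_digest(parts["old_pin"], stored_pin):
        raise PermissionError("old PIN does not match")
    if not verify_passcode(parts["passcode"]):
        raise PermissionError("passcode rejected")
    return parts["new_pin"]


if __name__ == "__main__":
    # Constructed sample values; "482910" is not a real token output.
    accept = lambda code: code == "482910"
    print(apply_pin_change("1234", "1234" + "482910" + "5678" + "5678", accept))
    print(apply_pin_change(None, "482910" + "5678" + "5678", accept))
```

The length check is strict on purpose: because the fields have no separators, the server can only locate the passcode and the two PIN copies if it already knows the PIN length and whether the old PIN is currently zero-length, which is exactly why the two entry formats above differ.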

Virtual tokens are useful when an authorized user forgets or loses a VASCO OTP token and needs access to the network.
NOTE: Not all VASCO OTP tokens support the Virtual Token feature. The Virtual Token feature comes programmed into the token; you cannot assign the Virtual Token feature from Enterprise Access Management.
To create a one-time password:
- Open the token record and scroll down to the Virtual Token section.
- Click Generate to create a new one-time password. The One-Time Password appears to the right of the button. The one-time password can be used just like the passcode generated by the VASCO OTP token.
NOTE: Do NOT test the new one-time password in the Test One-Time Password field. The Test One-Time Password field is for troubleshooting tokens.

At the bottom of the VASCO OTP token record is a token-sensitive set of other operations. Not all of these operations will display; their availability depends upon whether the token supports them:
- If you are testing one-time password functionality on a token, see Testing a Token's One-Time Password.
- A VASCO OTP token can become disabled after passing the inactive days setting (see Reviewing VASCO Kernel Parameters) or as a result of an accumulation of minor errors over time. If a user's VASCO OTP token has become disabled, the easiest solution is to try resetting it. See Resetting a Disabled VASCO OTP Token.
- If a VASCO OTP token shows a lock code on its screen, then you can unlock it with the procedure in Unlocking a VASCO OTP Token.

Testing a Token's One-Time Password
When you reassign a token to another user, it is a good idea to test the token first. You can test the token by using it to authenticate against the Test One-Time Password field. The procedure depends on the type of token you are testing, response-only or challenge-response, as described below. The token type is listed in the token information section of the token record.
Testing a Response-Only VASCO OTP Token
It is a good practice to test a VASCO OTP token before assigning it to a user. To test a response-only VASCO OTP token:
- Open the token record for the VASCO OTP token to be tested.
- In the Test One-Time Password field, enter the token PIN and a passcode generated by the token.
- Click Test. A message indicating that the test was successful is displayed.
Testing a Challenge-Response VASCO OTP Token
To test a challenge-response VASCO OTP token:
- Open the token record for the VASCO OTP token to be tested.
- In the Test One-Time Password line, click Generate Challenge Code. A challenge code is displayed.
- Using the VASCO OTP token keypad, enter the challenge code into the VASCO OTP token. The VASCO OTP token generates a one-time password.
- Enter the one-time password from the VASCO OTP token in the test field.
- Click Test.

Resetting a Disabled VASCO OTP Token
Each VASCO OTP token maintains an internal error counter designed to disable the token if it is misused. Under unusual conditions, ordinary use can also drive the error count high enough to disable the token.
- To reset a disabled VASCO OTP token, click the Reset Token button. The error counters are immediately reset to zero.
- If resetting the token error counters does not make the token serviceable again, then assign the user a new token.
Resetting the token error counters has no effect on the static PIN. To reset the token static PIN, see Resetting and Changing a Static PIN.

Unlocking a VASCO OTP Token
If a user locks a VASCO OTP token by repeatedly entering the wrong PIN into the token, you can generate a PIN that the user can use to unlock it. This operation can be handled over the telephone.
To unlock a locked VASCO OTP token:
- The token displays LOCK together with a passcode. Enter that passcode in the Unlock Token field.
- Click Generate Unlock PIN. A new PIN is displayed.
- Have the user enter the new unlock PIN into the token. The VASCO OTP token returns to normal functionality.

You can generate a report that shows activity for this VASCO OTP token over a period of time that you set before running the report.
Click View Token Report at the top right of the VASCO OTP token properties page. The Add New Report page opens, where you can name the report (if you plan to save it) and specify a date range.