SoftToken

This section controls the soft token policy.

The password policy in force when a soft token is created (PinMinLen, PinMaxLen and PinType) is stored within the soft token, so it cannot be changed after creation.

Events

This entry is used to add event handling to soft tokens. Soft tokens may be removed by other processes, and an insert event is also generated when a soft token is updated, so that applications can detect updates.

0: No special event handling

1: Events are checked each time a calling application checks for events

2: Events are checked each time a calling application checks for slots

3: Events are checked each time a calling application checks for events and/or slots

Default value is 0; no special event handling.

FileExtension

This entry specifies the file type used by soft tokens. The internal soft token format ".tkn" is the only supported value on Windows and Linux. On macOS either the internal format or the Apple ".keychain" format may be used.

Default value is none; internal soft token format.

FileExtension=.tkn

PinExpire

This entry enables or disables the password expiry policy. The password may be configured to require a change after X days.

0: Password expiry policy disabled

X: Password will expire after X days

Default value is 0; no password expiry policy.

PinFailure

This entry is used to specify how password failures will be handled for soft tokens, i.e. if a user gives the wrong password when trying to use the soft token.

PinFailure=0xAABBCCDD

AA: Number of milliseconds of delay between failed attempts to give the correct password. The delay is multiplied by the number of failed tries.

BB: not used

CC: Number of minutes that the password will be blocked.

DD: Number of failed tries until the password is blocked.

Default value is none; no handling of password failures for soft tokens.

[SoftToken]
PinFailure=0x64000A0A

AA=64: 100 ms of delay between tries, i.e. the delay after the first try is 100 ms, after the second try 200 ms, and so on.

CC=0A: The password will be blocked for 10 minutes before it is possible to try again.

DD=0A: The password will be blocked after 10 failed tries.

If no blocking period is configured, that is, CC is set to 00, the application must be restarted before new tries can be made. If a blocking period is configured, a restart makes no difference, since the block is stored in the object: you have to wait until the blocking period ends to get DD new tries.

PinHistory

This entry enables or disables password history checking. When enabled, old passwords are stored as a private object and compared with a new password.

0: Password history disabled

X: The new password is compared with the last X passwords

Default value is 0; no password history checking.

PinMaxLen

This entry is used for maximum password length policy.

0: No maximum password length

X: Maximum password length of X bytes

Default value is 64; maximum 64 bytes password.

PinMinLen

This entry is used for minimum password length policy.

0: No minimum password length

X: Minimum password length of X bytes

Default value is 2; minimum 2 bytes password.

PinPolicy

This entry is used for the password policy, 0xaAbBcCdD:

  • aA → min/max for number of digits

  • bB → min/max for number of lower characters

  • cC → min/max for number of upper characters

  • dD → min/max for number of special characters

Default value is 0; no password policy.
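As an added example (not the product's own code), the following Python decodes the PinFailure 0xAABBCCDD value from the example above and the PinPolicy 0xaAbBcCdD value, and models the delay and blocking behaviour described under PinFailure. Two assumptions are made: DD is greater than zero, and within each PinPolicy byte the high nibble is the minimum and the low nibble the maximum count for that character class.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class PinFailurePolicy:
    """Decoded form of PinFailure=0xAABBCCDD (BB is documented as unused)."""
    delay_ms: int       # AA: base delay, multiplied by the number of failed tries
    block_minutes: int  # CC: length of the block once DD failures are reached
    max_tries: int      # DD: failed tries allowed before the password is blocked

    @classmethod
    def parse(cls, value: str) -> PinFailurePolicy:
        raw = int(value, 16)
        if not 0 <= raw <= 0xFFFFFFFF:
            raise ValueError("PinFailure must be a four-byte value")
        return cls(
            delay_ms=(raw >> 24) & 0xFF,      # AA
            block_minutes=(raw >> 8) & 0xFF,  # CC (BB at bits 16..23 is skipped)
            max_tries=raw & 0xFF,             # DD
        )

    def delay_after_failure(self, failed_tries: int) -> int:
        """Milliseconds to wait after the n-th failure: AA * n (100, 200, ... for AA=64)."""
        return self.delay_ms * failed_tries

    def is_blocked(self, failed_tries: int) -> bool:
        """True once DD failed tries have been made (assumes DD > 0)."""
        return failed_tries >= self.max_tries

    def unblock_needs_restart(self) -> bool:
        """CC=00 means no timed block: only an application restart allows new tries."""
        return self.block_minutes == 0


def parse_pin_policy(value: str) -> dict[str, tuple[int, int]]:
    """Decode PinPolicy=0xaAbBcCdD into {character class: (min, max)}.

    Assumption (the page does not say): within each byte the high nibble is
    the minimum and the low nibble the maximum count for that class.
    """
    raw = int(value, 16)
    result = {}
    for i, name in enumerate(("digits", "lower", "upper", "special")):
        byte = (raw >> (24 - 8 * i)) & 0xFF
        result[name] = (byte >> 4, byte & 0xF)
    return result
```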

PinType

This entry is used for the password type policy; the requirements are listed below:

0: all characters (case sensitive)

1: all characters (case insensitive)

2: all characters (min 2 digits and max 2 in a row or in sequence)

3: all characters (min 2 digits and max 2 in a row)

4: only digits

Default value is 0; all characters allowed and case sensitive.