Software-Based MFA

Overview of NacID

  • Developed by Known Access
  • It is a Multi-Factor Authentication (MFA) Device
  • It is a software based technolog
  • Users must register NacID on their PC
  • It is a one-time password generation technology
  • It works with Known Access Security System
  • NacID generates a unique token every minute
  • Each token consists of 7 numeric or alpha-numeric characters
  • Each token is displayed only for one minute unless cleared before that
  • Users can use the NacID token only once to authenticate
  • Any attempt to reuse a token will fail
  • Each authentication attempt is audited
  • Any attempt to authenticate using a token that is outside the acceptable window (configurable) will fail.
  • Users are suspended when successive invalid attempts are detected

NacID Assignment and Registration

  • Administrators can assign a particular NacID Serial number to a user
  • Users must have NacID software loaded on their PC
  • Security administrators or Helpdesk can generate a NacID Registration Credentials
  • Software is provided to generate the Registration credentials
  • Registration credentials must be distributed to the end-users
  • During registration process, each NacID is tied down to a particular PC
  • After installation of NacID software double-click on the icon
  • Enter your UserID, Registration Key and Temporary Codeword
  • Once the above step is successful then a passphrase is picked
  • Users must remember the passphrase (8-24 characters) for using NacID
  •  Use of passphrase is required to generate a token
  • NacID tokens are used with codeword for authentication

Reassignment of NacID

  • Each NacID  software is associated with a serial number
  • Whenever a NacID is unassigned, the registration key is wiped out
  •  Earlier registered NacID on a PC is no longer valid
  • Now this particular NacID can be reassigned
  • User interface to reassign the NacID is provided
  • Registration process has to be followed once again
  • The assigned user using the NacID for the first time is detected
  • First time use requires the user to change his/her codeword

How to Enable, Disable & Manage Stolen NacIDs

  • Administrators can very easily unassign a NacID from a user
  • A NacID can be disabled
  • A disabled NacID can be enabled
  • A NacID can be re-assigned 
  • An unassigned NacID can be re-assigned to a different user
  • When a NacID Serial Number is unassigned, any token generated after that will fail
  • No need to delete any NacIDs from the system
  • Lifecycle of NacID management is handled by CSAC
  • Reports can be generated for the NacID users

How to Authenticate using NacID

  • After successful authentication on NacID, you will see Token screen
  • Every time you enter your codeword, it generates a unique one-time password (OTP)
  • At the time of initial user configuration a temporary codeword is issued to the user that must be used with the NacID OTP
  • The NacID user must login using the assigned UserID & passcode (temporary codeword followed by NacID OTP)
  • If the authentication is successful, the user is asked to change the temporary codeword
  • A user authenticating with a disabled NacID will not be successful
  • NacID OTPs are time based and the clock on the user’s PC could be off. Administrators are informed when detected
  • Any NacIDs generated earlier than the recently used one will fail

Different States of NacID

  • New – Never Assigned
  • Unassigned – It was assigned earlier to someone
  • Reserved – Saved for a particular user
  • Assigned – It is already assigned to someone
  • Disabled – An Administrator can disable any YubiKey
  • Expired   – Not valid anymore


  • If you get an unrecognizable NacID token then make sure the user is using the right codeword
  •  Make sure that the user’s PC clock is not off
  • Make sure the user is using the NacID that is assigned to him/her.
  • Use of disabled NacID will result in authentication failure
  • Use of NacID OTP without codeword will result in failure
  •  Use of wrong codeword with correct NacID OTP will result in failure
  • Use of right NacID OTP with wrong codeword will result in failure