Primus HSM - Authentication Mode
Primus HSM devices support two authentication modes:
- 2-Factor Authentication (2FA), using physical smart cards and PIN (possession and knowledge)
- 1-Factor Authentication (1FA), using virtual cards with name and PIN (knowledge)
Default authentication modes for different devices:
- X2/X/S2/S-Series default to 2FA and are delivered with physical cards
- E2/E-Series default to 1FA because they have no card slots, but support 2FA when operated via the Decanus Terminal
For optimal security, 2-factor authentication with physical cards is strongly recommended. 1FA relies on knowledge alone (name and PIN), so it offers a lower level of security than 2FA with physical cards, where an attacker would also need possession of the card.
View the Role and Access Overview for a list of roles which can use physical cards for authentication.
Changing Authentication Mode
The change from 1FA to 2FA or from 2FA to 1FA can be performed either in factory state (requires Genesis activation) or after the device is set up (requires SO and Genesis activation). Changing the authentication mode does not affect the HSM users or user keys.
Changing the authentication mode of the Master device in a cluster generates new authentication tokens (e.g. SO cards). These are replicated automatically within the HA cluster. Manual clones, however, must be re-cloned to receive the new Master SO tokens; otherwise some functionality will fail.
Clustered devices and future clones must use the same authentication mode.
For more details and to change the authentication mode follow the steps provided in the Primus HSM User Guide chapter Authentication Mode.