Excalibur utilizes a user’s smartphone to act as a secure hardware token for any and all authentication and authorization needs inside of an enterprise. It utilizes the user's smartphone to verify authentication factors such as Location, PIN, Fingerprint, Face scan, etc. according to a security policy of a company or given user / users group (the security policy). Thus, Excalibur enables seamless, multi-factor and passwordless authentication.
Info
For more information on how Excalibur works from a user perspective and how to use it, please refer to the Excalibur User Manual.
To discuss Excalibur errors, 3 basic aspects of Excalibur need to be briefly introduced: Components Excalibur consists of, User roles involved in interaction with these components and Actions users can take in Excalibur.
Server- Provides a persistent network and storage central point, and therefore must be accessible to all components. It also provides a web-based management interface - the Dashboard, as well as WebSDK, which takes care of communication and operations with integration components. The server is usually deployed on-premise.
Token- The Excalibur mobile application utilizes the user’s mobile phone as a hardware security token - therefore in Excalibur, we call the mobile phone the token. It is primarily used to interact with the user - input of authentication factors, viewing of sessions and their history as well as providing remote locking / logout of sessions. Token uses the biometric sensor if available and HW secure element if supported by the phone.
Client- In the context of Excalibur, the client is usually a PC. The client component provides the Excalibur login screen that is displayed on top of the default Operating System login screen / lock screen. This is achieved by utilizing the Excalibur Credential Provider (CP).
Facade- is the component that interacts with the Active Directory (AD) and thus must be installed on at least one AD server. It runs as a system service and interacts with the AD utilizing the Remote Protocol Directory Replication Service (DRS) resp. LDAP as a backup option.
CA- Excalibur Certificate Authority (CA) issues certificates to other Excalibur components. For security reasons, Excalibur provides cloud-based CA as-a-service - so that even if the customer infrastructure is fully compromised the attacker will not gain control over provisioning of new user tokens.
And lastly Company - referring to an organization, in which all the components (Server, Token, Client, Facade) are deployed.
User- is a person, an end-user who uses Excalibur to Authenticate and Authorize against Company’s Client(s) and integrations, utilizing his/hers personal Token, and if available on a given Client, manage his/hers sessions. User might also Verify his/hers colleagues (if allowed and required), Reset his/hers own authentication factors, as well as expired password on a Client (if applicable). Every user can also log into the Dashboard, where a regular User only sees own account details, Actions and Sessions.
Manager- additionally to User privileges, Manager can see additional data in the Dashboard related to his/hers account and data of Users he/she manages resp. supervises, and also has a right to remotely terminate their sessions. Manager cannot change security policies (only view them), and also doesn’t have an access to various parts of the Dashboard such as Groups, Roles, Security policies or Audit. Manager is the role which usually verifies more sensitive actions or actions with incidents of his/hers subordinates.
Administrator- additionally to Manager privileges, Administrator has an access to all data available in the Dashboard, as well as a right to change security policies, geofences, groups and other settings to anyone. Administrator is also a person within the Company designated to install and configure Excalibur, as well as responsible for configuration of Company’s environment in accordance with Excalibur requirements. This is the highest user role in Excalibur and the Dashboard.
There are also user roles with specific access privileges in the Dashboard such as the Service Desk operator or Auditor, but they won’t be discussed in the scope of this document.
And lastly Excalibur Support - while not a user role, nor an end-user within the Company, Support refers to a point of contact in Excalibur, which helps a personnel responsible for Excalibur within the Company to fix problems they cannot resolve.
It’s important to note that even the Administrator is unable to modify events history within Excalibur, which includes Actions log, Timeline, Sessions, Incidents, Verifications and Errors as they have been happening.
User needs to register first to perform any other action in Excalibur. Registration starts on a Client where user clicks “Register” on the Excalibur login screen and proceeds with self-registration following on-screen instructions. During registration, user sets all authentication factors required by the security policy on his/hers Token, which initializes it.
Authentication or Login is an action based on a direct user intent and the only one in Excalibur which can operate in an online as well as offline mode. User performs his/hers intent by scanning a login QR code from a Client with his/hers Token. The login QR code is dynamically changing - by default Client generates a new one every 15 seconds with 90 seconds validity. Authentication factors are then verified based on the security policy and if it succeeds, in online mode the User is automatically logged into the Client, while in offline mode, the User is presented on his/hers Token with an OTP code, which he/she needs to manually enter on the Client’s Excalibur login screen to log in.
Authorization or Confirmation action is a push notification based action for example, VPN Login (in which a username needs to be entered) will trigger a push notification for a Token of a User specified by the username. On the Token, the User is asked to confirm given action with the exact specification of what is being confirmed. Authentication factors are then verified based on the security policy and if it succeeds, User’s action is authorized. RADIUS is currently the primary use-case of Authorization.
If a user forgets his/hers Token, or there’s any other reason a user cannot use or doesn’t have his/hers Token at the moment, there’s a backup option to utilize a Tokenless Authentication. In this case, User begins the process on Client’s Excalibur Login screen, selects “Forgotten phone”, inserts his/hers name, PIN and a reason why his/hers Token isn’t available at the moment. If entered name and pin are verified successfully, this request triggers a usual Verification process in which any verifier designated to verify this user based on the security policy, verifies the action either in person or remotely. Based on user’s Security policy, verifiers have the option to select a time interval (once, hour, 8hours, day) on theirs tokens during which the user can login without further verification on a particular computer. For further tokenless login on this computer, User must type username, PIN and give the reason.
Registered users have an option to reset his/hers authentication factors on his/hers Token. Firstly, authentication factors are verified based on the security policy and if it succeeds, User proceeds to set new factors.
If Company’s security policies allows users to show their current password on token`s screen, than this action is available in account settings for selected Company. Firstly, authentication factors are verified based on the security policy and if it succeeds, User’s currently active password stored in Active Directory is shown on his token’s screen.
If Company’s security policies allows action Set Geofence on tokens, than users can store their home or temporary locations thru special interactive screen found in application settings. Firstly, user must define locations on screen’s map by manually touching on dedicated location and confirming popup dialog. Next authentication factors are verified based on the security policy and if it succeeds, User defined location is synchronized between all registered companies.
In case of verification a User with appropriate privileges, e.g. Manager (Verifier) using his/hers Token confirms another User's (Initiator) identity and action. Verification begins when User triggers an action or incident, which requires Verification based on the security policy. From verifiers perspective, Verification begins either directly by scanning a verification QR code from initiator’s Token, or by receiving a push notification, or via Dashboard. Verification can be configured in the security policy as a required action for any Basic Action or any policy violation - incident. Basic Action’s flow is then modified to accommodate the Verification after the usual authentication factors verification succeeds on the Initiator’s side. If successful, the Verifier is prompted to confirm the action using his/hers authentication factors on his/hers Token. Every security policy change also requires a verification of the change by Administrator.
Some Client implementations enable a session status monitoring as well as a remote termination. When a User decides to terminate a session via Excalibur, he/she is offered two actions: Lock and Logout. User on his/hers Token is prompted to confirm either of the two and upon dialog confirmation, given session on a Client is locked / logged out. Locked session persists User’s environment state on a Client as it was left, and Token keeps it in the sessions list with status “Locked”. Logout terminates a user session, thus all unsaved changes are lost. After logout, given session is cleared from Token’s sessions list and moved to the sessions history. This action doesn’t involve the usual factors verification.
If Company’s Active Directory policy requires users to change their password regularly or if Administrator sets that user must change his/hers password on the next login, User will be prompted to do so at the end of the next usual Authentication process on a Client, where User is automatically prompted to enter a current password as well as to set a new one on the Excalibur Login screen. This action alone doesn’t involve the usual factors verification.
TIP: For more information on Excalibur design, topology and technical explanation of its functionality, as well as its components interaction, please refer to the Excalibur Whitepaper.
There are various characteristics of every error for consideration such as which User role(s) might be presented with an error and which might be able to resolve it, on which component(s) error originates (Source component) and on which it might be presented to the User (Destination component), as well as for which Action(s) given error occurs. Destination components on which the User can encounter an error are the Token and Client, while the main gateway for errors and logs for the Managers, Administrators and Service desk operator is the Dashboard, with a few exceptions when these errors might occur on their personal Tokens, because they were involved in an administrative action (such as the Verification) they were taking.
Based on how errors might be produced in Excalibur, they could be categorized as follows:
User Action Errors - are triggered by some user action, and usually begin on the Client (integration) or the Token. The Source Component of this error might be any Component involved in the action, and Destination Component is usually the one user had begun the action on.
Administrative Action Errors - are triggered by actions of administrative personnel, mostly performed in the Dashboard, but sometimes also on their Tokens, if their Tokens were involved in the given action (such as Verification) in the first place. The Source Component of this error might be any Component involved in the action, and Destination Component is usually the one administrative personnel used to perform the action on.
Excalibur System Errors - are mainly triggered by an internal functioning of Excalibur Components - their internal actions, interaction with each other as well as an interaction with platforms they run on, networking and other IO operations, also by installation / uninstallation and configuration of these components, and a few can be triggered by some user action. Generally, they are reported to the Server where they are processed and logged to be available for a review by the responsible personnel via Excalibur Dashboard. System Errors are usually non-resolvable by the User, so if they are triggered by some user action, an actual error is always logged on the Server, but might not be propagated in the same form to the User. Lastly, few System Errors might be encountered by Administrators when they install and configure Excalibur components, which are directly presented and explained in these components.
Besides Errors, there are also Statuses which have an informative character of the application / Action state and are usually triggered by some user action or external circumstances such as networking issues. Because these statuses are fairly common and there are only a few of them, they will be categorized together with errors they might result into in their own section in the beginning.
In this document, errors will be examined by Actions and their flow in which they can occur, categorized under Excalibur components on which they are presented to a respective user (Destination Components). An emphasis will be given to the most common errors, and errors that can occur in case of multiple actions will be grouped together and generalized in the beginning and subsequently referenced in the document.
All the errors in this document are clearly denoted by the prefix err, while statuses are denoted by the prefix stat. Errors’ and Statuses’ origins - Source components are denoted in a postfix of each error / status title by the name of respective Component in parentheses, specifically: (Server), (Token), (Client), (Facade), (WebSDK).
Example:
err: sample_error (Token)
This example denotes an error named “sample_error” originated from component Token.
For dynamic values, which are inserted by Excalibur based on current Action and its context, placeholders are used in the document. Placeholders are denoted with “{ACTION}” and they are used for generalized errors / statuses that occur with multiple Actions, and later replaced in a context of each Action.
This perspective discusses errors which Destination Component is the User’s Token. Every category / Action further examined under this perspective is denoted by the prefix Token.
This category groups all the errors that might occur for various Actions but have the same meaning for all of them. Thus, a description of these errors is generalized.
authenticate, register, reset, verify, authorize, terminate (lock, logout), show password, set geofence
Resolver
User - retry
Desc
{ACTION} was unsuccessful due to network problem.
Fix
Please verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the {ACTION} again.
authenticate, register, reset, verify, authorize, show password, set geofence
Resolver
User - retry, Admin - assist with policy
Desc
default
Security Policy blocked this {ACTION} attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this {ACTION} attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this {ACTION} attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain {ACTION} such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the {ACTION} again once available, or contact your Administrator if the current security policy isn’t suitable for you.
User and Admin - report a bug, Support - debug and bugfix
Desc
Scanned QR code for {ACTION} is invalid.
Fix
The QR code was scanned properly, yet its content is invalid, which is an unexpected behaviour. It is likely that the user scans the code that is not generated by Excalibur. Please report this issue to your Administrator.
Admin Fix
Please report a bug to our Support. A photo of invalid QR code might be helpful.
Admin - assist with compatibility issues / report a bug
Desc
You try to interact with an old (incompatible) version of Excalibur.
Fix
Please address compatibility issues with your Administrator.
Admin Fix
Please verify user’s token and server versions in the Dashboard. Most likely user has an outdated version of Excalibur app on a smartphone. If the Server is outdated, then it should be updated. If there is no new server / token version available, or the error persists after the update, please contact our Support.
User - re-register, Admin - assist with re-register / report a bug
Desc
{ACTION} was unsuccessful because your User data on this phone are corrupted or missing, which might be due to a registration that didn’t finish successfully.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
User - re-register, Admin - assist with re-register / report a bug, Support - bugfix
Desc
{ACTION} was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
Statuses describe application state rather than show an error to the User. Statuses might result in errors based on current circumstances. This category groups all the statuses which Destination Component is the User’s Token. They might occur for various Actions but have the same meaning for all of them, thus their description is generalized.
Colleague / Supervisor (Manager) / Service Desk / Admin - verify user
Desc
Please ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your {ACTION}.
Fix
This action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively, your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.
User - wait / use OTP / check connection and retry
Desc
Login is taking longer than usual due to phone connection issues. Meanwhile, you can also log in with this OTP code.
Fix
Even though your phone’s internet connection seems to be unstable at the moment, your authentication attempt still continues in the background until it expires. You can either wait until your online login attempt finishes or use this OTP code for offline login meanwhile. Please check your phone’s connection after this action.
User - wait / use OTP / check connection and retry
Desc
Login is taking longer than usual because of computer connection issues. You can log in with this OTP code.
Fix
Even though your computer’s internet connection seems to be unstable at the moment, your authentication attempt still continues in the background until it expires. You can either wait until your online login attempt finishes or use this OTP code for offline login meanwhile. Please check your computer’s connection after this action.
Authentication is one of the Basic Actions which is based on a User intent of scanning a dynamically changing login QR code from the Client of choice. Its aim is to log in User into any of Company’s supported Clients (integrations), into which the User should have an access after successful multifactor verification.
The same as applicable for all the Basic Actions, Authentication might involve an additional Verification step based on Company security policy. Basic Authentication process could be divided into five phases:
Preparation on Token (online, offline)
Processing on Server (online)
Factors verification (online, offline)
Verification against Active Directory (online)
Processing on Client / WebSDK (online)
Next section consists of errors which may occur during some phase of authentication process (flow).
This phase is initiated by User after scanning Excalibur login QR with his token from the computer's screen or WebSDK component’s login page. QR code is then decoded and it’s content is validated locally on token. Based on data from QR, authentication intent is constructed and send over the network to the server for processing. Immediately after scanning the status screen is displayed on User’s token to show current authentication status, status of factors verification or to show following errors.
User and Admin - report a bug, Support - debug and bugfix
Desc
Scanned QR code for login is invalid.
Fix
The QR code was scanned properly, but its content is invalid, which is an unexpected behaviour. It is likely that the user scans the code that is not generated by Excalibur. Please report this issue to your Administrator.
Admin Fix
Please report a bug to our Support. A photo of invalid QR code might be helpful.
Login was unsuccessful due to the network problem.
Fix
Please verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the login again.
Admin - assist with compatibility issues / report a bug
Desc
You try to interact with an old (incompatible) version of Excalibur.
Fix
Please address compatibility issues with your Administrator.
Admin Fix
Please verify user’s token and server versions in the Dashboard. Most likely user has an outdated version of Excalibur app on a smartphone. If the Server is outdated, then it should be updated. If there is no new server / token version available, or the error persists after the update, please contact our Support.
User - wait / use OTP / check connection and retry
Desc
Login is taking longer than usual due to phone connection issues. Meanwhile, you can also log in with this OTP code.
Fix
Even though your phone’s internet connection seems to be unstable at the moment, your authentication attempt still continues in the background until it expires. You can either wait until your online login attempt finishes or use this OTP code for offline login meanwhile. Please check your phone’s connection after this action.
If authentication flow comes into this phase, we can call it from now online login or online authentication, because communication channel between token and server is established and active. All accounts matching and policy verifications are done on the server against online security policies. Most of errors in this section comes from account’s data incosistency or policy verification failures during authentication.
User - re-register, Admin - assist with re-register / report a bug
Desc
Login was unsuccessful because your User data on the Server are corrupted or missing, which might be due to a registration that didn’t finish successfully.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
User - re-register, Admin - assist with re-register / report a bug
Desc
Login was unsuccessful because your User data on this phone are corrupted or missing, which might be due to a registration that didn’t finish successfully.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
User - re-register, Admin - assist with re-register / report a bug
Desc
Login was unsuccessful because your Company data on this phone are corrupted or missing, which might be due to a registration that didn’t finish successfully.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
User - re-register, Admin - assist with re-register / report a bug, Support - bugfix
Desc
Login was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
Security Policy blocked this login attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this login attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this login attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain login such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the login again once available, or contact your Administrator if the current security policy isn’t suitable for you.
During authentication user must verify his identity by providing security factors based on Company security policy. Some factors as PIN or biometry requires some user interaction. In that case, token should show appropriate screen to gather those factors. All factors that needs to be verified are displayed as an icons on indicator at the top of the token’s status screen. Different icon colours are used to indicate status of that factor (red - failure, green - success). Every failure during this phase causes into error policy_failed besides of state for additional verification.
Security Policy blocked this login attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this login attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this login attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain login such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the login again once available, or contact your Administrator if the current security policy isn’t suitable for you.
Please ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your authentication.
Fix
This action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively, your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.
Errors in this section comes from credentials verification on Active Directory component - Facade. Presence of these errors indicates troubles with the user's AD account.
User - re-register, Admin - assist with re-register / report a bug, Support - bugfix
Desc
{ACTION} was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
Final phase of authentication is to log in User into their operating system or webservice. Before signing in, status of the client is controlled to check if there is nothing that will block login. In cases of offline authentication, OTP code generated on token is verified and used to login User.
User - wait / use OTP / check connection and retry
Desc
Login is taking longer than usual because of computer connection issues. You can log in with this OTP code.
Fix
Even though your computer’s internet connection seems to be unstable at the moment, your authentication attempt still continues in the background until it expires. You can either wait until your online login attempt finishes or use this OTP code for offline login meanwhile. Please check your computer’s connection after this action.
User - re-register, Admin - assist with re-register / report a bug
Desc
Login was unsuccessful because an invalid phone was used for the login attempt.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
User - re-register, Admin - assist with re-register / report a bug
Desc
Login was unsuccessful because the pairing of Excalibur on your phone and computer failed.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
User - re-register, Admin - assist with re-register
Desc
Login was unsuccessful because the pairing of Excalibur on your phone and computer has timeout.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in self-registration. If the problem persists or you cannot self-register, please contact your Administrator.
User - re-register, Admin - assist with re-register / report a bug
Desc
Login was unsuccessful because Excalibur was unable to decrypt the login password.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in self-registration. If the problem persists or you cannot self-register, please contact your Administrator.
Login was unsuccessful because offline Excalibur authentication with OTP isn’t supported on this device.
Fix
For some use-cases like RDP, Storefront and such, offline authentication might not be needed or desired, thus some devices might not support it. Please make sure your smartphone has an internet connection and try again.
User - re register account, Administrator - assistance with re-registration / report an error
Desc
Login has been unsuccessful. Excalibur can’t decrypt the login password.
Fix
To resolve this error, the new registration is needed. Please, start with scanning of registration QR code given by selfregistration. If the problem persists or you are unable to self-register, please contact your Administrator
Registration is one of the Basic Actions which needs to be done before any other action in Excalibur is available the User. It’s based on a User intent of scanning a registration QR code obtained in a self-registration process. Its aim is to register the User into Excalibur, during which authentication factors required by a security policy are set and User’s Token is initialized.
The same as applicable for all the Basic Actions, Registration might involve an additional Verification step based on Company security policy. Basic Registration process could be divided into three phases:
User and Admin - report a bug, Support - debug and bugfix
Desc
Scanned QR code for registration is invalid.
Fix
The QR code was scanned properly, but its content is invalid, which is an unexpected behaviour. It is likely that the user scans the code that is not generated by Excalibur. Please report this issue to your Administrator.
Admin Fix
Please report a bug to our Support. A photo of invalid QR code might be helpful.
Registration was unsuccessful due to a network problem.
Fix
Please verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the registration again.
Admin - assist with compatibility issues / report a bug
Desc
You try to interact with an old (incompatible) version of Excalibur.
Fix
Please address compatibility issues with your Administrator.
Admin Fix
Please verify user’s token and server versions in the Dashboard. Most likely user has an outdated version of Excalibur app on a smartphone. If the Server is outdated, then it should be updated. If there is no new server / token version available, or the error persists after the update, please contact our Support.
User - re-register, Admin - assist with re-register / report a bug
Desc
Registration was unsuccessful because your company certificate is corrupted.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
User - re-register, Admin - assist with re-register / report a bug, Support - bugfix
Desc
Registration was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
Security Policy blocked this registration attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this registration attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this registration attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain registration such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the registration again once available, or contact your Administrator if current security policy isn’t suitable for you.
Security Policy blocked this registration attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this registration attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this registration attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain registration such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the registration again once available, or contact your Administrator if current security policy isn’t suitable for you.
Colleague / Supervisor (Manager) / Service Desk / Admin - verify user
Desc
Please ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your registration.
Fix
This action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively, your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.
Factors reset is one of the Basic Actions available to Users on their initialized Tokens. This action involves verifying authentication factors and setting the new ones, both based on the security policy. The same as applicable for all the Basic Actions, Factors Reset might involve an additional Verification step based on Company security policy. Basic Factors Reset process could be divided into four phases:
Factors reset was unsuccessful due to network problem.
Fix
Please verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the factors reset again.
User - re-register, Admin - assist with re-register / report a bug, Support - bugfix
Desc
Factors reset was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
Security Policy blocked this factors reset attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this factors reset attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this factors reset attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain factors reset such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the factors reset again once available, or contact your Administrator if the current security policy isn’t suitable for you.
Security Policy blocked this factors reset attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this factors reset attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this factors reset attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain factors reset such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the factors reset again once available, or contact your Administrator if the current security policy isn’t suitable for you.
Colleague / Supervisor (Manager) / Service Desk / Admin - verify user
Desc
Please ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your factor’s reset.
Fix
This action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively,your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.
Security Policy blocked this factors reset attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this factors reset attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this factors reset attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain factors reset such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the factors reset again once available, or contact your Administrator if the current security policy isn’t suitable for you.
Show password is one of the Basic Actions available to Users on their initialized Tokens. This action involves verifying authentication factors to show their current password, based on the security policy. The same as applicable for all the Basic Actions, Show password might involve an additional Verification step based on Company security policy. Show password process could be divided into three phases:
Show password was unsuccessful due to network problem.
Fix
Please verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the factors reset again.
Security Policy blocked this show password attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this show password attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this show password attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain show password such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the show password again once available, or contact your Administrator if the current security policy isn’t suitable for you.
Security Policy blocked this show password attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this show password attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this show password attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain show password such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the show password again once available, or contact your Administrator if the current security policy isn’t suitable for you.
Colleague / Supervisor (Manager) / Service Desk / Admin - verify user
Desc
Please ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your action show password.
Fix
This action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively,your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.
Set geofence is one of the Basic Actions available to Users on their initialized Tokens. This action involves verifying authentication factors to set geofence, based on the security policy. The same as applicable for all the Basic Actions, setting geofence might involve an additional Verification step based on Company security policy. Set geofence process could be divided into three phases:
Set geofence was unsuccessful due to a network problem.
Fix
Please verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the factors reset again.
Security Policy blocked this set geofence attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this set geofence attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this set geofence attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain set geofence such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the set geofence again once available, or contact your Administrator if the current security policy isn’t suitable for you.
Security Policy blocked this show password attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this show password attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this show password attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain show password such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the show password again once available, or contact your Administrator if the current security policy isn’t suitable for you.
Colleague / Supervisor (Manager) / Service Desk / Admin - verify user
Desc
Please ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your action show password.
Fix
This action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively,your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.
Authorization is one of the Basic Actions in which contrary to the Authentication, User triggers his / hers intent on an Excalibur integration component (e.g. Radius), triggering a push notification for the Token, where after action confirmation, process continues similarly to the Authentication. The same as applicable for all the Basic Actions, Authorization might involve an additional Verification step based on Company security policy. Basic Authorization process could be divided into four phases:
Initiation on integration component (e.g. Radius)
Confirmation and preparation on Token
Processing on Server
Factors verification
Phase 1 - Initiation on integration component (e.g. Radius)¶
Authorization was unsuccessful due to network problem.
Fix
Please verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the authorization again.
User - re-register, Admin - assist with re-register / report a bug, Support - bugfix
Desc
Authorization was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
Security Policy blocked this authorization attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this authorization attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this authorization attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain authorization such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the authorization again once available, or contact your Administrator if the current security policy isn’t suitable for you.
Security Policy blocked this authorization attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this authorization attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this authorization attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain authorization such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the authorization again once available, or contact your Administrator if the current security policy isn’t suitable for you.
Colleague / Supervisor (Manager) / Service Desk / Admin - verify user
Desc
Please ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your authorization.
Fix
This action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively, your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.
Verification is one of the Special Actions that might be involved in any Basic Action as an additional step, based on Company security policy. Actions involving Verification first verify user’s own authentication factors and then proceeds with verification of the action by Users superior, who either scans verification QR code from User’s Token or if the supervisor is Manager or Administrator, he / she could verify the User via Dashboard. Verification process could be divided into three phases:
Verification was unsuccessful due to network problem.
Fix
Please verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the verification again.
User - re-register, Admin - assist with re-register / report a bug
Desc
Verification was unsuccessful because your User data on this phone are corrupted or missing, which might be due to a registration that didn’t finish successfully.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
User - re-register, Admin - assist with re-register / report a bug, Support - bugfix
Desc
Verification was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
Fix
This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.
Security Policy blocked this verification attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this verification attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this verification attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain verification such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the {ACTION} again once available, or contact your Administrator if current security policy isn’t suitable for you.
Security Policy blocked this verification attempt due to the failed factors verification.
pin_timeout
Security Policy blocked this verification attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factors
Security Policy blocked this verification attempt due to the failed verification of following factors: {FACTORS}.
Fix
There are several company security policies that might restrain verification such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the {ACTION} again once available, or contact your Administrator if current security policy isn’t suitable for you.
Colleague / Supervisor (Manager) / Service Desk / Admin - verify user
Desc
Please ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your verification.
Fix
This action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively, your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.
If the Client / integration component supports sessioning, Excalibur keeps track of a session lifecycle and enables remote Terminate operations - Lock and Logout. Session lifecycle is reported to User’s Token as well as to the Dashboard, where User or his / hers Manager or Administrator can terminate it. Thus, based on its origin, Termination process could be divided into two or three phases:
Preparation on Token (starts here if initiated on Token)
Processing on Server (starts here if initiated on the Server)
Lock/Logout was unsuccessful due to a network problem.
Fix
Please verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the lock/logout again.
User - report and re-register, Admin - report and assist with re-register, Support - debug and bugfix
Desc
Session {ACTION} was unsuccessful because associated accounts are missing.
Fix
Please report the issue to your Administrator. This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process.
Admin Fix
Please ensure there wasn't an issue which might have caused Excalibur database inconsistency or tampering. Otherwise, this is an unexpected behaviour that might be caused by an occasional bug. Please assist User with a new registration if needed and contact our support.
User - report and re-register, Admin - report and assist with re-register, Support - debug and bugfix
Desc
Session {ACTION} was unsuccessful because account requested to {ACTION} was not found on the computer with logged on session.
Fix
Please report the issue to your Administrator. This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process.
Admin Fix
Please ensure there wasn't an AD synchronization issue or for another reason missing account on the given Client. Otherwise, this is an unexpected behaviour that might be caused by an occasional bug. Please assist the User with a new registration and contact our support.
This is a set of platform-specific errors on Excalibur Android app. These errors originate from operations performed on the Android platform and specifics it incurs.
Excalibur utilizes your phone’s secure keystore, which locked after a while. Please unlock it with your screen lock to continue using Excalibur.
Fix
To unlock your phone's secure keystore please lock your phone and unlock it with your secure screen lock. Please note that Smart Lock or other vendor specific unlock extensions might not unlock the keystore.
Authentication is one of the Basic Actions which is based on a User intent of scanning a dynamically changing login QR code from the Client of choice. Its aim is to log in User into any of Company’s supported Clients (integrations), into which the User should have an access after successful multifactor verification.The same as applicable for all the Basic Actions, Authentication might involve an additional Verification step based on Company security policy. The special type of authentication is offline authentication, when client or token are disconnected, thus authentication factors cant be verified on the server. The login is realized with OTP code shown on the token which is rewrited to the client by the user. The following errors may occur on the client side during the authentication process.
User - Try again with right OTP code, Reregister account and try again, Service Desk - report to administrator
Desc
Client displays an error after rewriting OTP code
Fix
The OTP code is probably wrong rewrited. OTP code is uppercase sensitive. Character set: 0-9, a-z, A-Z. Large i, small L can be interchanged as well as zero and large O. Certificates may be corrupted.
Registration is one of the Basic Actions which needs to be done before any other action in Excalibur is available to the User. It’s based on a User intent of scanning a registration QR code obtained in a self-registration process or invitation email. Its aim is to register the User into Excalibur, during which authentication factors required by a security policy are set and User’s Token is initialized. The same as applicable for all the Basic Actions, Registration might involve an additional Verification step based on Company security policy. The following errors may occur on the client side during the registration process.
If the password has been changed or expired, Excalibur will prompt the user to create a new password or confirm the already changed password.The following errors may occur on the client side during the password changing or submitting..
Client displays an error after change of expired credentials.
Fix
Probably, the password for verification does not match with previous one
err: The password does not meet the password policy requirements. Check the minimum password length , password complexity and password history requirements (Client)¶
Resolver
User- try again with correct password which agree with security policy, Service Desk - Find out the rules for creating new passwords in the company. Assistance during password changing
Desc
Client displays an error after change of expired credentials.
Fix
Probably the new password has already been used, or does not reach the required length or does not comply with the security policy
Tokenless login is one of the Basic Actions which is based on a User intent of filling the credentials and reason why the user can not use online login to the Client of choice. Its aim is to log in User into any of Company’s supported Clients (integrations), into which the User should have an access after successful multifactor verification.The same as applicable for all the Basic Actions, Tokenless login might involve an additional Verification step based on Company security policy. The following errors may occur on the client side during the Tokenless login process.
User - try again with correct credentials. Service Desk, Administrator - check account in AD
Desc
Client displays an error after credentials providing
Fix
Probably wrong credentials, or account is not created in Active Directory, or is it deleted. For Tokenless login, the account must be registered on at least one phone, otherwise the client will report this error
User - check the network connection, choose other network if it is available, Login with OTP password, Service Desk - report to Administrator - check server availability
Desc
Client displays that is not connected to Excalibur server
Fix
PC is not connected to network, or Excalibur Server is not available
User, Service Desk - Check that client is installed on the client, Service Desk - report to Administrator - Check the path for loading of CPUI,
Desc
The client is not loaded after starting the PC
Fix
The CPUI load path may not be available, or the Client may not be available on the specified path. Possible uninstallation or incorrect installation of the Client