2-step challenge/response: Cleartext separate password format

The following table applies when SOAP uses the Cleartext Separate password format.

The column Stored Password Proxy Off AND Back-End Auth. Required contains Yes if:

  • The Stored Password Proxy feature is not enabled.
  • AND back-end authentication is enabled.

In most cases, this does not affect 2-step challenge/response; it matters only when the request method is Keyword only.

Table: Logon permutations – 2-step challenge/response cleartext separate
| Logon type | Request method | Stored password proxy off AND back-end authentication required | Input fields required for pre-challenge step | Input fields required for response step |
|---|---|---|---|---|
| Normal logon | Keyword | Yes | Keyword | Password+OTP |
| Normal logon | Keyword | No | Keyword | OTP |
| Normal logon | Password | N/A | Password | OTP |
| Normal logon | Keyword-Password | N/A | Keyword+Password | OTP |
| Normal logon | Password-Keyword | N/A | Password+Keyword | OTP |
| Changed Password | Keyword | N/A | Keyword | Password+OTP |
| Changed Password | Password | N/A | Password | OTP |
| Changed Password | Keyword-Password | N/A | Keyword+Password | OTP |
| Changed Password | Password-Keyword | N/A | Password+Keyword | OTP |
| Self-assignment[1] | N/A | N/A | Password | SerialNo (separate parameter)[2]; OTP |

A self-assignment process that uses 2-step challenge/response is always done using the static password. The request method is not applicable until after the authenticator is assigned to the user account.

  1. Back-end authentication is still required for successful self-assignment.
  2. If a serial number separator is not set, the serial number must have all non-numerical characters removed and be padded to 10 characters with preceding zeroes.
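
The sketch below is an added example, not code from the product or its SDK. It encodes the normal-logon and changed-password rows of the table as a client-side pre-flight check and applies the serial number rule from note 2. The function names and the lower-case logon type and request method strings are hypothetical, and rejecting serial numbers with no digits or more than 10 digits is an assumption the page does not state.

```python
import re

# Pre-challenge input per request method, as listed in the table.
PRE_CHALLENGE = {
    "keyword": "Keyword",
    "password": "Password",
    "keyword-password": "Keyword+Password",
    "password-keyword": "Password+Keyword",
}


def proxy_off_and_backend_required(proxy_enabled, backend_auth):
    """The 'Yes' condition: Stored Password Proxy off AND back-end auth on."""
    return (not proxy_enabled) and backend_auth


def required_fields(logon_type, request_method, proxy_enabled, backend_auth):
    """Return (pre-challenge fields, response fields) for one table row."""
    if logon_type not in ("normal", "changed_password"):
        raise ValueError("unsupported logon type: %r" % logon_type)
    if request_method not in PRE_CHALLENGE:
        raise ValueError("unknown request method: %r" % request_method)
    response = "OTP"
    if request_method == "keyword":
        # Keyword only: no password was sent in the pre-challenge step, so it
        # moves to the response step for a changed password, or when the
        # back end must verify it and no stored password is proxied.
        if logon_type == "changed_password" or proxy_off_and_backend_required(
            proxy_enabled, backend_auth
        ):
            response = "Password+OTP"
    return PRE_CHALLENGE[request_method], response


def normalize_serial(serial):
    """Note 2: strip non-numerical characters, left-pad with zeroes to 10."""
    digits = re.sub(r"[^0-9]", "", serial)
    if not digits or len(digits) > 10:
        # Assumption: such input is rejected rather than truncated.
        raise ValueError("serial number must contain 1 to 10 digits")
    return digits.zfill(10)


if __name__ == "__main__":
    # Constructed sample values, not real authenticator data.
    print(required_fields("normal", "keyword", False, True))
    print(normalize_serial("97-123456-7"))
```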