Authenticator programming

There are various authenticator settings that can affect common administrative tasks.

Authenticator client PIN

An authenticator (client) PIN is a numeric secret, known only to the user, that must be typed into the authenticator before it will generate a new one-time password (OTP). This provides two-factor authentication: the person logging in must possess the authenticator (something you have) and know the authenticator PIN (something you know) to obtain an OTP.

Authenticator PIN settings include:

  • Initial PIN. An initial PIN can be set for an authenticator. This PIN must be sent to the authenticator user, typically separately from the authenticator itself, so that interception of one delivery does not yield both factors.
  • First use PIN modification. This requires a PIN change from the user upon the first use of the authenticator.
  • PIN change. This allows a user to change the authenticator PIN as desired.
  • PIN length. The required number of PIN digits can be set for an authenticator.
  • Authenticator lock. This sets the number of consecutive incorrect PIN entries allowed before the authenticator is locked.

The authenticator client PIN requires an authenticator with a keypad to type the PIN. It is not possible with one-button authenticator models (see Authenticators). The server PIN is an alternative solution for two-factor authentication only available with one-button authenticator models (see Server PIN).
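As an added example (not code from the original documentation or from the product it describes), the following Python model shows how the client PIN settings above interact on a keypad authenticator: initial PIN, first-use PIN modification, PIN change, PIN length and the authenticator lock. Rather than generating an OTP, unlock_for_otp() reports whether the PIN check has authorised OTP generation; the class and method names, and the decision that only consecutive failures count towards the lock, are this example's own assumptions.

```python
"""Added example: client PIN handling on a keypad authenticator.
Not the product's own code; names and bookkeeping are assumptions."""
from dataclasses import dataclass
import hmac


@dataclass(frozen=True)
class PinSettings:
    pin_length: int = 4          # required number of PIN digits
    lock_after: int = 3          # consecutive wrong PINs before the authenticator locks
    first_use_change: bool = True


class AuthenticatorLocked(Exception):
    """Raised once the lock threshold is reached; only re-programming clears it."""


class PinPolicyError(ValueError):
    """A PIN that violates the configured settings."""


class PinProtectedAuthenticator:
    def __init__(self, settings: PinSettings, initial_pin: str):
        self.settings = settings
        self._require_policy(initial_pin)
        self._pin = initial_pin
        self.failed_attempts = 0
        self.locked = False
        # First-use PIN modification: the initial PIN may not be used for an OTP.
        self.must_change = settings.first_use_change

    def _require_policy(self, pin: str) -> None:
        """PIN length setting: exactly pin_length ASCII digits."""
        if not (pin.isascii() and pin.isdigit() and len(pin) == self.settings.pin_length):
            raise PinPolicyError(f"PIN must be exactly {self.settings.pin_length} digits")

    def _check(self, pin: str) -> bool:
        """Constant-time PIN compare plus the consecutive-failure lock counter."""
        if self.locked:
            raise AuthenticatorLocked("authenticator is locked")
        if hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.failed_attempts = 0          # a correct PIN resets the counter
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.settings.lock_after:
            self.locked = True                # authenticator lock setting
        return False

    def unlock_for_otp(self, pin: str) -> bool:
        """True when the PIN is correct and an OTP may now be generated."""
        if not self._check(pin):
            return False
        if self.must_change:
            raise PinPolicyError("the initial PIN must be changed before first use")
        return True

    def change_pin(self, old_pin: str, new_pin: str) -> bool:
        """PIN change; a wrong old PIN counts towards the lock like any failure."""
        if not self._check(old_pin):
            return False
        self._require_policy(new_pin)
        if new_pin == old_pin:
            raise PinPolicyError("new PIN must differ from the current PIN")
        self._pin = new_pin
        self.must_change = False
        return True


if __name__ == "__main__":
    auth = PinProtectedAuthenticator(PinSettings(), "1234")   # constructed demo PIN
    auth.change_pin("1234", "9876")
    print("OTP allowed:", auth.unlock_for_otp("9876"))
```

The lock is deliberately not cleared by a later correct PIN: with a four-digit space the lock counter is the only thing standing between a stolen device and a brute-force of the PIN, so recovery belongs to the administrator (re-programming), not to the device.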

Each authenticator can be given a grace period when it is assigned to a user account (see Grace period).

Time/event-based authenticator applications

Time-based and event-based modes differ between authenticator application types (see Table: Time-based and event-based modes of authenticator application types).

Table: Time-based and event-based modes of authenticator application types

Response-Only
  Time-based mode: Generates an OTP based on the current time. The common time step used is 36 seconds. This means that the OTP displayed changes every 36 seconds, whether or not an OTP has been requested from the authenticator.
  Event-based mode: Generates a new OTP each time an OTP is requested.

Challenge/Response
  Time-based mode: Generates an OTP based on the challenge given and the current time. The common time step used is 9 hours (slow challenge). This means that if exactly the same challenge is given to the authenticator within a 9-hour period, the authenticator application generates the same OTP, so a server should not reissue a challenge within that period. In practice challenges are very rarely repeated within such a period.
  Event-based mode: Generates an OTP based on the challenge given only.

Signature
  Time-based mode: Generates a different signature for the same input data at different times.
  Event-based mode: Contains a numeric counter that increases every time a signature is generated, so signing the same input data twice produces two different signatures.

A signature authenticator application can also be neither time-based nor event-based. Such authenticator applications always produce the same signature for the same input, so it makes no difference whether the signature is verified in real time or deferred.
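The following Python model, added here as an example and not taken from the original documentation or the product, exercises every cell of the table above: Response-Only with a 36-second step or a request counter, Challenge/Response with the 9-hour slow-challenge step or challenge only, and Signature in time-based, event-based and neither mode. The real authenticator algorithm is proprietary, so as an assumption HMAC-SHA256 truncated to decimal digits stands in for it; the demo key, the class names, and the 36-second step used for time-based signatures (the page gives none) are also assumptions.

```python
"""Added example: time-based vs event-based modes of the three application
types.  HMAC-SHA256 is an assumed stand-in for the proprietary OTP function."""
import hashlib
import hmac

# Constructed demo key; a real authenticator holds a per-device secret.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

RESPONSE_ONLY_STEP = 36            # seconds per time step (Response-Only)
SLOW_CHALLENGE_STEP = 9 * 60 * 60  # seconds per time step (slow challenge)
SIGNATURE_STEP = 36                # assumed; the page gives no signature step


def _digits(key: bytes, message: bytes, length: int) -> str:
    """Assumed stand-in for the proprietary OTP/signature function."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** length).zfill(length)


class ResponseOnly:
    """Time-based: OTP depends only on the 36-second window.
    Event-based: a counter advances on every request."""

    def __init__(self, key: bytes, time_based: bool, otp_length: int = 6):
        self.key, self.time_based, self.otp_length = key, time_based, otp_length
        self.counter = 0

    def otp(self, now: int) -> str:
        if self.time_based:
            window = now // RESPONSE_ONLY_STEP
            return _digits(self.key, b"RO|T|%d" % window, self.otp_length)
        self.counter += 1
        return _digits(self.key, b"RO|E|%d" % self.counter, self.otp_length)


class ChallengeResponse:
    """Time-based (slow challenge): the same challenge gives the same OTP
    within one 9-hour window.  Event-based: depends on the challenge only."""

    def __init__(self, key: bytes, time_based: bool, otp_length: int = 6):
        self.key, self.time_based, self.otp_length = key, time_based, otp_length

    def otp(self, challenge: str, now: int) -> str:
        msg = b"CR|" + challenge.encode()
        if self.time_based:
            msg += b"|%d" % (now // SLOW_CHALLENGE_STEP)
        return _digits(self.key, msg, self.otp_length)


class Signature:
    """mode 'time': varies with the time window; 'event': a counter increments
    per signature; 'none': the same input always yields the same signature."""

    def __init__(self, key: bytes, mode: str, signature_length: int = 8):
        if mode not in ("time", "event", "none"):
            raise ValueError("mode must be 'time', 'event' or 'none'")
        self.key, self.mode, self.signature_length = key, mode, signature_length
        self.counter = 0

    def sign(self, fields, now: int) -> str:
        # Fields are numeric in practice, so '|' is a safe separator here.
        msg = b"SG|" + "|".join(fields).encode()
        if self.mode == "time":
            msg += b"|T%d" % (now // SIGNATURE_STEP)
        elif self.mode == "event":
            self.counter += 1
            msg += b"|C%d" % self.counter
        return _digits(self.key, msg, self.signature_length)


if __name__ == "__main__":
    ro = ResponseOnly(DEMO_KEY, time_based=True)
    print("same 36 s window:", ro.otp(1008) == ro.otp(1043))     # True
    cr = ChallengeResponse(DEMO_KEY, time_based=True)
    print("same 9 h window :", cr.otp("12345678", 0) == cr.otp("12345678", 8 * 3600))
    sig = Signature(DEMO_KEY, "event")
    print("counter advances:", sig.sign(["100", "42"], 0) != sig.sign(["100", "42"], 0))
```

Note what the model makes visible: in time-based Challenge/Response a captured response stays valid for the rest of the 9-hour window for that challenge, which is why the server must never reissue a challenge inside the window; in event-based modes the server must track the counter (or a window of counters) to stay synchronised with the device.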

OTP length

This setting refers to the length of the OTP values generated by the authenticator for Response-Only and Challenge/Response authenticator applications.

A check digit may be added to each OTP. It is generated from the response and lets the server reject mistyped or otherwise malformed OTP values quickly, before the full verification. The OTP length setting does not include the check digit.

Challenge length

This setting refers to the length of the challenge that should be expected by the authenticator. This is used by Challenge/Response authenticator applications.

A check digit may be expected with each challenge. It is generated by the server from the challenge and allows the authenticator to reject most mistyped challenges before computing a response. Unlike the OTP length, the challenge length does include the check digit.

Signature settings

Signature authenticator applications can be configured with the following settings:

  • Signature length. The length of the signature generated by the authenticator.
  • Signature data fields. The data fields that may be provided when signing a transaction. There may be from 1 to 8 fields, each field with a minimum length of 0 and a maximum length of 16.
  • Check digit. A check digit for transaction signatures (signature data fields) is optional.
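The following Python example, added here and not part of the original documentation or the product, shows how the OTP length and check digit, the challenge length and check digit, and the signature settings above constrain what the authenticator produces and accepts: the OTP length excludes its check digit, the challenge length includes its check digit, and signature data fields are limited to 1 to 8 fields of 0 to 16 digits. The page does not name the check-digit algorithm, so a Luhn (mod-10) check digit is assumed; the page also does not say whether the optional signature check digit protects the data fields or the signature, and this example takes it to protect each data field typed into the authenticator. The signature function is again an assumed HMAC stand-in.

```python
"""Added example: length and check-digit settings.  Luhn mod-10 and the HMAC
signature stand-in are assumptions, not the product's algorithms."""
from dataclasses import dataclass
import hashlib
import hmac

DEMO_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")   # constructed
MAX_FIELDS, MAX_FIELD_LENGTH = 8, 16


def is_digits(s: str) -> bool:
    return s.isascii() and s.isdigit()


def check_digit(payload: str) -> str:
    """Luhn mod-10 check digit over a string of decimal digits (assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                     # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def check_digit_ok(value: str) -> bool:
    return len(value) >= 2 and is_digits(value) and check_digit(value[:-1]) == value[-1]


@dataclass(frozen=True)
class OtpSettings:
    otp_length: int = 6               # OTP digits, NOT counting the check digit
    otp_check_digit: bool = True
    challenge_length: int = 8         # challenge digits, INCLUDING the check digit
    challenge_check_digit: bool = True


def display_otp(response: str, s: OtpSettings) -> str:
    """What the authenticator shows: the response plus its optional check digit."""
    if len(response) != s.otp_length or not is_digits(response):
        raise ValueError("response does not match the OTP length setting")
    return response + check_digit(response) if s.otp_check_digit else response


def otp_format_ok(entered: str, s: OtpSettings) -> bool:
    """Cheap server-side pre-check before the expensive OTP verification."""
    expected = s.otp_length + (1 if s.otp_check_digit else 0)
    if len(entered) != expected or not is_digits(entered):
        return False
    return check_digit_ok(entered) if s.otp_check_digit else True


def make_challenge(random_digits: str, s: OtpSettings) -> str:
    """Server side: the check digit is part of the configured challenge length."""
    payload_len = s.challenge_length - (1 if s.challenge_check_digit else 0)
    payload = random_digits[:payload_len]
    if len(payload) != payload_len or not is_digits(payload):
        raise ValueError("not enough random digits for the challenge length")
    return payload + check_digit(payload) if s.challenge_check_digit else payload


def challenge_ok(challenge: str, s: OtpSettings) -> bool:
    """Authenticator side: reject a mistyped challenge before computing a response."""
    if len(challenge) != s.challenge_length or not is_digits(challenge):
        return False
    return check_digit_ok(challenge) if s.challenge_check_digit else True


@dataclass(frozen=True)
class SignatureSettings:
    signature_length: int = 8
    field_check_digit: bool = False   # optional check digit on each data field


def validate_fields(fields, s: SignatureSettings) -> list:
    """Enforce 1..8 fields of 0..16 digits each; return the payloads to sign."""
    if not 1 <= len(fields) <= MAX_FIELDS:
        raise ValueError("between 1 and 8 signature data fields are required")
    payloads = []
    for f in fields:
        if len(f) > MAX_FIELD_LENGTH or (f and not is_digits(f)):
            raise ValueError(f"field {f!r} exceeds 16 digits or is not numeric")
        if s.field_check_digit and f:
            if not check_digit_ok(f):
                raise ValueError(f"field {f!r} failed its check digit")
            f = f[:-1]                 # strip the check digit before signing
        payloads.append(f)
    return payloads


def sign(fields, s: SignatureSettings, key: bytes) -> str:
    """Assumed HMAC stand-in, truncated to the configured signature length."""
    payloads = validate_fields(fields, s)
    mac = hmac.new(key, "|".join(payloads).encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** s.signature_length).zfill(s.signature_length)
```

A check digit only catches typing errors; it adds no secrecy, and a server pre-check on the OTP check digit must not leak anything beyond "malformed", which is why otp_format_ok() returns the same False for a wrong length and a wrong check digit.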