Challenge generation

There are two modes of generating a challenge for Challenge/Response authenticator applications:

  • 2-step challenge/response
  • 1-step challenge/response

2-step challenge/response

This mode can be used for Web authentication, where Challenge/Response is supported. In this mode, the authentication process takes place in two steps.

First, the users request a challenge to be generated. How the users request the challenge is defined by the Request Method and Request Keyword policy settings. The challenge is generated specifically for their authenticator and in accordance with the specified settings (see Request methods and request keywords).

When a challenge is returned, the users submit a second step logon with the response to the challenge as their OTP. This second step goes through the whole authentication process again to verify the response.

1-step challenge/response

This mode is also possible for Web authentication, where Challenge/Response is supported. In this mode, the user sees only one logon step. This mode is suitable for time-based Challenge/Response, but is less secure for non-time-based Challenge/Response. If an attacker manages to capture some valid responses, the attacker can repeatedly request new challenges until a known one comes up again.

With 1-step Challenge/Response, a random challenge is requested automatically by the Web application and presented to the users on the login page. A general-purpose challenge is generated, without reference to any particular authenticator's programming. The users log in with their response to the challenge as their OTP.
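The following added example (not part of the original documentation or the product's code) quantifies the risk described above for non-time-based 1-step mode and sketches a server-side guard against it. The decimal challenge format, the class `OneStepChallengeGuard`, its request cap and the `response_valid` input are assumptions made for illustration.

```python
import secrets


def replay_hit_probability(challenge_digits, captured, requests):
    """Chance that at least one of `requests` uniformly random challenges
    matches one of `captured` challenges whose responses are known."""
    space = 10 ** challenge_digits
    if captured >= space:
        return 1.0
    return 1.0 - (1.0 - captured / space) ** requests


class OneStepChallengeGuard:
    """Hypothetical server-side guard for non-time-based 1-step mode."""

    def __init__(self, challenge_digits=6, max_requests=5):
        self.challenge_digits = challenge_digits
        self.max_requests = max_requests  # cap per client; a real deployment
        self._issued_count = {}           # would reset it per time window
        self._open = {}                   # client id -> outstanding challenges
        self._answered = set()            # (user, challenge) already accepted

    def issue(self, client_id):
        """Return a fresh random challenge, or None once the client is throttled."""
        count = self._issued_count.get(client_id, 0)
        if count >= self.max_requests:
            return None
        self._issued_count[client_id] = count + 1
        value = secrets.randbelow(10 ** self.challenge_digits)
        challenge = f"{value:0{self.challenge_digits}d}"
        self._open.setdefault(client_id, set()).add(challenge)
        return challenge

    def accept(self, user, client_id, challenge, response_valid):
        """`response_valid` is the authenticator back end's verdict (assumed input)."""
        if challenge not in self._open.get(client_id, set()):
            return False                  # never issued to this client
        self._open[client_id].discard(challenge)  # single use per issuance
        if not response_valid or (user, challenge) in self._answered:
            return False                  # wrong response, or a replayed pair
        self._answered.add((user, challenge))
        return True


if __name__ == "__main__":
    for digits in (4, 6, 8):
        print(digits, round(replay_hit_probability(digits, 20, 1000), 4))
```

The probability function shows why short challenges and unlimited challenge requests combine badly; the guard only blocks pairs the server has already accepted, so it complements rather than replaces longer or time-based challenges.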