Request methods and request keywords
For 2-step Challenge/Response and Virtual Mobile Authenticator, the method of requesting a challenge or OTP are defined in the policy. The methods for primary and backup Virtual Mobile Authenticator are defined separately.
The possible request methods are:
- Keyword. Use the fixed request keyword, with or without another item.
- KeywordOnly. Use only the fixed keyword, which can be blank.
- Password. Use the static password.
- KeywordPassword. Use the request keyword followed by the static password. No separator or whitespace characters should be between them.
- PasswordKeyword. Use the static password followed by the request keyword. No separator or whitespace characters should be between them.
- KeywordPIN. Use the request keyword followed by the PIN.
If the password is used for the request method, and a user's authenticator is still within the grace period, OneSpan Authentication Server may process the authentication with the password only and not as a 2-step Challenge/Response or Virtual Mobile Authenticator logon.
The static password is compared against the password stored in the user account:
- If the user account does not have a password set, the password has to be verified via back-end authentication. If back-end authentication is disabled and no password is set in the user account, the request methods that use a password will not work.
- If the passwords do not match and back-end authentication is enabled, the password will be verified via back-end authentication.
The methods to request these three logon processes can be the same. When OneSpan Authentication Server recognizes a request, it will verify that there is an authenticator capable to handle that logon process. If there is not, OneSpan Authentication Server will ignore the request.
The request methods for primary and backup Virtual Mobile Authenticator are both defined as keyword otp. A user has a Digipass GO 7 with backup Virtual Mobile Authenticator enabled. When the user logs on with the keyword otp, OneSpan Authentication Server generates a backup Virtual Mobile Authenticator OTP, because the user does not have a primary Virtual Mobile Authenticator.