Challenge-Response Authentication (Policy)

The following is an overview of the relevant default settings of Challenge/Response authentication with OneSpan Cloud Authentication.

  • Parent policy: Identikey Local Authentication

Challenge-Response Authentication—Default parameter settings
Parameter name Default value Description
1step_cr_enabled Yes - Any Challenge

1-Step Challenge/Response - Permitted

This controls whether 1-step Challenge/Response logins will be enabled for the current policy and, if so, where the challenge should originate.

To enable 1-step Challenge/Response, you also need to set Challenge Check Mode (see below).

Possible values:

  • Default. Use the setting of the parent policy.
  • No. 1-step Challenge/Response may not be used.
  • Yes – Server Challenge. 1-step Challenge/Response may be used if the instance of the Authentication component verifying the response also generated the challenge.
  • Yes – Any Challenge. 1-step Challenge/Response may be used with any random challenge.

1step_cr_length 7

Challenge Length

Specifies the length of the challenge (excluding a check digit) which should be generated for 1-step Challenge/Response logins.

chal_check_mode 0

Challenge Check Mode

This setting is for advanced control over time-based Challenge/Response authentication. 1 is the default value if the setting is not specified at all.

Possible values:

  • 0. The challenge is not checked at all. This is necessary for a 1-step Challenge/Response.
  • 1. The challenge presented for verification must be the last one that was generated specifically for that authenticator. This is the normal mode of operation in a 2-step Challenge/Response.
  • 2. The challenge presented for verification is ignored. Instead, the last one that was generated specifically for that authenticator is used.
  • 3. Only one verification is permitted per time step. This option only applies to time-based Challenge/Response procedures. This is a method of avoiding a potential replay of a captured response if the same challenge comes up again in the same time step.
  • 4. If the same challenge and response are presented for verification twice in a row during the same time step, they are rejected. This is an advanced method of avoiding a potential replay of a captured Challenge/Response.
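
The five Challenge Check Mode values can be compared with a small model that presents the same challenge and response twice within one time step. This is an added example, not OneSpan code: it encodes only the descriptions in the list above and does not reflect any other checks the product may apply. Assumptions: the HMAC-based `demo_response` function, the `Verifier` class, the key and the challenges are constructed for illustration, and mode 3 is read as any verification attempt consuming the time step.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample secret, not a real seed

def demo_response(challenge, step):
    """Stand-in response function (assumption); not OneSpan's algorithm."""
    mac = hmac.new(KEY, f"{challenge}|{step}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

class Verifier:
    """Hypothetical model of chal_check_mode 0-4 for one authenticator."""

    def __init__(self, mode):
        self.mode = mode
        self.issued = None     # last challenge generated for this authenticator
        self.used_step = None  # mode 3: time step that already saw a verification
        self.last_pair = None  # mode 4: previous (challenge, response, step)

    def issue(self, challenge):
        self.issued = challenge
        return challenge

    def verify(self, challenge, response, step):
        if self.mode == 1 and challenge != self.issued:
            return False                  # must match the last issued challenge
        if self.mode == 2:
            challenge = self.issued       # presented challenge is ignored
        if self.mode == 3:
            if self.used_step == step:
                return False              # one verification per time step
            self.used_step = step
        if self.mode == 4:
            pair = (challenge, response, step)
            repeated = pair == self.last_pair
            self.last_pair = pair
            if repeated:
                return False              # same pair twice in a row, same step
        if challenge is None:
            return False
        return hmac.compare_digest(response, demo_response(challenge, step))

def replay_outcome(mode, step=1000):
    """Present one captured (challenge, response) pair twice in one time step."""
    v = Verifier(mode)
    challenge = v.issue("4831907")        # constructed 7-digit challenge
    response = demo_response(challenge, step)
    return v.verify(challenge, response, step), v.verify(challenge, response, step)

if __name__ == "__main__":
    for m in (0, 3, 4):
        print(m, replay_outcome(m))
```

In this model, modes 3 and 4 both reject the repeated pair, but only mode 3 also rejects a different valid challenge presented in the same time step.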