Integration of User Login with Challenge/Response

With OneSpan Cloud Authentication you can implement functionality for your users to log in to your web application via Challenge/Response authentication. This can also be combined with other types of one-time password (OTP)-based authentication.

An authenticator (hardware or software) that supports Challenge/Response authentication is provisioned for the user. When the authenticator is allocated, a hardware authenticator can be defined to use either Challenge/Response or time-based OTPs; this setting can be modified later as needed.

For Challenge/Response authentication with OneSpan Cloud Authentication, the challenge is not tied to a single authenticator; it can be used with any authenticator from the set of compatible ones. The only constraints are the challenge length and whether a check digit is present. When the challenge is generated externally, the same limits (length, check-digit presence) apply.

Authenticators offer two types of challenges:

  • Time-based: The authenticator generates an OTP based on the provided challenge and the current time.
  • Event-based: The authenticator generates an OTP based only on the provided challenge.

Event validation uses the POST /users/{userID@domain}/events/validate endpoint. For a login, the request must specify the event type LoginAttempt.

Login flow

Login flow - Challenge/Response OTP

For Challenge/Response authentication, the web application requests a random challenge and presents it to the user on the login page. The user enters the challenge into their authenticator, which computes the response (an OTP), and enters that response on the login page. Once the response has been validated, authentication is complete.

Sequence of a login operation with Challenge/Response

  1. The user initiates the login operation and triggers the client application to send a request to the web service to generate a challenge. This request identifies the following parameters:
    • authenticator user
    • authenticator domain
  2. The web service requests a challenge from OneSpan Cloud Authentication and presents the returned challenge to the user. The request ID associated with the challenge is kept by the web service for the validation step.
  3. The user enters the challenge into the authenticator and submits the resulting Challenge/Response OTP through the client application.
  4. The web service validates the Challenge/Response OTP, submitting the OTP together with the request ID of the challenge.

    1. OneSpan Cloud Authentication returns the validation result of the OTP.
    2. The Login service forwards the validation result to the web service.
  5. The client application checks the status of the login request with the web service.
  6. The web service returns to the client application whether authentication has been successful.

Integration of the user login with Challenge/Response

A sequence of requests is required to integrate user authentication with Challenge/Response.

To integrate user authentication with Challenge/Response

  1. Issue a generateChallenge request with the POST /users/{userid@domain}/generate-challenge endpoint:

    • Payload:

      • length: number

        Possible values: min. 4, max. 16.

        By default, the length is set to 6 in the TID Platform API to reflect the Challenge/Response application properties of a standard TID authenticator.

      • checkDigit: boolean

        Possible values: true or false.

  2. Issue a login request with the POST /users/{userid@domain}/login endpoint. Include the request ID obtained from the generate-challenge request and the OTP the authenticator computed from the challenge. The OTP is only meaningful together with the request ID of the challenge it was computed for, so both must be submitted in the same request.

    • Payload:

      • objectType: "LoginInput"
      • credentials.authenticator.OTP
      • requestID
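The two-step sequence above (generate a challenge, then log in with the OTP and the request ID), written out as an added example; this is not OneSpan's own code and is not taken from the page. The endpoint paths and payload field names (length, checkDigit, objectType, credentials.authenticator.OTP, requestID) are the ones documented above. Everything else is an assumption: the base URL and bearer-token Authorization header used by the real transport, the response field names "challenge" and "requestID", treating HTTP 200 as the success status, and the constructed in-memory stand-in (FakeOneSpan) that lets the flow run offline. The server-side wrapper keeps the requestID in its own session store rather than sending it to the browser, so a client cannot pair an OTP with a challenge it was never shown, and it consumes each challenge after a single attempt.

```python
import json
import secrets
import urllib.error
import urllib.request
from urllib.parse import quote

# Limits the page states for the generate-challenge payload.
MIN_CHALLENGE_LENGTH = 4
MAX_CHALLENGE_LENGTH = 16
DEFAULT_CHALLENGE_LENGTH = 6


def build_generate_challenge_payload(length=DEFAULT_CHALLENGE_LENGTH, check_digit=False):
    """Payload for POST /users/{userid@domain}/generate-challenge (fields from the page)."""
    if isinstance(length, bool) or not isinstance(length, int):
        raise TypeError("length must be an int")
    if not MIN_CHALLENGE_LENGTH <= length <= MAX_CHALLENGE_LENGTH:
        raise ValueError("length must be between 4 and 16")
    if not isinstance(check_digit, bool):
        raise TypeError("checkDigit must be true or false")
    return {"length": length, "checkDigit": check_digit}


def build_login_payload(otp, request_id):
    """Payload for POST /users/{userid@domain}/login (fields from the page)."""
    if not isinstance(otp, str) or not otp.strip():
        raise ValueError("OTP is required")
    if not isinstance(request_id, str) or not request_id:
        raise ValueError("requestID from generate-challenge is required")
    return {
        "objectType": "LoginInput",
        "credentials": {"authenticator": {"OTP": otp.strip()}},
        "requestID": request_id,
    }


def user_path(user_id, domain):
    """/users/{userid@domain} prefix; both parts are validated and URL-encoded so a
    crafted user name cannot inject extra path segments or a different domain."""
    if not user_id or not domain or "@" in user_id or "/" in user_id + domain:
        raise ValueError("invalid user or domain")
    return "/users/%s@%s" % (quote(user_id, safe=""), quote(domain, safe=""))


def urllib_transport(base_url, api_key):
    """Transport for a real deployment. Assumed (not from the page): JSON bodies and a
    bearer token in the Authorization header. Returns (http_status, parsed_body)."""
    def send(path, payload):
        req = urllib.request.Request(
            base_url + path, data=json.dumps(payload).encode(), method="POST",
            headers={"Content-Type": "application/json", "Authorization": "Bearer " + api_key})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return send


class FakeOneSpan:
    """Constructed in-memory stand-in for the two endpoints so the flow runs offline.
    The response field names "challenge" and "requestID" are assumptions."""
    def __init__(self, challenge="483921", accepted_otp="123456"):
        self.challenge, self.accepted_otp, self.calls = challenge, accepted_otp, []

    def __call__(self, path, payload):
        self.calls.append((path, payload))
        if path.endswith("/generate-challenge"):
            return 200, {"challenge": self.challenge, "requestID": "req-%d" % len(self.calls)}
        if path.endswith("/login") and payload.get("requestID"):
            ok = payload["credentials"]["authenticator"]["OTP"] == self.accepted_otp
            return (200, {}) if ok else (401, {"error": "invalid OTP"})
        return 404, {}


class ChallengeResponseLogin:
    """Server-side half of the flow: the requestID never leaves the web application's
    session store, and each challenge is usable for exactly one login attempt."""
    def __init__(self, transport):
        self._send = transport
        self._pending = {}  # opaque session token -> (user path, requestID)

    def start(self, user_id, domain, length=DEFAULT_CHALLENGE_LENGTH, check_digit=False):
        path = user_path(user_id, domain)
        status, body = self._send(path + "/generate-challenge",
                                  build_generate_challenge_payload(length, check_digit))
        if status != 200 or "challenge" not in body or "requestID" not in body:
            raise RuntimeError("generate-challenge failed: HTTP %s" % status)
        token = secrets.token_urlsafe(32)
        self._pending[token] = (path, str(body["requestID"]))
        return token, str(body["challenge"])  # show the challenge; keep the token in the session

    def finish(self, token, otp):
        path, request_id = self._pending.pop(token, (None, None))  # consume: one attempt only
        if path is None:
            return False
        status, _ = self._send(path + "/login", build_login_payload(otp, request_id))
        return status == 200  # assumed: any non-200 status means the OTP was rejected
```

In a real deployment, construct `ChallengeResponseLogin(urllib_transport("https://<tenant host>", api_key))`, call `start()` when the user opens the login page, store the returned token in the server-side session and render only the challenge, then call `finish()` with the OTP the user submits. The token-to-requestID map should live in the same store as the rest of the session (and expire with it) rather than in a process-local dict as shown here.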