Logon permutations
Logon methods
The logon methods specified are:
- Response-only
-
Challenge/response
- 1-step challengerResponse: a random challenge is presented on the logon page before the user ID is known. This is supported for SOAP clients and form-based IIS Modules.
- 2-step challenge/response: a challenge is generated after the user submits their user ID with a request to be given a challenge. The user then logs in with the response to the challenge in a second step. This is supported for all kinds of authentication client.
- Virtual Mobile Authenticator, either primary or backup
- Push notification
Logon actions
Users may be allowed to do these things during a logon:
- Set their server PIN, either on first use or after a PIN reset.
- Change their server PIN.
- Inform OneSpan Authentication Server that their static password for the back-end system, e.g. Windows, has been modified.
- Perform a self-assignment operation for an authenticator in their possession.
Logon variables
The variables which a user may need to enter to perform one of the above functions listed below. The code or word used to designate each variable in the following tables is included in brackets.
- One-time password (OTP)
- Password (Password)
- Server PIN (PIN)
- Serial number of the authenticator (Serial No)
- Serial number separator (Sep.)
- Request keyword (Keyword)
Password format
In a SOAP authentication request, there are two password formats that can be used:
- Cleartext combined. All the logon variables listed above must be entered into a single password field. This format applies when the logon screen or web page cannot be extended with additional entry fields.
- Cleartext separate. The logon variables are entered in separate fields.
In RADIUS authentication requests, the PAP password protocol corresponds to the cleartext combined password format. The CHAP, MSCHAP and MSCHAP2 password protocols are handled as different password formats (as the password is hashed in various ways according to the protocol). In general, these hash-based password formats are not capable of combining different logon variables, unless OneSpan Authentication Server is already aware of all the variables.
Score-based authenticator applications do not support CHAP-based RADIUS authentications.
In administrative logons and IIS Module authentication requests, the cleartext combined password format is always used.