Controls whether 1-step Challenge/Response logins will be enabled for the current policy and, if so, where the challenge should originate.

To enable 1-step Challenge/Response, you also need to set Challenge Check Mode (see POLICIES – DP Control Parameters (tab)).

Note that 1-step Challenge/Response is not applicable in a RADIUS environment.

Possible values:

• Default. Use the setting of the parent policy.
• No. 1-step Challenge/Response may not be used.
• Yes – Server Challenge. 1-step Challenge/Response may be used, if the OneSpan Authentication Server instance verifying the response also generated the challenge.
• Yes – Any Challenge. 1-step Challenge/Response may be used with any random challenge.

The method by which a user has to request a 2-step Challenge/Response logon.

This is the only mode of Challenge/Response available in a RADIUS environment.

The request is made in the password field during logon. The keyword is specified by Request Keyword. The request fails if the user does not have a Challenge/Response-capable authenticator assigned. This includes authenticator applications of type CR, SG, and MM.

Possible values:

• Default. Use the setting of the parent policy.
• None. Do not use 2-step Challenge/Response.
• Keyword. Use the request keyword, with or without another item. This can be blank.
• KeywordOnly. Only the keyword will be accepted.
• Password. Use the static password.
• KeywordPassword. Use the keyword followed by the static password. No separator characters or whitespace should be between them.
• PasswordKeyword. Use the static password followed by the request keyword. No separator characters or white space should be between them.
• KeywordPIN. Use the request keyword followed by the PIN.