OneSpan Authentication Server authentication process

OneSpan Authentication Server authenticates logon requests via two methods:

  • Local authentication. OneSpan Authentication Server uses information from its own data store.
  • Back-end authentication. OneSpan Authentication Server consults a back-end system to verify logon information.

The exact authentication process varies depending on the effective policy settings and the user account.

In general, OneSpan Authentication Server uses the following process to authenticate a user:

  1. Verify that a client component record for the client application that has sent the authentication request exists in the data store (see Identifying the client component record).
  2. Determine which policy applies to the client component record (see Identifying the policy).

  3. Perform several user checks (see Looking up and checking the user account):

    • Windows username/domain resolution (if used)
    • Existence of a user account
    • Status of the user account (disabled, locked, expired, possible unlock)
  4. If local authentication is used, authentication can occur in two ways (see Local authentication):

    • With an authenticator. Verify a one-time password (OTP), Challenge/Response, or Virtual Mobile Authenticator logon request.
    • Without an authenticator. Verify a static password logon request.
  5. If back-end authentication is used, verify the provided password with another back-end system (see Back-end authentication).
  6. (OPTIONAL) If a Challenge/Response or Virtual Mobile Authenticator logon is needed, provide a challenge or OTP.
  7. Audit the authentication result and return it to the client application.

    OneSpan Authentication Server may perform relevant database updates, e.g. lock the user account.
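The ordering of steps 1 to 5 and 7 can be sketched as a small model; this is an added example, not OneSpan code or its API. All record names, fields, sample credentials, and the three-failure lock threshold are assumptions made for illustration, and step 6 (issuing a challenge or OTP) is left out.

```python
import hmac
from dataclasses import dataclass

# Constructed sample records; names and fields are hypothetical, not OneSpan's schema.
COMPONENTS = {"vpn-gw-01": "local-otp", "webmail": "backend-pw"}   # client -> policy
POLICIES = {"local-otp": {"mode": "local", "max_fails": 3},
            "backend-pw": {"mode": "backend", "max_fails": 3}}

@dataclass
class User:
    secret: str              # stands in for the expected OTP or static password
    disabled: bool = False
    locked: bool = False
    fails: int = 0

USERS = {"alice": User("492817"), "bob": User("731554", disabled=True)}
AUDIT = []                   # (component, username, outcome) tuples

def _same(a, b):             # constant-time comparison of two strings
    return hmac.compare_digest(a.encode(), b.encode())

def backend_verify(username, password):   # stub for the back-end system
    return _same(password, "constructed-backend-pw")

def _decide(component, username, credential):
    policy_name = COMPONENTS.get(component)        # step 1: client component record
    if policy_name is None:
        return "unknown-component"
    policy = POLICIES[policy_name]                 # step 2: effective policy
    user = USERS.get(username)                     # step 3: user checks
    if user is None:
        return "unknown-user"
    if user.disabled or user.locked:
        return "account-status"
    if policy["mode"] == "local":                  # step 4: local authentication
        ok = _same(credential, user.secret)
    else:                                          # step 5: back-end authentication
        ok = backend_verify(username, credential)
    if ok:
        user.fails = 0
        return "accept"
    user.fails += 1
    if user.fails >= policy["max_fails"]:          # database update: lock the account
        user.locked = True
    return "bad-credential"

def authenticate(component, username, credential):
    outcome = _decide(component, username, credential)
    AUDIT.append((component, username, outcome))   # step 7: audit every outcome
    return outcome == "accept"                     # client sees only accept/reject
```

In this model the detailed reason goes only to the audit trail, so a request from an unregistered client or for a locked account is rejected before any credential is compared, and the rejection is still recorded.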