Integration of User Login and Event Validation with Challenge/Response

With Intelligent Adaptive Authentication you can implement functionality for your users to log in to your web application and validate events via Challenge/Response authentication. This can also be combined with other types of one-time password (OTP)-based authentication.

An authenticator (hardware or software) that supports Challenge/Response authentication is provisioned for the user. When the authenticator is allocated, a hardware authenticator can be set to use either Challenge/Response or time-based OTPs, and this setting can be modified as needed. Whether Challenge/Response or another authentication method is used depends on the rules set in the Risk Management component. (Rules define sets of criteria used to verify whether an event, i.e. a transaction or a non-monetary event, matches known fraudulent behavior; if an event matches a previously defined rule, an alert can be raised.) For a Challenge/Response challenge to be issued, the rule action value must be set to 10 (ChallengeCRDevice2FA).

For Challenge/Response authentication with Intelligent Adaptive Authentication, the challenge is not restricted to a single authenticator, but limited to a set of compatible authenticators. The only constraints are the challenge length and presence of a check-digit. When the challenge is generated externally, the same limits (length, check-digit presence) apply.

Authenticators offer two types of challenges:

  • Time-based: The authenticator generates an OTP based on the provided challenge and the current time.
  • Event-based: The authenticator generates an OTP based only on the provided challenge.

Event validation refers to the POST /users/{userID@domain}/events/validate endpoint. The endpoint should specify the event type as LoginAttempt.

Login flow

Figure: Login flow - Challenge/Response OTP

The login sequence checks the browsing context and analyzes the risk of the user login operation. Depending on the rules set in the Risk Management component, the Login service challenges the user. If the user signs the authentication request with the Intelligent Adaptive Authentication Challenge/Response (CR) OTP (ChallengeCRDevice2FA), the login request is successfully accepted.

Sequence of a login operation with Challenge/Response

  1. The user initiates the adaptive authentication login operation and triggers the client application to send a challenge-generation and event-validation request. This request includes the following parameters:
    • authenticator user
    • authenticator domain
    • Challenge/Response OTP
    • CDDC data
    • session identifier

    The user's credentials (static password) must not be included in the request input!

  2. The web service triggers a Risk Management component-event request for the challenge generation and event validation.
  3. The Risk Management component responds with a challenge (ChallengeCRDevice2FA).
    1. The web service returns the Challenge/Response OTP challenge (ChallengeCRDevice2FA) to the client application.
    2. The client application collects the Challenge/Response OTP.
  4. The client application sends a second login request (carrying the OTP provided by the user's authenticator) to the application server.
  5. The client application sends the Challenge/Response OTP to the web service.
  6. The web service validates the Challenge/Response OTP.

    1. Intelligent Adaptive Authentication returns the validation result of the OTP.
    2. The Login service forwards the validation result to the web service.
    3. The web service returns an HTTP 200 status code to the client application, indicating that authentication has been successful.
  7. The client application checks the status of the login request with the web service.
  8. The web service returns to the client application that authentication has been successful.
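The sequence above, driven from the client side, as an added example (not OneSpan's own SDK code): step 1 posts the challenge request to events/validate, the challenge is only accepted when the rule action value 10 (ChallengeCRDevice2FA) comes back, and the OTP read from the authenticator goes into the second login on the login endpoint. The HTTP transport and the OTP prompt are injected so the flow can be run against a fake server; the keys "cddc", "otp", "riskResponseCode" and "challenge" are assumed names, not taken from this page.

```python
from typing import Any, Callable, Dict, Tuple

# Added example, not OneSpan's own code. Request fields follow this page;
# "cddc", "otp", "riskResponseCode" and "challenge" are assumed names.
CHALLENGE_CR_DEVICE_2FA = 10                       # rule action value for a CR challenge
FORBIDDEN_KEYS = {"password", "staticpassword"}    # never sent with the challenge request

Transport = Callable[[str, Dict[str, Any]], Tuple[int, Dict[str, Any]]]

def challenge_request(user: str, domain: str, session_id: str, cddc: str,
                      length: int = 8, check_digit: bool = True):
    """Step 1: challenge generation plus event validation on events/validate."""
    body = {"eventType": "LoginAttempt",
            "challengeResponse": {"length": length, "checkDigit": check_digit},
            "sessionID": session_id,
            "cddc": cddc}                          # assumed key for the CDDC data
    return f"/users/{user}@{domain}/events/validate", body

def login_request(user: str, domain: str, session_id: str, otp: str, cddc: str):
    """Step 2: second login carrying the Challenge/Response OTP from the authenticator."""
    body = {"objectType": "AdaptiveLoginInput",
            "sessionID": session_id,               # same session as the challenge
            "otp": otp,                            # assumed key for the CR OTP
            "cddc": cddc}
    return f"/users/{user}@{domain}/login", body

def run_cr_login(post: Transport, read_otp: Callable[[str], str],
                 user: str, domain: str, session_id: str, cddc: str) -> Dict[str, Any]:
    """Drive the whole sequence; `post` is the HTTP transport, `read_otp` the UI prompt."""
    path, body = challenge_request(user, domain, session_id, cddc)
    if FORBIDDEN_KEYS & {k.lower() for k in body}:
        raise ValueError("static password must not be sent in the challenge request")
    status, reply = post(path, body)
    if status != 200:
        return {"state": "error", "step": "challenge", "status": status}
    if reply.get("riskResponseCode") != CHALLENGE_CR_DEVICE_2FA:
        return {"state": "no_challenge", "reply": reply}   # rules did not require CR
    challenge = reply.get("challenge")
    if not challenge:
        return {"state": "error", "step": "challenge", "reason": "missing challenge"}
    otp = read_otp(challenge)                      # user keys the challenge into the authenticator
    path, body = login_request(user, domain, session_id, otp, cddc)
    status, reply = post(path, body)
    if status != 200:
        return {"state": "rejected", "status": status}
    return {"state": "accepted", "session_id": session_id}
```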

Integration of the user login with Challenge/Response

A sequence of requests is required to integrate user authentication with Challenge/Response.

To integrate user authentication with Challenge/Response

  1. Issue a generateChallenge request. Two endpoints are available for this operation, events/validate or login:

    • POST /users/{userID@domain}/events/validate:

      • Payload:

        • eventType: "LoginAttempt"
        • challengeResponse:
          • length
          • checkDigit
        • sessionID
    • POST /users/{userID@domain}/login:

      • Payload:

        • objectType: "AdaptiveLoginInput"
        • challengeResponse:
          • length
          • checkDigit
        • sessionID
  2. Issue a login request. Two endpoints are available for this operation, events/validate or login: