Challenge-Response Authentication (Policy)
  • 18 Oct 2024

The following is an overview of the relevant default settings of Challenge/Response authentication with Intelligent Adaptive Authentication.

  • Parent policy: Identikey Local Authentication

Challenge-Response Authentication—Default parameter settings

Parameter name | Default value | Description

1step_cr_enabled | Yes - Any Challenge | 1-Step Challenge/Response - Permitted

This controls whether 1-step Challenge/Response logins will be enabled for the current policy and, if so, where the challenge should originate.

To enable 1-step Challenge/Response, you also need to set Challenge Check Mode (see below).

Possible values:

  • Default. Use the setting of the parent policy.

  • No. 1-step Challenge/Response may not be used.

  • Yes – Server Challenge. 1-step Challenge/Response may be used if the instance of the Authentication component verifying the response also generated the challenge.

  • Yes – Any Challenge. 1-step Challenge/Response may be used with any random challenge.

1step_cr_length | 7 | Challenge Length

Specifies the length of the challenge (excluding a check digit) which should be generated for 1-step Challenge/Response logins.

chal_check_mode | 0 | Challenge Check Mode

This setting is for advanced control over time-based Challenge/Response authentication. 1 is the default value if the setting is not specified at all.

Possible values:

  • 0. The challenge is not checked at all. This is necessary for a 1-step Challenge/Response.

  • 1. The challenge presented for verification must be the last one that was generated specifically for that authenticator. This is the normal mode of operation in a 2-step Challenge/Response.

  • 2. The challenge presented for verification is ignored. Instead, the last one that was generated specifically for that authenticator is used.

  • 3. Only one verification is permitted per time step. This option only applies to time-based Challenge/Response procedures. This is a method of avoiding a potential replay of a captured response if the same challenge comes up again in the same time step.

  • 4. If the same challenge and response are presented for verification twice in a row during the same time step, they are rejected. This is an advanced method of avoiding a potential replay of a captured Challenge/Response.
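
A toy model of the five chal_check_mode values described above, added here as an illustration; it is not the product's own code. Assumptions: the response function is a truncated HMAC-SHA256 stand-in, the time step is 30 seconds, modes 0, 3 and 4 verify against the presented challenge, and mode 3 counts only accepted verifications.

```python
import hashlib
import hmac

STEP = 30  # assumed time-step length in seconds; the page does not state one
KEY, NOW = b"constructed-demo-key", 1_700_000_000  # constructed sample values

def response_for(key: bytes, challenge: str, step: int) -> str:
    # Stand-in response function (assumption): truncated HMAC-SHA256, 6 digits.
    mac = hmac.new(key, f"{challenge}:{step}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

class Verifier:
    """Toy server-side state for one authenticator under a chal_check_mode."""
    def __init__(self, key: bytes, mode: int, last_issued=None):
        # last_issued: last challenge generated for this authenticator
        self.key, self.mode, self.last_issued = key, mode, last_issued
        self.last_ok_step = None  # step of the last accepted verification (mode 3)
        self.last_attempt = None  # previous (challenge, response, step) (mode 4)

    def verify(self, challenge: str, response: str, now: int) -> bool:
        step = now // STEP
        attempt = (challenge, response, step)
        repeated, self.last_attempt = attempt == self.last_attempt, attempt
        if self.mode == 1 and challenge != self.last_issued:
            return False  # must be the last challenge generated
        if self.mode == 2:
            challenge = self.last_issued  # presented challenge is ignored
        if challenge is None:
            return False  # mode 2 with nothing issued yet
        if self.mode == 3 and self.last_ok_step == step:
            return False  # only one verification per time step
        if self.mode == 4 and repeated:
            return False  # same pair twice in a row in one time step
        ok = hmac.compare_digest(response, response_for(self.key, challenge, step))
        if ok:
            self.last_ok_step = step
        return ok

def replay(mode: int) -> tuple:
    """Login, then the same captured pair again one second later (same step)."""
    chal = "4815162"  # 7 digits, matching the default 1step_cr_length
    v = Verifier(KEY, mode, last_issued=chal)
    resp = response_for(KEY, chal, NOW // STEP)
    return v.verify(chal, resp, NOW), v.verify(chal, resp, NOW + 1)

def foreign_challenge(mode: int) -> bool:
    """Valid response to a challenge this server did not generate."""
    v = Verifier(KEY, mode, last_issued="1111111")
    return v.verify("4815162", response_for(KEY, "4815162", NOW // STEP), NOW)
```

In this model replay(0) returns (True, True), while replay(3) and replay(4) return (True, False). foreign_challenge is accepted under mode 0 and rejected under modes 1 and 2.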

