- 17 Jan 2025
Setting up 2-step challenge/response
- Updated on 17 Jan 2025
2-step challenge/response is available for web authentication, where challenge/response is supported. In this mode, the authentication process takes place in two steps.
- First, the user requests a challenge to be generated. The policy defines how this request should be made with the Request Method and Request Keyword settings. The challenge is generated specifically for the OneSpan Authentication Server, according to its programming.
- Assuming that the request for the challenge is accepted and a challenge is returned, the user submits a second step logon with the response to the challenge as OTP. This second step goes through the whole authentication process again to verify the response.
To set up 2-step challenge/response, you must edit the policies associated with the client component.
Before you begin
The procedure assumes that a client component has already been defined and assigned a policy. 2-step challenge/response is enabled in the policy associated with the client component.
Setting up 2-step challenge/response
To set up 2-step challenge/response
- Log on to the OneSpan Authentication Server Administration Web Interface (see Accessing OneSpan Authentication Server Appliance Configuration Tool and OneSpan Authentication Server Administration Web Interface).
- Locate the client component via CLIENTS > List.
- Click the policy of the client component to view it.
- Click Edit to edit the policy.
- Update the challenge settings:
  - Switch to the Challenge tab.
  - Click Edit.
  - To enable 2-step challenge/response, set Request Method to one of the following:
    - Keyword. Use a request keyword (see Keywords). For challenge/response, this can be blank.
    - Password. Use the static password.
    - KeywordPassword. Use the request keyword followed by the static password. No separator characters or whitespace should be between them.
    - PasswordKeyword. Use the static password followed by the request keyword. No separator characters or whitespace should be between them.
  - Set Request Keyword if you have chosen a keyword-related option.
  - Click Save.
- Update the check mode settings:
  - Switch to the DP Control Parameters tab.
  - Click Edit.
  - Set Challenge Check Mode to one of the following:
    - DP specific Challenge Required. The challenge presented for verification must be the last one that was generated specifically for that authenticator. This is the normal mode of operation in 2-step challenge/response.
    - Auth. Only with DIGIPASS Challenge. The challenge presented for verification is ignored. The last one that was generated specifically for that authenticator is used. This is rarely applicable.
    - 1 C/R Auth. Permitted per Time Step. Only one verification is permitted per time step. This option only applies to time-based challenge/response. This is a method to avoid a potential replay of a captured response if the same challenge comes up again in the same time step.
    - Reject all C/R Auth. Replays in same Time Step. If the same challenge and response are presented for verification twice in a row during the same time step, they are rejected. This is an advanced method to avoid a potential replay of a captured challenge/response.
  - Click Save.
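The difference between the four Challenge Check Mode options is easiest to see when a captured challenge/response pair is presented a second time within the same time step. The following model is an added example, not OneSpan code: the mode identifiers, the `ChallengeVerifier` class, the 30-second time step and the HMAC-based `expected_response` are assumptions that stand in for the real authenticator algorithm and server state.

```python
import hashlib
import hmac

TIME_STEP = 30  # seconds per time step (assumed value for this model)

def expected_response(key: bytes, challenge: str, step: int) -> str:
    """Stand-in response function (HMAC-SHA256 -> 6 digits), not the DIGIPASS algorithm."""
    mac = hmac.new(key, f"{challenge}:{step}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

class ChallengeVerifier:
    """Per-authenticator state; mode names are hypothetical labels for the four options."""
    def __init__(self, key: bytes, mode: str):
        self.key, self.mode = key, mode
        self.last_issued = None  # last challenge generated for this authenticator
        self.last_ok = None      # (step, challenge, response) of the last accepted logon

    def issue(self, challenge: str) -> str:
        self.last_issued = challenge
        return challenge

    def verify(self, challenge: str, response: str, now: float) -> bool:
        step = int(now) // TIME_STEP
        if self.mode == "dp_specific_required" and challenge != self.last_issued:
            return False  # presented challenge must be the last one generated
        if self.mode == "digipass_challenge_only":
            challenge = self.last_issued  # presented challenge is ignored
        if self.mode == "one_per_time_step" and self.last_ok and self.last_ok[0] == step:
            return False  # a verification was already accepted in this time step
        if self.mode == "reject_replays" and self.last_ok == (step, challenge, response):
            return False  # same challenge and response twice in a row, same step
        if challenge is None:
            return False  # no challenge was ever issued
        good = expected_response(self.key, challenge, step)
        if not hmac.compare_digest(response.encode(), good.encode()):
            return False
        self.last_ok = (step, challenge, response)
        return True

def replay_demo(mode: str) -> tuple:
    """Constructed scenario: a valid logon at t=1000, then the same pair again at t=1005."""
    key = b"constructed-demo-key"
    v = ChallengeVerifier(key, mode)
    chal = v.issue("482913")
    resp = expected_response(key, chal, 1000 // TIME_STEP)
    return v.verify(chal, resp, 1000), v.verify(chal, resp, 1005)
```

`replay_demo(mode)` returns the result of the first logon and of the repeated submission for the given mode label.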