Authenticator Programming
  • 02 Jan 2025

There are various authenticator settings that can affect common administrative tasks.

Authenticator client PIN

An authenticator (client) PIN is a numeric secret, known only to the user, that must be typed into the authenticator before it generates a new one-time password (OTP). This gives two-factor authentication: the person logging in must possess the authenticator (something you have) and know the authenticator PIN (something you know) in order to obtain an OTP.

PIN change can be offered to users through pre-programmed PIN modification settings. For more information, refer to the specific authenticator model user documentation.

Authenticator PIN settings include:

  • Initial PIN. An initial PIN can be set for an authenticator. This PIN must be communicated to the authenticator user, typically by a channel separate from the delivery of the authenticator itself.
  • First use PIN modification. This forces the user to change the PIN the first time the authenticator is used, so the initial PIN known to the administrator is never used to generate an OTP.
  • PIN change. This allows a user to change the authenticator PIN whenever they wish.
  • PIN length. The number of digits the PIN must have; this can be set per authenticator.
  • Authenticator lock. The number of consecutive incorrect PIN entries allowed before the authenticator locks itself.

The authenticator client PIN requires an authenticator with a keypad on which to type the PIN. It is not possible with one-button authenticator models (see Authenticators). The server PIN, an alternative way to obtain two-factor authentication, is only available for one-button authenticator models (see Server PIN).

Each authenticator can be given a grace period when it is assigned to a user account (see Grace period).
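How the PIN settings above interact on the device, as an added software model (not the vendor's code or algorithm): the PinPolicy/ClientPin names, the PBKDF2 hashing of the PIN, and the exact lock and first-use rules are assumptions chosen for illustration. A hardware authenticator keeps this state in protected memory; here it is a plain Python object.

```python
"""Software model of the client-PIN policy an authenticator enforces locally.

Added illustration, not vendor code: the class names, the PBKDF2 hashing of
the PIN and the exact lock and first-use rules are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


class PinLocked(Exception):
    """Too many consecutive wrong PINs; an administrator must unlock the device."""


class PinRejected(Exception):
    """The PIN was wrong or did not satisfy the policy."""


@dataclass(frozen=True)
class PinPolicy:
    pin_length: int = 4                 # "PIN length": digits the PIN must have
    lock_after: int = 3                 # "Authenticator lock": wrong entries before locking
    change_on_first_use: bool = True    # "First use PIN modification"


class ClientPin:
    def __init__(self, policy: PinPolicy, initial_pin: str):
        """Program the device with an 'Initial PIN' (sent to the user separately)."""
        self.policy = policy
        self.failures = 0                # consecutive wrong entries
        self.locked = False
        self.must_change = policy.change_on_first_use
        self._check_format(initial_pin)
        self._salt = os.urandom(16)
        self._digest = self._hash(initial_pin)

    def _hash(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 10_000)

    def _check_format(self, pin: str) -> None:
        if not pin.isdigit():
            raise PinRejected("PIN must contain digits only")
        if len(pin) != self.policy.pin_length:
            raise PinRejected(f"PIN must have {self.policy.pin_length} digits")

    def _verify(self, pin: str) -> None:
        """Check the PIN, counting failures and locking after lock_after of them."""
        if self.locked:
            raise PinLocked("authenticator is locked")
        if not hmac.compare_digest(self._digest, self._hash(pin)):
            self.failures += 1
            if self.failures >= self.policy.lock_after:
                self.locked = True
                raise PinLocked("authenticator locked after too many wrong PINs")
            raise PinRejected(f"wrong PIN ({self.failures}/{self.policy.lock_after})")
        self.failures = 0                # a correct PIN resets the counter

    def unlock_for_otp(self, pin: str) -> bool:
        """Gate OTP generation on the PIN: the 'something you know' factor."""
        self._verify(pin)
        if self.must_change:
            raise PinRejected("the initial PIN must be changed before first use")
        return True

    def change_pin(self, old_pin: str, new_pin: str) -> None:
        """'PIN change': the only operation allowed while must_change is set."""
        self._check_format(new_pin)      # policy check first: no failure is counted
        self._verify(old_pin)
        if new_pin == old_pin:
            raise PinRejected("the new PIN must differ from the old one")
        self._salt = os.urandom(16)
        self._digest = self._hash(new_pin)
        self.must_change = False
```

Note that a wrong PIN entered during a PIN change counts toward the lock just like a wrong PIN entered for an OTP, while a new PIN of the wrong length is refused before the old PIN is even checked, so it does not consume an attempt.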

Time/event-based authenticator applications

Time-based and event-based modes behave differently depending on the authenticator application type (see Table: Time-based and event-based modes of authenticator application types).

Table: Time-based and event-based modes of authenticator application types

Response-Only
  Time-based mode: Generates an OTP based on the current time. The common time step is 36 seconds, so the OTP displayed changes every 36 seconds, whether or not an OTP has been requested from the authenticator.
  Event-based mode: Generates a new OTP each time an OTP is requested.

Challenge/Response
  Time-based mode: Generates an OTP based on the challenge given and the current time. The common time step is 9 hours (slow challenge), so if exactly the same challenge is given to an authenticator within a 9-hour period, the authenticator application generates the same OTP. Challenges are, however, very rarely repeated within such a period.
  Event-based mode: Generates an OTP based on the challenge given only.

Signature
  Time-based mode: Generates a different signature for the same input data at different times.
  Event-based mode: Contains a numeric counter that increases every time a signature is generated, so signing the same input data twice yields two different signatures.

A signature authenticator application can also be neither time-based nor event-based. Such an authenticator application always produces the same signature for the same input, so there is no difference between a signature computed in real time and one computed later (deferred).
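The three application types in the two modes, as an added example that is not the authenticator's real algorithm (this page does not describe it): HMAC-SHA256 truncated to a decimal OTP stands in for the OTP function, the "RO"/"CR"/"SG" domain tags, the Authenticator class and the signature time step are assumptions, and the 36-second and 9-hour time steps are the values given in the table above. The server-side drift window in verify_response_only is also an assumed policy.

```python
"""Time-based vs event-based OTP generation for the three application types.

Added illustration, not the authenticator's real algorithm (which this page
does not describe): HMAC-SHA256 truncated to a decimal OTP stands in for it,
and the "RO"/"CR"/"SG" domain tags and the signature time step are assumptions.
"""
import hashlib
import hmac
import struct

TIME_STEP_RESPONSE_ONLY = 36          # seconds, value from the text
TIME_STEP_SLOW_CHALLENGE = 9 * 3600   # seconds, "slow challenge", value from the text
TIME_STEP_SIGNATURE = 36              # assumption: the text gives no value


def _derive(key: bytes, message: bytes, digits: int = 6) -> str:
    """Stand-in OTP function: keyed MAC truncated to `digits` decimal digits."""
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**digits).zfill(digits)


class Authenticator:
    """One authenticator application: a secret key plus an event counter."""

    def __init__(self, key: bytes, mode: str):
        if mode not in ("time", "event", "none"):
            raise ValueError(mode)
        self.key = key
        self.mode = mode
        self.counter = 0      # advanced in event-based mode only

    def _factor(self, now: int, step: int) -> bytes:
        """Moving factor: time-step number in time mode, counter in event mode."""
        if self.mode == "time":
            return struct.pack(">Q", now // step)
        if self.mode == "event":
            self.counter += 1
            return struct.pack(">Q", self.counter)
        return b""            # "none": signature only, same output every time

    def response_only(self, now: int) -> str:
        if self.mode == "none":
            raise ValueError("Response-Only is always time- or event-based")
        return _derive(self.key, b"RO" + self._factor(now, TIME_STEP_RESPONSE_ONLY))

    def challenge_response(self, challenge: str, now: int) -> str:
        if self.mode == "time":
            factor = struct.pack(">Q", now // TIME_STEP_SLOW_CHALLENGE)
        elif self.mode == "event":
            factor = b""      # event-based C/R depends on the challenge only
        else:
            raise ValueError("Challenge/Response is always time- or event-based")
        return _derive(self.key, b"CR" + challenge.encode() + factor)

    def signature(self, fields: list, now: int) -> str:
        """Sign transaction fields; mode 'none' gives the deferred-time signature."""
        data = "|".join(fields).encode()
        return _derive(self.key, b"SG" + data + self._factor(now, TIME_STEP_SIGNATURE))


def verify_response_only(key: bytes, otp: str, now: int, drift_steps: int = 1) -> bool:
    """Server side for time-based Response-Only (assumed policy): accept the
    OTP for the current 36-second step or `drift_steps` steps either side, to
    tolerate small clock drift between authenticator and server."""
    step = now // TIME_STEP_RESPONSE_ONLY
    for s in range(max(step - drift_steps, 0), step + drift_steps + 1):
        if hmac.compare_digest(_derive(key, b"RO" + struct.pack(">Q", s)), otp):
            return True
    return False
```

The difference between the modes is entirely in the moving factor: in time mode two requests inside one step return the same OTP and the server must allow for drift, while in event mode the server must instead track how far the authenticator's counter has advanced.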

OTP length

This setting refers to the length of the OTP values generated by the authenticator for Response-Only and Challenge/Response authenticator applications.

A check digit may be added to each OTP. It is computed from the OTP itself and lets the server reject most mistyped OTP values quickly, before any cryptographic verification. The OTP length setting does not include the check digit, so the value displayed to the user is one digit longer than the configured OTP length.

Challenge length

This setting refers to the length of the challenge that should be expected by the authenticator. This is used by Challenge/Response authenticator applications.

A check digit may be expected with each challenge. It is generated by the server from the challenge and allows the authenticator to reject most invalid (mistyped) challenges before computing a response. Unlike the OTP length, the challenge length does include the check digit.
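Both check digits in working code, as an added example that is not vendor code: the page does not say which check-digit algorithm the authenticator uses, so the Luhn (mod 10) algorithm stands in for it, and the function names and the 8-digit challenge and 6-digit OTP values are assumptions. It also shows the asymmetry in the two length settings: the challenge length counts the check digit, the OTP length does not.

```python
"""Check digits on challenges and OTPs.

Added example, not vendor code: the page does not say which check-digit
algorithm the authenticator uses, so Luhn (mod 10) stands in for it. The
function names and the example lengths are assumptions.
"""
import secrets


def luhn_check_digit(payload: str) -> str:
    """Luhn: from the right, double every second digit (rightmost first),
    subtract 9 from doubled values above 9, and pick the digit that makes
    the total a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    """True when the last digit is the correct check digit for the rest."""
    return (number.isdigit() and len(number) >= 2
            and luhn_check_digit(number[:-1]) == number[-1])


# --- Challenge side: the server generates, the authenticator checks --------

def make_challenge(challenge_length: int) -> str:
    """The configured challenge length INCLUDES the check digit, so only
    challenge_length - 1 random digits are generated."""
    payload = "".join(secrets.choice("0123456789") for _ in range(challenge_length - 1))
    return payload + luhn_check_digit(payload)


def authenticator_accepts_challenge(challenge: str, challenge_length: int) -> bool:
    """What the authenticator does before computing a response: reject any
    challenge of the wrong length or with a bad check digit."""
    return len(challenge) == challenge_length and luhn_valid(challenge)


# --- OTP side: the authenticator appends, the server checks first ----------

def display_otp(otp: str, otp_length: int) -> str:
    """The configured OTP length EXCLUDES the check digit: the value shown
    to the user is one digit longer."""
    if len(otp) != otp_length or not otp.isdigit():
        raise ValueError("OTP does not match the configured length")
    return otp + luhn_check_digit(otp)


def server_precheck(entered: str, otp_length: int) -> bool:
    """Cheap filter run before any cryptographic verification: a mistyped
    OTP fails here without touching the key material."""
    return len(entered) == otp_length + 1 and luhn_valid(entered)


def single_digit_errors_caught(number: str) -> bool:
    """Every single-digit substitution changes the Luhn total mod 10 (the
    doubling rule maps 0-9 onto 0-9 bijectively), so all such typos are
    rejected; this exhaustively checks that claim for one value."""
    for i, ch in enumerate(number):
        for d in "0123456789":
            if d != ch and luhn_valid(number[:i] + d + number[i + 1:]):
                return False
    return True
```

A check digit is an integrity aid against typing errors, not a security control: it is computed from public data, so an attacker can always produce a value that passes the precheck, and the server still has to perform the real OTP verification afterwards.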

