- 21 Oct 2024
- 2 minutes to read
Integration of User Login and Event Validation with Challenge/Response
With Intelligent Adaptive Authentication you can implement functionality for your users to log in to your web application and validate events via Challenge/Response authentication. This can also be combined with other types of one-time password (OTP)-based authentication.
You can also generate your own challenge and provide it to your users to sign transactions.
An authenticator (hardware or software) that supports Challenge/Response authentication is provisioned for the user. During the allocation of the authenticator, hardware authenticators can be defined to use either Challenge/Response or time-based OTPs, and this can be modified on an as-needed basis. Whether Challenge/Response or another authentication method is used depends on the rules set in the Risk Management component. The returned challenge must have the value set to 10 (ChallengeCRDevice2FA).
For Challenge/Response authentication with Intelligent Adaptive Authentication, the challenge is not restricted to a single authenticator, but limited to a set of compatible authenticators. The only constraints are the challenge length and the presence of a check digit. When the challenge is generated externally, the same limits (length, check-digit presence) apply.
Authenticators offer two types of challenges:
- Time-based: The authenticator generates an OTP based on the provided challenge and the current time.
- Event-based: The authenticator generates an OTP based only on the provided challenge.
Event validation refers to the POST /users/{userID@domain}/events/validate endpoint. The endpoint should specify the event type as LoginAttempt.
Login flow
Login flow—Challenge/Response OTP
The login sequence checks the browsing context and analyzes the risk of the user login operation. Depending on the rules set in the Risk Management component, the Login service challenges the user. If the user signs the authentication request with the Intelligent Adaptive Authentication Challenge/Response (CR) OTP (ChallengeCRDevice2FA), the login request is successfully accepted.
Sequence of a login operation with Challenge/Response
Before starting the operation, ensure the correct state of the user account by validating the output of the GET /users/{userID@domain} endpoint.
1. The user initiates the adaptive authentication login operation and triggers the client application to send a request to generate a challenge and an event validation request. This request includes the following parameters:
   - authenticator user
   - authenticator domain
   - Challenge/Response OTP
   - CDDC data
   - session identifier
   The user's credentials (static password) must not be included in the request input!
2. The web service triggers a Risk Management component event request for the challenge generation and event validation.
3. The Risk Management component responds with a challenge (ChallengeCRDevice2FA).
4. The web service returns the Challenge/Response OTP challenge (ChallengeCRDevice2FA) to the client application.
5. The client application collects the Challenge/Response OTP (provided by the user's authenticator).
6. The client application sends a second login request to the application server.
7. The client application sends the Challenge/Response OTP to the web service.
8. The web service validates the Challenge/Response OTP.
9. Intelligent Adaptive Authentication returns the validation result of the OTP.
10. The Login service forwards the validation result to the web service.
11. The web service returns an HTTP 200 status code to the client application, indicating that authentication has been successful.
12. The client application checks the status of the login request with the web service.
13. The web service returns to the client application that authentication has been successful.
Integration of the user login with Challenge/Response
A sequence of requests is required to integrate user authentication with Challenge/Response.
To integrate user authentication with Challenge/Response
1. Issue a generateChallenge request. Two endpoints are available for this operation, events/validate or login:
   - POST /users/{userID@domain}/events/validate
     Payload:
     - eventType: "LoginAttempt"
     - objectType: challengeResponse
     - objectType: challengeResponse.length
     - objectType: challengeResponse.checkDigit
     - sessionID
   - POST /users/{userID@domain}/login
     Payload:
     - objectType: "AdaptiveLoginInput"
     - objectType: "challengeResponse"
     - objectType: "challengeResponse.length"
     - objectType: "challengeResponse.checkDigit"
     - sessionID
2. Issue a login request. Two endpoints are available for this operation, events/validate or login:
   - POST /users/{userID@domain}/events/validate
     Payload:
     - eventType: "LoginAttempt"
     - sessionID
     - requestID
     - credentials.authenticator.OTP
   - POST /users/{userID@domain}/login
     Payload:
     - objectType: "AdaptiveLoginInput"
     - sessionID
     - credentials.authenticator.OTP
     - requestID
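The two-request sequence above (and the thirteen-step login flow earlier on this page) can be exercised end to end with the following added example. It is not code from the page or from the product itself: it builds the step 1 and step 2 payloads with the field names the page lists (eventType "LoginAttempt", objectType "AdaptiveLoginInput", sessionID, challengeResponse.length, challengeResponse.checkDigit, requestID, credentials.authenticator.OTP), enforces the rule that the static password never travels in the login input, and talks to a FakeAdaptiveAuthService that stands in for the web service and Risk Management component. The response field names (riskResponseCode, challenge, requestID), the HMAC-based event-based OTP, and the mod-10 check digit are all assumptions made for the example; the real product's check-digit scheme and OTP algorithm are not specified on this page.

```python
"""Challenge/Response login flow, simulated end to end (constructed example)."""
import hashlib
import hmac
import secrets

CHALLENGE_CR_DEVICE_2FA = 10  # risk response value for a Challenge/Response OTP (from the page)
FORBIDDEN_KEYS = {"password", "staticpassword"}  # static credentials must never be sent


def reject_static_password(body: dict) -> None:
    """Walk the payload and refuse any key that would carry the user's static password."""
    for key, value in body.items():
        if key.lower() in FORBIDDEN_KEYS:
            raise ValueError(f"static credential '{key}' must not be in the login input")
        if isinstance(value, dict):
            reject_static_password(value)


def _envelope(endpoint: str) -> dict:
    """Outer object for the two endpoints the page names."""
    if endpoint == "events/validate":
        return {"eventType": "LoginAttempt"}
    if endpoint == "login":
        return {"objectType": "AdaptiveLoginInput"}
    raise ValueError(f"unsupported endpoint: {endpoint}")


def build_challenge_request(endpoint: str, session_id: str, length: int = 8,
                            check_digit: bool = True) -> dict:
    """Step 1 payload: ask the service to generate a challenge of the given shape."""
    body = _envelope(endpoint)
    body["sessionID"] = session_id
    body["challengeResponse"] = {"length": length, "checkDigit": check_digit}
    reject_static_password(body)
    return body


def build_otp_request(endpoint: str, session_id: str, request_id: str, otp: str) -> dict:
    """Step 2 payload: return the OTP the authenticator derived from the challenge."""
    body = _envelope(endpoint)
    body.update({"sessionID": session_id, "requestID": request_id,
                 "credentials": {"authenticator": {"OTP": otp}}})
    reject_static_password(body)
    return body


def luhn_digit(digits: str) -> str:
    """Mod-10 check digit (assumed stand-in; the page does not define the check-digit scheme)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def event_based_otp(secret: bytes, challenge: str, length: int = 6) -> str:
    """Assumed stand-in for an event-based authenticator: depends only on the challenge."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** length).zfill(length)


class FakeAdaptiveAuthService:
    """Simulates web service + Risk Management component for one user (assumed behaviour)."""

    def __init__(self, user_secret: bytes):
        self._secret = user_secret
        self._pending = {}  # sessionID -> (requestID, challenge); a challenge is single-use

    def post(self, path: str, body: dict):
        endpoint = path.split("/", 3)[3]          # "/users/{userID@domain}/<endpoint>"
        if endpoint not in ("events/validate", "login"):
            return 404, {"error": "unknown endpoint"}
        sid = body["sessionID"]
        if "challengeResponse" in body:           # step 1: generate the challenge
            spec = body["challengeResponse"]
            n = spec["length"] - (1 if spec["checkDigit"] else 0)
            digits = "".join(str(secrets.randbelow(10)) for _ in range(n))
            challenge = digits + (luhn_digit(digits) if spec["checkDigit"] else "")
            request_id = secrets.token_hex(8)
            self._pending[sid] = (request_id, challenge)
            return 200, {"riskResponseCode": CHALLENGE_CR_DEVICE_2FA,
                         "requestID": request_id, "challenge": challenge}
        # step 2: validate the OTP against the pending challenge, consuming it
        pending = self._pending.pop(sid, None)
        if pending is None or pending[0] != body.get("requestID"):
            return 401, {"error": "no matching challenge for this session/requestID"}
        expected = event_based_otp(self._secret, pending[1])
        if not hmac.compare_digest(expected, body["credentials"]["authenticator"]["OTP"]):
            return 401, {"error": "OTP rejected"}
        return 200, {"result": "authenticated"}


def login_with_challenge_response(service, user_id: str, session_id: str,
                                  authenticator_secret: bytes, endpoint: str = "login") -> dict:
    """Client side of the flow: request a challenge, then submit the authenticator's OTP."""
    path = f"/users/{user_id}/{endpoint}"
    status, resp = service.post(path, build_challenge_request(endpoint, session_id))
    if status != 200 or resp.get("riskResponseCode") != CHALLENGE_CR_DEVICE_2FA:
        return {"status": status, "step": "challenge", "body": resp}
    otp = event_based_otp(authenticator_secret, resp["challenge"])  # computed on the user's device
    status, resp = service.post(path, build_otp_request(endpoint, session_id, resp["requestID"], otp))
    return {"status": status, "step": "otp", "body": resp}


if __name__ == "__main__":
    shared = b"constructed-shared-secret"
    print(login_with_challenge_response(FakeAdaptiveAuthService(shared), "alice@corp", "sess-1", shared))
```

The simulated service consumes a challenge on first use, so a replayed OTP for the same session is refused, and it only accepts an OTP whose requestID matches the challenge it issued; those are the two checks a real integration should expect the web service to perform before it answers the client's status query with HTTP 200.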