TID Challenge-Response Authentication (Policy)

Mis à jour le 16 Oct 2024
2 Minutes à lire

Partager
Sombre
Lumière

The content is currently unavailable in French. You are viewing the default English version.

Résumé de l’article

Avez-vous trouvé ce résumé utile ?

Merci pour vos commentaires

The following is an overview of the relevant default settings of Challenge/Response authentication with OneSpan Cloud Authentication.

Parent policy: Identikey Local Authentication

Parameter name	Default value	Description
TID Challenge-Response Authentication—Default parameter settings
1step_cr_enabled	Yes - Any Challenge	1-Step Challenge/Response - Permitted This controls whether 1-step Challenge/Response logins will be enabled for the current policy and, if so, where the challenge should originate. To enable 1-step Challenge/Response, you also need to set Challenge Check Mode (see below). Possible values: Default. Use the setting of the parent policy. No. 1-step Challenge/Response may not be used. Yes – Server Challenge. 1-step Challenge/Response may be used if the instance of the Authentication component verifying the response also generated the challenge. Yes – Any Challenge. 1-step Challenge/Response may be used with any random challenge.
chal_check_mode	0	Challenge Check Mode This setting is for advanced control over time-based Challenge/Response authentication. 1 is the default value if the setting is not specified at all. Possible values: 0. The challenge is not checked at all. This is necessary for a 1-step Challenge/Response. 1. The challenge presented for verification must be the last one that was generated specifically for that authenticator. This is the normal mode of operation in a 2-step Challenge/Response. 2. The challenge presented for verification is ignored. Instead, the last one that was generated specifically for that authenticator is used. 3. Only one verification is permitted per time step. This option only applies to time-based Challenge/Response procedures. This is a method of avoiding a potential replay of a captured response if the same challenge comes up again in the same time step. 4. If the same challenge and response are presented for verification twice in a row during the same time step, they are rejected. This is an advanced method of avoiding a potential replay of a capture Challenge/Response.
initial_window	1 hour	Initial Time Window This controls the maximum allowed time variation between an authenticator and the host system, the first time that the authenticator is used. The time is specified in hours. This Initial Time Window is also used directly after a Reset Application operation, which can be used if it appears that the internal clock in the authenticator has drifted too much since the last successful login. This only applies to time-based authenticators when verifying an OTP. In either case, after the first successful login, the initial time window is no longer active.
event_window	10 events	Event Window This controls the maximum allowed number of event variations between an authenticator application and the host system during login. This only applies to event-based authenticator applications and always applies for OTP verification. For signature validation, it depends on the online signature level setting whether the event window is used or not.

Cet article vous a-t-il été utile ?

What's Next

TID Cloud Authentication (Policy)