User Authentication
  • 26 Nov 2024
  • 2 minute read

Article summary

Get an overview of useful practices for the user authentication process.

Authentication types

A user has two logon paths when attempting to authenticate with OneSpan Authentication Server:

  • Local authentication: OneSpan Authentication Server uses information from its own data store. For more information, refer to the OneSpan Authentication Server Product Guide, Section "Local authentication".
  • Back-end authentication: OneSpan Authentication Server consults a back-end system to verify login information. For more information, refer to the OneSpan Authentication Server Product Guide, Section "Back-end authentication".

For back-end authentication with Active Directory via LDAP, always use SSL for connections between OneSpan Authentication Server and the Active Directory back-end server. Connections that do not use SSL may cause issues and should only be used for testing purposes, never in production.

The exact authentication process used by OneSpan Authentication Server will vary depending on the applicable policy and the user account.

The following process overview describes how OneSpan Authentication Server authenticates users with authenticators:

  1. Verify that a client component record for the client application sending the authentication request exists in the data store.
  2. Determine which policy applies for the client component record.
  3. Perform several user checks:

    • Windows user name/domain resolution (if used)
    • Existence of a user account in OneSpan Authentication Server
    • Status of the user account (disabled, locked, expired, possible unlock)
  4. Local authentication: If local authentication is used, authentication can occur in two ways:

    • With an authenticator: Verify a one-time password (OTP), Challenge/Response, or Virtual Mobile Authenticator logon.
    • Without an authenticator: Verify a static password.
  5. Back-end authentication: Check the provided password with another back-end system.
  6. If a Challenge/Response or Virtual Mobile Authenticator logon is needed, provide a challenge or OTP.
  7. Audit and return the authentication result.

During the last step of the authentication process, OneSpan Authentication Server may perform relevant database updates, e.g. user account lock.

For more detailed information on the user authentication process, refer to the OneSpan Authentication Server Product Guide, Section "User authentication".

Identifying user authentication policies

To configure user authentication, dedicated policies are created in the Web Administration Service; they specify the settings that cover the most common request handling processes. Each request is handled according to a configured policy, which is identified by the applicable client record.

Policies can be set up in a hierarchy, where a policy inherits attributes from a parent policy but overrides some of them for a slightly different scenario. At the top of that hierarchy is a parent or base policy that does not inherit attributes from any other policy, i.e. a so-called parentless policy. That topmost policy is not necessarily the default base policy provided with OneSpan Authentication Server, i.e. Base Policy.

Factors that influence user authentication include:

  • Local authentication setting. This setting indicates whether to perform local authentication, and if so, whether a static password is permitted. For more information, refer to the OneSpan Authentication Server Product Guide, Section "Local authentication".
  • Back-end authentication setting. This setting indicates whether to perform back-end authentication, and if so, when to do it. For more information, refer to the OneSpan Authentication Server Product Guide, Section "Back-end authentication".
  • User lock threshold. If a user's lock count equals or exceeds the user lock threshold in the policy in use, the user account will be locked.
  • User account inactivity setting. This is the maximum number of days allowed between two authentications.
  • Domain restrictions. Only users of an accepted domain can authenticate with a specific client component.

For a full listing of possible settings and the preloaded policies available with OneSpan Authentication Server, refer to the OneSpan Authentication Server Administrator Reference.
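The authentication process overview above and the policy factors listed in this section, modelled as an added Python example that is not OneSpan's code: a toy policy hierarchy that inherits attributes up to a parentless base policy, a client-component-to-policy mapping, the user checks, local authentication with an authenticator or a static password, a fall-back to a hypothetical back-end callback, and the audit and lock update of the last step. The policy and user records, the attribute names and the authentication mode values are constructed for illustration, and step 6 (issuing a challenge) is left out.

```python
import hmac
from datetime import date
# Constructed hierarchy (not OneSpan data): a child lists only what it overrides.
POLICIES = {
    "Base": {"parent": None, "local_auth": "authenticator", "backend_auth": False,
             "lock_threshold": 3, "inactivity_days": 90, "domains": set()},
    "VPN": {"parent": "Base", "backend_auth": True, "domains": {"corp"}},
    "Helpdesk": {"parent": "VPN", "local_auth": "static_allowed", "lock_threshold": 5},
}
CLIENTS = {"vpn-gw": "VPN", "hd-portal": "Helpdesk"}  # client component record -> policy
USERS = {  # constructed user records; "otp" stands in for an assigned authenticator's OTP
    "alice": {"domain": "corp", "otp": "482913", "last_auth": date(2024, 11, 1)},
    "bob": {"domain": "corp", "static_pw": "hunter2", "last_auth": date(2024, 11, 1)},
}
TODAY, AUDIT = date(2024, 11, 26), []

def effective(policy, attr):  # resolve a policy attribute by walking the parent chain
    while policy is not None:
        if attr in POLICIES[policy]:
            return POLICIES[policy][attr]
        policy = POLICIES[policy]["parent"]
    raise KeyError(attr)

def authenticate(client_id, username, secret, today=TODAY, backend=lambda u, s: False):
    """Steps 1-5 and 7 of the overview; step 6 (issuing a challenge) is omitted."""
    policy, user = CLIENTS.get(client_id), USERS.get(username)  # 1-3: record lookups
    if policy is None or user is None:
        reason = "unknown client component or user"
    elif user.get("disabled") or user.get("locked"):             # 3: account status
        reason = "account disabled or locked"
    elif (today - user["last_auth"]).days > effective(policy, "inactivity_days"):
        reason = "account inactive"
    elif effective(policy, "domains") and user["domain"] not in effective(policy, "domains"):
        reason = "domain not accepted for this client"
    else:
        mode, ok = effective(policy, "local_auth"), False        # 4: local authentication
        if mode != "off" and "otp" in user:
            ok = hmac.compare_digest(secret, user["otp"])
        elif mode == "static_allowed" and "static_pw" in user:
            ok = hmac.compare_digest(secret, user["static_pw"])
        if not ok and effective(policy, "backend_auth"):         # 5: back-end authentication
            ok = backend(username, secret)
        reason = "ok" if ok else "credentials rejected"
        if ok:                                                   # 7: reset counter on success
            user["lock_count"], user["last_auth"] = 0, today
        else:                                                    # 7: count failure, maybe lock
            user["lock_count"] = user.get("lock_count", 0) + 1
            user["locked"] = user["lock_count"] >= effective(policy, "lock_threshold")
    AUDIT.append((client_id, username, reason))                  # 7: audit the result
    return reason == "ok", reason
```

Because the Helpdesk policy only overrides the local authentication mode and the lock threshold, its domain restriction and inactivity limit come from the VPN and Base policies respectively, which is the inheritance behaviour the section describes.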

