Integration of User Login with Challenge/Response
- Updated on 22 Oct 2024
With OneSpan Cloud Authentication you can implement functionality for your users to log in to your web application via Challenge/Response authentication. This can also be combined with other types of one-time password (OTP)-based authentication.
You can also generate your own challenge and provide it to your users to sign transactions.
An authenticator (hardware or software) that supports Challenge/Response authentication is provisioned for the user. When the authenticator is allocated, a hardware authenticator can be set to use either Challenge/Response or time-based OTPs, and this setting can be changed as needed.
For Challenge/Response authentication with OneSpan Cloud Authentication, the challenge is not restricted to a single authenticator, but limited to a set of compatible authenticators. The only constraints are the challenge length and presence of a check-digit. When the challenge is generated externally, the same limits (length, check-digit presence) apply.
Authenticators offer two types of challenges:
- Time-based: The authenticator generates an OTP based on the provided challenge and the current time.
- Event-based: The authenticator generates an OTP based only on the provided challenge.
Event validation refers to the POST /users/{userID@domain}/events/validate endpoint. The endpoint should specify the event type as LoginAttempt.
Login flow
Login flow—Challenge/Response OTP
For Challenge/Response authentication, the web application requests a random challenge from OneSpan Cloud Authentication and presents it to the user on the login page. The user enters the challenge in their authenticator and enters the response (the Challenge/Response OTP) in the login page. Once the OTP has been validated, authentication is complete.
Sequence of a login operation with Challenge/Response
1. The user initiates the login operation and triggers the client application to send a request to generate a challenge. This request includes the following parameters:
   - authenticator user
   - authenticator domain
2. The challenge is presented to the user, who enters it in the authenticator and submits the resulting Challenge/Response OTP in the login request.
3. The web service submits the Challenge/Response OTP for validation.
4. OneSpan Cloud Authentication returns the validation result of the OTP.
5. The Login service forwards the validation result to the web service.
6. The client application checks the status of the login request with the web service.
7. The web service returns to the client application that authentication has been successful.
Integration of the user login with Challenge/Response
A sequence of requests is required to integrate user authentication with Challenge/Response.
To integrate user authentication with Challenge/Response:
1. Issue a generateChallenge request with the POST /users/{userid@domain}/generate-challenge endpoint.
   Payload:
   - length: number. Possible values: min. 4, max. 16. By default, the length is set to 6 in the TID Platform API to reflect the Challenge/Response application properties for a standard TID authenticator.
   - checkDigit: boolean. Possible values: true or false.
2. Issue a login request with the POST /users/{userid@domain}/login endpoint. Include the requestID derived from the generate-challenge request and the OTP the authenticator created from that challenge.
   Payload:
   - objectType: "LoginInput"
   - credentials.authenticator.OTP
   - requestID
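The two-request sequence above (generate-challenge, then login with the requestID and the OTP), as an added example that is not OneSpan's own code or SDK. The endpoint paths and payload fields are the ones listed on this page; the base URL, the bearer Authorization header, and the response field names (challenge, requestID, result) are assumptions. The authenticator and the server are constructed offline stand-ins so the flow runs without a tenant; the stand-in "authenticator" reverses the challenge digits, which is not the real response algorithm.

```python
import hmac
import re
import secrets
from typing import Callable, Dict, Tuple

# A transport takes (method, url, headers, json_body) and returns (http_status, json_response).
# In production this wraps an HTTP client; here a constructed offline stand-in is plugged in.
Transport = Callable[[str, str, Dict[str, str], dict], Tuple[int, dict]]

# userid@domain: exactly one '@', no path separators or whitespace, so the value cannot
# alter the request path when interpolated into /users/{userid@domain}/...
USER_ID_RE = re.compile(r"^[^@/\s]+@[^@/\s]+$")


class ChallengeResponseClient:
    """Client side of the two-request login: generate-challenge, then login."""

    def __init__(self, base_url: str, api_key: str, transport: Transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        # Assumption: the tenant API key is sent as a bearer token.
        self.headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}

    def generate_challenge(self, user_id: str, length: int = 6, check_digit: bool = False) -> dict:
        """POST /users/{userid@domain}/generate-challenge with the payload fields from the page."""
        if not USER_ID_RE.match(user_id):
            raise ValueError("user_id must have the form userid@domain")
        if not 4 <= length <= 16:  # limits stated on the page
            raise ValueError("challenge length must be between 4 and 16")
        body = {"length": length, "checkDigit": bool(check_digit)}
        url = f"{self.base_url}/users/{user_id}/generate-challenge"
        status, resp = self.transport("POST", url, self.headers, body)
        # Assumption: the response carries the challenge and the requestID to quote at login.
        if status != 200 or "requestID" not in resp or "challenge" not in resp:
            raise RuntimeError(f"generate-challenge failed: {status} {resp}")
        return resp

    def login(self, user_id: str, request_id: str, otp: str) -> dict:
        """POST /users/{userid@domain}/login with the LoginInput payload from the page."""
        if not USER_ID_RE.match(user_id):
            raise ValueError("user_id must have the form userid@domain")
        body = {
            "objectType": "LoginInput",
            "requestID": request_id,
            "credentials": {"authenticator": {"OTP": otp}},
        }
        status, resp = self.transport("POST", f"{self.base_url}/users/{user_id}/login", self.headers, body)
        return {"status": status, **resp}


def login_with_challenge(client: ChallengeResponseClient, user_id: str,
                         authenticator: Callable[[str], str]) -> bool:
    """Whole flow: fetch a challenge, hand it to the authenticator, submit the OTP with the requestID."""
    chal = client.generate_challenge(user_id, length=6)
    otp = authenticator(chal["challenge"])  # in reality the user types the challenge into the device
    result = client.login(user_id, chal["requestID"], otp)
    return result["status"] == 200 and result.get("result") == "SUCCESS"


# ---- constructed offline stand-ins, not OneSpan code ------------------------------------

def toy_authenticator(challenge: str) -> str:
    """Stand-in for the user's authenticator. The real response algorithm is keyed and is
    not described on the page; reversing the digits only makes the exchange observable."""
    return challenge[::-1]


def make_fake_server() -> Transport:
    """Offline stand-in for OneSpan Cloud Authentication. It issues numeric challenges, binds
    each to a requestID and user, and accepts a requestID once (single use is this fake's policy).
    The checkDigit flag is accepted but ignored, because the page gives no check-digit algorithm."""
    pending: Dict[str, Dict[str, str]] = {}

    def transport(method: str, url: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
        if method != "POST" or not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"result": "UNAUTHORIZED"}
        user_id, _, action = url.split("/users/", 1)[1].partition("/")
        if action == "generate-challenge":
            challenge = "".join(secrets.choice("0123456789") for _ in range(body["length"]))
            request_id = secrets.token_hex(8)
            pending[request_id] = {"user": user_id, "challenge": challenge}
            return 200, {"requestID": request_id, "challenge": challenge}
        if action == "login":
            state = pending.pop(body.get("requestID", ""), None)  # consumed whether or not the OTP is right
            otp = body.get("credentials", {}).get("authenticator", {}).get("OTP", "")
            expected = toy_authenticator(state["challenge"]) if state else ""
            if state and state["user"] == user_id and hmac.compare_digest(expected, otp):
                return 200, {"result": "SUCCESS"}
            return 401, {"result": "FAILED"}
        return 404, {"result": "NOT_FOUND"}

    return transport


if __name__ == "__main__":
    client = ChallengeResponseClient("https://example.invalid/api", "demo-api-key", make_fake_server())
    print("login ok:", login_with_challenge(client, "alice@example.com", toy_authenticator))
```

Two points the client makes explicit: the userid@domain value goes into the URL path, so it is validated before interpolation rather than trusted from the login form; and the requestID is what ties the OTP in the login request back to the challenge that was generated, so the login request must quote the requestID of the challenge the user actually answered. Whether a requestID can be reused after a failed attempt is a property of the real service, not of this example; the fake rejects replay to show why the client should fetch a fresh challenge for each attempt.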