The information required to be entered during a login will vary according to the configuration settings of the relevant Policy, the login method, and any actions to be performed during the login.
This section refers to authentication processing only, not Signature Validation or Provisioning.
10.1.1 Login Methods
The login methods specified are:
Response Only
Challenge/Response:
  1-Step Challenge/Response: a random challenge is presented on the login page before the User ID is known. This is supported for SOAP clients and form-based IIS Modules.
  2-Step Challenge/Response: a challenge is generated after the user submits their User ID with a request to be given a challenge. The user then logs in with the response to the challenge in a second step. This is supported for all kinds of authentication client.
Virtual Digipass - Primary or Backup
10.1.2 Login Actions
A User may be allowed to do these things during a login:
Set their Server PIN – on first use or after a PIN reset.
Change their Server PIN.
Inform the Identikey Server that their static password for the Back-End System (e.g. Windows) has been modified.
Perform a Self-Assignment for a Digipass in their possession.
10.1.3 Login Variables
The variables which a User may need to enter, in order to do one of the above functions are listed below. The code or word used to designate each variable in the following tables is included in brackets.
One Time Password (OTP)
Password (Password)
Server PIN (PIN)
Serial Number of their Digipass (Serial No)
Serial Number Separator (Sep.)
Request Keyword (Keyword)
10.1.4 Password Format
In a SOAP authentication request, there are two Password Formats that can be used:
Cleartext Combined
Using this format, all the login variables listed above must be entered into a single password field. This format applies when the login screen or web page cannot be extended with additional entry fields.
Cleartext Separate
Using this format, the login variables are entered in separate fields.
In RADIUS authentication requests, the PAP password protocol corresponds to the Cleartext Combined password format. The CHAP, MS-CHAP and MS-CHAP2 password protocols are handled as different password formats, because the password field reaches the Identikey Server only as a hash computed according to the protocol. In general, these hash-based password formats are not capable of combining different login variables, unless all the variables are already known to the Identikey Server, since the server can only verify a hash by recomputing it over values it already holds.
In administrative logons and IIS Module authentication requests, the Cleartext Combined password format is always used.
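The difference between PAP and the hash-based RADIUS protocols, as an added illustration that is not part of the original document or the product's code: under PAP the server receives the Cleartext Combined field and can cut it into variables, whereas under CHAP (RFC 1994, Response = MD5(Identifier || secret || Challenge)) it can only recompute the digest over values it already knows. The Server PIN, OTP window, static password and challenge below are constructed sample values; the function names are hypothetical, and the OTP window stands in for whatever OTPs the server would currently accept for the user's Digipass.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: Response = MD5(Identifier || secret || Challenge).
    The RADIUS client sends only this 16-byte digest, never the secret."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret.encode("utf-8") + challenge).digest()


def split_pap_password(field: str, otp_len: int) -> tuple:
    """PAP carries the Cleartext Combined field in clear, so the server can
    cut the fixed-length OTP off the end and treat the rest as PIN/Password."""
    if len(field) < otp_len:
        raise ValueError("password field is shorter than one OTP")
    return field[:-otp_len], field[-otp_len:]


def pin_otp_candidates(server_pin: str, otp_window: Iterable[str]) -> list:
    """Combined values the server can predict by itself: its stored Server PIN
    followed by each OTP it would accept from the user's Digipass."""
    return [server_pin + otp for otp in otp_window]


def proxied_candidates(stored_password: str, server_pin: str, otp_window: Iterable[str]) -> list:
    """With Stored Password Proxy enabled the static password is known to the
    server too, so Password+PIN+OTP becomes predictable as well."""
    return [stored_password + c for c in pin_otp_candidates(server_pin, otp_window)]


def verify_chap(ident: int, challenge: bytes, response: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Under CHAP the server never sees the field contents; all it can do is
    hash every value it is able to predict and compare in constant time.
    Returns the matching candidate, or None when nothing the server knows
    reproduces the client's digest."""
    for cand in candidates:
        if hmac.compare_digest(chap_response(ident, cand, challenge), response):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample values: a 16-byte CHAP challenge, a 4-digit Server PIN
    # and the OTPs the server would accept right now (a real server derives the
    # window from the Digipass state; here they are literals).
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    window = ["863819", "863820", "863821"]
    # The user types PIN+OTP; the NAS hashes it with the challenge.
    resp = chap_response(1, "1234" + "863820", challenge)
    print(verify_chap(1, challenge, resp, pin_otp_candidates("1234", window)))
    # The user also types an unknown static password in front: no match ...
    resp = chap_response(1, "pA192ss0" + "1234" + "863820", challenge)
    print(verify_chap(1, challenge, resp, pin_otp_candidates("1234", window)))
    # ... unless the server already holds that password (Stored Password Proxy).
    print(verify_chap(1, challenge, resp, proxied_candidates("pA192ss0", "1234", window)))
    # Under PAP the same field is simply split.
    print(split_pap_password("pA192ss0" + "1234" + "863820", otp_len=6))
```

The constant-time comparison matters because the server is comparing a client-supplied digest against several candidates in a loop; with a plain `==` the timing would leak which candidate, if any, was close.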
10.1.5 Policy Settings
The Policy settings which will affect the variables required in logins are:
Stored Password Proxy
If this attribute is set to Enabled, each User's password must be kept up to date in the Identikey Server. This is typically achieved by enabling Password Autolearn.
Password Autolearn
If the Identikey Server is informed of a User's password change, the new password will only be recorded by the Identikey Server if Password Autolearn is enabled in the relevant Policy.
Serial Number Separator
If a Serial Number Separator is specified, the User may enter their Digipass serial number exactly as it appears on the back of their Digipass (or in the documentation provided to the User), including dashes. If a Serial Number Separator is not specified, the Digipass serial number must have all non-numerical characters removed and be padded to 10 characters with leading zeroes.
Back-End Authentication
In the following login permutations tables, 'Back-End Authentication Required' means that the Back-End Authentication setting is set to Always or If Needed.
Note
Back-End Authentication is required for Self-Assignment and Password Autolearn logins.
10.1.6 Response Only – Cleartext Combined Password Format
The following two tables apply to the following cases:
SOAP using Cleartext Combined password format
Administration logins
RADIUS using PAP
IIS Modules
The first table applies in these cases when:
EITHER the Stored Password Proxy feature is enabled OR Back-End Authentication is not enabled
Table 55: Login Permutations - Response Only Cleartext Combined (1)

Server PIN Required: Yes
Login Type                       | Existing PIN? | Separator? | Password Field Contents
Normal login                     | Yes           | N/A        | PIN+OTP
Set PIN                          | No            | N/A        | OTP+NewPIN+NewPIN
Change PIN                       | Yes           | N/A        | PIN+OTP+NewPIN+NewPIN
Changed Password                 | Yes           | N/A        | Password+PIN+OTP
Set PIN and Changed Password     | No            | N/A        | Password+OTP+NewPIN+NewPIN
Change PIN and Changed Password  | Yes           | N/A        | Password+PIN+OTP+NewPIN+NewPIN
Self-Assignment (1)              | Yes           | Yes        | SerialNo+Sep.+Password+PIN+OTP
Self-Assignment (1)              | Yes           | No         | SerialNo+Password+PIN+OTP
Self-Assignment (1)              | No            | Yes        | SerialNo+Sep.+Password+OTP+NewPIN+NewPIN
Self-Assignment (1)              | No            | No         | SerialNo+Password+OTP+NewPIN+NewPIN

Server PIN Required: No
Login Type                       | Existing PIN? | Separator? | Password Field Contents
Normal login                     | N/A           | N/A        | OTP
Changed Password                 | N/A           | N/A        | Password+OTP
Self-Assignment (1)              | N/A           | Yes        | SerialNo+Sep.+Password+OTP
Self-Assignment (1)              | N/A           | No         | SerialNo+Password+OTP

(1) If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be padded to 10 characters with preceding zeroes. Note that Back-End Authentication is required for successful Self-Assignment.

The second table applies in these cases when:
The Stored Password Proxy feature is not enabled AND Back-End Authentication is enabled
Table 56: Login Permutations - Response Only Cleartext Combined (2)

Server PIN Required: Yes
Login Type                       | Existing PIN? | Separator? | Password Field Contents
Normal login                     | Yes           | N/A        | Password+PIN+OTP
Set PIN                          | No            | N/A        | Password+OTP+NewPIN+NewPIN
Change PIN                       | Yes           | N/A        | Password+PIN+OTP+NewPIN+NewPIN
Changed Password                 | Yes           | N/A        | Password+PIN+OTP
Set PIN and Changed Password     | No            | N/A        | Password+OTP+NewPIN+NewPIN
Change PIN and Changed Password  | Yes           | N/A        | Password+PIN+OTP+NewPIN+NewPIN
Self-Assignment (2)              | Yes           | Yes        | SerialNo+Sep.+Password+PIN+OTP
Self-Assignment (2)              | Yes           | No         | SerialNo+Password+PIN+OTP

Server PIN Required: No
Login Type                       | Existing PIN? | Separator? | Password Field Contents
Normal login                     | N/A           | N/A        | Password+OTP
Changed Password                 | N/A           | N/A        | Password+OTP
Self-Assignment (2)              | N/A           | Yes        | SerialNo+Sep.+Password+OTP
Self-Assignment (2)              | N/A           | No         | SerialNo+Password+OTP
(2) If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be padded to 10 characters with preceding zeroes. Note that Back-End Authentication is required for successful Self-Assignment.

Examples

Self-Assignment of a GO 1 Digipass with no existing Server PIN and Serial Number Separator set to '::':
3-179-0987::pA192ss086382012341234

Self-Assignment of a GO 3 Digipass with no Server PIN required and no Serial Number Separator set:
0031790987PA192ss0863820
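How a single Cleartext Combined field can be taken apart again, as an added worked example that is not part of the original document or the product's own code. The idea behind every row of Tables 55 and 56 is the same: the serial number (if any) sits at the front, the OTP, PIN and NewPIN have lengths the server already knows and are peeled off the end, and the static Password is the only variable-length piece, so it is whatever is left in the middle. The code assumes 6-character OTPs and 4-digit PINs, which fits the two examples above but is not stated on the page; `normalize_serial`, `build_combined` and `split_combined` are hypothetical names, and the layout strings are the Password Field Contents entries from the tables.

```python
import re
from typing import Optional

SERIAL_LEN = 10   # serial number length required when no Serial Number Separator is set


def normalize_serial(serial: str) -> str:
    """Bring a Digipass serial number into the form required without a
    separator: drop every non-digit and left-pad with zeros to 10 characters,
    e.g. '3-179-0987' -> '0031790987'."""
    digits = re.sub(r"\D", "", serial)
    if not digits or len(digits) > SERIAL_LEN:
        raise ValueError(f"serial number {serial!r} does not reduce to 1..{SERIAL_LEN} digits")
    return digits.zfill(SERIAL_LEN)


def build_combined(layout: str, values: dict, *, separator: Optional[str] = None) -> str:
    """Client side: concatenate the variables in the order the table row gives."""
    out = []
    for tok in layout.split("+"):
        if tok == "Sep.":
            if separator is None:
                raise ValueError("layout uses Sep. but no Serial Number Separator is configured")
            out.append(separator)
        elif tok == "SerialNo" and "+Sep." not in layout:
            out.append(normalize_serial(values["SerialNo"]))   # padded form is mandatory here
        else:
            out.append(values[tok])
    return "".join(out)


def split_combined(layout: str, field: str, *, otp_len: int, pin_len: int,
                   separator: Optional[str] = None) -> dict:
    """Server side: recover the login variables from one password field.

    'layout' is a Password Field Contents entry such as
    'SerialNo+Sep.+Password+OTP+NewPIN+NewPIN'.  The serial number is read
    from the front (up to the separator, or exactly 10 digits); OTP, PIN and
    NewPIN have fixed lengths and are peeled off the end; Password is the only
    variable-length token, so it gets whatever remains.
    """
    tokens = layout.split("+")
    lengths = {"OTP": otp_len, "PIN": pin_len, "NewPIN": pin_len}
    parts: dict = {}
    rest = field

    if tokens and tokens[0] == "SerialNo":
        tokens.pop(0)
        if tokens and tokens[0] == "Sep.":
            tokens.pop(0)
            if separator is None:
                raise ValueError("layout uses Sep. but no Serial Number Separator is configured")
            serial, found, rest = rest.partition(separator)
            if not found:
                raise ValueError("Serial Number Separator not present in password field")
            parts["SerialNo"] = normalize_serial(serial)      # dashes are allowed with a separator
        else:
            serial, rest = rest[:SERIAL_LEN], rest[SERIAL_LEN:]
            if len(serial) != SERIAL_LEN or not serial.isdigit():
                raise ValueError("serial number must be exactly 10 digits when no separator is set")
            parts["SerialNo"] = serial

    while tokens:
        tok = tokens.pop()                      # walk the remaining layout from the right
        if tok == "Password":
            if tokens:
                raise ValueError("Password must directly follow the serial number")
            if not rest:
                raise ValueError("static password missing")
            parts["Password"], rest = rest, ""
            break
        if tok not in lengths:
            raise ValueError(f"unknown login variable {tok!r}")
        n = lengths[tok]
        if len(rest) < n:
            raise ValueError(f"password field too short for {tok}")
        rest, value = rest[:-n], rest[-n:]
        if tok == "NewPIN" and parts.get("NewPIN", value) != value:
            raise ValueError("NewPIN and its confirmation differ")
        parts[tok] = value

    if rest:
        raise ValueError("unexpected characters before the first fixed-length variable")
    return parts


if __name__ == "__main__":
    # The two examples from the page, parsed with a 6-character OTP and 4-digit PIN.
    print(split_combined("SerialNo+Sep.+Password+OTP+NewPIN+NewPIN",
                         "3-179-0987::pA192ss086382012341234",
                         otp_len=6, pin_len=4, separator="::"))
    print(split_combined("SerialNo+Password+OTP", "0031790987PA192ss0863820",
                         otp_len=6, pin_len=4))
```

Because the Password is identified only by being the leftover, the server must know the OTP and PIN lengths for the user's Digipass and Policy before it can split the field; a wrong length silently shifts characters between Password and OTP, which is why the fixed-length variables are taken from the end rather than the front.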
10.1.7 Response Only – CHAP/MS-CHAP/MS-CHAP2
The following table applies to the following case only:
RADIUS using CHAP, MS-CHAP or MS-CHAP2, when EITHER the Stored Password Proxy feature is enabled OR Back-End Authentication is not enabled

Table 57: Login Permutations - Response Only CHAP/MS-CHAP/MS-CHAP2
Login Type   | Server PIN Required? | Password Field Contents
Normal login | Yes                  | PIN+OTP
Normal login | No                   | OTP
10.1.8 2-Step Challenge/Response – Cleartext Combined Password Format
The following table applies to the following cases:
SOAP using Cleartext Combined password format
Administration logins
RADIUS using PAP
IIS Modules
Challenge/Response in RADIUS is only supported for PAP.
The column 'Stored Password Proxy Off AND Back-End Auth. Required' contains Yes when the Stored Password Proxy feature is not enabled AND Back-End Authentication is enabled.
In most cases this does not change the 2-Step Challenge/Response inputs; it only matters when a Keyword alone is used as the request method, because the static password must then be supplied together with the response.
Table 58: Login Permutations – 2-Step Challenge/Response Cleartext Combined

Login Type          | Serial Number Separator? | Request Method   | Stored Password Proxy Off AND Back-End Auth. Required (3) | Pre-Challenge          | Response
Normal login        | N/A                      | Keyword          | Yes                                                       | Keyword                | Password+OTP
Normal login        | N/A                      | Keyword          | No                                                        | Keyword                | OTP
Normal login        | N/A                      | Password         | N/A                                                       | Password               | OTP
Normal login        | N/A                      | Keyword-Password | N/A                                                       | Keyword+Password       | OTP
Normal login        | N/A                      | Password-Keyword | N/A                                                       | Password+Keyword       | OTP
Changed Password    | N/A                      | Keyword          | N/A                                                       | Keyword                | Password+OTP
Changed Password    | N/A                      | Password         | N/A                                                       | Password               | OTP
Changed Password    | N/A                      | Keyword-Password | N/A                                                       | Keyword+Password       | OTP
Changed Password    | N/A                      | Password-Keyword | N/A                                                       | Password+Keyword       | OTP
Self-Assignment (4) | Yes                      | N/A              | N/A                                                       | SerialNo+Sep.+Password | OTP
Self-Assignment (4) | No                       | N/A              | N/A                                                       | SerialNo+Password      | OTP

(3) Back-End Authentication is required for Self-Assignment and Password Autolearn logins.
(4) If a Serial Number Separator is not set, the serial number must have all non-numerical characters removed and be padded to 10 characters with preceding zeroes.
10.1.9 Virtual Digipass
The 2-step Virtual Digipass login is possible when using a SOAP client, the RADIUS Access-Challenge mechanism or an IIS Module in form-based authentication mode. The static password is required in either the first or the second step, but not both.
However, many RADIUS environments and IIS Module 'basic authentication' do not support the 2-step login process. If the 2-step login process is not possible, two separate 1-step logins are required. The second login must include the Password as well as the OTP, but it is not necessary to provide the Password in the first login, if only a Keyword is used.
Using the Cleartext Combined password format, all inputs in the table below are entered into the Password field.
Using the Cleartext Separate password format, the Keyword and/or Password are always entered into the Static Password field, while the OTP is entered into the OTP field.
Table 59: Login Permutations – Virtual Digipass Login

Login Type       | Request Method   | 2-step login: Step 1 | 2-step login: Step 2 | Two 1-step logins: Step 1 | Two 1-step logins: Step 2
Normal login     | Keyword          | Keyword              | Password+OTP         | Keyword                   | Password+OTP
Normal login     | Password         | Password             | OTP                  | Password                  | Password+OTP
Normal login     | Keyword-Password | Keyword+Password     | OTP                  | Keyword+Password          | Password+OTP
Normal login     | Password-Keyword | Password+Keyword     | OTP                  | Password+Keyword          | Password+OTP
Changed Password | Keyword          | Keyword              | Password+OTP         | Keyword                   | Password+OTP
Changed Password | Password         | Password             | OTP                  | Password                  | Password+OTP
Changed Password | Keyword-Password | Keyword+Password     | OTP                  | Keyword+Password          | Password+OTP
Changed Password | Password-Keyword | Password+Keyword     | OTP                  | Password+Keyword          | Password+OTP