Use case scenarios
The SAS architecture supports the use of a token-side or a server-side PIN in either QuickLog or Challenge-Response mode. In addition, the application using the API must support challenges, inner and outer window authentication, and static password authentication. The following sections discuss these features in detail.
Note
Localization: To support localization, SAS returns only necessary data in its challenge messages. The application is required to construct a localized version of it to display to the client.
For example, SAS would return only 19863257, but the application would display: "Please respond to the challenge: 19863257."
Note
Mode: Tokens can operate in either Challenge-Response or QuickLog mode. QuickLog mode is recommended because it simplifies the logon experience and strengthens security by eliminating the requirement to enter a challenge into a token to get an OTP. QuickLog does not rely on time to remain synchronized with the server. Instead, each time an event-based token is activated, a new token code is generated.
Basic authentication
The communication between the application and the server uses challenge messages and states, similar to the RADIUS protocol. The following scenario shows the most basic interaction between the application and the server:
- The application issues an authentication request that includes the user name, organization name, and a passcode.
- The server responds with one of twelve possible return codes. For more information, see Authenticate method.
Challenge-Response authentication
The challenge message and state attribute issued from the authenticating server are central to the concept of challenge-response authentication, outer window authentication, and server-side PIN changes. This mechanism is employed to authenticate tokens in challenge-response mode in the following manner:
- The application issues an authentication request that includes the user name, organization name, and an empty passcode.
- The server responds with a challenge message containing a challenge string, for example,
Challenge: 19863257, and a state attribute. See LOCALIZATION NOTE. - The authenticating application responds to the challenge by issuing another authentication request that includes the same user name, organization name, a response, and the state attribute.
Outer window authentication
User authentication through inner and outer window authentication, supported only for hardware tokens, uses challenge messages and state attributes, similar to the Challenge-Response Authentication scenario. In outer window authentication, users provide a match in a large look-ahead window, and respond to a follow-up challenge by providing the exact next OTP from their token. The following sequence illustrates the process:
- The application issues an authentication request that includes the user name, organization name, and a passcode.
- The server finds a match for the provided OTP in the outer window, and then issues a challenge to the client containing an outer window authentication string, for example: "Please re-authenticate using the next OTP from your token", and a state attribute.
- The authenticating application responds to the challenge by issuing another authentication request that includes the same user name, organization name, a response, and the state attribute.
PIN authentication
SAS supports several PIN types:
- No PIN
- Fixed PIN (token-side PIN validation)
- User-changeable PIN (token-side PIN validation)
- Fixed PIN stored on server
- User-changeable PIN stored on server
- Server-changeable PIN stored on server
The SAS authentication mechanism supports incoming passcodes in the following formats:
[PIN+OTP][OTP][NEWPIN][StaticPassword][null]— empty passcode to request a challenge
PINs stored on the server can be user-changeable or server-changeable. To accommodate this, leverage the challenge framework in the following manner.
User-changeable PIN stored on server
- The application issues an authentication request that includes the user name, organization name, and a passcode.
- The server finds a match for the provided OTP and determines that the PIN must be changed.
- The server issues a challenge to the client containing a PIN change string, for example, "Your PIN has expired. Please enter a new PIN", and a state attribute.
- The authenticating application responds to the challenge by returning a new PIN and the state attribute.
Server-changeable PIN stored on server
- The application issues an authentication request that includes the user name, organization name, and a passcode.
- The server finds a match for the provided OTP and determines that the PIN must be changed.
- The server issues a challenge to the client containing a PIN change string, for example, "Your new PIN is 628. Please re-authenticate using this new PIN and your next passcode", and a state attribute. See LOCALIZATION NOTE.
- The authenticating application responds to the challenge by issuing another authentication request that includes the user name, organization name, the new PIN and OTP, and the state attribute.
Static password authentication
SAS offers the option of static password authentication, including enabling the user to change the password. The challenge-response architecture can be used in the following manner:
- The application issues an authentication request that includes the user name, organization name, and a static password.
- If the user is not required to change the password and it is correct, the server returns access-accept.
- If the user is required to change the password, a challenge message is issued to the client, for example, "Your password has expired. Please enter a new password", and a state attribute. See LOCALIZATION NOTE.
- If a challenge message has been issued in step 3, the authenticating application responds to the challenge by issuing an authentication request that includes the user name, organization name, the new static password, and the state attribute.
MobilePass push authentication
MobilePass push authentication enables users to approve an authentication request through a push notification sent to their enrolled MobilePASS+ authenticator. When push authentication is initiated, the SAS server sends a push notification to the user's MobilePASS+ authenticator. The user approves the request on their MobilePASS+ authenticator to complete authentication.
The following sequence illustrates the push authentication flow:
- The application issues an authentication request that includes the user name, organization name, and a null or empty passcode.
- The SAS server delivers a push notification to the user's enrolled MobilePASS+ authenticator.
- The user approves the push notification on their MobilePASS+ authenticator.
- The server returns return code
1(authentication succeeded).
If the user does not respond within the timeout period, the server returns return code 9 (push timed out). If the user explicitly denies the push notification, the server returns return code 11 (push denied).
Numerical challenge authentication
Numerical challenge authentication (push with number matching) adds an additional layer of security to push authentication by requiring the user to match a number displayed in the application with the number shown on their MobilePASS+ authenticator. This helps prevent accidental approval of push notifications.
The following sequence illustrates the numerical challenge flow:
- The application issues an authentication request that includes the user name, organization name, and a null or empty passcode.
- The server returns return code
10(numerical push challenge) along with a challenge number in the challenge field and a state attribute. - The application displays the challenge number to the user.
- The user matches the displayed number with the number shown on their MobilePASS+ authenticator and approves the push notification.
- The application re-calls the
Authenticatemethod with the same user name, organization name, IP address, passcode, and the challenge and state attributes returned in step 2. - The server returns return code
1(authentication succeeded), return code9(push timed out), or return code11(push denied by user).