aXsGUARD Identifier 3.0.2.0 Product Guide v1.5
User Authentication Process
3.5.3.3 Response Only
The Response Only login and authentication process involves the following steps:
- The User generates an OTP with their DIGIPASS device.
- The User enters their User ID and the OTP in the login window.
- The aXsGUARD Identifier authenticates the User (see image below).
Image 8: Response Only Login and Authentication Process
3.5.3.4 Challenge/Response
There are two processes possible for a Challenge/Response OTP login:
- 1-step login: this is useful for client applications which can only support a single login screen, e.g. RADIUS without support for Challenge/Response or Web HTTP Basic Authentication. The Challenge generated by the aXsGUARD Identifier is not specific to any DIGIPASS device, but is presented in the login window when the User attempts to access the client application.
- 2-step login: this is possible with applications which support two login screens, e.g. Citrix Web Interface and RADIUS with support for Challenge/Response. The User first requests a Challenge, submitting identification data. The Challenge generated by the aXsGUARD Identifier is then specific to the User's DIGIPASS device. This adds an extra security layer to the login and authentication process.
Some Policy settings are possible for Challenges:
- Challenge length: the length of the Challenge for all users can be pre-defined (please see the online help for more information).
- Challenge Check digit: Challenges may include 'check digits' computed from the structure of the Challenge, which enable a DIGIPASS device to reject an incorrectly typed (and therefore invalid) Challenge (please see the online help for more information).
- Challenge Check Mode: this setting is for advanced control over time-based Challenge/Response authentication (please see the online help for more information).
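The 2-step login and the Challenge check digit described above can be sketched as follows. This is an added example, not code from the product or from VASCO: the guide does not specify the DIGIPASS algorithms, so a Luhn check digit and HMAC-SHA-256 stand in for them, and all function and class names are hypothetical.

```python
import hashlib
import hmac
import secrets

def luhn_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test (assumed scheme)."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost payload digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)

def new_challenge(length: int = 8) -> str:
    """Server: random digits plus a trailing check digit; length is a Policy setting."""
    body = "".join(secrets.choice("0123456789") for _ in range(length - 1))
    return body + luhn_digit(body)

def challenge_is_well_formed(challenge: str) -> bool:
    """Device: detect a mistyped Challenge before computing any response."""
    return (len(challenge) > 1 and challenge.isascii() and challenge.isdigit()
            and luhn_digit(challenge[:-1]) == challenge[-1])

def device_response(device_key: bytes, challenge: str, digits: int = 6) -> str:
    """Device: decimal response from the Challenge and the device secret (HMAC stand-in)."""
    if not challenge_is_well_formed(challenge):
        raise ValueError("check digit mismatch: Challenge was typed incorrectly")
    mac = hmac.new(device_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

class Server:
    """2-step login: a Challenge is issued per User ID and accepted only once."""
    def __init__(self, keys: dict[str, bytes]):
        self.keys, self.pending = keys, {}

    def request_challenge(self, user_id: str) -> str:
        # Step 1: the User submits identification data and receives a Challenge.
        self.pending[user_id] = new_challenge()
        return self.pending[user_id]

    def verify(self, user_id: str, response: str) -> bool:
        # Step 2: the pending Challenge is consumed, so a replayed response fails.
        challenge = self.pending.pop(user_id, None)
        if challenge is None or user_id not in self.keys:
            return False
        expected = device_response(self.keys[user_id], challenge)
        return hmac.compare_digest(expected, response)
```

A Luhn digit catches every single-digit typing error but not every transposition, which is one reason a real deployment should rely on the vendor's own check-digit scheme.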
© 2009 VASCO Data Security