Challenge / Response Authorization

Challenge / Response authorization provides an additional level of control for access to applications and privileges, by presenting users with a challenge code in an end user message. In order for the user to progress, they must enter a corresponding response code into the message.

Any policy that has a message with challenge / response needs a shared key. This key is defined when you set up the first challenge / response message in your policy, although you can change it later if required. If you create a Workstyle containing a challenge / response message, or you create a new challenge / response message, and you are not prompted to create a shared key, then there is already a shared key for the policy. You cannot view this shared key; however, you can change it here if required.

Challenge / Response authorization is configured as part of end user messages, and can be used in combination with any other authorization and authentication features of Endpoint Privilege Management for Mac messaging.

Users are presented with a different, unique challenge code each time a challenge / response message is displayed.

Challenge and response codes are presented as an 8-digit number, to minimize the possibility of incorrect entry. When a user is presented with a challenge code, the message may be canceled without invalidating the code. A new challenge code will be generated every time the user runs the application.

For more information on configuring challenge / response authorization enabled end user messages, see Message Design.

Shared Key

The first time you create an Endpoint Privilege Management for Mac end user message with a challenge, you are asked to create a shared key. The shared key is used by Endpoint Privilege Management for Mac to generate challenge codes at the endpoint.

Once you have entered a shared key, it will be applied to all end user messages that have challenge / response authorization enabled in the same Endpoint Privilege Management for Mac settings.

To change the shared key:

  1. Right-click Endpoint Privilege Management Settings and select Set Challenge / Response Shared Key.
  2. In the Challenge / Response Shared Key dialog box, edit the Enter Key and Confirm Key with the new Shared Key.
  3. Click OK to complete. If the Enter Key and Confirm Key values do not match, you will be presented with a warning message.

We recommend that your shared key be at least 15 characters long and include a combination of alphanumeric, symbolic, uppercase, and lowercase characters. As a best practice, the shared key should be changed periodically.

Generate a Response Code

There are two ways to generate a response code. You can either use the PGChallengeResponseUI.exe utility that is installed as part of the Endpoint Privilege Management Policy Editor, or you can generate one directly within the MMC.

In order to generate a response code, you must have set a Challenge / Response Shared Key. You are prompted to do this when you create any policy that has a Challenge / Response message assigned to it. Alternatively, you can set the Challenge / Response Shared Key from the home page of the Endpoint Privilege Management Settings node by clicking Set Challenge / Response Shared Key.

You can generate a response code from the Endpoint Privilege Management Policy Editor. This launches a tool called PGChallengeResponseUI.exe. This tool is part of your installation and can be used independently of the Endpoint Privilege Management Policy Editor. The tool is installed to the path <Installation Dir>\Avecto\Privilege Guard Endpoint Privilege Management Policy Editors\.

To generate a response code in the Endpoint Privilege Management Policy Editor:

  1. Click the Endpoint Privilege Management Settings node, and then Tools on the right-hand side.
  2. Click Response Code Generator.
  3. Enter the shared key you have defined and the challenge code from the end user.
  4. The response code is generated once both the Shared Key and the 8-character challenge code have been entered.

The response value can then be sent to the end user to enter into their challenge dialog.
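The following is an added illustration of the flow described on this page and in the Shared Key section above; it is not BeyondTrust's code. The endpoint issues a fresh 8-digit challenge each time the application runs, the administrator derives the response from the shared key and the challenge, and the endpoint accepts a response only for its current challenge. The HMAC-SHA256 derivation, the `Endpoint` class and the key-policy check are assumptions for illustration; the product's actual code derivation is not documented here.

```python
import hashlib
import hmac
import secrets
import string

CODE_DIGITS = 8  # the page describes 8-digit challenge and response codes


def shared_key_meets_policy(key: str) -> bool:
    """Check the page's recommendation: at least 15 characters, with
    uppercase, lowercase, digit and symbol characters all present."""
    return (len(key) >= 15
            and any(c.isupper() for c in key)
            and any(c.islower() for c in key)
            and any(c.isdigit() for c in key)
            and any(c in string.punctuation for c in key))


def new_challenge() -> str:
    """Fresh, unpredictable 8-digit challenge for each run of the application."""
    return f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"


def response_for(shared_key: str, challenge: str) -> str:
    """Response code derived from the shared key and the challenge.
    Assumption for illustration: HMAC-SHA256 truncated to 8 decimal digits."""
    mac = hmac.new(shared_key.encode(), challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Endpoint:
    """Endpoint side (hypothetical model): holds the policy's shared key
    and the challenge currently shown in the end user message."""

    def __init__(self, shared_key: str):
        self.shared_key = shared_key
        self.pending = None

    def run_application(self) -> str:
        # A new challenge code is generated every time the user runs the application.
        self.pending = new_challenge()
        return self.pending

    def submit_response(self, response: str) -> bool:
        if self.pending is None:
            return False
        expected = response_for(self.shared_key, self.pending)
        ok = hmac.compare_digest(expected, response)  # constant-time comparison
        if ok:
            self.pending = None  # a response is good for one challenge only
        return ok
```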