Ditch PUK for Challenge-Response
Author: Declan Inglis, Delivery Engineer
If you’ve ever blocked the PIN code to your mobile phone, then you know using a personal unlocking key (PUK) can be a hassle. Most mobile phones use a PUK for resetting a lost or forgotten PIN. These PUK codes are often difficult to remember, and most users do not have them handy when needed.
But what if we were able to unblock a PIN using a much more convenient method – Challenge-Response? In computer security, challenge-response authentication is a family of protocols in which one party presents a question (challenge) and another party must provide a valid response for authentication. There are different approaches to authentication using challenge-response systems, but modern challenge-response authentication methods typically incorporate one or more cryptographic protocols to prove that the user being authenticated knows a secret without the need to share the secret itself. In challenge-response authentication, the client application first obtains random challenge data from the server and calculates a cryptogram (the response) that proves possession of the secret; the cryptogram is then sent back to the server.
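The exchange described above, as an added example that is not Versasec's code or the vSEC:CMS implementation: the server side issues a single-use random challenge and the client side returns a cryptogram computed over it with the shared secret. HMAC-SHA256 as the cryptogram function and the names `Verifier`, `compute_response` and `demo` are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets


class Verifier:
    """Side that issues challenges and checks responses (the 'server' above)."""

    def __init__(self, shared_secret: bytes):
        self._secret = shared_secret
        self._pending = set()  # challenges issued and not yet answered

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)  # unpredictable random data
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Each challenge is good for one attempt only, so a captured
        # challenge/response pair cannot be replayed later.
        if challenge not in self._pending:
            return False
        self._pending.discard(challenge)
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def compute_response(shared_secret: bytes, challenge: bytes) -> bytes:
    """Client side: the cryptogram that proves possession of the secret."""
    # HMAC-SHA256 is an assumption here, not the algorithm of any product.
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


def demo() -> dict:
    secret = secrets.token_bytes(32)  # constructed sample key
    verifier = Verifier(secret)

    c1 = verifier.new_challenge()
    r1 = compute_response(secret, c1)
    valid = verifier.verify(c1, r1)      # correct secret, fresh challenge
    replayed = verifier.verify(c1, r1)   # same pair presented again

    c2 = verifier.new_challenge()
    wrong_key = verifier.verify(c2, compute_response(b"\x00" * 32, c2))
    return {"valid": valid, "replayed": replayed, "wrong_key": wrong_key}


if __name__ == "__main__":
    print(demo())
```

The secret never crosses the channel; only the challenge and the cryptogram do, and the verifier rejects both a replayed pair and a response computed with a different key.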
Now, companies that deploy all PIV-enabled smart cards and tokens have the option to unblock PIN codes using challenge-response thanks to our vSEC:CMS. PIV-enabled smart cards can, for example, be used as Common Access Cards (CAC cards). Smart cards are credit-card-sized cards used by government organizations, enterprises, financing companies and more to enable physical and network access to buildings and computer systems. IT directors at large and small organizations can now easily unblock devices using challenge-response rather than relying on cumbersome and hard-to-remember PUK codes.
Versasec has long supported challenge-response for Yubico. Now, our latest version of vSEC:CMS also supports PIV smart cards from Gemalto, IDemia, Morpho, Oberthur, Taglio, Feitian and more. To view the full list of vSEC:CMS-supported cards, visit Versasec's supported credential page.
PUK code and Challenge-Response are methods suited to an unconnected setup, meaning that the credential (for example, a smart card) is not connected to the management system. If the credential is connected to the management system, either directly or over a network, more convenient and more secure methods can be used. To learn more about other ways to unblock a PIN code, read our recent blog, https://versasec.com/blog/2019-05-21_Best-Procedures-for-Unblocking-PIN-Codes-Using-vSEC-CMS.