Ditch PUK for Challenge-Response

Date: 2019-09-25
Author: Declan Inglis, Delivery Engineer

Ditch PUK for Challenge-Response

If you’ve ever blocked the PIN code to your mobile phone, then you know using a personal unlocking key (PUK) can be a hassle. Most mobile phones use a PUK for resetting a lost or forgotten PIN. These PUK codes often are difficult to remember, and most users do not have them handy when needed.

But, what if we were able to unblock a PIN using a much more convenient method – Challenge-Response? In computer security, challenge-response authentication is a family of protocols in which one party presents a question (challenge) and another party must provide a valid response for authentication. There are different approaches to authentication using challenge-response systems, but modern challenge-response authentication methods typically incorporate one or more cryptographic protocols to prove the user being authenticated knows a secret without the need to share the secret itself. In challenge-response authentication, the client application initially obtains a random challenge data, from the server, calculates a cryptogram (the response) that proves the possession of the secret, then the cryptogram is sent back to the server.

Now, companies that deploy all PIV-enabled smart cards and tokens have the option to unblock PIN codes using challenge-response thanks to our vSEC:CMS. PIV-enabled smart cards can for example be used as Common Access Cards (CAC cards). Smart cards are credit-card-sized smart cards and used by government organizations, enterprises and financing companies and more to enable physical and network access to buildings and computer systems. IT directors at large and small organizations can now easily unblock devices using challenge-response rather than relying on cumbersome and hard-to-remember PUK codes.

Versasec has long supported challenge-response for Yubico. Now, our latest version of vSEC:CMS, also supports PIV smartcards from Gemalto, IDemia, Morpho, Oberthur, Taglio, Feitian and more. To view the full list of vSEC:CMS- support cards, visit Versasec’s supported credential page.

PUK code and Challenge-Response are methods that are suitable to be used in an unconnected setup, meaning that the credential (for example smart card) is not connected to the management system. If the credential is connected directly to the management system, either directly or over a network, more convenient and more secure methods can be used. To learn more about other ways to unblock a PIN code, read our recent blog, https://versasec.com/blog/2019-05-21_Best-Procedures-for-Unblocking-PIN-Codes-Using-vSEC-CMS.


Our product suite provides all the software tools to administrate and manage credentials in a secure and convenient way.

Start here

Free Product Trial

Versasec provides enabling IT security products centered on the usage of security devices such as smart cards. Our solutions enable customers to securely authenticate, issue and manage user credentials more cost effectively. Get a free product trial.

Job Openings

We are always looking for new exceptional persons to join our team! Find out more about our job openings.

Versasec Support

Versasec customers with an existing support and maintenance contract can access the Versasec Support Portal, offering extensive professional support and maintenance services. The Versasec Support Portal offers a variety of services, allowing for customers and any site visitor to communicate directly with support engineers.

Contact Support

Company Blog

Our blog addresses the latest security trends and stories. The posts discuss how identity and access management are playing a larger role in keeping corporate data safe as well as brand reputations intact.

Visit our Blog
Share this article