MSCHAPv2

MSCHAPv2, or Microsoft Challenge Handshake Authentication Protocol version 2, is a password-based authentication protocol used in PPP connections, many VPN implementations, and Windows remote access services. It is the successor to MS-CHAP v1 and provides a challenge-response mechanism that allows both sides to authenticate without sending the cleartext password.

In operation, the server sends a challenge to the client. The client uses the user’s password to compute an NTLMv2-style response based on the server challenge and additional data provided by the client, and then sends this response back to the server. The server performs the same computation using the user’s password hash and the received data to verify the response. MSCHAPv2 also supports a mutual authentication step, enabling the client to verify that the server possesses the correct password as part of the exchange.

Security and limitations often discussed with MSCHAPv2 focus on its reliance on NTLM-based hashes. While MSCHAPv2 improves security relative to MS-CHAP v1 by adding mutual authentication and stronger cryptographic techniques, it remains vulnerable to offline dictionary or brute-force attacks if an attacker captures the authentication handshakes and has access to the password hash. Consequently, password strength is critical, and the use of additional transport security or stronger authentication methods is recommended. For new deployments, alternatives such as EAP-TLS or EAP-TTLS/PEAP with certificate-based or robust credential methods are generally preferred over MSCHAPv2.

Usage notes: MSCHAPv2 is commonly found in legacy PPTP VPN configurations and Windows-based remote access setups, often in conjunction with RADIUS or similar backends.