Multiple authenticators or authenticator applications

Authenticator users can have multiple authenticators assigned to their user accounts. Those authenticators may have multiple authenticator applications enabled. In that case, OneSpan Authentication Server needs to know:

  1. Whether a user is allowed to have multiple authenticator applications assigned.
  2. Which authenticator and authenticator application will be used for a particular logon of the user.

Figure: Multiple authenticator assignments illustrates an example of how authenticators and authenticator applications can be assigned.

Figure: Multiple authenticator assignments

You can configure whether to allow the use of multiple authenticator applications per user. By default, this setting is enabled.

OneSpan Authentication Server also supports the multi-device licensing and multi-device activation model (see Authenticator licensing and activation).

One authenticator license can be used to instantiate several authenticator instances, all bound to that same license. With regard to the representation of authenticator applications, authenticator instances do not differ from authenticators activated in the standard process. OneSpan Authentication Server creates the authenticator instance(s) for a particular license during the multi-device activation process.

Aside from configuring whether multiple authenticator applications per user are allowed, you can also restrict which authenticator application is allowed for a specific policy. With this kind of restriction, OneSpan Authentication Server verifies OTPs only against that type of authenticator application. For example, if a policy restricts the allowed authenticator applications to Response-Only (RO), OneSpan Authentication Server verifies every OTP only against the RO applications assigned to the user.

When considering whether to allow multiple authenticator applications per user and/or which authenticator applications to allow, see Table: OTP authentication for scenarios with single and multiple authenticator applications. This table explains how OneSpan Authentication Server authenticates OTP from each user account, given various possible scenarios.

Table: OTP authentication for scenarios with single and multiple authenticator applications

| Scenario | User account 1 | User account 2 | User account 3 |
|---|---|---|---|
| Multiple authenticator applications allowed, no policy restrictions on authenticator applications. | OTP is authenticated against all authenticator applications from assigned authenticators. | OTP is authenticated against all authenticator applications from assigned authenticators. | OTP is authenticated against the authenticator application from assigned authenticators. |
| Multiple authenticator applications allowed, only RO applications allowed. | OTP is authenticated only against application 1 of both assigned authenticators. | OTP is authenticated only against application 1 of assigned authenticators. | OTP is authenticated against application 1 of assigned authenticators. |
| Single authenticator applications allowed, no policy restrictions on authenticator applications. | OneSpan Authentication Server detects multiple authenticator applications assigned and immediately fails the logon attempt. | OneSpan Authentication Server detects multiple authenticator applications assigned and immediately fails the logon attempt. | OTP is authenticated against authenticator application from assigned authenticators. |
| Single authenticator applications allowed, only RO applications allowed. | OneSpan Authentication Server detects multiple RO authenticator applications assigned and immediately fails the logon attempt. | OneSpan Authentication Server detects one RO assigned, and authenticates OTP against this application. | OTP is authenticated against authenticator application from assigned authenticators. |
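
The selection logic in the table can be modeled as follows. This is an added illustration, not OneSpan code or a OneSpan API: the serial numbers, the `CR` label for a non-RO application, the assignments per user account (inferred from the table) and the rejection when no permitted application is assigned are all assumptions.

```python
from dataclasses import dataclass


class LogonRejected(Exception):
    """Raised when the model fails a logon before any OTP is verified."""


@dataclass(frozen=True)
class App:
    authenticator: str  # constructed serial number
    number: int         # application number on that authenticator
    kind: str           # "RO" = Response-Only; "CR" is an assumed non-RO type


def candidate_apps(assigned, allow_multiple, allowed_kinds=None):
    """Return the applications an OTP would be verified against."""
    # The policy restriction is applied first: only allowed types are considered.
    pool = [a for a in assigned if allowed_kinds is None or a.kind in allowed_kinds]
    if not pool:
        # Assumption: the page does not describe this case; the model rejects it.
        raise LogonRejected("no assigned application is permitted by the policy")
    # The single-application check then counts only what survived the filter.
    if not allow_multiple and len(pool) > 1:
        raise LogonRejected("multiple authenticator applications assigned")
    return pool


# Constructed assignments, chosen to be consistent with the table above.
USERS = {
    "user1": [App("AUTH-A", 1, "RO"), App("AUTH-A", 2, "CR"),
              App("AUTH-B", 1, "RO"), App("AUTH-B", 2, "CR")],
    "user2": [App("AUTH-C", 1, "RO"), App("AUTH-C", 2, "CR")],
    "user3": [App("AUTH-D", 1, "RO")],
}


def outcome(user, allow_multiple, allowed_kinds=None):
    """Return 'FAIL' or the sorted (authenticator, application) pairs checked."""
    try:
        apps = candidate_apps(USERS[user], allow_multiple, allowed_kinds)
    except LogonRejected:
        return "FAIL"
    return sorted((a.authenticator, a.number) for a in apps)


if __name__ == "__main__":
    for multi in (True, False):
        for kinds in (None, {"RO"}):
            print(multi, kinds, {u: outcome(u, multi, kinds) for u in USERS})
```

Because the type restriction is evaluated before the count, user account 2 passes the single-application check under an RO-only policy even though two applications are assigned to it.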

For information about grace periods with multiple authenticators, see Grace period.