Provisioning overview
In OneSpan Authentication Server, the term provisioning refers to delivery, registration, and activation of the software.
Software delivery
You are free to deliver the software to your customers in any way you choose. You can either deliver software to users, or allow them to download the software from a secure site. An activation code is required to activate the software authenticator. This code can be delivered via two methods:
Online delivery
With this method, the activation code is delivered directly to the application that is going to use it. If the activation code is delivered in this way, the user will never see it. This option is available for Mobile Authenticator Studio and the OneSpan Mobile Authenticator app.
Offline delivery
With offline delivery, available for Mobile Authenticator Studio, the activation code is delivered via a mechanism such as email, text message, or fax.
User/authenticator registration
The authenticator records must be imported from a DIGIPASS export file (DPX) before registration can occur.
Each software authenticator user requires a user account in OneSpan Authentication Server. The user accounts can either be imported to OneSpan Authentication Server, created individually, or created dynamically during registration if Dynamic User Registration (DUR) is available.
For software authenticators to work, an authenticator needs to be assigned to the user account. This can be done in two ways:
- Manually. An administrator explicitly assigns an authenticator, e.g. via the Administration Web Interface.
- Automatically. OneSpan Authentication Server selects a random authenticator and assigns it to the new user account as it is created. In OneSpan Authentication Server this behavior is known as auto-assignment.
Afterward, an activation code is generated and sent to the user.
Activate software
Each software authenticator needs to be activated before it can be used. This means that OneSpan Authentication Server is informed that all the components are in place for the software authenticator and you are ready to use it.
There are two stages of activation:
- Delivering the activation code to the software authenticator.
- Sending the first one-time password to the server.
Figure: Provisioning steps
Delayed activation
The authenticator start time defines a particular date and time when an activated (software) authenticator can effectively be used for authentication. If defined in the effective policy, the start time can be automatically calculated based on a delayed activation period when assigning/registering the authenticator to a user. Although the software authenticator has already been activated, OneSpan Authentication Server will not allow it to be used for authentication, until the start time has been reached. This is called delayed activation.
If defined in the effective policy, two separate notification messages are sent to the respective user to indicate delayed activation:
- The activation delayed notification is sent when the authenticator is assigned/registered to the user.
- The activation completed notification is sent when the start time has been reached, i.e. when the authenticator can effectively be used.
The notification messages are sent using Message Delivery Component (MDC) and handled independently of each other: if defined, either both, none, or either one is sent.
Provisioning components
There are two required components and one optional component required to implement provisioning:
Web application (customized)
The web application controls the user interaction during provisioning. It uses the OneSpan Authentication Server SDK to communicate with OneSpan Authentication Server. For more information, refer to the OneSpan Authentication Server SDK product documentation.
The web application should be able to do the following:
- Make the software authenticator available for download.
- Facilitate the delivery of the activation code to the user.
- Send the first one-time password to OneSpan Authentication Server.
OneSpan Authentication Server
OneSpan Authentication Server handles user account and authenticator records. It generates activation codes, verifies OTP values, and stores static passwords.
Back-end system
The back-end system can be used by OneSpan Authentication Server for Dynamic User Registration and/or static password verification. For more information, see Back-end authentication.
User authentication during provisioning
The user authentication method during a software authenticator provisioning process depends on two factors:
- The local authentication method set in the relevant policy.
- Whether the user already has an activated authenticator.
The possible local authentication settings and their effects on the provisioning process are:
- If Local Authentication is set to DIGIPASS/Password during Grace Period, the users must use their static password when activating their first authenticator. Upon successful completion of the authenticator activation the grace period ends, and any future provisioning operations will require the user to authenticate with an OTP.
- If Local Authentication is set to DIGIPASS or Password, the users must use their static password when activating their first authenticator. After this, the users can authenticate with their static password or their authenticator during any future provisioning operations.
If the local authentication method is Digipass Only, users who are activating their first authenticator will be unable to complete the activation because they are not allowed to authenticate with their static password.
For more information about local authentication methods, see Local authentication.