The password fatal counter is decremented every time a wrong password is entered, and reset on correct password submission. When the counter is consumed, the Digipass SDK applies a penalty.
If the password security level is set to checksum or hash, wrong passwords matching the security level will also reset the counter. Setting the fatal counter value to 3 triggers the penalty when the user attempts a fourth time to enter the wrong password.
Reset key penalty
The reset-key penalty consists of resetting the Digipass secret in the dynamic vector. The secret is deleted and the Digipass instance needs to be reactivated. The event counters are not reset. The Digipass status is set to locked.
Generate invalid OTP penalty
The generate-invalid-OTP penalty consists of generating an OTP regardless of whether the entered password is correct or not. Only the right password, that is, the one used during activation, will generate a correct OTP.
With this penalty, if the submitted password matches the password security level but is not the correct password, the following will happen:
- On OTP/signature generation, the dynamic vector-encrypting key calculated from the wrong password will be incorrect, and therefore the decrypted Digipass key will be incorrect as well. As a result, the generated OTP/signature will be invalid. Even if the dynamic vector-encrypting key is incorrect, the original Digipass key is not changed, because it is not re-encrypted. If a valid password is entered, the Digipass SDK resets the password fatal counter in the dynamic vector to its initial value (set in the static vector). The application status is reset from generate invalid OTP to activated.
- On password change, the dynamic vector-encrypting key calculated from the wrong password will be incorrect, and the decrypted Digipass key will be incorrect as well. The dynamic vector-encrypting key calculated from the new password will then encrypt this wrong Digipass key, which compromises the stored key. In this case, the Digipass key is lost and the application needs to be reactivated.
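The fatal counter and the generate-invalid-OTP penalty described above, as an added, constructed Python model that is not the Digipass SDK's own code. It assumes a PBKDF2-derived vector-encrypting key, XOR encryption of the secret, a one-byte checksum standing in for the "checksum" security level, and an HMAC event-based OTP; all of these are simplifications chosen for illustration, not the real vector format.

```python
import hashlib
import hmac
# Constructed model for illustration only, not the OneSpan Digipass SDK's real vector
# format or algorithm. The secret is stored only encrypted under a password-derived key;
# the password itself is never stored, just a one-byte checksum ("checksum" level).

def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def checksum(password: str) -> int:
    return sum(password.encode()) & 0xFF

def otp_for(secret: bytes, event: int) -> str:
    # Reference OTP the server computes from the true secret (event-based).
    return hmac.new(secret, event.to_bytes(8, "big"), "sha256").hexdigest()[:6]

class DynamicVector:
    def __init__(self, secret: bytes, password: str, salt: bytes, fatal_counter: int = 3):
        self.salt, self.checksum = salt, checksum(password)
        self.encrypted_secret = xor(secret, derive_key(password, salt))
        self.initial_fatal = self.fatal_counter = fatal_counter
        self.status, self.event = "activated", 0

    def _decrypt(self, password: str) -> bytes:
        # A wrong password gives a wrong key and thus a wrong secret, but the stored
        # ciphertext is untouched, so the real secret survives.
        return xor(self.encrypted_secret, derive_key(password, self.salt))

    def generate_otp(self, password: str):
        """Return (otp or None, status); the configured penalty is generate invalid OTP."""
        if checksum(password) != self.checksum:          # detectably wrong password
            if self.fatal_counter > 0:
                self.fatal_counter -= 1                  # rejected, counter decremented
                return None, self.status
            self.status = "generate invalid OTP"         # counter consumed: penalty
        else:                                            # matches the security level
            self.fatal_counter = self.initial_fatal      # reset, even if actually wrong
            self.status = "activated"
        self.event += 1
        return otp_for(self._decrypt(password), self.event), self.status

    def change_password(self, old: str, new: str) -> None:
        # With a wrong old password the wrong secret is re-encrypted under the new
        # key; the real secret is then gone and the token must be re-activated.
        self.encrypted_secret = xor(self._decrypt(old), derive_key(new, self.salt))
        self.checksum = checksum(new)
```

Comparing each generated value against otp_for() over the true secret is what exposes a penalty OTP as invalid while the stored ciphertext remains intact until a password change with the wrong password.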