Digipass SDK licensing – standard single-device licensing (SDL) model

Single-device licensing model (overview)

In the single-device licensing (SDL) model, OneSpan generates a unique serial number of ten characters which is associated with the Digipass data on the server side. The Digipass authenticator can therefore be instantiated on a single device only, which keeps the client-side instance and the server-side Digipass data symmetric.

Activation process

Before you can work with the Digipass SDK, you need to activate it. To activate it in the single-device licensing model, the activation data of a Digipass authenticator must be provided to the Digipass SDK binary. This data includes the parameter settings, the serial number (the unique identifier of a Digipass license, consisting of a 3-alphanumeric-character prefix set in the static vector and a 7-digit suffix; the suffix can be provided in the XFAD or entered by the user during Digipass activation) and the Digipass key (the 128-bit secret key used by the Digipass algorithm to generate one-time passwords or e-signatures; it is provided to the Digipass instance through the activation code).

Unlike Digipass activation in the multi-device licensing model, the activation data is provided to the Digipass SDK in a single step.

This set of data can be provided using either of the following methods:

Optionally, and depending on the Digipass parameter settings, the activation process may also require a Digipass password. The password is chosen by the user and protects the Digipass authenticator against unauthorized use. It is set during the activation process but may be changed later in the Digipass lifecycle (see Delegated protection).

Digipass reactivation

During the Digipass life cycle you may want to re-use the Digipass serial number, for instance when re-installing the Digipass authenticator on a new host platform (such as a new mobile phone) or when a Digipass protection password has been lost. During the regular activation process, the event-based Digipass authenticator starts with an initial event counter of 0. Once the Digipass authenticator is activated and its responses are validated, the counters are incremented on the server side. Re-activating the same Digipass authenticator on a new platform resets the Digipass counters to 0, while the server-side counters keep their different, higher value. Re-activating the same Digipass authenticator on the same platform leaves the counters unchanged.

To push the server-side values of the Digipass counters as a set to the Digipass SDK, the SDK supports the Digipass event reactivation counter: the value used to initialize the event-based Digipass counter, which must be provided to the OneSpan Digipass SDK during re-activation to synchronize the event counter between the server-side Digipass data and the client-side Digipass instance. This data contains the current value of each cryptographic Digipass application event counter and is provided by a OneSpan server solution, i.e. OneSpan Authentication Server Framework (the API-based authentication platform that serves as back end for Digipass strong authentication and e-signatures) or OneSpan Authentication Server (a centralized authentication solution that offers strong authentication and validation of transaction signatures, verifying authentication requests from individuals trying to access the corporate network or business applications). For more information, refer to the relevant product documentation.

Binding Digipass to the host platform

To ensure that a Digipass authenticator is used only on the platform where it was activated, the Digipass SDK can use platform-specific data as a diversifier of the Digipass key to generate responses. This data must be provided by the integrating application.

The data used to identify the platform must be unique and unpredictable. The Device Binding SDK (which facilitates Digipass application development by providing a function that generates a unique identifier for a given mobile device, the device fingerprint, and which can be used on a variety of devices and supported platforms) provides this data to identify the host platform of the integrating application.

The data must be exchanged with the OneSpan server solution to enable the same binding feature on the server side. It is transferred to the server within the derivation code, an optional code used in the standard licensing model to carry platform-specific data from client to server as part of the Digipass binding feature. The derivation code contains a hash of the platform-specific data authenticated with a Digipass OTP, i.e. a Digipass response computed with one of the Digipass cryptographic application keys over bits extracted from the fingerprint of the platform where Digipass is running. Once the derivation code is validated on the server side, the hash of the platform-specific data is stored in the Digipass server data, and all subsequent OTP validations are done against both the Digipass authenticator and the platform data. If the same Digipass authenticator is installed on another platform, the generated OTP is rejected.

When a platform is replaced, the binding process must be repeated to bind the Digipass authenticator to the new platform. On the server side, the binding can only be cleared by re-importing the Digipass data from the DPX file.
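As an added illustration (not OneSpan's code), the following Python model shows the two server-side effects described in the reactivation and binding sections: an event counter that restarts at 0 after re-installation and why supplying the reactivation counter fixes it, and a platform fingerprint used as a key diversifier so that the same Digipass on another host is rejected. HOTP (RFC 4226) stands in for the proprietary Digipass algorithm; the diversification scheme, the look-ahead window, the derivation-code handling, the key and the fingerprints are all constructed assumptions.

```python
import hashlib
import hmac
import struct


def hotp(key: bytes, counter: int) -> str:  # RFC 4226, 6 digits; stands in for the Digipass algorithm
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    return f"{(struct.unpack('>I', mac[mac[-1] & 0x0F:][:4])[0] & 0x7FFFFFFF) % 10**6:06d}"


def diversify(key: bytes, fp_hash) -> bytes:  # assumed binding scheme: key diversified by the platform hash
    return key if fp_hash is None else hmac.new(key, fp_hash, hashlib.sha256).digest()


class Client:  # Digipass instance on one host; counter starts at the reactivation counter (0 by default)
    def __init__(self, key: bytes, fingerprint: bytes = b"", reactivation_counter: int = 0):
        self.key, self.counter = key, reactivation_counter
        self.fp_hash = hashlib.sha256(fingerprint).digest() if fingerprint else None

    def otp(self) -> str:
        self.counter += 1
        return hotp(diversify(self.key, self.fp_hash), self.counter - 1)


class Server:  # server-side Digipass data: key, next expected event counter, bound platform hash
    WINDOW = 10  # constructed look-ahead window tolerating small counter drift

    def __init__(self, key: bytes, counter: int = 0):
        self.key, self.counter, self.fp_hash = key, counter, None

    def validate(self, otp: str) -> bool:
        key = diversify(self.key, self.fp_hash)  # plain key until a platform is bound
        for c in range(self.counter, self.counter + self.WINDOW):
            if hmac.compare_digest(hotp(key, c), otp):
                self.counter = c + 1  # move past the consumed event
                return True
        return False

    def bind(self, fp_hash: bytes, otp: str) -> bool:  # derivation code: platform hash + OTP over the diversified key
        self.fp_hash, previous = fp_hash, self.fp_hash
        ok = self.validate(otp)
        self.fp_hash = fp_hash if ok else previous  # keep the hash only if the OTP verified
        return ok


def scenarios() -> dict:
    key = bytes(range(16))  # constructed 128-bit Digipass key
    srv = Server(key, counter=15)  # server has accepted 15 events; a reinstalled host restarts at 0
    stale = srv.validate(Client(key).otp())
    synced = srv.validate(Client(key, reactivation_counter=15).otp())
    bsrv, phone = Server(key), Client(key, fingerprint=b"phone-A")  # constructed fingerprints
    bound = bsrv.bind(phone.fp_hash, phone.otp())
    clone = Client(key, fingerprint=b"phone-B", reactivation_counter=bsrv.counter)  # same Digipass, other host
    return {"stale": stale, "synced": synced, "bound": bound,
            "same_platform": bsrv.validate(phone.otp()), "other_platform": bsrv.validate(clone.otp())}
```

Note that the bound fingerprint hash is never cleared by the model's server, mirroring the statement above that only a re-import of the Digipass data removes the binding.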

For more information, refer to your server solution documentation. This feature is supported by server solutions using OneSpan Authentication Server Framework 3.11.2 or later.