Digipass SDK licensing – premium multi-device licensing model

Premium multi-device licensing (overview)

In the multi-device licensing (MDL) model, OneSpan generates a unique serial number of ten characters. This unique serial number can be associated with several Digipass data on the server side. Each Digipass data is identified by its unique serial number and a sequence number (the unique identifier of a Digipass instance from a Digipass license, consisting of two numeric characters from 01 to 99). On the client side, the Digipass license can thus be instantiated several times. This mode fits the deployment of one Digipass authenticator per device of the same user. Each Digipass authenticator of the user shares the same serial number but has a different sequence number.

Activation process

Before you can work with the Digipass SDK, you need to activate it. To activate it in the multi-device licensing (MDL) model, the activation data must be provided to the Digipass SDK binary. The activation data includes the parameter settings, the serial number, the sequence number, and the Digipass key of a Digipass authenticator. The Digipass key is the 128-bit secret key used by the Digipass algorithm to generate one-time passwords or e-signatures; it is provided to the Digipass instance through the activation code.

Contrary to the activation of a Digipass authenticator in the single-device licensing (SDL) model, for the MDL model the activation data is provided to the Digipass SDK in two steps: first the license is activated, then the instance (the association of a unique Digipass key, serial number, sequence number, a static vector, and a Digipass secret) is activated. Each step consists in providing the client side with the Digipass SDK and the server side with an activation message generated by OneSpan Authentication Server Framework, the API-based authentication platform that serves as back-end for Digipass strong authentication and e-signatures. This feature is supported by server solutions using OneSpan Authentication Server Framework as of version 3.13.

Activation message transfer between Digipass SDK and Authentication Server Framework

The activation message must be transferred from the server to the device over a secure channel. If the message is transferred in a connected mode, we recommend using the Digipass Software Advanced Provisioning Protocol SDK to establish that channel. This SDK implements the DSAPP protocol to securely transfer the server-side generated Digipass software activation data to the Digipass software client: it encrypts the activation data before transferring it to the client application and decrypts it again. For more information, see Digipass Software Advanced Provisioning Protocol SDK.

If the activation message is transferred in an unconnected mode, we recommend using different channels to transfer the different activation messages.

License activation

The first step to activate a Digipass authenticator in MDL mode is to activate the Digipass license.

Sequence: Digipass license activation

  1. OneSpan Authentication Server Framework generates Activation Message 1 which is then provided to the Digipass SDK.

    Activation Message 1 contains the following information used by the Digipass SDK:

    For more information about generating the activation messages, refer to the OneSpan Authentication Server Framework documentation.

  2. As a result of the license activation, the Digipass SDK generates a device code which contains a device ID. The device code is a mandatory code used to carry platform-specific data from client to server in the premium licensing model; it contains a Digipass response based on one of the Digipass cryptographic application keys and bits extracted from the fingerprint of the platform where Digipass is running. The device ID is a concatenation of information about the device type and device-unique data, provided to the Digipass SDK by the hosting application. Both are signed with the license key.
  3. The device code must be provided to OneSpan Authentication Server Framework on the server side to generate a Digipass instance for the device for which the license has been activated.

The following device types can be received by OneSpan Authentication Server Framework in the device code.

Device types received by OneSpan Authentication Server Framework

| Return device type | Value |
|--------------------|-------|
| iOS                | 3     |
| Jailbroken iOS     | 5     |
| Android            | 7     |
| Rooted Android     | 9     |
| Windows            | 17    |
| Linux              | 19    |
| Mac                | 21    |

Instance activation

The second step to activate a Digipass authenticator in MDL mode is to activate the Digipass instance.

Sequence: Digipass instance activation

  1. OneSpan Authentication Server Framework generates Activation Message 2 which is then provided to the Digipass SDK.

    Activation Message 2 contains the following information used by the Digipass SDK:

  2. As a result of the Digipass instance activation, the Digipass SDK generates a MAC (message authentication code) signature with the Digipass instance key.

  3. The MAC signature must be provided to OneSpan Authentication Server Framework on the server side to confirm the correct activation of the Digipass instance.

Optionally, and depending on the Digipass parameter settings, the activation process may also require a Digipass password. The password is chosen by the user and protects the Digipass authenticator against unauthorized use. It is set during the activation process but may be changed in the course of the Digipass lifecycle (see Delegated protection).

In the multi-device licensing mode, a Digipass instance cannot be reactivated: OneSpan Authentication Server Framework generates Activation Message 2 only once. If a Digipass instance cannot be used anymore, it must be replaced with a new one. The number of instances per Digipass serial number is limited to 99.
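
The following is an added example, not OneSpan code and not the Authentication Server Framework API: a minimal Python model of the server-side bookkeeping that the two activation steps and the device type table imply. The class and method names, the refuse-by-default policy for jailbroken and rooted devices, and the incrementing, never-reused sequence numbers are assumptions; message formats and cryptography are left out, and the result of the MAC check is passed in as a boolean.

```python
from dataclasses import dataclass, field

# Device type values from the table on this page.
DEVICE_TYPES = {3: "iOS", 5: "Jailbroken iOS", 7: "Android", 9: "Rooted Android",
                17: "Windows", 19: "Linux", 21: "Mac"}
COMPROMISED = {5, 9}   # jailbroken / rooted platforms
MAX_INSTANCES = 99     # sequence numbers run from 01 to 99


class ActivationError(Exception):
    pass


@dataclass
class License:
    """Hypothetical server-side record for one MDL serial number."""
    serial: str
    instances: dict = field(default_factory=dict)  # sequence number -> state

    def __post_init__(self):
        if len(self.serial) != 10:
            raise ActivationError("serial number must be ten characters")

    def create_instance(self, device_type, allow_compromised=False):
        """License activation result: a device code arrived, allocate an instance."""
        if device_type not in DEVICE_TYPES:
            raise ActivationError(f"unknown device type {device_type}")
        if device_type in COMPROMISED and not allow_compromised:
            raise ActivationError(f"{DEVICE_TYPES[device_type]} refused by policy")
        if len(self.instances) >= MAX_INSTANCES:
            raise ActivationError("99 instances already issued for this serial")
        seq = f"{len(self.instances) + 1:02d}"  # assumption: never reused
        self.instances[seq] = "created"
        return seq

    def issue_message2(self, seq):
        """Activation Message 2 is generated once per instance, never again."""
        if self.instances.get(seq) != "created":
            raise ActivationError(f"instance {seq}: Message 2 not available")
        self.instances[seq] = "message2_issued"

    def confirm(self, seq, mac_valid):
        """Instance activation result: the client's MAC signature confirms it."""
        if self.instances.get(seq) != "message2_issued":
            raise ActivationError(f"instance {seq}: no activation pending")
        if not mac_valid:
            raise ActivationError(f"instance {seq}: MAC check failed")
        self.instances[seq] = "active"
```

A second call to `issue_message2` for the same sequence number raises `ActivationError`, which mirrors the rule that a lost or unusable instance is replaced by a new one rather than reactivated.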