Digipass SDK licensing – standard single-device licensing (SDL) model
Single device licensing model (overview)
In the single-device licensing (SDL) model, OneSpan generates a unique serial number of ten characters that is associated with the Digipass data on the server side. The Digipass authenticator can therefore be instantiated on only one device, which keeps the client instance and the server-side Digipass data symmetric.
Activation process
Before you can work with the Digipass SDK, you need to activate it. To activate it in the single-device licensing model, the activation data of a Digipass authenticator must be provided to the Digipass SDK binary. This activation data includes the parameter settings, the serial number, and the Digipass key:
- The serial number is the unique identifier of a Digipass license. It consists of a 3-alphanumeric-character prefix, set in the static vector, and a 7-digit suffix. The suffix can be provided in the XFAD or by the user during Digipass activation.
- The Digipass key is the 128-bit secret key used by the Digipass algorithm to generate one-time passwords or e-signatures. The key is provided to the Digipass instance through the activation code.
Contrary to the activation of Digipass in the multi-device licensing model, the activation data is provided in one step to the Digipass SDK.
This set of data can be provided applying either of the following methods:
- Offline. The data required to activate the Digipass authenticator is provided independently.
- OneSpan provides the Digipass static vector in a flat file named export.svf. The static vector is the Digipass parameter set, i.e. customer-specific binary configuration data: it contains the Digipass serial number prefix, the customer master key, and the parameter settings of the cryptographic application(s). It can be provided independently in clear-text format or as part of the FAD. The static vector must be integrated with the Digipass SDK.
- OneSpan provides the Digipass serial number in a flat file named ACode.log. The serial number must be delivered to the user.
Instead of entering the full serial number, the user can enter only the serial number suffix, i.e. the last seven decimal digits of the Digipass serial number (unique per user). This is not recommended, however, because the serial number prefix (the first three characters of the Digipass serial number, unique per customer) is then retrieved from the static vector, and the prefix in the static vector hard-coded in the mobile application can differ from the prefix in the Digipass BLOBs used by the server.
- OneSpan provides the Digipass activation code together with the Digipass serial number in a flat file named ACode.log. The activation code is the Digipass secret key in decimal or hexadecimal character-string format, encrypted with the customer master key in the static vector. It takes one of the following forms:
  - 20 decimal digits for a single-length secret key; the second part of the key is derived from the first part.
  - 40 decimal digits for a double-length secret key.
  - 16 hexadecimal characters for a single-length secret key; the second part of the key is derived from the first part.
  - 32 hexadecimal characters for a double-length secret key.
  To protect it against alteration, the activation code ends with a one-digit checksum. The activation code may also be generated dynamically by a OneSpan server solution, i.e. OneSpan Authentication Server Framework (an API-based authentication platform that serves as back-end for Digipass strong authentication and e-signatures) or OneSpan Authentication Server (a centralized authentication solution that offers strong authentication and validation of transaction signatures; it verifies authentication requests from individuals trying to access the corporate network or business applications). For more information, refer to the relevant product documentation. The activation code must be delivered to the user in a secure way.
- Online. The data is not provided independently but as part of the full activation data (FAD), which serves to finalize the activation. The full activation data includes the parameter settings for the Digipass SDK activation, the Digipass key, and the Digipass serial number; it is the concatenation of the static vector, the activation code, and the serial number suffix. If the activation code is encrypted with an activation password and/or a nonce, the result is encrypted full activation data (XFAD).
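As an added illustration (not code from the Digipass SDK), the following Python checks the two user-supplied parts of the offline activation data against the formats described above: the serial number (3 alphanumeric characters plus 7 digits, with the prefix cross-checked against the static vector because of the mismatch warning above) and the activation code (20/40 decimal or 16/32 hexadecimal characters). It assumes the one-digit checksum is included in the stated lengths; the checksum algorithm itself is not documented here and is not verified.

```python
import re
from dataclasses import dataclass

# Formats as stated in the SDL activation description:
# serial number = 3 alphanumeric prefix + 7 decimal digits (suffix).
SERIAL_RE = re.compile(r"([A-Za-z0-9]{3})(\d{7})")
SUFFIX_RE = re.compile(r"\d{7}")

# (length, charset) -> activation code format; the one-digit checksum is
# assumed to be included in the stated length (assumption, not documented).
ACODE_FORMATS = {
    (20, "dec"): "single-length key, decimal",
    (40, "dec"): "double-length key, decimal",
    (16, "hex"): "single-length key, hexadecimal",
    (32, "hex"): "double-length key, hexadecimal",
}


@dataclass(frozen=True)
class SerialNumber:
    prefix: str
    suffix: str


def parse_serial(value: str, static_vector_prefix: str) -> SerialNumber:
    """Accept a full serial number or a bare 7-digit suffix.

    A bare suffix takes its prefix from the static vector; because that prefix
    may differ from the one in the server-side BLOBs, a full serial number whose
    prefix disagrees with the static vector is rejected rather than silently used."""
    value = value.strip()
    if SUFFIX_RE.fullmatch(value):
        return SerialNumber(static_vector_prefix, value)
    match = SERIAL_RE.fullmatch(value)
    if not match:
        raise ValueError("serial number must be 3 alphanumerics followed by 7 digits")
    prefix, suffix = match.groups()
    if prefix != static_vector_prefix:
        raise ValueError(f"serial prefix {prefix!r} differs from static vector "
                         f"prefix {static_vector_prefix!r}: mismatched Digipass data")
    return SerialNumber(prefix, suffix)


def classify_activation_code(code: str) -> str:
    """Return the activation code format, or raise if the code matches none."""
    code = code.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]+", code):
        raise ValueError("activation code must be decimal or hexadecimal characters")
    # An all-digit string may be either format: try decimal first, then hex.
    for charset in (["dec", "hex"] if code.isdigit() else ["hex"]):
        fmt = ACODE_FORMATS.get((len(code), charset))
        if fmt:
            return fmt
    raise ValueError(f"no activation code format has length {len(code)}")
```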
Optionally, and depending on the Digipass parameter settings, the activation process may also require a Digipass password. The password is chosen by the user and protects the Digipass authenticator against unauthorized use. It is set during the activation process but may be changed in the course of the Digipass lifecycle (see Delegated protection).
Digipass reactivation
During the Digipass life cycle you may want to re-use the Digipass serial number, for instance when re-installing the Digipass authenticator on a new host platform (such as a new mobile phone) or when the Digipass protection password has been lost. During the regular activation process, an event-based Digipass authenticator starts with its event counter set to 0. Once the authenticator is activated and used to validate responses, the counters are incremented on the server side. Re-activating the same Digipass authenticator on a new platform resets the Digipass counters to 0 while the server-side counters hold a different value; re-activating it on the same platform leaves the counters unchanged.
To push the server-side value of the Digipass counters to the Digipass SDK, the SDK supports the Digipass event reactivation counter. This is the value used to initialize the event-based Digipass counter; it should be provided to the Digipass SDK during the re-activation process to synchronize the event counter between the Digipass data on the server side and the Digipass instance on the client side. This data contains the current value of the event counter of each cryptographic Digipass application and is provided by a OneSpan server solution, i.e. OneSpan Authentication Server Framework or OneSpan Authentication Server. For more information, refer to the relevant product documentation.
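The counter desynchronization described above, simulated as an added example (not Digipass SDK code): the real Digipass OTP algorithm is proprietary, so a truncated HMAC-SHA256 over the event counter, a constructed 128-bit key and an assumed server look-ahead window of 10 stand in for it; only the counter handling is the point.

```python
import hashlib
import hmac

# Constructed key standing in for the 128-bit Digipass key (not a real value).
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
LOOKAHEAD = 10  # server-side resynchronisation window (assumed, not documented)


def event_otp(key: bytes, counter: int, digits: int = 6) -> str:
    """Stand-in event-based OTP: HMAC-SHA256 over the counter, truncated."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class ClientInstance:
    """Event-based Digipass instance: the counter starts at 0 on a fresh
    activation, or at the event reactivation counter on re-activation."""
    def __init__(self, key: bytes, initial_counter: int = 0):
        self.key, self.counter = key, initial_counter

    def generate(self) -> str:
        otp = event_otp(self.key, self.counter)
        self.counter += 1
        return otp


class ServerRecord:
    """Server-side Digipass data: accepts an OTP within the look-ahead window
    and moves past the matching counter, so earlier OTPs cannot be replayed."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def validate(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + LOOKAHEAD):
            if hmac.compare_digest(event_otp(self.key, c), otp):
                self.counter = c + 1
                return True
        return False


def demo() -> tuple:
    """Returns (new-phone OTP rejected, re-activated-with-counter OTP accepted)."""
    server, phone1 = ServerRecord(KEY), ClientInstance(KEY)
    for _ in range(25):                 # normal use drives the server counter to 25
        server.validate(phone1.generate())
    phone2 = ClientInstance(KEY)        # reinstall on a new phone: counter back to 0
    rejected = not server.validate(phone2.generate())
    phone3 = ClientInstance(KEY, server.counter)  # re-activate with the server's counter
    accepted = server.validate(phone3.generate())
    return rejected, accepted
```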
Binding Digipass to the host platform
To ensure that a Digipass authenticator is used only on the platform where it was activated, the Digipass SDK can use platform-specific data as a diversifier of the Digipass key to generate responses. This data must be provided by the integrating application.
The data used to identify the platform must be unique and not predictable. The Device Binding SDK provides this data to identify the host platform of the integrating application: it facilitates Digipass application development by offering a function that generates a unique identifier for a given mobile device, the device fingerprint, and it can be used on a variety of devices and supported platforms.
The data must be exchanged with the OneSpan server solution to enable the symmetric feature on the server side. It is transferred to the server within the derivation code, an optional code used to carry platform-specific data from client to server in the standard licensing model as part of the Digipass binding feature. The derivation code contains a Digipass response computed with one of the Digipass cryptographic application keys over bits extracted from the fingerprint of the platform where Digipass is running, i.e. a hash of the platform-specific data authenticated with a Digipass OTP. Once the derivation code is validated on the server side, the platform-specific data hash is stored in the Digipass server data, and all future OTP validations are performed against both the Digipass authenticator and the platform data. If the same Digipass authenticator is installed on another platform, the generated OTPs will be rejected.
When a platform is replaced, the binding process must be repeated to bind the Digipass authenticator to the new platform. On the server side, the binding can only be cleared by re-importing the Digipass data from the DPX file.
For more information, refer to your server solution documentation. This feature is supported by server solutions using OneSpan Authentication Server Framework 3.11.2 or later.