Authenticator licensing and activation

You can restrict the maximum number of assigned authenticators per user for specific authenticator types to the number of devices really needed via the policy settings. If you need to have more than one authenticator provided to your users, limit the number to avoid that too many authenticators (and/or instances) are assigned to or activated for single users. The higher the number of authenticators assigned to a single user, the higher the chances of successful OTP guessing attacks!

Standard licensing and activation

The standard licensing model applies to hardware authenticators that are pre-provisioned ex factory, and software authenticators using standard one-step activation.

The standard activation process involves generating an activation code and sending it to a software authenticator separately or as part of the full activation data. Although generating the activation data is part of the first-time activation process, you can regenerate and resend the activation data for already activated authenticators. This may be required for security purposes.

Generating the activation data of an activated authenticator or sending the activation data to it will invalidate the current activation! In this case, the user will no longer be able to log on with that authenticator.

Multi-device licensing and activation

OneSpan Authentication Server supports multi-device licensing (MDL) and multi-device activation (MDA). This licensing and activation model applies to the following authenticators:

  • E-signature authenticators: Digipass 760
  • Software authenticators: Mobile Authenticator Studio and Mobile Security Suite

Certain multi-device licensing/multi-device activation functionalities and the Secure Channel feature are aimed at the banking security market only. Some of these functionalities will therefore not be available for typical enterprise security deployments.

The multi-device licensing/multi-device activation with the Secure Channel feature requires a SOAP provisioning and/or SOAP signature license!

With the multi-device licensing model and its one-to-one relationship between a user account and an authenticator serial number license, a user account can optionally be bound to several authenticator instances. The multi-device activation process is an activation process in two steps that guarantees that only the intended end user can perform the device activation.

Multi-device licensing

With the multi-device licensing (MDL) model, each authenticator serial number corresponds to a unique authenticator license. Consequently, for each authenticator device compliant with the multi-device licensing model, the corresponding DIGIPASS export file (DPX) contains one authenticator master activation application for each authenticator license. These authenticator instances are represented in OneSpan Authentication Server as authenticators with a single authenticator master activation application.

One authenticator license allows to instantiate several authenticator instances that are bound to the same authenticator license. Authenticator instances are not different from authenticators activated in the standard process with regard to the representation of authenticator applications. OneSpan Authentication Server creates the authenticator instance(s) for a particular license during the multi-device activation process.

The number of instances that can be activated for each authenticator license is limited to a predefined threshold that is configured by OneSpan at the time of order. A maximum number of 99 instances can be configured, and each authenticator instance can have from 1 to 8 authentication or e-signature application(s). These authenticator instances are represented in OneSpan Authentication Server as authenticators with the same base serial number as the bound authenticator license, appended with the instance sequence number.

Multi-device activation

In the multi-device activation process, a two-step activation process, two separate activation messages are used for activating the device(s). This serves to guarantee that only the intended end user, and not an adversary who has intercepted one of the messages, can perform the activation. This multi-device activation is a different process from the standard software authenticator activation and requires authenticator devices and DPX files compliant with the multi-device licensing model. When a compliant authenticator is activated, settings and secrets are written into the device.

Master activation applications and activation messages

The multi-device activation process uses the master activation application, which contains an individual master activation key for each authenticator license. Every authenticator license must be linked to a single user account. Two separate activation messages are used in the activation process:

  1. Activation Message 1. The first activation message allows to activate an authenticator license in the device. It may be used several times to allow activation of multiple authenticator instances (of one authenticator license) on multiple authenticator devices if necessary. The validity period for Activation Message 1 is configurable in your OneSpan Authentication Server policy.
  2. Activation Message 2. The second activation message allows to activate an authenticator instance of a license in the device. It can be used for the effective activation of one authenticator instance only.

Both activation messages should be delivered to the end user via authentic channels. For instance, Activation Message 1 should be delivered via a secure letter or email and Activation Message 2 should be delivered via the online banking application.

Each authenticator license will be used several times for activation of several authenticator instances (in several authenticators) for one user account. However, only one license will be consumed for the activation of the different authenticator instances for one user account.

Authenticator instance sequence number

With each activation of a new authenticator instance, OneSpan Authentication Server will generate new authenticator applications. A sequence number will be incremented for each new authenticator instance issued from the same license. The number of instances which can be issued from a license will be limited to a pre-defined threshold between 1 and 99 (configured by OneSpan at the time of order). The different authenticator instances of one user share the base serial number (the serial number of the authenticator license), but will be appended with a unique sequence number for the authenticator instance. The keys of the authenticator instance applications will be different for each instance.