Scenario: Mobile Authenticator Studio (Provisioning)

In this scenario, the Mobile Authenticator Studio activation codes are encrypted with static passwords that have been pre-loaded into OneSpan Authentication Server.

Pre-conditions

  • The user account has been created on OneSpan Authentication Server.
  • The user knows the static password (in case of first-time software authenticator provisioning).
  • The static password has been imported into OneSpan Authentication Server.
  • The provisioning policy has been defined with the following settings:

    • Policy > Local Authentication: DIGIPASS/Password during Grace Period or DIGIPASS or Password
    • Policy > Back-End Authentication: None
    • DIGIPASS > DIGIPASS Type: The appropriate type for the version of Mobile Authenticator Studio used.

User authentication during software authenticator provisioning may vary depending on the local authentication policy settings and on whether the user already has an activated authenticator. For more information, see User authentication during provisioning.

Mobile Authenticator Studio offline activation process

Figure: Mobile Authenticator Studio offline activation process

There are four activation options for Mobile Authenticator Studio 4.x provisioning, and the option chosen determines how the Mobile Authenticator Studio authenticator is provisioned:

  • Offline activation – manual or via QR code
  • Standard online activation
  • Advanced online activation
  • Multi-device activation

Offline Activation – Manual or via QR code

Offline activation is performed by the administrator, who assigns the Mobile Authenticator Studio 4.x authenticator to a user and then uses the Administration Web Interface to generate the activation data. The generated activation data has to be entered on the activation screen of the Mobile Authenticator Studio app on the mobile phone: it can be sent via SMS or email and typed in manually, or it can be scanned from a QR code or a color QR code. Once the activation code has been entered, the transaction is committed on the mobile phone.

If a device bind is required, the administrator has to manually bind the device via the Administration Web Interface.

The mobile phone with the activated Mobile Authenticator Studio app is then distributed to the user.

Mobile Authenticator Studio online activation process

Figure: Mobile Authenticator Studio online activation process

Standard online activation

The user enters the user ID, password, domain, and mobile phone number into the provisioning website for standard registration. The provisioning website verifies with OneSpan Authentication Server that the user is valid. Then it assigns a Mobile Authenticator Studio authenticator and sends an SMS containing the URL to download the Mobile Authenticator Studio package. The registration identifier and activation password are displayed on the provisioning website. The user downloads the Mobile Authenticator Studio package and enters the registration identifier and activation password in the Mobile Authenticator Studio app on the phone.

When the user has entered the registration identifier and activation password, the mobile phone sends a request to the provisioning website for the activation data. The provisioning website sends the activation data back to the mobile phone, which will automatically activate the Mobile Authenticator Studio app. Afterward, if a device bind is required, the Mobile Authenticator Studio app will request the bind data and bind the authenticator.

The user then receives a response on the mobile device indicating whether the activation has been successful.

Advanced online activation

Advanced online activation is performed by the user and uses the Digipass Software Advanced Provisioning Protocol (DSAPP). The difference between advanced online activation and standard online activation is how the OTP is generated when the authenticator is used. If you intend to use DSAPP, you must perform advanced online activation. If you do not intend to use DSAPP when generating OTPs, you must use standard online activation.

DSAPP can be used for activation if it has been enabled on OneSpan Authentication Server. If DSAPP is used, the user has to enter a user ID, domain, and password on the DSAPP registration page of the provisioning website. The provisioning website verifies with OneSpan Authentication Server that the user is valid. Then it assigns a Mobile Authenticator Studio authenticator and sends an SMS containing the URL to download the Mobile Authenticator Studio package. The registration identifier and activation password are displayed on the provisioning website. The user must download the Mobile Authenticator Studio package and enter the registration identifier and activation password in the Mobile Authenticator Studio app on the mobile phone.

When the user has entered the registration identifier and activation password, the mobile phone sends a request to the provisioning website for the activation data. The provisioning website sends the activation data back to the mobile phone, which will automatically activate the Mobile Authenticator Studio app. Afterward, if a device bind is required, the Mobile Authenticator Studio app will request the bind data and bind the authenticator.

The user then receives a response on the mobile device indicating whether the activation has been successful.
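The following is an added example that simulates the message flow shared by standard and advanced online activation as described above (registration on the provisioning website, the phone's request for activation data with the registration identifier and activation password, then the optional device bind). It is constructed for this page and is not OneSpan code: the user check that the provisioning website delegates to OneSpan Authentication Server is a stub with an in-memory user table, the download URL, activation-password lifetime (ACTIVATION_PASSWORD_TTL), hashing parameters, activation blob and bind token are all assumptions, and the DSAPP-specific OTP generation is not modelled.

```python
"""Constructed simulation of the online activation exchange described above.
Not OneSpan code: user validation, activation data and bind data are stand-ins."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

ACTIVATION_PASSWORD_TTL = 600  # seconds; assumption for this example, not a product setting


class ProvisioningError(Exception):
    """Raised when a provisioning request must be refused."""


@dataclass
class Registration:
    user_id: str
    domain: str
    phone_number: str
    salt: bytes
    activation_password_hash: bytes
    created_at: float
    consumed: bool = False      # the activation password is single-use
    device_bound: bool = False


class AuthServerStub:
    """Stand-in for the user validation the provisioning website delegates
    to OneSpan Authentication Server; backed by a constructed user table."""

    def __init__(self, users):
        self._users = users  # {(user_id, domain): password}

    def validate_user(self, user_id, domain, password):
        expected = self._users.get((user_id, domain))
        return expected is not None and hmac.compare_digest(expected, password)


class ProvisioningSite:
    """Registration endpoint plus the activation-data and bind-data endpoints."""

    def __init__(self, auth_server, now=time.time):
        self._auth = auth_server
        self._now = now
        self._registrations = {}  # registration identifier -> Registration

    @staticmethod
    def _hash(activation_password, salt):
        return hashlib.pbkdf2_hmac("sha256", activation_password.encode(), salt, 100_000)

    def register(self, user_id, domain, password, phone_number):
        """Step 1: validate the user, assign an authenticator, return what the website
        displays (registration identifier, activation password) and the SMS text."""
        if not self._auth.validate_user(user_id, domain, password):
            raise ProvisioningError("user validation failed")
        reg_id = secrets.token_hex(8)
        activation_password = secrets.token_urlsafe(12)
        salt = os.urandom(16)
        self._registrations[reg_id] = Registration(
            user_id, domain, phone_number, salt,
            self._hash(activation_password, salt), self._now())
        sms = "Download the app: https://provisioning.example/app"  # assumed URL
        return reg_id, activation_password, sms

    def activation_data(self, reg_id, activation_password):
        """Step 2: the phone presents registration identifier and activation password;
        the site checks them (single use, bounded lifetime) and returns activation data."""
        reg = self._registrations.get(reg_id)
        if reg is None:
            raise ProvisioningError("unknown registration identifier")
        if reg.consumed:
            raise ProvisioningError("activation password already used")
        if self._now() - reg.created_at > ACTIVATION_PASSWORD_TTL:
            raise ProvisioningError("activation password expired")
        if not hmac.compare_digest(self._hash(activation_password, reg.salt),
                                   reg.activation_password_hash):
            raise ProvisioningError("wrong activation password")
        reg.consumed = True
        # Placeholder for the activation data the real server would produce.
        return {"registration_id": reg_id, "activation_blob": secrets.token_hex(32)}

    def bind_data(self, reg_id, device_fingerprint):
        """Step 3 (only if a device bind is required): tie the activated authenticator
        to one device. Only an activated, not-yet-bound registration may bind."""
        reg = self._registrations.get(reg_id)
        if reg is None or not reg.consumed:
            raise ProvisioningError("authenticator is not activated")
        if reg.device_bound:
            raise ProvisioningError("authenticator already bound to a device")
        reg.device_bound = True
        return hmac.new(reg.salt, device_fingerprint.encode(), "sha256").hexdigest()


class MobileApp:
    """The phone side: request activation data, then bind data if required."""

    def __init__(self, site, device_fingerprint):
        self._site = site
        self._fingerprint = device_fingerprint
        self.activation = None
        self.bind_token = None

    def activate(self, reg_id, activation_password, bind_required=True):
        try:
            self.activation = self._site.activation_data(reg_id, activation_password)
            if bind_required:
                self.bind_token = self._site.bind_data(reg_id, self._fingerprint)
        except ProvisioningError as exc:
            return f"activation failed: {exc}"  # the response shown on the device
        return "activation successful"


def run_flow(user_password="correct horse", entered_password=None, replay=False):
    """Drive the whole exchange on constructed data and report each outcome."""
    site = ProvisioningSite(AuthServerStub({("alice", "corp"): "correct horse"}))
    try:
        reg_id, activation_password, _sms = site.register(
            "alice", "corp", user_password, "+15555550100")
    except ProvisioningError as exc:
        return {"registration": f"refused: {exc}", "first": None, "second": None, "bound": False}
    phone = MobileApp(site, "constructed-device-id")
    first = phone.activate(reg_id, entered_password or activation_password)
    second = phone.activate(reg_id, activation_password) if replay else None
    return {"registration": "ok", "first": first, "second": second,
            "bound": phone.bind_token is not None}
```

The checks in activation_data are the ones a practitioner would expect any provisioning website to enforce around the displayed activation password, whatever the product's own implementation does: it is stored only as a salted hash, compared in constant time, accepted once, and refused after a fixed lifetime, so a registration identifier and activation password captured from the website or over the shoulder are useless after the legitimate phone has completed activation. The bind step is likewise allowed only once, after activation, so a second device cannot bind the same authenticator.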