Scenario: multi-device activation (MDA) 

This topic describes the post-deployment authenticator provisioning using multi-device licensing (MDL) and multi-device activation (MDA) of OneSpan Authentication Server. For more information about multi-device licensing and multi-device activation, see Authenticator licensing and activation.

Multi-device activation requires an MDL-compliant authenticator, for instance Mobile Authenticator Studio or Digipass 760.

During the provisioning procedures described below, an authenticator instance is loaded into an authenticator device. These procedures are executed each time a new authenticator instance needs to be loaded into an authenticator device.

The following preconditions apply for the provisioning procedure to succeed:

  • The user account has not been created in OneSpan Authentication Server.
  • The user knows the static password (in case of first-time software authenticator provisioning).
  • The provisioning policy has been defined with the following settings:

    • Policy > Local Authentication: DIGIPASS/Password during Grace Period or DIGIPASS or Password
    • Policy > Back-End Authentication: Always or If Needed
    • Policy > Back-End Protocol: Windows, RADIUS, LDAP Back-End Authentication, or custom name
    • User > Dynamic User Registration: Yes

User authentication during software authenticator provisioning may vary depending on the local authentication policy settings and on whether the user already has an activated authenticator. For more information, see User authentication during provisioning.

The first step in the provisioning procedure is to register with the system to start the post-deployment provisioning of a new authenticator device.

To register an authenticator license

  1. Start a provisioning registration operation to provide the user credentials to OneSpan Authentication Server.
  2. OneSpan Authentication Server verifies that a user account is available, validates the user credentials, and queries for authenticator licenses assigned to the user. The system generates Activation Message 1 and includes it in the response envelope.
  3. The client application provides Activation Message 1 encoded in an image. Scan this image with the authenticator that supports multi-device licensing.
  4. The authenticator generates and displays a device code.

If no authenticator license is assigned to the user, OneSpan Authentication Server checks whether auto-assignment is enabled in the policy used. If it is, OneSpan Authentication Server searches for an available authenticator license at random and assigns it to the end user. If auto-assignment is disabled in the policy, the provisioning operation fails.

When OneSpan Authentication Server finds an authenticator license assigned to the user but no activations are left for that particular license, it returns an error message stating that the activation threshold for this license has been reached.

After you have registered an authenticator license, the second step in the multi-device activation process is to register a device.

To register an authenticator device

  1. The client application starts a provisioning registration operation for an authenticator and provides the end user's registration identifier and the device code to OneSpan Authentication Server.
  2. The server retrieves the registration context (e.g. the authenticator serial number used in the previous step), validates the device code, and generates a new authenticator instance using the authenticator license.
  3. The server generates Activation Message 2 for the authenticator license and includes it in the response envelope.
  4. The client application provides Activation Message 2 encoded in an image. Scan this image with the authenticator that supports multi-device licensing.
  5. The authenticator generates and displays a signature.

After the device has been registered, the end user activates the new authenticator instance: the signature that the authenticator instance generated from Activation Message 2 is validated, and on success the new authenticator instance is activated.
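The two-step exchange described in this topic, as an added model that is not OneSpan's code: a toy server tracks license assignments, auto-assignment, the per-license activation threshold and the registration context carried between the steps, while a truncated HMAC stands in for the device code and signature the authenticator displays (an assumption; it also assumes the authenticator already holds the license key, which the real activation messages handle differently). User names, license serials and keys are constructed.

```python
import hashlib, hmac, secrets

class ProvisioningError(Exception): pass

def mac(key, *parts):  # truncated HMAC-SHA256 stands in for the device code and signature here
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()[:16]

class MdaServer:
    # Constructed model of the server side of MDA; real message formats and checks differ.
    def __init__(self, users, licenses, assignments, auto_assign):
        self.users, self.licenses = users, licenses    # licenses: serial -> [key, limit, used]
        self.assignments, self.auto_assign = assignments, auto_assign
        self.pending1, self.pending2 = {}, {}          # registration context after step 1 / 2

    def register_license(self, user, password):        # step 1: returns Activation Message 1
        if self.users.get(user) != password:
            raise ProvisioningError("invalid credentials")
        serial = self.assignments.get(user)
        if serial is None:                             # no license assigned: the policy decides
            free = [s for s, l in self.licenses.items() if s not in self.assignments.values() and l[2] < l[1]]
            if not self.auto_assign or not free:
                raise ProvisioningError("no license assigned to user")
            serial = self.assignments[user] = secrets.choice(free)
        key, limit, used = self.licenses[serial]
        if used >= limit:
            raise ProvisioningError("activation threshold reached for " + serial)
        reg_id, nonce = secrets.token_hex(4), secrets.token_hex(8)
        self.pending1[reg_id] = (serial, nonce)
        return {"reg_id": reg_id, "serial": serial, "nonce": nonce}

    def register_device(self, reg_id, code):           # step 2: returns Activation Message 2
        serial, nonce = self.pending1.pop(reg_id, (None, None))
        if serial is None or not hmac.compare_digest(code, mac(self.licenses[serial][0], "device", nonce)):
            raise ProvisioningError("unknown registration or invalid device code")
        instance, challenge = f"{serial}-{self.licenses[serial][2] + 1}", secrets.token_hex(8)
        self.pending2[reg_id] = (serial, instance, challenge)
        return {"reg_id": reg_id, "instance": instance, "challenge": challenge}

    def activate(self, reg_id, sig):                   # step 3: validates the instance signature
        serial, instance, challenge = self.pending2.pop(reg_id, (None, None, None))
        if serial is None or not hmac.compare_digest(sig, mac(self.licenses[serial][0], "sign", instance, challenge)):
            raise ProvisioningError("unknown registration or invalid signature")
        self.licenses[serial][2] += 1                  # one activation of the license consumed
        return instance

def provision(server, license_key, user, password):    # the whole client/authenticator side
    msg1 = server.register_license(user, password)
    code = mac(license_key, "device", msg1["nonce"])                      # shown by authenticator
    msg2 = server.register_device(msg1["reg_id"], code)
    sig = mac(license_key, "sign", msg2["instance"], msg2["challenge"])  # shown by authenticator
    return server.activate(msg2["reg_id"], sig)
```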