Banking scenario: Self-provisioning and administration of authenticators with multi-device activation

In a banking context, authenticator self-provisioning and administration usually rely on the multi-device licensing (MDL) and multi-device activation (MDA) features of OneSpan Authentication Server, together with compliant authenticators.

This includes:

  1. Generation and administration of an activation letter for the end user.
  2. Activation of a new authenticator instance.

Generating and sending an activation letter

  1. The end user asks the bank for an activation letter with which to activate authenticators.
  2. Once the end user has entered the banking credentials to the client application, the system validates these credentials, creates a user account in the OneSpan Authentication Server database, and assigns an authenticator license to the newly created user account.
  3. Based on Activation Message 1 generated by the system, the client application generates a color QR code and prints an end user–specific activation letter that includes the serial number of the authenticator license and the color QR code.

    If no authenticator license is available for assignment, the provisioning operation fails, and the client application notifies the end user to contact the bank.

    Also, for this operation to succeed, the policy specified in the client component record in OneSpan Authentication Server for the client application must allow auto-assignment.

Alternatively, a user administrator can initiate the sending of activation letters to end users by connecting to the client application, entering the OneSpan Authentication Server credentials, and uploading a DIGIPASS export file (DPX) to the client application. The system processes all uploaded DPX files and creates the corresponding authenticator records. The user administrator also uploads a user import file that maps the authenticator licenses to the user IDs for assignment. The system then generates Activation Message 1 and returns it to the client application, which generates a color QR code from this message and prints an end user–specific activation letter that includes the serial number of the authenticator license and the color QR code. The activation letters are sent to the end users by mail.

Activating a new authenticator instance in the authenticator device

  1. Once the end user has received the activation letter, the user scans the color QR code contained in the letter with an authenticator device that is compliant with MDL and MDA. For more information about compliant authenticators, see Authenticator licensing and activation.
  2. The end user enters the banking credentials, the serial number contained in the activation letter, and the device code generated by the authenticator upon scanning the color QR code.
  3. The system validates the end user's credentials in a back-end system and verifies that the authenticator license with the provided serial number is assigned to the end user's local user ID.
  4. The system adds the new device, creates a new authenticator instance, and generates Activation Message 2. This message is returned, together with a request key and the serial number of the new authenticator instance, to the client application.
  5. The client application generates a color QR code that represents Activation Message 2.
  6. The end user scans this image with the same authenticator device that was used to scan the color QR code from the activation letter.
  7. The authenticator device then creates a new authenticator instance based on Activation Message 2 and displays an activation signature, which the end user enters into the client application.
  8. The system validates the activation signature and returns the result to the client application, which displays it to the end user. The end user then disconnects from the client application.