Authenticator management
OneSpan Cloud Authentication supports API-based administration of authenticator management tasks. You can administer authenticators through the authenticator-management interface of the OneSpan Trusted Identity platform API, which provides the endpoints required to complete these operations.
Authenticator management tasks and request elements
The authenticator-management interface validates and returns the status of each operation upon completion. The interface handles the administration tasks with the relevant request endpoints and methods.
Operation | Description | Request endpoint |
---|---|---|
Query authenticators | Retrieve all authenticators that match certain query criteria (e.g. serial number, domain, authenticator type, assignment status, instance description). | |
View authenticator | View a specific authenticator. | |
Verify license activations | Verify the availability of license activations for the provisioning of MDL authenticators. If you want to verify the availability of a single license, use the view-authenticator endpoint. If you want to verify several licenses or do not know a license number, use the query-authenticators endpoint (and filter e.g. by type and assigned = true as parameters). | |
Delete authenticator | Delete the serial number of standard licensing (SDL) authenticators, and licenses and/or instances of MDL authenticators. (MDL is the OneSpan licensing model with a one-to-one relationship between a user account and an authenticator serial number license. With this licensing model, a user account can optionally be bound to several authenticator instances. Multi-Device Activation, which is an activation process in two steps, guarantees that only the intended user can perform the device activation.) | |
Update authenticator application | Update an authenticator application. | PATCH /authenticators/{serialNumber}/applications/{applName} |
Generate virtual OTP | Generate a virtual OTP for an authenticator application. | POST /authenticators/{serialNumber}/applications/{applName}/generate-votp |
Set PIN | Set the PIN for an authenticator application. It is not possible to set the PIN for an authenticator application in the same request used for enabling / disabling the PIN for an authenticator application. | PATCH /authenticators/{serialNumber}/applications/{applName} |
Reset PIN | Reset the PIN for an authenticator application. | POST /authenticators/{serialNumber}/applications/{applName}/reset-pin |
Unlock authenticator application | Unlock a user's authenticator application after too many incorrect PIN entries. For more information, see Unlock an authenticator after incorrect PIN entries. | POST /authenticators/{serialNumber}/applications/{applName}/unlock |
Test authenticator application | Trigger a test for an authenticator application (one-time password (OTP) or signature test). | POST /authenticators/{serialNumber}/applications/{applName}/test |
Assign authenticator | Assign an authenticator to a user. For FIDO-based authentication, this task is performed during authenticator registration. (The FIDO (Fast IDentity Online) Alliance is an organization whose main goal is to reduce the user's reliance on passwords. It proposes several frameworks that enable passwordless authentication.) | |
Bind authenticator | Device binding: bind an authenticator to a device. | |
Decrypt an information message body | Decrypt the body of a Secure Channel information message. (The Secure Channel feature encrypts the communication between device and server. It uses payload keys to protect the confidentiality and authenticity of the message's payload.) For more information, see Decrypt an information message body. | POST /authenticators/{serialNumber}/decrypt-information-message |
Generate activation data | Generate activation data for a software authenticator. | POST /authenticators/{serialNumber}/generate-activation-data |
Generate activation message | Generate an activation message for an authenticator. | POST /authenticators/{serialNumber}/generate-activation-message |
Move authenticator | Move an authenticator from one domain to another. You can only move an authenticator to another domain before the authenticator instances are created! | |
Reset authenticator activation | Reset the activation information for a specified authenticator. For more information, see Reset authenticator activation information. | |
Unassign authenticator | Unassign an authenticator from a user. | |
Unbind authenticator | Unbind an authenticator from its device. | |
Add authenticator instance description | Add a description to an MDL authenticator instance and use this description to identify this instance. For more information, see Identify authenticator instances by the instance description. | or |
Enable/disable PIN | Enable / Disable the PIN for an authenticator application. | PATCH /authenticators/{serialNumber}/applications/{applName} |
User-initiated authenticator time synchronization | User-initiated time synchronization for both time- and event-based authenticators. | |
Restrict the number of assigned authenticators per user | Restrict the maximum number of authenticators assigned to a user for specific authenticator types. For more information, see Restrict the number of authenticators (licenses and/or instances) assigned per user. | N.A. |
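For monitoring these administration calls, the sketch below maps logged requests onto the endpoints listed in the table and counts credential-affecting operations per serial number. It is an added example, not OneSpan code. The log line format, the absence of a path prefix, the `sensitive` flags, the threshold and all function names are assumptions of the example.

```python
import re
from collections import Counter
SN = "/authenticators/{serialNumber}"
APP = SN + "/applications/{applName}"
# (method, path template, operation, sensitive) rows; routes are copied from the table
# above, the sensitive flag is this example's own assumption.
ROUTES = [
    ("PATCH", APP, "Update application / Set PIN / Enable or disable PIN", False),
    ("POST", APP + "/generate-votp", "Generate virtual OTP", True),
    ("POST", APP + "/reset-pin", "Reset PIN", True),
    ("POST", APP + "/unlock", "Unlock authenticator application", True),
    ("POST", APP + "/test", "Test authenticator application", False),
    ("POST", SN + "/decrypt-information-message", "Decrypt an information message body", False),
    ("POST", SN + "/generate-activation-data", "Generate activation data", True),
    ("POST", SN + "/generate-activation-message", "Generate activation message", True),
]

def _compile(template):
    # Split on {name}: even parts are literal text, odd parts are placeholder names.
    return re.compile("".join(re.escape(p) if i % 2 == 0 else f"(?P<{p}>[^/]+)"
                              for i, p in enumerate(re.split(r"\{(\w+)\}", template))))

COMPILED = [(m, _compile(t), op, s) for m, t, op, s in ROUTES]

def classify(method, path):
    """Return (operation, serialNumber, applName or None, sensitive); None if unlisted."""
    path = path.split("?", 1)[0].rstrip("/")
    for m, rx, op, sensitive in COMPILED:
        if m == method.upper() and (hit := rx.fullmatch(path)):
            return op, hit["serialNumber"], hit.groupdict().get("applName"), sensitive
    return None

def flag_serials(log_lines, threshold=3):
    """Serial numbers with at least `threshold` successful sensitive operations."""
    counts = Counter()
    for line in log_lines:
        _ts, method, path, status = line.split()
        found = classify(method, path)
        if found and found[3] and status.startswith("2"):
            counts[found[1]] += 1
    return {sn: n for sn, n in counts.items() if n >= threshold}

# Constructed sample lines in the assumed format "<timestamp> <method> <path> <status>".
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z POST /authenticators/SN0001/applications/APP1/unlock 200",
    "2024-05-01T10:00:09Z POST /authenticators/SN0001/applications/APP1/reset-pin 200",
    "2024-05-01T10:00:15Z POST /authenticators/SN0001/applications/APP1/generate-votp 200",
    "2024-05-01T10:02:00Z POST /authenticators/SN0002/applications/APP1/unlock 403",
]
```

Because Update authenticator application, Set PIN and Enable/disable PIN share one PATCH route, a route-level log cannot tell them apart; distinguishing them requires the request body.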
Authenticator provisioning of application secrets
With OneSpan Cloud Authentication, you can provision authenticators offline in multi-device licensing (MDL) mode supporting the OneSpan Cronto technology (a specific colorful cryptogram, similar to a QR code, that is used for visual transaction signing). Supported authenticators are:
- Hardware authenticators with Cronto image support
- OneSpan Mobile Authenticator Studio
For more information about integrating Mobile Authenticator Studio provisioning, see Integration of Mobile Authenticator Studio provisioning.