Restrict the number of authenticators (licenses and/or instances) assigned per user
To avoid replay attacks, you can restrict the maximum number of authenticators assigned to a user for specific authenticator types. This applies to single-device licensing (SDL) and multi-device licensing (MDL) authenticators, and to authenticator instances (MDL only). MDL is the OneSpan licensing model with a one-to-one relationship between a user account and an authenticator serial number license. With this licensing model, a user account can optionally be bound to several authenticator instances. Multi-Device Activation, which is an activation process in two steps, guarantees that only the intended user can perform the device activation.
This feature is restricted to certain types of authenticators.
If the limit has been exceeded, OneSpan Cloud Authentication displays the following error message: "The authenticator limit has been reached."
If a user account has 10 or more active instances of TYP00, TYP03, or TYP07, it will not be possible to activate more until enough instances have been deleted to be at or under the 10-instance limit.
This limit-exceeded error affects the following endpoints:
- POST /authenticators/{serialNumber}/assign
- POST /{registrationID}/add-device
- POST /registrations
- POST /users/{userID@domain}/assign
The limit can be adjusted per tenant in the relevant authentication policies by a OneSpan administrator.