Authenticator Management
- Updated on 29 Oct 2024
Intelligent Adaptive Authentication supports the API-based administration of authenticator management tasks. You can administer authenticators through the authenticator-management interface of the OneSpan Trusted Identity platform API.
Authenticator management tasks and request elements
The authenticator-management interface validates and returns the status of each operation upon completion. The interface handles the administration tasks with the relevant request endpoints and methods.
Supported authenticator management tasks with the relevant endpoints and methods
Operation | Description | Request endpoint |
---|---|---|
Query authenticators | Retrieve all authenticators that match certain query criteria (e.g. serial number, domain, authenticator type, assignment status, instance description). | |
Query FIDO authenticators | Retrieve FIDO authenticator registrations by user, registration type, or a combination of these two, either for a specific user or all users. For more information, see Find registrations. | |
View authenticator | View a specific authenticator. | |
Verify license activations | Verify the availability of license activations for the provisioning of MDL authenticators. If you want to verify the availability of a single license, use the view-authenticator endpoint. If you want to verify several licenses or do not know a license number, use the query-authenticators endpoint (and filter e.g. by type and assigned = true as parameters). | |
Delete authenticator | Delete the serial number of standard licensing (SDL) authenticators, and licenses and/or instances of MDL authenticators. | |
Delete FIDO authenticator | Deregister a FIDO authenticator and/or delete registrations of FIDO authenticators. For more information, see Delete registrations and Deregistration of a FIDO UAF authenticator. | |
Update authenticator application | Update an authenticator application. | PATCH /authenticators/{serialNumber}/applications/{applName} |
Update FIDO authenticator | Update a FIDO registration to change the customized registration name with the registration ID. For more information, see Update user registration name. | |
Generate virtual OTP | Generate a virtual OTP for an authenticator application. | POST /authenticators/{serialNumber}/applications/{applName}/generate-votp |
Set PIN | Set the PIN for an authenticator application. It is not possible to set the PIN for an authenticator application in the same request used for enabling / disabling the PIN for an authenticator application. | PATCH /authenticators/{serialNumber}/applications/{applName} |
Reset PIN | Reset the PIN for an authenticator application. | POST /authenticators/{serialNumber}/applications/{applName}/reset-pin |
Unlock authenticator application | Unlock a user's authenticator application after too many incorrect PIN entries. For more information, see Unlock an authenticator after incorrect PIN entries. | POST /authenticators/{serialNumber}/applications/{applName}/unlock |
Test authenticator application | Trigger a test for an authenticator application (one-time password (OTP) or signature test). | POST /authenticators/{serialNumber}/applications/{applName}/test |
Assign authenticator | Assign an authenticator to a user. For FIDO-based authentication, this task is performed during authenticator registration. | |
Bind authenticator | Device binding: bind an authenticator to a device. | |
Decrypt an information message body | Decrypt the body of a Secure Channel information message. For more information, see Decrypt an information message body. | POST /authenticators/{serialNumber}/decrypt-information-message |
Generate activation data | Generate activation data for a software authenticator. | POST /authenticators/{serialNumber}/generate-activation-data |
Generate activation message | Generate an activation message for an authenticator. | POST /authenticators/{serialNumber}/generate-activation-message |
Move authenticator | Move an authenticator from one domain to another. You can only move an authenticator to another domain before the authenticator instances are created! | |
Reset authenticator activation | Reset the activation information for a specified authenticator. For more information, see Reset authenticator activation information. | |
Unassign authenticator | Unassign an authenticator from a user. | |
Unbind authenticator | Unbind an authenticator from its device. | |
Add authenticator instance description | Add a description to an MDL authenticator instance and use this description to identify this instance. For more information, see Identify authenticator instances by the instance description. | or |
Enable/disable PIN | Enable / Disable the PIN for an authenticator application. | PATCH /authenticators/{serialNumber}/applications/{applName} |
User-initiated authenticator time synchronization | User-initiated time synchronization for both time- and event-based authenticators. | |
Restrict the number of assigned authenticators per user | Restrict the maximum number of authenticators assigned to a user for specific authenticator types. For more information, see Restrict the number of authenticators (licenses and/or instances) assigned per user. | N.A. |
Authenticator provisioning of application secrets
With Intelligent Adaptive Authentication, you can provision authenticators offline in multi-device licensing (MDL) mode supporting the OneSpan Cronto technology. Supported authenticators are:
- Hardware authenticators with Cronto image support
- OneSpan Mobile Authenticator Studio