Common
- Updated on 23 Oct 2024
<Functional authorizeCopyPaste="true" passwordConfirmation="false" closeInBackground="false" restoreDataFieldsOnResume="false" reactivateOnSVUpdate="false" passwordFormat="any" allowPasswordFallback="false" sslPinningEnabled="false" gatewayAPIKey="1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF">
  <GlobalPassword expiration="60" />
  <App2App secureChannelActionId="sa">
    <App2AppSecureChannelWhiteListURLs>
      <URL value="MY_APP1_SCHEME://x-success?signature=%_OTP_%" />
      <URL value="MY_APP1_SCHEME://x-error" />
      <URL value="MY_APP1_SCHEME://x-cancel" />
      <URL value="MY_APP2_SCHEME://x-success?signature=%_OTP_%" />
      <URL value="MY_APP2_SCHEME://x-error" />
      <URL value="MY_APP2_SCHEME://x-cancel" />
    </App2AppSecureChannelWhiteListURLs>
  </App2App>
  <Geolocation timeout="10" accuracy="100">
    <AuthorizedZones>
      <AuthorizedZone north="44.907018" west="-0.737503" south="44.745334" east="-0.452545" />
      <AuthorizedZone north="50.941434" west="4.217489" south="50.774993" east="4.534719" />
    </AuthorizedZones>
  </Geolocation>
  <ScoreGeneration>
    <PlatformCategory threshold="0.5">
      <RootingStatus weight="1" />
      <MinimumVersionAndroid version="5.0" weight="0.5" />
      <MinimumVersionIOS version="12.0" weight="0.5" />
    </PlatformCategory>
    <UserCategory threshold="0.5">
      <PasswordProtected weight="1" />
      <BiometryProtected weight="1" />
    </UserCategory>
    <ContextCategory threshold="0.5">
      <GeolocationAuthorizedPosition weight="0.5" />
    </ContextCategory>
  </ScoreGeneration>
  <Permissions>
    <Permission id="ReadPhoneStateUsageDescription" value="The application requires access to the unique identifier of the device in order to ensure the safety of the application data. A call-related permission is required to get the unique identifier." />
    <Permission id="CameraUsageDescription" value="The application requires access to the camera in order to scan images for activation, login and transaction signing." />
    <Permission id="LocationUsageDescription" value="The application requires access to the device location in order to assess that it is in an appropriate location." />
    <Permission id="FaceRecognitionUsageDescription" value="The application requires access to Face ID in order to authenticate yourself during sensitive operations" />
    <Permission id="NotificationsUsageDescription" value="The application requires the permission to send notifications in order to receive notifications for actions such as login or transaction signing." />
    <Permission id="MandatoryPermissionsMissing" value="Mandatory permissions are missing, the application cannot work if they are not granted. Check your application settings and grant the missing permissions" />
  </Permissions>
</Functional>
Functional: This element is used to configure miscellaneous Mobile Authenticator Studio functionalities.
authorizeCopyPaste: Enables copy/paste in Mobile Authenticator Studio. When enabled, users can copy generated responses to the clipboard, where they are readable by any other application with clipboard access.
passwordConfirmation: Enables the password confirmation feature. When enabled, users have to confirm their PIN.
passwordFormat: Authorized character set for the password. Possible values are alphanumeric (abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789), numeric (0123456789), or any (no restriction). This attribute is optional. The default value is any.
trueNumericKeypad: For numeric passwords, when set to true, a true numeric keypad is displayed. This attribute is optional. The default value is false.
closeInBackground: Enables the Close in Background feature. If set to true, the application is terminated as soon as the user switches to another application or the device goes into standby. If set to false, the application's life cycle is left to the operating system. This key is only taken into account on Android.
restoreDataFieldsOnResume: Enables the restoration of data field values. If set to true, the end user can leave the application and come back without losing the data field entries of a signature in progress.
reactivateOnSVUpdate: Enables the reactivate on SV update feature. If an activated application is updated and the static vector in the XML customization file is not identical to the static vector stored for the activated authenticator, a warning message is displayed indicating that the authenticator must be reactivated.
deviceIdentificationMethod: Sets the device identification method for Android. Possible values are android_id and device_serial. The default value is android_id.
android_id: the device fingerprint is generated from the Android ID for device binding, for the device identifier generation, and to protect the storage.
device_serial: the device fingerprint is generated from the Device Serial for device binding and the generation of the device identifier only. To protect the storage, the Device Serial plus the Android ID are used. The READ_PHONE_STATE permission is also required.
Android ID: Each Android device has a unique identifier which is generated when the device first boots. This value:
Is unique per device and user account on devices before Android 8.
Is unique per device, application (signing key), and user account on devices as of Android 8.
Does not change after reinstalling the application.
Changes after a factory reset of the device.
Does not require any permission.
Device Serial: Each Android device has a unique identifier assigned by the manufacturer during production. This value:
Is unique per device.
Does not change after reinstallation of the application.
Does not change after a factory reset of the device.
Requires the READ_PHONE_STATE permission as of Android 8, and as of Android 10 is no longer readable by ordinary third-party applications at all (Build.getSerial() throws a SecurityException for applications targeting API level 29 or higher unless they hold privileged, device-owner, profile-owner or carrier privileges).
deviceIdentificationMigrationEnabled: Enables the device identification migration feature on Android. If activated, the READ_PHONE_STATE permission is required. This feature allows the migration of storage protected with the Device ID (i.e. the IMEI for GSM phones and the MEID or ESN for CDMA phones) during an upgrade from Mobile Authenticator Studio versions prior to 4.14.3. The default value is false.
allowPasswordFallback: Enables the password fallback for biometric verification. If activated, the biometric verification dialog includes a fallback button; tapping it opens a password verification dialog. The fallback button is customized by providing a Fallback button to the current view. The password verification dialog can be customized per view by providing its text as a label with the corresponding id, e.g. BiometricFingerprintRecognitionFallbackDescriptionMessage for fingerprint recognition and BiometricFaceRecognitionFallbackDescriptionMessage for face recognition. The default value is false.
sslPinningEnabled: Enables the SSL pinning feature. If enabled, the PEM-encoded certificates to pin must be placed in the \CustomizationTool\input\cert folder. The default value is false.
You can export a PEM-encoded certificate from a keystore using keytool with this command:
keytool -export -alias MyCertificateAlias -keystore MyKeyStore.keystore -rfc -file MyPEMCertificate.pem
To inspect the public key contained in a PEM-encoded certificate with OpenSSL (for example to confirm which key you are about to pin), use this command:
openssl x509 -pubkey -noout -in MyPEMCertificate.pem
gatewayAPIKey: Authentication key allowing communication with DIGIPASS Gateway version 5 or later. This value is provided by the DIGIPASS Gateway administrator and must be treated as a secret; the value shown in the sample above is a placeholder.
Functional > GlobalPassword:
expiration: Duration of the password validity in seconds. This attribute is mandatory if the global password is enabled. The minimum value is 10, the maximum value is 200.
Functional > App2App: This element is used to configure App-to-App secure channel functionalities.
secureChannelActionId: Identifier of the Secure Channel action to be used.
Functional > App2App > App2AppSecureChannelWhiteListURLs: Contains one or more URL elements indicating which URLs can be used for the App-to-App Secure Channel Communication feature. For more information about this feature, refer to the Mobile Authenticator Studio Integration Guide.
This feature is only available if the Two-Step Activation feature is enabled.
The Mobile Authenticator Studio application returns an error if a URL used for the App-to-App Secure Channel Communication feature does not appear in the App2AppSecureChannelWhiteListURLs section. This error indicates an integration error.
Only the beginning of the URL is checked, i.e. the whitelist entries are prefixes. For example, if the only entry in the App2AppSecureChannelWhiteListURLs section is MY_APP_SCHEME://, the MY_APP_SCHEME://x-error URL is valid (as is any other URL on that scheme), but the ANOTHER_APP_SCHEME:// URL is not. The more complete an entry is, the fewer callback URLs it admits.
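The prefix rule above, as an added example that is not part of Mobile Authenticator Studio: the whitelist is read from a constructed customization fragment and candidate callback URLs are checked against it. The documentation does not say how the %_OTP_% placeholder is handled during the comparison; this example assumes the comparison stops at the placeholder. The scheme_only_entries helper is an added check that flags entries consisting of a scheme alone, since such an entry admits every URL on that scheme.

```python
"""Prefix check for App-to-App Secure Channel callback URLs (added example)."""
import xml.etree.ElementTree as ET
from typing import List

# Constructed fragment in the format of the customization file; the
# MY_APP2_SCHEME:// entry is deliberately scheme-only to show its effect.
CONFIG_XML = """
<Functional>
  <App2App secureChannelActionId="sa">
    <App2AppSecureChannelWhiteListURLs>
      <URL value="MY_APP1_SCHEME://x-success?signature=%_OTP_%" />
      <URL value="MY_APP1_SCHEME://x-error" />
      <URL value="MY_APP1_SCHEME://x-cancel" />
      <URL value="MY_APP2_SCHEME://" />
    </App2AppSecureChannelWhiteListURLs>
  </App2App>
</Functional>
"""

OTP_PLACEHOLDER = "%_OTP_%"


def load_whitelist(xml_text: str) -> List[str]:
    """Return the value attributes of all URL elements, in document order."""
    root = ET.fromstring(xml_text)
    return [url.attrib["value"] for url in root.iter("URL")]


def compared_prefix(entry: str) -> str:
    """Part of a whitelist entry used for the prefix comparison.

    Assumption (not documented): the comparison stops at the %_OTP_%
    placeholder, so the entry matches whatever the real OTP turns out to be.
    """
    idx = entry.find(OTP_PLACEHOLDER)
    return entry if idx < 0 else entry[:idx]


def is_whitelisted(url: str, whitelist: List[str]) -> bool:
    """True when the URL starts with the compared prefix of any entry."""
    return any(url.startswith(compared_prefix(entry)) for entry in whitelist)


def scheme_only_entries(whitelist: List[str]) -> List[str]:
    """Entries that admit every URL on their scheme (scheme followed by '://' only)."""
    return [e for e in whitelist if e.endswith("://") and e.count("://") == 1]


if __name__ == "__main__":
    wl = load_whitelist(CONFIG_XML)
    for candidate in ("MY_APP1_SCHEME://x-success?signature=123456",
                      "MY_APP1_SCHEME://x-other",
                      "ANOTHER_APP_SCHEME://x-error",
                      "MY_APP2_SCHEME://anything-at-all"):
        print(f"{candidate:50} -> {is_whitelisted(candidate, wl)}")
    print("scheme-only entries:", scheme_only_entries(wl))
```

Running the script shows that the scheme-only MY_APP2_SCHEME:// entry accepts MY_APP2_SCHEME://anything-at-all, while the fully specified MY_APP1_SCHEME entries reject MY_APP1_SCHEME://x-other; list complete callback URLs rather than bare schemes.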
Functional > Geolocation: At startup, the Mobile Authenticator Studio application can retrieve the device geolocation. This information is used for the calculation of the score (see Functional>ScoreGeneration).
timeout: Number of seconds during which the Mobile Authenticator Studio application tries to obtain the device's geolocation.
accuracy: Minimum location accuracy (in meters) the Mobile Authenticator Studio application tries to obtain within the given timeout. Note that if the accuracy of the retrieved geolocation allows the real position to be outside every authorized zone, the geolocation is considered unauthorized; a wide uncertainty radius near a zone boundary therefore fails the check even when the reported point is inside the zone.
Functional > Geolocation > AuthorizedZone: Represents an authorized zone for generating an OTP. Zones are defined by their boundaries: the southern and northern latitudes as well as the eastern and western longitudes.
north: Northern latitude.
west: Western longitude.
south: Southern latitude.
east: Eastern longitude.
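The zone check with the accuracy rule stated above, as an added example (not Mobile Authenticator Studio code): a position is authorized only if the whole uncertainty circle (reported point plus or minus the reported accuracy in meters) lies inside at least one AuthorizedZone, and a missing fix is unauthorized. The zones come from the sample configuration on this page; the meter-to-degree conversion is an equirectangular approximation (an assumption of this example, adequate at the 100 m scale involved).

```python
"""Authorized-zone check that accounts for location accuracy (added example)."""
import math
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Approximate length of one degree of latitude in meters (assumption).
M_PER_DEG_LAT = 111_320.0

# Constructed fragment using the zones from the sample customization file.
CONFIG_XML = """
<Geolocation timeout="10" accuracy="100">
  <AuthorizedZones>
    <AuthorizedZone north="44.907018" west="-0.737503" south="44.745334" east="-0.452545" />
    <AuthorizedZone north="50.941434" west="4.217489" south="50.774993" east="4.534719" />
  </AuthorizedZones>
</Geolocation>
"""

Zone = Tuple[float, float, float, float]          # (north, west, south, east)
Position = Optional[Tuple[float, float, float]]   # (lat, lon, accuracy_m) or None


def load_zones(xml_text: str) -> List[Zone]:
    """Parse every AuthorizedZone into a (north, west, south, east) tuple."""
    root = ET.fromstring(xml_text)
    zones = []
    for z in root.iter("AuthorizedZone"):
        zone = tuple(float(z.attrib[k]) for k in ("north", "west", "south", "east"))
        north, west, south, east = zone
        if not (south < north and west < east):
            raise ValueError(f"malformed zone {zone}")
        zones.append(zone)
    return zones


def circle_inside_zone(lat: float, lon: float, accuracy_m: float, zone: Zone) -> bool:
    """True when every point within accuracy_m of (lat, lon) is inside the zone."""
    north, west, south, east = zone
    dlat = accuracy_m / M_PER_DEG_LAT
    dlon = accuracy_m / (M_PER_DEG_LAT * math.cos(math.radians(lat)))
    return (lat - dlat >= south and lat + dlat <= north
            and lon - dlon >= west and lon + dlon <= east)


def position_authorized(position: Position, zones: List[Zone]) -> bool:
    """Apply the documented rule: no fix, or any chance of being outside
    every zone, means unauthorized."""
    if position is None:          # fix not obtained within the timeout
        return False
    lat, lon, accuracy_m = position
    return any(circle_inside_zone(lat, lon, accuracy_m, z) for z in zones)


if __name__ == "__main__":
    zones = load_zones(CONFIG_XML)
    # Constructed sample fixes: well inside the first zone, at its northern
    # edge with 100 m and with 5 m accuracy, outside every zone, and no fix.
    for pos in ((44.84, -0.58, 100.0), (44.9069, -0.58, 100.0),
                (44.9069, -0.58, 5.0), (48.8566, 2.3522, 30.0), None):
        print(pos, "->", position_authorized(pos, zones))
```

The two fixes at the northern edge of the first zone differ only in accuracy: with 100 m the uncertainty circle crosses the boundary and the position is rejected, with 5 m it is accepted. This is the behaviour the accuracy note above describes.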
Functional > ScoreGeneration: This element is used to configure the Score-Based Authentication feature. For more information about this feature, refer to the Mobile Authenticator Studio Product Guide.
ScoreGeneration must contain at least one of the following elements: PlatformCategory, UserCategory, or ContextCategory.
Functional > ScoreGeneration > PlatformCategory: This element is used to configure the category related to the platform.
threshold: Double in the [0;1] interval defining the threshold for the sum of the category elements. If the sum is greater than this threshold, the category score is set to 1. This attribute is mandatory.
Functional > ScoreGeneration > PlatformCategory > RootingStatus: This element is used to configure the effect of the rooting status on the PlatformCategory score. The specified weight is taken into account if the device is detected to be rooted.
weight: Double in the [0;1] interval defining the influence of the element on the score of its parent category. A weight of 0 means that the element has no impact on the score of its parent category. This attribute is mandatory.
Functional > ScoreGeneration > PlatformCategory > MinimumVersionAndroid: This element is used to configure the effect of the Android OS version on the PlatformCategory score. The specified weight is taken into account if the device OS version is lower than the one specified by the version attribute.
version: A string representing the minimum version number as a set of up to three integers, separated by dots. This attribute is mandatory.
weight: Double in the [0;1] interval defining the influence of the element on the score of its parent category. A weight of 0 means that the element has no impact on the score of its parent category. This attribute is mandatory.
Functional > ScoreGeneration > PlatformCategory > MinimumVersionIOS: This element is used to configure the effect of the iOS version on the PlatformCategory score. The specified weight is taken into account if the device OS version is lower than the one specified by the version attribute.
version: A string representing the minimum version number as a set of up to three integers, separated by dots. This attribute is mandatory.
weight: Double in the [0;1] interval defining the influence of the element on the score of its parent category. A weight of 0 means that the element has no impact on the score of its parent category. This attribute is mandatory.
Functional > ScoreGeneration > UserCategory: This element is used to configure the category related to the user.
threshold: Double in the [0;1] interval defining the threshold for the sum of the category elements. If the sum is greater than this threshold, the category score is set to 1. This attribute is mandatory.
Functional > ScoreGeneration > UserCategory > PasswordProtected: This element is used to configure how password protection affects the UserCategory score. The specified weight is taken into account if the application is not password-protected.
weight: Double in the [0;1] interval defining the influence of the element on the score of its parent category. A weight of 0 means that the element has no impact on the score of its parent category. This attribute is mandatory.
Functional > ScoreGeneration > UserCategory > BiometryProtected: This element is used to configure how biometric protection affects the UserCategory score. The specified weight is taken into account if the application is not protected by biometrics.
weight: Double in the [0;1] interval defining the influence of the element on the score of its parent category. A weight of 0 means that the element has no impact on the score of its parent category. This attribute is mandatory.
Biometric protection is only available on:
iPhone devices running an iOS version later than 12.0 with Touch ID or Face ID.
Samsung devices running Android 5.0 Lollipop (API level 21) or later, and all devices running Android 6.0 (API level 23) or later with fingerprint support.
Functional > ScoreGeneration > ContextCategory: This element is used to configure the category related to the context.
threshold: Double in the [0;1] interval defining the threshold for the sum of the category elements. If the sum is greater than this threshold, the category score is set to 1. This attribute is mandatory.
Functional > ScoreGeneration > ContextCategory > GeolocationAuthorizedPosition: This element is used to configure the effect of the device's presence in an authorized position (see Functional > Geolocation) on the ContextCategory score. The specified weight is taken into account if there is a chance that the device is not in an authorized zone (i.e. the geolocation is not available or the device is not in an authorized zone).
weight: Double in the [0;1] interval defining the influence of the element on the score of its parent category. A weight of 0 means that the element has no impact on the score of its parent category. This attribute is mandatory.
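The category scoring described in this section, as an added example that is not Mobile Authenticator Studio code: the ScoreGeneration fragment from the sample configuration is evaluated against a constructed device state. A child element's weight is counted when its adverse condition holds (device rooted, OS version below the minimum for its platform, no password or biometric protection, position possibly outside every authorized zone), and a category scores 1 when the sum of counted weights is greater than its threshold. Two points are assumptions of this example because the page does not state them: a category whose sum does not exceed the threshold returns the raw sum, and no overall score is derived from the three categories. The range checks on weight and threshold enforce the [0;1] interval the attributes require.

```python
"""Category score evaluation for Score-Based Authentication (added example)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# ScoreGeneration fragment from the sample customization file on this page.
CONFIG_XML = """
<ScoreGeneration>
  <PlatformCategory threshold="0.5">
    <RootingStatus weight="1" />
    <MinimumVersionAndroid version="5.0" weight="0.5" />
    <MinimumVersionIOS version="12.0" weight="0.5" />
  </PlatformCategory>
  <UserCategory threshold="0.5">
    <PasswordProtected weight="1" />
    <BiometryProtected weight="1" />
  </UserCategory>
  <ContextCategory threshold="0.5">
    <GeolocationAuthorizedPosition weight="0.5" />
  </ContextCategory>
</ScoreGeneration>
"""

# Constructed device state; the key names are this example's own.
DEVICE_OK = {"platform": "android", "os_version": "13", "rooted": False,
             "password_protected": True, "biometry_protected": True,
             "in_authorized_zone": True}


def parse_version(text: str) -> Tuple[int, int, int]:
    """'5.0' -> (5, 0, 0): up to three dot-separated integers, zero-padded
    so that '5' and '5.0' compare equal."""
    parts = tuple(int(p) for p in text.split("."))
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad version string: {text!r}")
    return (parts + (0, 0, 0))[:3]


def unit_interval(elem: ET.Element, attr: str) -> float:
    """Read a mandatory attribute and enforce the documented [0;1] range."""
    value = float(elem.attrib[attr])
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{elem.tag}@{attr}={value} is outside [0;1]")
    return value


def element_triggers(elem: ET.Element, device: Dict) -> bool:
    """True when the adverse condition of this score element holds.
    Assumption: a minimum-version element for the other platform never counts."""
    tag = elem.tag
    if tag == "RootingStatus":
        return device["rooted"]
    if tag == "MinimumVersionAndroid":
        return (device["platform"] == "android" and
                parse_version(device["os_version"]) < parse_version(elem.attrib["version"]))
    if tag == "MinimumVersionIOS":
        return (device["platform"] == "ios" and
                parse_version(device["os_version"]) < parse_version(elem.attrib["version"]))
    if tag == "PasswordProtected":
        return not device["password_protected"]
    if tag == "BiometryProtected":
        return not device["biometry_protected"]
    if tag == "GeolocationAuthorizedPosition":
        return not device["in_authorized_zone"]
    raise ValueError(f"unknown score element {tag}")


def triggered(xml_text: str, device: Dict) -> List[str]:
    """Tags of all elements whose weight is counted for this device."""
    root = ET.fromstring(xml_text)
    return [e.tag for cat in root for e in cat if element_triggers(e, device)]


def evaluate(xml_text: str, device: Dict) -> Dict[str, float]:
    """Score per category: 1 if the counted weights exceed the threshold,
    otherwise the raw sum (the latter is an assumption of this example)."""
    root = ET.fromstring(xml_text)
    scores = {}
    for category in root:
        threshold = unit_interval(category, "threshold")
        total = sum(unit_interval(e, "weight") for e in category
                    if element_triggers(e, device))
        scores[category.tag] = 1.0 if total > threshold else total
    return scores


if __name__ == "__main__":
    rooted_old = {**DEVICE_OK, "rooted": True, "os_version": "4.4.2"}
    print("ok device     :", evaluate(CONFIG_XML, DEVICE_OK))
    print("rooted, 4.4.2 :", evaluate(CONFIG_XML, rooted_old), triggered(CONFIG_XML, rooted_old))
```

With the sample weights, an un-rooted Android 4.4 device collects exactly 0.5 in PlatformCategory, which is not greater than the 0.5 threshold, so the OS version alone does not saturate the category; rooting adds 1 and does. Set thresholds with the strict "greater than" comparison in mind.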
Functional > Permissions: This element is used to define the texts which must be displayed when a user is requested to grant a permission.
Functional > Permissions > Permission:
id="ReadPhoneStateUsageDescription": This is the permission message displayed when the read phone state permission is required (Android).
id="CameraUsageDescription": This is the permission message displayed when the camera permission is required (Android and iOS).
id="LocationUsageDescription": This is the permission message displayed when the location permission is required (Android and iOS).
id="FaceRecognitionUsageDescription": This is the permission message displayed when the face recognition permission is required (iOS).
id="NotificationsUsageDescription": This is the permission message displayed when the notification permission is required (Android).
Functional > Permissions > PermissionError:
id="MandatoryPermissionsMissing": This is the message displayed when a mandatory permission has been refused on Android.