Digipass SDK licensing - standard single-device licensing
- Updated on 22 Oct 2024
Single device licensing model (overview)
In the single-device licensing (SDL) model, OneSpan generates a unique ten-character serial number that is associated with Digipass data on the server side. The Digipass authenticator can therefore be instantiated on only a single device, so that the client and the server hold matching (symmetric) Digipass data.
Activation process
Before you can work with the Digipass SDK, you must activate it. To activate it in the single-device licensing model, the activation data, which consists of the parameter settings, the serial number, and the Digipass key of a Digipass authenticator, must be provided to the Digipass SDK binary.
Unlike activation in the multi-device licensing model, the activation data is provided to the Digipass SDK in one step.
This set of data can be provided using either of the following methods:
- Offline. The data required to activate the Digipass authenticator is provided independently.
  - OneSpan provides the Digipass static vector in a flat file named export.svf. The static vector must be integrated with the Digipass SDK.
  - OneSpan provides the Digipass serial number in a flat file named ACode.log. The serial number must be delivered to the user.
    Instead of entering a serial number, the user can enter a serial number suffix. However, this is not recommended, because the serial number prefix is then retrieved from the static vector, and this prefix can differ between the hard-coded static vector in the mobile application and the Digipass BLOBs used by the server.
  - OneSpan provides the Digipass activation code together with the Digipass serial number in a flat file named ACode.log. The activation code may also be generated dynamically by a OneSpan server solution, i.e. OneSpan Authentication Server Framework or OneSpan Authentication Server. For more information, refer to the relevant product documentation. The activation code must be delivered to the user in a secure way.
- Online. The data is not provided independently but as part of the full activation data.
  - The Digipass full activation data is generated by a OneSpan server solution, i.e. OneSpan Authentication Server Framework or OneSpan Authentication Server. For more information, refer to the relevant product documentation. The full activation data must be provided dynamically to the Digipass SDK.
Optionally, and depending on the Digipass parameter settings, the activation process may also require a Digipass password. The password is chosen by the user and protects the Digipass authenticator against unauthorized use. It is set during the activation process but may be changed in the course of the Digipass lifecycle (see Delegated protection).
Digipass reactivation
During the Digipass life cycle you may want to re-use the Digipass serial number, for instance when re-installing the Digipass authenticator on a new host platform (such as a new mobile phone) or when a Digipass protection password has been lost. During the regular activation process, an event-based Digipass authenticator starts with its event counter set to 0. Once the Digipass authenticator is activated and used to validate responses, the counters are incremented on the server side. Re-activating the same Digipass authenticator on a new platform resets the Digipass counters to 0 while the counters on the server already hold a different value; re-activating it on the same platform leaves the counters unchanged.
To push the current server-side values of the Digipass counters to the Digipass SDK, the SDK supports the Digipass event reactivation counter. This data contains the current value of the event counter of each cryptographic Digipass application and is provided by a OneSpan server solution, i.e. OneSpan Authentication Server Framework or OneSpan Authentication Server. For more information, refer to the relevant product documentation.
Binding Digipass to the host platform
To ensure that a Digipass authenticator is used only on the platform where it was activated, the Digipass SDK can use platform-specific data as a diversifier of the Digipass key to generate responses. This data must be provided by the integrating application.
The data used to identify the platform must be unique and not predictable. The Device Binding SDK provides this data to identify the platform host of the integrating application.
The data must be exchanged with the OneSpan server solution so that the server side can apply the same key diversification. It is transferred to the server within the derivation code, which contains a hash of the platform-specific data authenticated with a Digipass OTP. Once the derivation code is validated on the server side, the hash of the platform-specific data is stored in the Digipass server data. All future OTP validations are then performed against both the Digipass authenticator data and the platform data; if the same Digipass authenticator is installed on another platform, the OTPs it generates are rejected.
When a platform is replaced, the binding process must be repeated to bind the Digipass authenticator to the new platform. On the server side, the binding can only be cleared by re-importing the Digipass data from the DPX file.
For more information, refer to your server solution documentation. This feature is supported by server solutions using OneSpan Authentication Server Framework 3.11.2 or later.
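The following Python model is an added example (not OneSpan's code or algorithm) that serves both the reactivation-counter discussion above and the platform binding described in this section. It assumes an HOTP-style (RFC 4226) event counter and an HMAC-based key diversifier, and shows why a re-activated authenticator at counter 0 is rejected, how a server-provided reactivation counter resolves that, and how a derivation code (platform hash plus OTP) binds the authenticator to one platform so that OTPs from another platform fail.

```python
import hashlib
import hmac
import struct

# Added model, not OneSpan's code: HOTP-style (RFC 4226) event counter and a
# key diversified with a hash of the platform data (both constructions assumed).
def hotp(key, counter, digits=6):
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def diversify(key, platform_hash):
    # No binding yet: plain key. Otherwise the platform hash diversifies the key.
    return key if platform_hash is None else hmac.new(key, platform_hash, hashlib.sha256).digest()

class Client:
    # One authenticator instance; event_counter is a reactivation counter, else 0.
    def __init__(self, key, platform_data, event_counter=0):
        self.key, self.counter = key, event_counter
        self.platform_hash = hashlib.sha256(platform_data).digest()

    def otp(self):
        code = hotp(diversify(self.key, self.platform_hash), self.counter)
        self.counter += 1
        return code

    def derivation_code(self):
        # Platform hash authenticated with an OTP computed under the diversified key.
        return self.platform_hash, self.otp()

class Server:
    WINDOW = 10  # look-ahead for clients whose counter ran ahead of the server
    def __init__(self, key):
        self.key, self.counter, self.platform_hash = key, 0, None

    def _check(self, code, platform_hash):
        dkey = diversify(self.key, platform_hash)
        for c in range(self.counter, self.counter + self.WINDOW):
            if hmac.compare_digest(hotp(dkey, c), code):
                self.counter = c + 1  # counters at or below c are never accepted again
                return True
        return False  # wrong key/platform, replayed counter, or too far ahead

    def bind(self, platform_hash, code):
        if not self._check(code, platform_hash):
            return False
        self.platform_hash = platform_hash  # kept in the Digipass server data
        return True

    def verify(self, code):
        return self._check(code, self.platform_hash)
```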