March 2021
- Updated on 25 Oct 2024
New features and enhancements—supported use cases
Limited number of authenticator instances
To further increase security, Intelligent Adaptive Authentication now limits the number of authenticator instances that can be derived from a single license. Because a one-time password (OTP) is validated against all available authenticator instances, reducing the number of instances also reduces the chance that an attacker submits a correct OTP. Once the limit is reached, an administrator can reset the activation count for that license.
The maximum number is now limited to 30 authenticator instances.
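The effect of the instance limit on OTP validation, as an added example that is not OneSpan code. RFC 4226 HOTP, the 6-digit OTP length, and the per-instance key derivation are assumptions standing in for the product's own algorithm, which this page does not describe.

```python
import hashlib
import hmac
import struct

DIGITS = 6  # assumption: the page does not state the OTP length

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP, a stand-in for the product's own OTP algorithm."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def instance_key(license_seed: bytes, index: int) -> bytes:
    """Hypothetical per-instance key derivation, constructed for this example."""
    return hmac.new(license_seed, b"instance-%d" % index, hashlib.sha256).digest()

def accepted_otps(license_seed: bytes, instances: int, counter: int) -> set:
    """Every OTP the validator accepts for one license at one counter value."""
    return {hotp(instance_key(license_seed, i), counter) for i in range(instances)}

def validate(license_seed: bytes, instances: int, counter: int, otp: str) -> bool:
    """Accept the OTP if any instance of the license would have produced it."""
    return any(hmac.compare_digest(code, otp)
               for code in accepted_otps(license_seed, instances, counter))

def guess_success(instances: int, digits: int = DIGITS) -> float:
    """Chance one random guess is accepted, for independent uniform OTPs."""
    return 1 - (1 - 10 ** -digits) ** instances

if __name__ == "__main__":
    seed = b"constructed-license-seed"  # sample value, not a real license
    for n in (1, 10, 30):
        valid = len(accepted_otps(seed, n, counter=0))
        print(f"{n:>2} instances: {valid} valid OTPs, "
              f"P(guess accepted) = {guess_success(n):.2e}")
```

The number of simultaneously valid OTPs, and with it the chance that a single guess is accepted, grows roughly linearly with the instance count, which is why capping the count bounds an attacker's odds.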
Push Notification service
Intelligent Adaptive Authentication now supports the latest Apple HTTP/2 certificate and authentication mode and the latest Google HTTP v1 mode.
The Apple Push Notification service HTTP/2 interface has been deployed and replaces the previous binary interface. No changes are needed for existing certificates. For new Apple applications, you need to provide either a PKCS#12 certificate for the certificate mode, or a PKCS#8 certificate for the authentication mode. For the Apple application, you can bundle multiple application identifiers (Apple staging identifier and production identifier). This feature is not accessible in the Sandbox environment.
The Firebase Cloud Messaging HTTP v1 interface has been deployed and provides strong security via short-lived access tokens. The previous modes remain supported.
OneSpan recommends deploying the latest Push Notification server mode for Apple (authentication) and Google (short-lived token) to provide the highest security support.
Device binding
Intelligent Adaptive Authentication now supports device binding of software authenticators (single-device licensing). After the activation data has been generated, an authenticator can be bound to a device. Two new endpoints have been added for the implementation of this feature.
Endpoint to bind an authenticator to a device (calls the relevant Authentication component administration command):
POST /authenticators/{serialNumber}/bind
This endpoint accepts derivationCode as payload.
The following failure responses are included:
400: The input is invalid.
404: The authenticator was not found.
409: Failed to bind authenticator to device (device binding not supported by the authenticator, authenticator already bound, or invalid derivation code).
500: Unexpected server error.
Endpoint to unbind an authenticator from its device:
POST /authenticators/{serialNumber}/unbind
This endpoint does not accept a payload.
The following failure responses are included:
400: The input is invalid.
404: The authenticator was not found.
409: Failed to unbind the authenticator (device binding not supported by the authenticator, or authenticator not bound).
500: Unexpected server error.
For more information about this feature and integration instructions, see the Intelligent Adaptive Authentication Integration Guide.
Deletion of authenticators
Intelligent Adaptive Authentication now supports the deletion of authenticators. This applies to the deletion of standard licenses (based on the authenticator serial number) and the deletion of licenses and instances of multi-device licensing authenticators.
A new endpoint has been added to perform the delete operation:
DELETE /authenticators/{serialNumber}
This endpoint does not accept a payload; it takes the serialNumber as a path parameter.
The following failure responses are included:
400: The input is invalid.
404: The authenticator was not found.
409: Failed to delete authenticator.
500: Unexpected server error.
For more information about this feature and integration instructions, see the Intelligent Adaptive Authentication Integration Guide.
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
5.2.0
5.0.2
4.24.4
4.24.2
4.23.0
4.21.1
4.20.2
4.19.3