- 23 Oct 2024
Online activation process
The Mobile Authenticator Studio application connects to a server for online activation, using a registration identifier to request an activation message. This identifier, an alphanumeric ASCII string of up to 40 characters, is managed by the integrator and stored securely within the application. To enhance security, it can be combined with an optional authorization code, also up to 40 characters, ensuring that activation data is sent to the correct user. The activation process employs an encryption protocol based on a shared activation password, with additional security measures like checksums to prevent errors. The server manages key pair generation and encryption through the DSAPP library, utilizing a Diffie-Hellman shared secret for secure communication. If the activation password is incorrect, activation fails. A unique device identifier can also be included in the activation request to verify the installation on the same or a new device. For detailed integration instructions, users can refer to the Mobile Authenticator Studio guides.
During the online activation, the Mobile Authenticator Studio application automatically connects to the server that provides the activation service, and requests the activation message.
The application may use a registration identifier by which end users are identified on the server. Based on this identifier, the server delivers the corresponding Activation Message 1. The identifier needs to be an alphanumeric ASCII string of up to 40 characters.
Online registration request
The registration identifier is generated and managed by the Mobile Authenticator Studio integrator. It is stored in the authenticator application storage and cannot be changed.
To prevent activation data from being delivered to a wrong user, the registration identifier can be combined with an authorization code. The combination of authorization code and registration identifier ensures that the authenticator data is delivered to the correct user. The authorization code needs to be a string of up to 40 characters.
The authorization code can contain all the ASCII characters between 0x20 (SPACE) and 0x7E (~).
The authorization code is configured in the online activation section of the Mobile Authenticator Studio configuration file; using it for data delivery is optional. To increase security during the delivery process, the activation data is protected by an encryption protocol based on the activation password (customer historical secret), i.e. a secret shared between the server and the end user.
To avoid typing errors, the authorization code and activation password can use a checksum based on a Luhn-10 algorithm and can be generated using the Digipass Software Advanced Provisioning Protocol (DSAPP) SDK.
The encryption protocol uses an encryption key based on a Diffie-Hellman shared secret, which the server and the application derive from their private keys and the public key of the other party. Key pairs are generated according to an ECDH mechanism based on a NIST P-256 curve.
Online activation with advanced encryption
The activation data is generated by the Authentication Server Framework. The server key pair generation, the decryption of the client public key, the session key derivation, and the encryption of the activation data are managed by the DSAPP library. For more information about how to integrate the advanced provisioning protocol with Mobile Authenticator Studio, refer to the Mobile Authenticator Studio Integration Guide and the Mobile Authenticator Studio Two-Step Integration Samples Specification.
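The following Go program is an added illustration of the key agreement described above; it is not code from Mobile Authenticator Studio or the DSAPP library. Each side holds a NIST P-256 key pair, derives the Diffie-Hellman shared secret from its own private key and the peer's public key, and binds the result to the activation password, so the two sides only arrive at the same session key when the password matches. The binding step (SHA-256 over secret and password) is an assumption for illustration, since the page does not describe the real derivation, and the public-key decryption and activation-data encryption that DSAPP also performs are not modelled.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
)

// Party is one side of the exchange (provisioning server or authenticator
// app). It holds a P-256 key pair; only PublicBytes() ever leaves the party.
type Party struct {
	priv *ecdh.PrivateKey
}

// NewParty generates a fresh NIST P-256 ECDH key pair.
func NewParty() (*Party, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// PublicBytes is the uncompressed point encoding exchanged with the peer.
func (p *Party) PublicBytes() []byte { return p.priv.PublicKey().Bytes() }

// SessionKey computes the Diffie-Hellman shared secret from this party's
// private key and the peer's public key, then binds it to the activation
// password so that a wrong password yields a different key. The binding
// (SHA-256 over secret||password) is an assumption for illustration; the
// real DSAPP derivation is not described on the page.
func (p *Party) SessionKey(peerPub []byte, activationPassword string) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub) // rejects malformed or off-curve points
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write(shared)
	h.Write([]byte(activationPassword))
	return h.Sum(nil), nil
}
```

A server-side session key that does not match the client's one simply fails to decrypt the activation message, which is the behaviour the page describes for an incorrect activation password.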
If the activation password is incorrect, an error message will be displayed, and Mobile Authenticator Studio will not be activated.
A device unique identifier can be added to the online request to check whether the end user installs the Mobile Authenticator Studio application on the same device or on a new one. The presence of the device identifier in the request is indicated by the device identifier mask in the URL that is set in the application configuration file. For more information about how to send the device unique identifier to the provisioning server, refer to the Mobile Authenticator Studio Integration Guide.