Administrating Authenticator Activations, Licenses, And Instances for MDL

Administrating authenticator activations

You can retrieve information about the activation status of authenticator instances via the DIGIPASS >Activation Information tab of the Administration Web Interface. You can also activate authenticators via the multi-device activation process.

Activate an authenticator license using multi-device licensing (process)

For this procedure, the Generate Activation Data administrative privilege is required.

1. The client application requests an activation message for a specific authenticator license from OneSpan Authentication Server. The server generates this message, Activation Message 1, and provides it to the client application.
2. The client application generates a color QR code of Activation Message 1 and displays this image. Scan this color QR code with your authenticator.
3. The authenticator generates and displays a device code. Type that code in the client application.

4. OneSpan Authentication Server validates the device code, generates a new authenticator instance and Activation Message 2, and provides this together with a request key to the client application.

   If no activations are left for the relevant authenticator license, OneSpan Authentication Server returns an error message, explaining that the selected authenticator license does not support any new activation, because the activation threshold has been reached.

   When the first step to generate Activation Message 1 has been skipped, OneSpan Authentication Server returns an error message, explaining that Activation Message 1 cannot be used anymore and that a new Activation Message 1 is required.

5. The client application generates a color QR code of Activation Message 2. Scan this image with the same authenticator that was used for scanning the image representation of Activation Message 1.
6. On OneSpan Authentication Server, the authenticator instance is now activated.
7. (OPTIONAL) Enter the activation signature that is displayed on the authenticator after scanning Activation Message 2 into the client application. The client application requests a test signature for a specific instance of the authenticator, the request key, and the activation signature from OneSpan Authentication Server.
8. (OPTIONAL) OneSpan Authentication Server validates the activation signature, and provides the result to the client application.
9. (OPTIONAL) The authenticator instance activation process is now finalized on the authenticator.

Authenticator instances on a device, which are assigned to a specific user, can also be deactivated.

Deactivate an authenticator instance (process)

1. The client application sends a DIGIPASS Deactivate SOAP request for a specific user ID and authenticator instance to the system.
2. OneSpan Authentication Server searches all authenticator applications for the authenticator instance selected for deactivation, deactivates these applications, and expires the authenticator instance. The system then provides the deactivation message in the response envelope.
3. The client application generates a color QR code of the deactivation message. Scan this image with your authenticator and confirm on that device that you want to deactivate the selected authenticator instance.
4. Once you confirm this, the deactivation has succeeded.

Typically, each Activation Message 1 is generated once per authenticator license. It is then reused for any activation during the validity of this Activation Message 1 and for each instance of that authenticator license. Activation Message 1 can also be reset which will effect in resetting the activation of the authenticator license pertaining to this activation message.

Reset activation of a specific authenticator license (process)

1. In OneSpan Authentication Server, select the authenticator license of the required user.
2. Select the required authenticator license from that list and click Reset Activation.
3. OneSpan Authentication Server resets Activation Message 1 for the selected authenticator license. If no Activation Message 1 exists for the selected authenticator license, OneSpan Authentication Server displays a corresponding notification.

Administrating authenticator licenses and instances

When an authenticator is an authenticator license, i.e. a master activation application is linked to the authenticator, the License Information tab is displayed in the DIGIPASS properties page of the Administration Web Interface. Via this tab, you can retrieve authenticator information about the license status, and reset the activation message.

It is also possible to query all authenticator instances for an authenticator license, or query OneSpan Authentication Server specifically for all authenticator licenses in the Administration Web Interface:

To query all authenticator instances for an authenticator license

1. Open the Administration Web Interface.
2. Select DIGIPASS.
3. Select the required authenticator.
4. Switch to the License Information tab.
5. Click Show Activations to get a result set that contains all authenticator instances that are linked to the selected authenticator license.

To query specifically for all authenticator licenses

1. Open the Administration Web Interface.
2. Select DIGIPASS > Find/manage.

3. On the Find/manage page, limit the search by selecting Master-Activation as the application type.

   OneSpan Authentication Server displays a list of results that contains all authenticator licenses.

Authenticator licenses can also be deleted via the OneSpan Authentication Server Administration Web Interface:

To delete authenticator instances and licenses

1. Open the Administration Web Interface.
2. Select DIGIPASS > Find/manage.

3. On the Find/manage page, limit the search by selecting Master-Activation as the application type.

   OneSpan Authentication Server displays a list of results that contains all authenticator licenses compliant with the multi-device licensing and multi-device activation model.

4. Start deleting the required licenses. You will be prompted to confirm the deletion of the selected authenticator licenses and all related authenticator instances. Once you have confirmed this, OneSpan Authentication Server will search all authenticator instances linked to the authenticator license, and deletes all instances as well as the authenticator license.

To delete authenticator instances and licenses (from the Manage User page)

1. Open the Administration Web Interface.

2. Locate the user account, whose authenticator license you want to delete with one of the following methods:

   • Via the extended search:

     1. Select USERS > Find/manage.
     2. Specify the search criteria according to your needs.
     3. Click SEARCH.

   • Using the fast search:

     1. Type the user ID of the relevant user account in the FIND box on the main page.
     2. Select USERS.
     3. Click SEARCH.
   • Via the USERS > List tab.
3. On the Manage User page, switch to the Assigned DIGIPASS tab.
4. Select the serial number of the authenticator you want to delete and click DELETE.

Authenticator licenses with active authenticator instances, i.e. existing authenticator instances which have not been deactivated, cannot be deleted.

Authenticator instances are automatically deleted when the respective authenticator is unassigned from the user. This action is not reversible, i.e. the deleted instances cannot be recovered!