- 23 Jan 2025
- 4 minutes to read
Digipass Multi-Device Activation Service
Description
The Digipass Multi-Device Activation Service groups functionalities for multi-device activation (two-step activation) of compliant Digipass (software or hardware) devices.
The Digipass multi-device activation is a different process from the standard software Digipass activation. The Digipass multi-device activation requires compliant Digipass devices and compliant DPX files (in the context of multi-device licensing; for more information, see Multi-device licensing).
When a compliant Digipass device is activated, settings and secrets are written into the device.
Global workflow of the multi-device activation
The multi-device activation process involves a particular authenticator application, the master activation application, which contains an individual master activation key for each Digipass serial number license. Every Digipass serial number license must be linked to a single user account.
The multi-device activation involves two activation messages generated by the customer. Two separate messages are used to guarantee that only the intended end user, and not an adversary who has intercepted one of the messages, can perform the activation. The first activation message allows activating a Digipass license in the device. The second activation message allows activating a Digipass instance of a license in the device.
Both activation messages should be delivered to the end user over authenticated channels. For instance, the first activation message (Activation Message 1) should be delivered via a secure letter or email, and the second activation message (Activation Message 2) via the online banking application.
Each serial number license will be used several times for activation of several Digipass instances (in several Digipass devices) of one user account.
Activation Message 1 may be used several times to allow activation of multiple Digipass instances (of a certain Digipass license) on multiple Digipass devices if necessary, or only once if a challenge is used. On the other hand, Activation Message 2 can be used for effective activation for one Digipass instance only.
Only one license will be consumed for the activation of the different Digipass instances for one user account.
For each activation of a new Digipass instance, new authenticator application BLOBs are generated by the Authentication Suite Server SDK. A sequence number is incremented for each new Digipass instance issued from the same license. The number of instances that can be issued from a license is limited to a pre-defined threshold between 1 and 99 (configured by OneSpan at time of order).
The different Digipass instances of one user account will have the same serial number but a different sequence number. The keys of the Digipass instance applications will be different for each instance.
The optional Secure Channel feature protects the messages exchanged between the server side and the client side after the activation of a Digipass instance. It applies only to Digipass devices able to perform operations based on the Secure Channel protocol.
The Secure Channel is usable only if the Secure Channel feature has been ordered (configured by OneSpan at time of order).
If the Secure Channel feature has been ordered, the activation process requires the provisioning of a payload key, represented on the server side by a payload key BLOB.
In this case, a payload key first has to be generated, once for each Digipass serial number license. The different Digipass instances activated from one Digipass serial number license must share the same payload key. After the activation, the payload key protects the request messages and deactivation messages exchanged between the server and the client devices that have been activated using a particular Digipass license (for a particular user account).
If the Secure Channel feature has not been ordered, no payload key is generated or provisioned.
To recover from an interruption in the process, it must be possible to replay Activation Message 2 until its signature has been validated by the server. To allow this, Activation Message 2 should be kept on the server side and deleted once the signature is validated.
The Authentication Suite Server SDK is involved in the following steps of the multi-device activation process:
- Step 2: If the Secure Channel feature has been ordered, generation of the payload key BLOB (once per Digipass serial number license).
- Step 3: Generation of Activation Message 1.
- Step 8: Verification of the device code, and extraction of the device ID and the device type.
- Step 9: Generation of Activation Message 2 and of the Digipass instance application BLOBs.
- Step 15: Verification of the Activation Message 2 signature, using the message signature validation functionality together with the Digipass instance application BLOB that corresponds to the crypto application defined in the client Digipass, in order to perform the post-activation. See Activation Message 2 signature validation workflow for more information.
In steps 4 and 11, the Authentication Suite Server SDK is not involved: the transformation of a message into an image or other medium (e.g. a Cronto image generated with the Image Generator SDK) is performed outside the SDK.
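The server-side rules above (reusable Activation Message 1, Activation Message 2 kept on the server and replayable only until its signature validates, per-instance sequence numbers and keys under a 1 to 99 threshold, one payload key shared by all instances of a license when Secure Channel is ordered) as a hypothetical Python model. This is an added example, not Authentication Suite Server SDK code: the class and message field names, the random placeholder BLOBs and the HMAC stand-in for the device signature are all assumptions.

```python
import hashlib
import hmac
import secrets


class LicenseServer:
    def __init__(self, max_instances, secure_channel):
        if not 1 <= max_instances <= 99:  # threshold is fixed by OneSpan at order time
            raise ValueError("instance threshold must be between 1 and 99")
        self.max_instances = max_instances
        self.secure_channel = secure_channel
        self.licenses = {}      # serial number -> {user, next_seq, payload_key}
        self.pending_msg2 = {}  # (serial, seq) -> Activation Message 2 kept until validated

    def create_license(self, serial, user):
        # One license per user account; Step 2 payload key only if Secure Channel was ordered
        key = secrets.token_bytes(16) if self.secure_channel else None  # placeholder BLOB
        self.licenses[serial] = {"user": user, "next_seq": 1, "payload_key": key}

    def activation_message_1(self, serial):
        # Step 3: Activation Message 1 activates the license and may be reused per instance
        return {"serial": serial}

    def activation_message_2(self, serial):
        # Step 9: issue a new instance; the sequence number increments per instance of a license
        rec = self.licenses[serial]
        seq = rec["next_seq"]
        if seq > self.max_instances:
            raise RuntimeError("instance threshold reached for license %s" % serial)
        rec["next_seq"] = seq + 1
        msg2 = {"serial": serial, "seq": seq,
                "instance_key": secrets.token_bytes(16),  # placeholder: differs per instance
                "payload_key": rec["payload_key"]}        # shared by all instances of a license
        self.pending_msg2[(serial, seq)] = msg2  # kept server-side so the client can replay it
        return msg2

    def validate_message_2_signature(self, serial, seq, signature):
        # Step 15: accept until the signature validates, then delete the message (no reuse)
        msg2 = self.pending_msg2.get((serial, seq))
        if msg2 is None:
            return False  # nothing pending: already validated or never issued
        if not hmac.compare_digest(client_sign_message_2(msg2), signature):
            return False
        del self.pending_msg2[(serial, seq)]
        return True


def client_sign_message_2(msg2):
    # Placeholder for the device-side signature: HMAC over serial number and sequence number
    data = ("%s:%d" % (msg2["serial"], msg2["seq"])).encode()
    return hmac.new(msg2["instance_key"], data, hashlib.sha256).digest()
```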
Functionalities
The Digipass Multi-Device Activation Service relies on the following functionalities:
- Payload key BLOB generation
- Activation Message 1 generation
- DeviceCode validation
- Activation Message 2 and Digipass instance generation