- Updated on 23 Jan 2025
- 1 minute to read
Event-based algorithms
With event-based authenticator applications the secrets are static, so Digipass must feed its crypto-engine with both an internal event value and the secrets to generate a dynamic password (or a signature).
Ideally, the host and Digipass authenticator events are perfectly synchronized (identical). In that case the host would only need to consider the current event value, which corresponds to exactly one dynamic password, and any other dynamic password could be rejected. To remain perfectly synchronized, every password generated by Digipass would have to be presented to and validated by the host.
Because the host and Digipass events are likely to vary in real situations, Authentication Suite Server SDK provides a transparent mechanism to synchronize the authenticator application internal event value and the host event value stored into the authenticator application BLOB.
The maximum gap between the authenticator application and the host event values is called the event window and can be customized with the EventWindow kernel parameter. By default, this parameter value is set to 100.
With an event-based authenticator application, Authentication Suite Server SDK is not able to detect code replay attempts or chronological signature errors in case of signature validation.
For OTP or signature validation in online mode, Authentication Suite Server SDK only iterates over events greater than the current event. Consequently, a replay attempt is rejected by Authentication Suite Server SDK, but the error code returned is error 1: “Code or signature not verified” rather than error 201: “Code replay attempt” or error 206: “Chronological signature error”.
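The following is an added example, not code from Authentication Suite Server SDK or Digipass, that models the event-window synchronization and the replay behaviour described above. It assumes an HMAC-SHA1 counter-based OTP (RFC 4226 HOTP) as a stand-in for the Digipass crypto-engine, which the page does not specify; the `HostBlob`, `Token` and `validate_otp` names are hypothetical, the window defaults to the page's `EventWindow` value of 100, and the return codes 0 and 1 mirror the page's "error 1: Code or signature not verified" outcome.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

EVENT_WINDOW = 100  # mirrors the page's EventWindow kernel parameter default

OK = 0
NOT_VERIFIED = 1  # page's error 1: "Code or signature not verified"


def hotp(secret: bytes, event: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: stand-in for the Digipass crypto-engine (assumption)."""
    mac = hmac.new(secret, struct.pack(">Q", event), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


@dataclass
class HostBlob:
    """Host-side state: static secret plus the last validated event value."""
    secret: bytes
    event: int


@dataclass
class Token:
    """Authenticator side: same secret, its own internal event counter."""
    secret: bytes
    event: int

    def generate(self) -> str:
        otp = hotp(self.secret, self.event)
        self.event += 1  # every generated password consumes one event
        return otp


def validate_otp(blob: HostBlob, otp: str, window: int = EVENT_WINDOW) -> int:
    """Iterate only over events strictly greater than the stored host event.

    On success the host event is moved forward to the matched event, which
    transparently resynchronizes host and authenticator. Any password at or
    below the stored event (a replay, or a skipped older password) is never
    tried, so it fails as NOT_VERIFIED rather than as a distinct replay error.
    """
    for candidate in range(blob.event + 1, blob.event + 1 + window):
        if hmac.compare_digest(hotp(blob.secret, candidate), otp):
            blob.event = candidate
            return OK
    return NOT_VERIFIED


def demo() -> list:
    """Walk through sync, replay and out-of-window cases; returns the codes."""
    secret = b"12345678901234567890"  # constructed: RFC 4226 test-vector secret
    blob = HostBlob(secret=secret, event=0)
    token = Token(secret=secret, event=1)

    skipped = token.generate()   # event 1, never presented to the host
    token.generate()             # event 2, also unused
    current = token.generate()   # event 3

    results = []
    results.append(validate_otp(blob, current))   # gap of 3 within window -> OK
    results.append(blob.event)                    # host now stores event 3
    results.append(validate_otp(blob, current))   # replay -> NOT_VERIFIED, not 201
    results.append(validate_otp(blob, skipped))   # older unused OTP -> NOT_VERIFIED

    token.event = blob.event + EVENT_WINDOW + 1   # authenticator drifted past window
    results.append(validate_otp(blob, token.generate()))  # out of window -> NOT_VERIFIED
    return results
```

Running `demo()` shows the three cases the page describes: a password ahead of the host within the window is accepted and closes the gap; the same password presented again is rejected, but only as "not verified" because the search never revisits past events; and a gap larger than `EventWindow` is rejected until the window is widened or the token is resynchronized by another means.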