One-time password and e-signature generation

As part of the OneSpan authentication product lines, Mobile Authenticator Studio can be used to generate one-time passwords (OTPs) and e-signatures.

Cryptographic application

Mobile Authenticator Studio supports up to eight cryptographic applications for OTP or e-signature generation. A cryptographic application is a set of parameters that defines how authenticator responses are generated. The following parameters determine the setup of a cryptographic application:

• Operating mode

• OTP time step

• Secret type

• Cryptographic algorithm

• Response format

• Response length

• Response check digit

• Host confirmation code

The supported character set for the signature data is:

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ%&'()*+,-./:;<=>?_

SPACE (0x20) is included.

Lowercase characters are automatically converted into uppercase before the signature is processed.

ABcdEF, abcdef, and ABCDEF will produce the same response if used as a data field.

Cryptographic algorithm

The algorithm for OTP or e-signature generation may be either of the following:

• Time-based

  A time seed provided by the device running the app is used to generate OTPs. Time-based authenticators may have a time step of 8*2n, where n can be between 0 and 15 (e.g. from 8 seconds to 3 days).

• Event-based

  A counter is used to generate OTPs. The counter is created by the app and stored on the device.

• Time- and event–based

  A time seed and a counter are used to generate OTPs.

To generate an OTP, the algorithm processes the seed which is encrypted by a cryptographic algorithm based on a secret called authenticator key. Each cryptographic authenticator application can share the same authenticator key, or use its own key.

The following cryptographic algorithms are supported:

• Triple DES

• AES

• OATH

Mobile Authenticator Studio versions prior to 4.0 used odd parity cryptographic keys with a size of 56 or 112 bits. With Mobile Authenticator Studio 4.0, the key size has been increased to 64 or 128 bits.

Check digit and host confirmation code

The generated OTP or e-signature can have between 4 and 16 decimal or hexadecimal characters. A check digit may be added, which increases the OTP length by 1 character.

Mobile Authenticator Studio may sign up to 8 data fields of up to 16 digits each. The supported minimum and maximum data field length is specified in the cryptographic application’s parameter set, which is part of the authenticator's static vector.

In addition to OTP or e-signature generation, Mobile Authenticator Studio also supports host confirmation code (HCC) generation. It is a string of up to 10 decimal or hexadecimal characters which identifies the authentication server. After validating an OTP, the server generates and returns the HCC, which the user can compare with the code displayed on the mobile device. Thus, the user can be sure that the OTP was validated by the correct authentication server.

Score-based authentication

Mobile Authenticator Studio supports the generation of a score-based authenticator response. This score-based response is an authenticator response which includes the status of different device criteria that are grouped in three categories:

• Platform criteria

• User criteria

• Context criteria

The platform criteria are linked to the platform that hosts the Mobile Authenticator Studio authenticator. These criteria could be the jailbreak, rooting status, or the platform’s current version. The value of the rooting status criteria is set to 1 if the device is rooted. The value of the minimum version criteria is set to 1 if the application is running on a platform with a lower version than the expected minimum version.

The user criteria are linked to the person using Mobile Authenticator Studio. These criteria are the password protection status which can be either Enabled or Disabled. The value of the criteria is set to 1 if the authenticator is not password-protected.

The context criteria are linked to the current usage of the Mobile Authenticator Studio authenticator. These criteria are the usage data of the application that is used from one of the authorized geographical zones defined in the application configuration file. The value of the criteria is set to 1 if the device is used outside an authorized zone, or if the access to the geolocation service is not possible. For more information on geolocation, see Appendix: Geolocation.

A timeout can be used to limit the waiting time for an answer, to avoid blocking the authenticator response generation by waiting too long for an answer from the device's geolocation service.

The score determined by Mobile Authenticator Studio is the total score of each criteria category:

score = (platform_criteria_score<<2) + (use_criteria_score<<1) + context_criteria_score

where with n criteria evaluated in a category, the following applies:

1. if ∑_k=0 criteriaValue(k) * criteriaWeight(k) ≤ categoryThreshold

2.   category_score = 0

3. else

4.   category_score = 1

Each criteria category is weighted by its own threshold.

Below are two examples of weighted criteria and the corresponding values. The criteria used in these examples are:

• Two criteria in the Platform category

• One criterion in the User category

• One criterion in the Context category

These criteria are weighted as follows:

• 40% to criterion 1 in the Platform category

• 60% to criterion 2 in the Platform category

• 70% to the criterion in the User category

• 100% to the criterion in the Context category

Once calculated, the value of the score is embedded in the generated authenticator response. It is retrieved on the server-side through a dedicated return code of the response validation function of OneSpan Authentication Server Framework.

The validation of the score-based response requires OneSpan Authentication Server Framework as of version 3.14.