Host codes

If the client component requests a host code and the authenticator is capable of generating one, then OneSpan Authentication Server will generate a host code and the application will display it to the user. The user generates a host code on the authenticator and verifies that it is the same as the one on the screen.

Host code generation and usage

An authenticator host code is computed as follows:

1. The authenticator generates a OTP and splits it into two parts. The first part is used for end-user authentication. The second part is the host code and is used for server authentication.
2. The end user sends the first part to the server as proof of identity and keeps the second part secret.
3. The server verifies the OTP for end-user authentication. If valid, the end user is authenticated to the server. The server then computes the second part of the OTP, i.e. the host code.
4. The server sends the host code to the end user, who verifies (visually) whether it matches the host code generated by the authenticator.

Host code generation is passed as a parameter in the authentication request. This parameter has two options:

• Optional. Return a host code only if the authenticator is host code–capable.
• Required. The authenticator must be host code–capable or the request will fail.