Multi-device licensing
  • 23 Jan 2025

With the multi-device licensing model, each Digipass serial number corresponds to a unique Digipass license. The representation of a Digipass license for a serial number on the server side is a master activation application BLOB.

The master activation application is a particular authenticator application acting as a Digipass license.

One Digipass license allows several Digipass authenticator instances to be instantiated, all bound to the same Digipass serial number license. The number of instances that can be activated for each Digipass license is limited to a predefined threshold configured by OneSpan at the time of order (from 1 to 99).

With the multi-device licensing model and the one-to-one relationship between a user account and a Digipass serial number license, a user account can optionally be bound to several Digipass authenticator instances.

For Digipass devices compliant with the multi-device licensing model, the corresponding DPX files contain Digipass master activation applications (one for each serial number) that act as the Digipass licenses.

Each Digipass license has one Digipass master activation application represented on the server side by a Digipass master activation application BLOB for each serial number license.

The generation of the Digipass authenticator instance(s) for a particular license will be performed by Authentication Suite Server SDK during a multi-device activation process.

Each Digipass authenticator instance can have from 1 to 8 authenticator applications (authentication, e-signature or unlock application), configured by OneSpan at the time of order and represented on the server side by a Digipass Instance Application BLOB for each application of each instance.

Figure: Conceptual data model with multi-device licensing model shows a conceptual data model suitable for a multi-device licensing model.

Figure: Conceptual data model with multi-device licensing model

Extraction of the Digipass authenticators from the DPX file

For DPX files for Digipass devices based on the multi-device licensing model, the following data will be extracted during the import process for each Digipass serial number in the DPX file:

  • The Digipass master activation type (informational type name given to the license authenticator)
  • One Digipass master activation application name (application names given to the license activation application)
  • One Digipass master activation application authentication mode (always MA)
  • One Digipass master activation application BLOB (acting as the license)
  • The activation vector (a data string containing license-specific encrypted activation data necessary for the activation process)
  • The sequence number threshold (a number from 1 to 99 indicating the number of instances which can be activated with the license; configured by OneSpan at the time of order)

For DPX files for Digipass authenticators (hardware or software) based on the multi-device licensing model, additional data is present and must first be extracted from the DPX file during the import process:

  • The static vector (data string containing parameter settings common for all the licenses in the DPX file necessary for the activation process)
  • The message vector (data string containing configuration settings for the messages that will be generated by Authentication Suite Server SDK for the activation process and the optional Secure Channel process)

Generation of the Secure Channel payload key for a Digipass license

The Secure Channel feature, optionally applicable after the activation of a Digipass instance, protects the messages exchanged between the server and the client (applicable only to Digipass devices able to perform operations based on the Secure Channel protocol).

The Secure Channel will be usable only if the Secure Channel feature has been ordered (configured by OneSpan at the time of order).

If the Secure Channel feature has been ordered, a payload key, represented on the server side by a payload key BLOB, must be provisioned during the activation process.

In this case, a payload key BLOB must first be generated, once for each Digipass serial number license. The different Digipass instances activated from one Digipass serial number license must use the same payload key BLOB to be provisioned with the same payload key.

The generation of the payload key BLOB for a particular license in the context of the multi-device licensing will be performed by Authentication Suite Server SDK.

See Digipass Multi-Device Activation Service for more information on the provisioning of the Secure Channel payload key during the multi-device activation process.

See Digipass Secure Channel Service for more information on the Secure Channel.

Generation of the Digipass instances from a Digipass license

Each imported license allows several Digipass authenticator instances to be instantiated, all bound to the same Digipass serial number license (from 1 to 99; configured by OneSpan at the time of order).

The generation of the Digipass authenticator instance(s) for a particular license in the context of the multi-device licensing will be performed by Authentication Suite Server SDK during the multi-device activation process.

The following data will be extracted for each new instance generated for a specific Digipass serial number:

  • The Digipass instance sequence number (number from 1 to 99 indicating the sequence number of the instance generated)
  • The Digipass instance type (informational type name given to the instance)
  • Up to eight Digipass instance application names (application names given to the instance applications, ending with two decimal digits equal to the sequence number, e.g. APPL1 03)
  • Up to eight Digipass instance application authentication modes (RO, CR, SG, MM, or UL)
  • Up to eight Digipass instance application BLOBs
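
The constraints above can be checked on the server side before the records of a newly generated instance are stored. The following is an added example, not code from Authentication Suite Server SDK: the record types, field names and sample values are hypothetical, and it assumes that instance sequence numbers run from 1 up to the license threshold and that the application name suffix is its last two characters.

```python
from dataclasses import dataclass

INSTANCE_MODES = {"RO", "CR", "SG", "MM", "UL"}  # instance modes listed on this page

@dataclass
class License:                 # hypothetical record for one serial number
    serial: str
    master_mode: str           # always "MA" for the master activation application
    threshold: int             # 1..99, configured at the time of order

@dataclass
class InstanceApp:             # hypothetical record for one instance application
    name: str                  # e.g. "APPL1 03"
    mode: str
    blob: bytes                # opaque Digipass Instance Application BLOB

def check_instance(lic, seq, apps):
    """Return the list of violations for instance `seq` of license `lic`."""
    errors = []
    if lic.master_mode != "MA":
        errors.append("master activation application mode is not MA")
    if not 1 <= lic.threshold <= 99:
        errors.append("threshold outside 1..99")
    if not 1 <= seq <= min(lic.threshold, 99):
        errors.append(f"sequence number {seq} not allowed by threshold {lic.threshold}")
    if not 1 <= len(apps) <= 8:
        errors.append(f"{len(apps)} applications, expected 1 to 8")
    for app in apps:
        if app.name[-2:] != f"{seq:02d}":
            errors.append(f"{app.name!r} does not end with {seq:02d}")
        if app.mode not in INSTANCE_MODES:
            errors.append(f"{app.name!r} has unexpected mode {app.mode!r}")
        if not app.blob:
            errors.append(f"{app.name!r} has an empty BLOB")
    return errors

# Constructed sample data (placeholder serial number and BLOB bytes).
LIC = License(serial="SERIAL-PLACEHOLDER", master_mode="MA", threshold=5)
GOOD = [InstanceApp("APPL1 03", "RO", b"\x00"), InstanceApp("APPL2 03", "SG", b"\x00")]
BAD = [InstanceApp("APPL1 02", "MA", b"\x00")]

if __name__ == "__main__":
    print(check_instance(LIC, 3, GOOD))   # consistent instance
    print(check_instance(LIC, 6, GOOD))   # beyond the licensed threshold
    print(check_instance(LIC, 3, BAD))    # wrong suffix and a master-only mode
```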
