Version 3.24 (July 2023)

In previous versions, the grace period of an authenticator instance ended automatically only if a successful OTP authentication happened.

Beginning with 3.24, the grace period also expires automatically after a successful multi-device licensing (MDL) activation, either using an OTP or a signature validation, since this indicates a properly working and activated authenticator as well.

In previous versions, OneSpan Authentication Server Appliance ignored scoring information in authenticator responses. That means that OTP values with score warning were gracefully accepted.

Beginning with 3.24, OneSpan Authentication Server Appliance evaluates scoring information in authenticator responses. If OneSpan Authentication Server Appliance detects a score warning, it will reject the OTP (even an otherwise valid one). You can detect such cases in the error stack information included in the respective audit message, e.g. "{Error Code: '(-140)' ; Error Message: 'Serial VDS1010000-1 Application APP 1 RO OTP Incorrect - Operation Successful with Platform & User Warning'}".

In previous versions, OneSpan Authentication Server Appliance uses only one connection to the Message Delivery Component (MDC) service to submit message delivery requests. Each request is queued and processed one after another. This means that later requests can take quite long to be processed if the single connection is blocked by a previous request.

OneSpan Authentication Server Appliance now uses a connection pool, i.e. a number of concurrent connections to the Message Delivery Component (MDC) server. Each connection is used to handle one message delivery and will be closed when completed. If a message is taking longer to deliver, e.g. because the respective gateway is unresponsive, another connection is opened to process the next message, until all connections are in use.

To make performance investigations easier and to help tracking issues, OneSpan Authentication Server Appliance captures the elapsed time of specific (SOAP) operations. The elapsed time is added to the audit message record of the respective operation. The Elapsed time audit message field is only visible in the Audit Viewer application.

Note that you do not need to enable performance monitoring to capture the elapsed time, but only the following audit messages will include it:

In previous versions of OneSpan Authentication Server Appliance, with Active Directory back-end authentication enabled, every authentication request would trigger a DNS lookup. For example, 10 authentications per second would lead to 10 DNS queries in the same period. This behavior caused unnecessary latency and was error-prone.

Starting with OneSpan Authentication Server Appliance 3.24, DNS responses are cached for 5 minutes, resulting in slightly faster authentication and more tolerance for DNS failures.

For OTP-based authentications, clock synchronization is vitally important. An out-of-sync clock or a slowly drifting clock can cause widespread authentication failures.

OneSpan Authentication Server Appliance now has monitoring built in and will warn in case of clock synchronization issues. The time offset to the user-supplied NTP servers is checked once per hour. If no synchronization partner is found for 5 attempts in a row, or if all synchronization peers are off by more than 30 seconds, a warning is displayed on the dashboard.

In the Configuration Tool and the Administration Web Interface, there are now links in the top right corner to easily switch between both interfaces.

The link in the Administration Web Interface is only visible for administrators that have the Appliance Administration privilege. The link in the Configuration Tool is always visible.

If share IAS Web Administration Session is enabled (or a login is active), the link will redirect you to the home page of the other tool. If this feature is not enabled, the login page of the other tool will be displayed.

Description: The Message Delivery Component (MDC) default settings for the OneSpan gateways to relay SMS and push notifications are outdated. The respective DNS names will become unavailable in the future. Moreover, the documentation lists outdated or incorrect values in different sections.

Affects: OneSpan Authentication Server Appliance 3.17–3.23

Status: This issue has been fixed. The default values are now set correctly during initial setups and corrected during upgrades if required, respectively. The occurrences in the documentation have been updated.

Description: In some cases, the Message Delivery Component (MDC) attempts to send emails that violate SMTP line ending rules by using a bare line feed (LF). This behavior can cause SMTP gateways to reject such messages.

Status: This issue has been fixed. MDC now always uses CR/LF line ending for SMTP messages.

Description: The following documents contain incorrect information about license-related CPU and memory limitations:

• OneSpan Authentication Server Virtual Appliance VMware vSphere Guest Installation Guide

• OneSpan Authentication Server Virtual Appliance Citrix XenServer Guest Installation Guide

The described limitations no longer exist.

Status: The documentation has been updated.

Description: The documentation contains a warning note, which recommends that you set up SSL for connections between OneSpan Authentication Server Appliance and Active Directory back-end servers.

This recommendation is obsolete, since you need to set up and use SSL for connections between OneSpan Authentication Server Appliance and the Active Directory back-end server. Unencrypted connections to an Active Directory back-end server do not work reliably (if at all), unless you have a very old and specially configured version of Windows Server.

OneSpan Authentication Server Appliance does not officially support unencrypted connections to Active Directory via LDAP!

Status: The documentation has been updated. The note text has been rephrased to explicitly require SSL for Active Directory connections. The option to disable SSL for Active Directory back-end connections is deprecated and will be removed in a future version of OneSpan Authentication Server Appliance.

Description: In environments where offline authentications are handled and OneSpan Authentication Server Appliance replication is enabled, the memory and CPU load can increase tremendously under certain circumstances. Authentication requests are properly processed and the replication connections remain active, but replication is not processed fast enough and the replication queue keeps increasing.

Status: This issue has been fixed.

Description: In environments where Stored Password Proxy is set to No and Back-End Authentication is set to Always in the effective policy, provisioning fails even with correct credentials. In such scenarios, the static password and a valid one-time password (OTP) are required as a combined input for the password field. Although the OTP is verified successfully, the static password is not correctly extracted from the combined input. The subsequent back-end authentication fails.

Affects: OneSpan Authentication Server Appliance 3.23

Status: This issue has been fixed.

Description: Sometimes, when the Message Delivery Component (MDC) service attempts to send a message via a push notification gateway, that external gateway can take long to respond (up to several minutes). During this period, OneSpan Authentication Server keeps the related connection to the database alive, thus blocking valuable resources. Under some circumstances, this behavior can yield issues when the database connections are released later.

Affects: OneSpan Authentication Server Appliance 3.18–3.23

Status: This issue has been fixed. The storage subsystem handling has been improved to allow more efficient resource usage. The request-related database connections are released and become available for other threads, while push notifications are being sent.

Description: In some circumstances, the performance can decrease drastically when OneSpan Authentication Server has connection issues with a slow LDAP back-end server and the number of transactions is still increasing. Because resource sharing between threads is handled incorrectly in this case, all threads used for LDAP back-end communication get blocked. In the worst case, this can lead to authentication failures.

Affects: OneSpan Authentication Server Appliance 3.18–3.23

Status: This issue has been fixed.

Description: Some local time zones, e.g. Cairo time, do not observe daylight saving time.

Status: This issue has been fixed. Time zone data has been updated, and time zones will be correctly observed for a little while longer.

Description: OneSpan Authentication Server settings (e.g. tracing or provisioning settings) are usually updated without restarting the IDENTIKEY Authentication Server service. However, for systems that are continually very busy, these configuration requests can take a very long time. This might cause the browser to time out, which makes it impossible to change the settings.

Affects: OneSpan Authentication Server Appliance environments that continuously experience high load, and where OneSpan Authentication Server settings are changed.

Status: This issue has been fixed. If OneSpan Authentication Server settings are updated and the IDENTIKEY Authentication Server service has not processed the request for 20 seconds, the service will be restarted. With this, it is always possible to update OneSpan Authentication Server settings also on high-load systems.

Description: The OneSpan Authentication Server Appliance Administrator Reference contains incorrect information about the supported SSL cipher suites.

Status: The documentation has been updated.

Description: By default, OneSpan Authentication Server Appliance scans for new audit logs once per minute. A maximum number of 1000 logs are copied per attempt.If a large backlog of audit messages is found, fast-copy mode is triggered to synchronize both OneSpan Authentication Server Appliance instances as fast as possible without causing performance issues.

Due to a bug, fast-copy is not always activated. For customers with a great number of logs, a brief outage would result in an unsurmountable backlog that would take days or weeks to sync.

Status: This issue has been fixed. The fast-copy mode is now triggered correctly, and audit copying will replicate messages as fast as the system alows.

Description: According to the OneSpan Authentication Server Appliance documentation, the highest administrator level is 255. For OneSpan Authentication Server Appliance, administrator levels above 100 are reserved, with 100 being the highest administrator level that a customer can assign.

Status: The documentation has been updated.

Description: The following documents have been updated and rebranded:

• OneSpan Authentication Server Virtual Appliance Microsoft Hyper-V Guest Installation Guide

• OneSpan Authentication Server Virtual Appliance VMware Workstation Guest Installation Guide

• OneSpan Authentication Server Virtual Appliance VMware vSphere Guest Installation Guide

• OneSpan Authentication Server Virtual Appliance Citrix XenServer Guest Installation Guide