- 23 Oct 2024
- 2 minutes to read
Online activation
During the online activation, the Mobile Authenticator Studio application automatically connects to the server that provides the activation service, and requests the activation data.
The application may use a registration identifier by which end users are identified on the server. Based on this identifier, the server delivers the corresponding activation data, which consists of the configuration data (static vector), the authenticator license (serial number), and the key of the authenticator (activation code). The identifier needs to be an alphanumeric ASCII string of up to 40 characters.
Online registration request
The registration identifier is generated and managed by the Mobile Authenticator Studio integrator. It is stored persistently in the authenticator application storage and cannot be changed.
To prevent activation data from being delivered to the wrong user, the registration identifier can be combined with an authorization code. The combination of authorization code and registration identifier ensures that the authenticator data is delivered to the correct user. The authorization code needs to be a string of up to 40 characters.
The authorization code can contain all the ASCII characters between 0x20 (SPACE) and 0x7E (~).
The authorization code is configured in the online activation section of the Mobile Authenticator Studio configuration file. To increase security during the delivery process, the activation data is protected by an encryption protocol based on the activation password (customer historical secret), that is, a secret shared between the server and the end user. Using the authorization code for data delivery is optional.
To avoid typing errors, the authorization code and activation password can use a checksum based on a Luhn-10 algorithm and can be generated using the Digipass Software Advanced Provisioning Protocol (DSAPP) library. This library is part of the Mobile Authenticator Studio integration sample. For each data item, the DSAPP library can generate a numeric or alphanumeric, case-sensitive or case-insensitive character string with or without checksum.
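As an added illustration of the Luhn-10 checksum the paragraph mentions (example code written for this page, not the DSAPP library's own implementation), the Go program below appends the check digit to a numeric code and validates what an end user typed back. It covers numeric strings only; how DSAPP maps alphanumeric or case-insensitive strings onto a checksum is not described here and is left out. The sample payload is constructed, and the function names are the example's own.

```go
package main

import "fmt"

// luhnSum returns the Luhn-10 weighted sum of a digit string. Digits are taken
// from the right; with doubleRightmost true the rightmost digit is doubled
// (a payload without check digit), otherwise the second from the right is
// (a full string carrying its check digit). Doubled digits above 9 have 9 subtracted.
func luhnSum(digits string, doubleRightmost bool) (int, error) {
	sum, double := 0, doubleRightmost
	for i := len(digits) - 1; i >= 0; i-- {
		c := digits[i]
		if c < '0' || c > '9' {
			return 0, fmt.Errorf("character %q at index %d is not a digit", c, i)
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum, nil
}

// AppendChecksum returns payload with its Luhn-10 check digit appended, the
// form in which a numeric authorization code or activation password would be
// handed to the end user.
func AppendChecksum(payload string) (string, error) {
	if payload == "" {
		return "", fmt.Errorf("empty payload")
	}
	sum, err := luhnSum(payload, true)
	if err != nil {
		return "", err
	}
	return payload + string(rune('0'+(10-sum%10)%10)), nil
}

// Validate reports whether a typed-in string (payload plus check digit) passes
// the Luhn-10 check. Any single wrong digit and any swap of two adjacent digits
// (other than 09/90) changes the weighted sum, so such typing errors are caught
// before the code is ever sent to the server.
func Validate(code string) (bool, error) {
	if len(code) < 2 {
		return false, fmt.Errorf("code too short to carry a check digit")
	}
	sum, err := luhnSum(code, false)
	if err != nil {
		return false, err
	}
	return sum%10 == 0, nil
}

func main() {
	// Constructed sample payload; a real one would come from the DSAPP library.
	code, _ := AppendChecksum("7992739871")
	fmt.Println("issued:", code) // 79927398713
	// The issued code, an adjacent-digit swap, and a single wrong digit.
	for _, typed := range []string{code, "79927398731", "79927398718"} {
		ok, err := Validate(typed)
		fmt.Printf("typed %s -> valid=%v err=%v\n", typed, ok, err)
	}
}
```

Validate rejects a non-digit outright rather than treating it as a failed checksum, so the caller can distinguish "not a numeric code at all" from "mistyped digit".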
The registration identifier, the authorization code, and the activation code can be delivered in text format, for the end user to type into Mobile Authenticator Studio manually, or in image format, for the end user to scan with the Mobile Authenticator Studio app. A device unique identifier can be added to the online request to check whether the end user installs the Mobile Authenticator Studio application on the same device or on a new one. The presence of the device identifier in the request is indicated by the device identifier mask in the URL that is set in the application configuration file. For more information about how to send the device unique identifier to the provisioning server, refer to the Mobile Authenticator Studio Integration Guide.
Advanced encryption
The advanced encryption protocol uses an encryption key based on a Diffie-Hellman shared secret, which the server and the application each derive from their own private key and the public key of the other party. Key pairs are generated for ECDH on the NIST P-256 curve.
Online activation with advanced encryption
The activation data is generated by Authentication Server Framework. The server key pair generation, the decryption of the client public key, the session key derivation, and the encryption of the activation data are managed by the DSAPP library. For more information about how to integrate the advanced provisioning protocol with Mobile Authenticator Studio, refer to the Mobile Authenticator Studio Integration Guide and the Mobile Authenticator Studio Integration Samples Specification.
If the activation password is incorrect, an error message will be displayed, and Mobile Authenticator Studio will not be activated.
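The exchange described in the advanced encryption section, as an added example in Go that is not the DSAPP library's or Authentication Server Framework's code: both sides generate NIST P-256 key pairs with the standard library's crypto/ecdh, the app sends its public key wrapped under a key derived from the activation password, the server unwraps it, runs ECDH, derives the session key and returns the activation data encrypted with AES-256-GCM, and the app derives the same session key to recover the static vector, serial number and activation code. The key derivation (SHA-256 over a label and the secret, for both the wrapping key and the session key), the AES-GCM wrapping, the labels and the function names are assumptions made for this example; the page does not describe DSAPP's actual constructions. When the two sides hold different activation passwords, the server cannot decrypt the client public key and RunActivation returns an error, which is the failure case of the last paragraph.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// kdf is a simplified single-step key derivation, SHA-256(label || secret). It is
// used for the session key and, as an ASSUMPTION (the page does not describe
// DSAPP's scheme), for the wrapping key derived from the activation password.
func kdf(label string, secret []byte) []byte {
	sum := sha256.Sum256(append([]byte(label), secret...))
	return sum[:]
}

// newGCM builds an AES-256-GCM AEAD for a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key and prefixes the random 12-byte nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; the GCM tag check rejects a wrong key or tampered data.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// serverResponse unwraps the client public key with the server's copy of the
// password, generates the server key pair, derives the session key from the
// ECDH shared secret and encrypts the activation data under it.
func serverResponse(password string, wrappedClientPub, activationData []byte) (*ecdh.PublicKey, []byte, error) {
	clientPubBytes, err := open(kdf("activation-password-wrap:", []byte(password)), wrappedClientPub)
	if err != nil {
		return nil, nil, errors.New("cannot decrypt client public key: " + err.Error())
	}
	clientPub, err := ecdh.P256().NewPublicKey(clientPubBytes)
	if err != nil {
		return nil, nil, err
	}
	serverPriv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	shared, err := serverPriv.ECDH(clientPub)
	if err != nil {
		return nil, nil, err
	}
	sealed, err := seal(kdf("activation-session:", shared), activationData)
	return serverPriv.PublicKey(), sealed, err
}

// RunActivation plays the app side: generate a P-256 key pair, send the public
// key wrapped under the typed activation password, then derive the same session
// key from the server public key and recover the activation data.
func RunActivation(clientPassword, serverPassword string, activationData []byte) ([]byte, error) {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kdf("activation-password-wrap:", []byte(clientPassword)), priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	serverPub, sealed, err := serverResponse(serverPassword, wrapped, activationData)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(serverPub)
	if err != nil {
		return nil, err
	}
	return open(kdf("activation-session:", shared), sealed)
}
```

Calling RunActivation("s3cret", "s3cret", data) returns data unchanged, while RunActivation("s3cret", "wr0ng", data) fails at the server's unwrap step: the GCM tag does not verify under a key derived from a different password, so no activation data is ever produced for a mismatched password.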