- 03 Jan 2025
Secure Channel
- Updated on 03 Jan 2025
Secure Channel is an optional feature applicable to authenticators compliant with the multi-device activation process (in the context of multi-device licensing). The optional use of secure channels after an authenticator instance has been activated protects the messages that are exchanged between the server side and the client side.
The secure channel will be usable only if the Secure Channel feature has been ordered from and configured by OneSpan at the time of order.
The Secure Channel feature applies a new protocol that uses payload keys to protect the confidentiality and authenticity of the message's payload. A single master payload key is shared among all authenticator instances linked to a certain authenticator license, enabling the end user to transparently use multiple authenticators to answer the transaction request message.
The Secure Channel feature requires a payload key to be provisioned; on the server side, this key is represented by a payload key BLOB. A payload key must first be generated, once for each authenticator license. The different authenticator instances activated from one authenticator license must share the same payload key. After activation, the payload key protects the request and deactivation messages exchanged between the server and the client devices that have been activated using a particular authenticator license (for a particular user account).
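The shared payload key model described above can be illustrated with a short sketch. This is an added example, not OneSpan code and not the Secure Channel protocol itself: AES-256-GCM is an assumed stand-in for the payload protection, and every function name, the license identifier and the sample message are hypothetical.

```javascript
// Added illustration, not OneSpan's protocol: AES-256-GCM stands in for the
// payload protection. All names and values here are hypothetical.
const crypto = require('node:crypto');

// Server side: one payload key is generated once per authenticator license.
function generatePayloadKey() {
  return crypto.randomBytes(32);
}

// Server side: seal a request message. The license identifier is passed as
// associated data (an assumption), so it is authenticated with the payload.
function sealRequest(payloadKey, licenseId, plaintext) {
  const iv = crypto.randomBytes(12); // must be unique per message under one key
  const cipher = crypto.createCipheriv('aes-256-gcm', payloadKey, iv);
  cipher.setAAD(Buffer.from(licenseId, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]); // iv | tag | ciphertext
}

// Client side: any authenticator instance holding the license's payload key
// can open the message. Returns null when authentication fails.
function openRequest(payloadKey, licenseId, message) {
  if (message.length < 28) return null; // too short to hold iv + tag
  const iv = message.subarray(0, 12);
  const tag = message.subarray(12, 28);
  const body = message.subarray(28);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', payloadKey, iv);
    decipher.setAAD(Buffer.from(licenseId, 'utf8'));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // wrong key, wrong license, or modified message
  }
}

// Constructed sample data: two instances of one license, one foreign key.
function demo() {
  const key = generatePayloadKey();
  const msg = sealRequest(key, 'LICENSE-A', 'pay 100 EUR to ACME');
  const tampered = Buffer.from(msg);
  tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
  return {
    phone: openRequest(key, 'LICENSE-A', msg),
    tablet: openRequest(key, 'LICENSE-A', msg), // second instance, same key
    tampered: openRequest(key, 'LICENSE-A', tampered),
    otherLicense: openRequest(generatePayloadKey(), 'LICENSE-B', msg),
  };
}
```

Both instances recover the request because they hold the same payload key, while a modified message or a key from a different license is rejected.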
The parameters used to generate the request body for Secure Channel messages can be configured via the POLICIES > Secure Channel tab of the Administration Web Interface.
If Secure Channel has not been ordered, OneSpan Authentication Server will not generate and provision any payload key.
Secure Channel–based authentication
The authentication transaction process via Secure Channel is as follows:
- OneSpan Authentication Server generates a request message, based on the transaction details provided via the client application or a custom request body, and delivers it to the client application. The request message is generated by OneSpan Authentication Server upon the Get Secure Challenge and Get Signing Request commands and is bound to the authenticator selected for the relevant transaction.
- The client application generates either a QR code or a color QR code, which represents this request message, and delivers it to the end user.
- The user scans this image, using an authenticator that complies with Secure Channel.
- The authenticator generates a response for this request message, which the end user enters into the client application.
- OneSpan Authentication Server validates this response and returns the result to the client application, which completes the signature authentication process.