- 23 Jan 2025
- 3 minutes to read
Software Digipass Activation Service
Description
The Software Digipass Activation Service performs the standard (one-step) activation of compliant Digipass authenticators in offline or online mode. When a software authenticator is activated, settings and secrets are written into it.
Standard software Digipass activation is a different process from Digipass multi-device activation. It requires compliant software Digipass devices and compliant DPX files (in the context of single-device licensing; for more information, refer to Single-device licensing).
The settings include the static vector and the serial number suffix, which is part of the Digipass serial number. The encrypted Digipass secret is called the activation code. The concatenation of the static vector, the serial number suffix, and the activation code constitutes the full activation data (FAD).
Because this data carries the authenticator secret, it is encrypted whenever it may be transmitted over an insecure connection. The encrypted form is referred to as encrypted full activation data (XFAD).
The Software Digipass Activation Service provides two modes to generate data for software Digipass:
- Offline mode: the activation code is generated and sent to the end user, for example by e-mail, who enters it manually into the authenticator.
- Online mode: the full activation data is generated and pushed to the authenticator without user involvement.
The activation data is the concatenation of:
- the secret with one or two levels of encryption
- the authenticator parameter settings
- the authenticator serial number suffix (optional)
Consequently, the data the software Digipass receives can take one of the following forms:
- the activation code in an offline activation
- the activation code and the Digipass serial number (e.g. activation with OneSpan Authentication Server)
- the full activation data with online activation (e.g. Digipass for Web activation)
For offline activation, it is also possible to use the software Digipass offline activation data (activation codes) generated and supplied by OneSpan together with the software Digipass DPX files. In that case the Authentication Suite Server SDK is not involved in the provisioning process, and the Software Digipass Activation Service is not used.
The function AAL2GenActivationCodeEx generates [X]FAD (or the [encrypted] activation code).
Software Digipass event counter synchronization
Software authenticators can also be reactivated. When a software Digipass is activated or reactivated, settings and secrets are written into the Digipass (the settings are the same data described above). For event-based software Digipass authenticators, reactivation requires synchronizing the event counter between the server and the client: a reactivated authenticator that restarts its counter from zero no longer matches the counter the server expects.
The event reactivation counter (ERC) synchronizes the client's event counter with the server's. For online reactivation the counter is encrypted; the encrypted counter is referred to as the encrypted event reactivation counter (XERC).
The function AAL2GenActivationCodeXErc extends AAL2GenActivationCodeEx: in addition to the [X]FAD (or [encrypted] activation code) it generates the XERC (or ERC) that allows event counter synchronization when a software Digipass is reactivated. It can also be used for the first activation.
Since VACMAN Controller 3.11.1.0, AAL2GenActivationCodeEx is deprecated. OneSpan recommends AAL2GenActivationCodeXErc for both first activation and reactivation of software Digipass.
Software Digipass activation with random key generation
Since VACMAN Controller 3.11.2, the Software Digipass Activation Service can generate software Digipass activation data (FAD, XFAD, or [encrypted] activation code, plus XERC or ERC) with a random key for the software Digipass being activated or reactivated. The generated [encrypted] activation code (or [X]FAD) is bound to the new software Digipass key, and the resulting authenticator application BLOBs are updated with the new key.
The function AAL2GenActivationDataRndKey generates [X]FAD (or [encrypted] activation code) with random keys generated on the fly during the function call. It also generates XERC (or ERC).
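The following model, added here as an illustration and not taken from OneSpan's SDK, shows why the reactivation section above requires an event reactivation counter and what random key generation adds on top of it. HOTP (RFC 4226) stands in for the proprietary Digipass event-based algorithm, the dict returned by activation_data() stands in for the FAD (the XFAD encryption step is not modelled), and TokenServer, SoftwareToken and reactivation_outcome are hypothetical names. It plays through four reactivations: with and without an ERC, with and without a fresh random key.

```python
"""Event-counter resynchronization and key rotation on software token reactivation.

Added illustration, not OneSpan code: HOTP (RFC 4226) stands in for the
proprietary Digipass event-based algorithm, the dict returned by
activation_data() stands in for the FAD (no XFAD-style encryption is modelled),
and TokenServer / SoftwareToken / reactivation_outcome are hypothetical names.
"""
import hashlib
import hmac
import secrets
import struct

RFC4226_SECRET = b"12345678901234567890"   # key used by the RFC 4226 test vectors


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenServer:
    """Server side: holds the token secret and the next event counter it will accept."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.counter = 0        # next counter value the server accepts
        self.window = window    # look-ahead for OTPs generated but never submitted

    def verify(self, otp: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), otp):
                self.counter = c + 1    # move past the accepted value so it cannot be replayed
                return True
        return False

    def activation_data(self, with_erc: bool = False, new_key: bool = False) -> dict:
        """Stand-in for FAD: the secret plus settings, optionally the ERC.

        new_key models random-key activation: the server draws a fresh key and
        updates its own record before handing the activation data out.
        """
        if new_key:
            self.secret = secrets.token_bytes(20)
        data = {"secret": self.secret, "digits": 6}
        if with_erc:
            data["erc"] = self.counter   # the counter the client must resume from
        return data


class SoftwareToken:
    """Client side: a freshly (re)activated app has no memory of earlier presses."""

    def __init__(self, activation: dict):
        self.secret = activation["secret"]
        self.digits = activation["digits"]
        self.counter = activation.get("erc", 0)   # no ERC -> counting starts again at 0

    def press(self) -> str:
        otp = hotp(self.secret, self.counter, self.digits)
        self.counter += 1
        return otp


def reactivation_outcome(with_erc: bool, new_key: bool = False,
                         presses_before: int = 25) -> dict:
    """Activate a token, use it, reactivate it, and report what still verifies.

    new_token_ok:   the first OTP from the reactivated app verifies.
    stale_token_ok: a stale copy of the old activation state (e.g. a cloned
                    device backup) still logs in within a few presses.
    """
    server = TokenServer(b"constructed-demo-secret-for-first-activation")
    token = SoftwareToken(server.activation_data())          # first activation, ERC not needed
    for _ in range(presses_before):
        if not server.verify(token.press()):
            raise RuntimeError("an in-sync token must verify")
    stale = token                                            # state left behind on the old device
    fresh = SoftwareToken(server.activation_data(with_erc=with_erc, new_key=new_key))
    new_ok = server.verify(fresh.press())
    stale_ok = any(server.verify(stale.press()) for _ in range(3))
    return {"new_token_ok": new_ok, "stale_token_ok": stale_ok}
```

Read against the page: on first activation the ERC is optional because both sides start at zero anyway; on reactivation of an event-based token it is mandatory, because without it the reactivated app is out of the server's acceptance window while any stale copy of the old state keeps working. Regenerating the key (the AAL2GenActivationDataRndKey case) is what invalidates that stale copy; the ERC alone only brings the new app back in sync. In a real deployment the activation data is the concatenation described above and is transported as XFAD/XERC, so the secret and counter shown here in the clear would be encrypted on the wire.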
Functionalities
The Software Digipass Activation Service relies on the software Digipass activation data generation functionalities.
Workflows
Online activation workflow
Regarding XFAD and XERC in Figure: Software Digipass online activation workflow example: generating and using an encrypted event reactivation counter (XERC) is optional for the first activation and mandatory for reactivation of event-based software Digipass authenticators.
Offline activation workflow
Regarding ERC in Figure: Software Digipass offline activation workflow example: generating and using an event reactivation counter (ERC) is optional for the first activation and mandatory for reactivation of event-based software Digipass authenticators.