Multi-device license activation
- Updated on 15 Nov 2024
Unlike the activation of a standard license in the Mobile Authenticator Studio app, the activation of a multi-device license follows a two-step process: first the authenticator license is activated, then the authenticator account (i.e., an instance of the authenticator). This feature is supported by server solutions using Authentication Server Framework as of version 3.13.
The activation messages are transferred from the server hosting Authentication Server Framework to Mobile Authenticator Studio as a QR code or a Cronto image. If the device has no camera, no fallback is offered: the user sees a message indicating that the app cannot be used without a camera.
Exchanging activation messages via images
The conversion of the activation messages into images is performed with the OneSpan Image Generator SDK, based on the expected image format. For more information on the Image Generator SDK, refer to the Image Generator SDK Integration Guide.
This activation process is also required, independently of instantiating an authenticator license on several devices, whenever the authenticator's Secure Channel feature is used.
Activate an authenticator
The authenticator activation consists of activating the authenticator license and the authenticator account (i.e., an instance of the authenticator).
License activation:
Activation Message 1 is generated on the server with Authentication Server Framework from the authenticator activation BLOB. This message is identical for every license activation. Activation Message 1 contains the following information:
the license serial number of the authenticator
the license key of the authenticator
(OPTIONAL) the license parameter settings of the authenticator
The parameter settings used by the Mobile Authenticator Studio app to activate the authenticator are taken from the static vector set in the Mobile Authenticator Studio configuration file.
As a result of the license activation, Mobile Authenticator Studio generates a device code that contains the device ID. This ID is a concatenation of device-type information and device-unique data; both are signed with the license key.
The device code must be provided to Authentication Server Framework so that the server side can generate an authenticator account for the device on which the license has been activated. Mobile Authenticator Studio can send the device code directly to a server or, alternatively, display it to the user, who then submits the code to the server manually.
Account activation:
Activation Message 2, generated by Authentication Server Framework, is provided to Mobile Authenticator Studio. This message contains the following information used by Mobile Authenticator Studio:
license serial number of the authenticator
account sequence number of the authenticator
secret key of the authenticator
As a result of the authenticator account activation, Mobile Authenticator Studio generates a MAC signature with the account key of the authenticator. The MAC signature must be provided to Authentication Server Framework so that the server side can confirm that the authenticator account was activated correctly.
If the activation process is interrupted before the authenticator account is activated (i.e., after Activation Message 2 has been scanned or after the PIN has been validated), the license information is not stored, and the dynamic vector associated with the license is destroyed.
In the multi-device licensing mode, an authenticator account cannot be reactivated: Authentication Server Framework generates Activation Message 2 only once. If an authenticator license can no longer be used, it must be replaced by a new one. The number of accounts for each authenticator serial number is limited to 99.
To confirm the authenticator activation to the server in the post-activation process, a Secure Channel app must be defined in the Mobile Authenticator Studio Parameter Sheet.
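The two-step exchange above, modeled as an added example that is not OneSpan's code or wire format: the page names the message contents but not the algorithms, so HMAC-SHA256, the field layout and the class interfaces are assumptions, used only to show how the device code is bound to the license key, why Activation Message 2 is issued once per device, and how the 99-account limit applies.

```python
import hmac, hashlib, secrets

MAX_ACCOUNTS = 99  # per license serial number, as stated on the page

def mac(key, *parts):
    # Assumed primitive: HMAC-SHA256 over the '|'-joined fields.
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class ActivationServer:
    """Stands in for Authentication Server Framework (assumed interface)."""
    def __init__(self, serial, license_key):
        self.serial, self.license_key = serial, license_key
        self.accounts = {}  # device_id -> (sequence number, account key)

    def activation_message_1(self):
        # Identical for every license activation of this serial number.
        return {"serial": self.serial, "license_key": self.license_key}

    def activation_message_2(self, device_code):
        # The device code is the device ID signed with the license key.
        expected = mac(self.license_key, device_code["device_id"])
        if not hmac.compare_digest(expected, device_code["signature"]):
            raise ValueError("device code not signed with this license key")
        if device_code["device_id"] in self.accounts:
            raise ValueError("Activation Message 2 is generated only once")
        if len(self.accounts) >= MAX_ACCOUNTS:
            raise ValueError("99 accounts reached; a new license is required")
        seq, key = len(self.accounts) + 1, secrets.token_bytes(32)
        self.accounts[device_code["device_id"]] = (seq, key)
        return {"serial": self.serial, "sequence": seq, "account_key": key}

    def confirm(self, device_id, signature):
        # Post-activation: verify the MAC made with the account key.
        seq, key = self.accounts[device_id]
        return hmac.compare_digest(mac(key, device_id, str(seq).encode()), signature)

class Authenticator:
    """Stands in for the Mobile Authenticator Studio app (assumed interface)."""
    def __init__(self, device_id):
        self.device_id, self.license, self.account = device_id, None, None

    def activate_license(self, msg1):
        self.license = msg1
        sig = mac(msg1["license_key"], self.device_id)
        return {"device_id": self.device_id, "signature": sig}

    def activate_account(self, msg2):
        self.account = msg2
        return mac(msg2["account_key"], self.device_id, str(msg2["sequence"]).encode())
```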
Offline account activation
If a new user is added and activates their license, the user must authenticate. Depending on the configured authentication method, the user is either prompted for the selected biometric method or must enter their PIN, because the PIN is not read automatically from internal storage. This applies to the following scenarios:
The user adds a new account from the Manage accounts screen for the activation and reactivation of a single account.
The user already has an account, adds one or more additional accounts, and activates or reactivates them.
The user tries to manually activate an existing account.
The user removes an account.
The following workflow describes the steps a user must take to activate their third-party application or web page for the first time.
To activate an account offline
The user is presented with the authenticator home screen and taps Scan Code to initiate the activation process.
The user points the camera at the Cronto image in the third-party application or web page to begin linking the device to their account. A code appears, and the user is prompted to enter it into the third-party application or web page.
The user scans the QR code or Cronto image.
The user chooses a PIN.
The user confirms the PIN.
The user chooses their preferred authentication method for future access:
Use Face ID
Use Touch ID
Skip to use PIN instead of biometric authentication
If the user selects to skip setting up biometric authentication at this stage, they can enable this feature anytime later via the Mobile Authenticator Studio menu. For more information, see Biometric authentication.
The user gives Mobile Authenticator Studio permission to use Face ID or Touch ID.
The user's biometric authentication is collected.
The user enters a code into the third-party application or web page to activate the authentication account.
(Optional, if notifications are enabled in the app configuration) The user gives Mobile Authenticator Studio permission to send notifications from the third-party application or web page by tapping Allow notifications.
When the activation is successful, the user is presented with the authenticator home screen displaying the following options:
Pending requests
Scan Code
One-time Password
If the process is interrupted, the user will see these screens:
If at any time the user taps Cancel, they see a cancel confirmation screen and can restart the activation process.
If something goes wrong, the user is notified with an error message; tapping Start over restarts the activation procedure from the beginning.