Secure Channel (multi-device licensing)
  • 19 Oct 2024

The Secure Channel feature uses a randomly generated symmetric key to encrypt the communication between the server and the authenticator account. This symmetric key is the payload key. It is provisioned with the authenticator key during the activation process.

The payload key can only be provisioned in the authenticator account if that account has been activated following the two-step activation process.

The secure channel is a one-way channel. Mobile Authenticator Studio only receives transaction messages encrypted by Authentication Server Framework.

To use the Secure Channel feature with Mobile Authenticator Studio, at least one secure channel cryptographic application must be selected in the Mobile Authenticator Studio Parameter Sheet.

The transaction message contains the serial number of the authenticator. Mobile Authenticator Studio uses the serial number to select the authenticator account to use, then decrypts the transaction message with that account's payload key to obtain the transaction message body. If the authenticator's serial number in the message does not match a serial number loaded in Mobile Authenticator Studio, a message indicating that the transaction message is not dedicated to this authenticator is displayed.

The transaction message body contains the following information:

  • The index of the authenticator's cryptographic application to sign the message.

  • The transaction information to be displayed, formatted as a free text or a list of key-value pairs with the corresponding title. The display format of the transaction information is chosen during the message generation on the server.

The result of the transaction message signature is displayed to the user.

The body of the transaction message is generated by the OneSpan Secure Messaging SDK integrated on the server. For more information on the Secure Messaging SDK integration, refer to the Mobile Authenticator Studio Integration Guide.
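The following added example (not code from the page or from the OneSpan SDKs) models the one-way secure channel described above: the server encrypts a transaction message body under the payload key of one authenticator account, and the client uses the clear-text serial number to pick the account, rejects messages not dedicated to it, checks integrity, and only then decrypts and renders the body (cryptographic application index plus transaction information as free text or titled key-value pairs). The serial numbers, keys and body layout are constructed; the page does not specify the real cipher, so an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag is used as a stand-in.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed authenticator accounts: serial number -> payload key provisioned
# at activation. Keys are generated at import time; nothing here is real data.
ACCOUNTS = {
    "VDS1234567": os.urandom(32),
    "VDS7654321": os.urandom(32),
}


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, a constructed stand-in for the real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def server_encrypt(serial, payload_key, body):
    """Server side: serial stays in clear for routing; body is encrypted then MACed.
    The tag covers the serial so it cannot be swapped to another account."""
    plaintext = json.dumps(body, separators=(",", ":")).encode()
    nonce = os.urandom(16)
    stream = _keystream(payload_key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(payload_key, serial.encode() + nonce + ct, hashlib.sha256).digest()
    return {"serial": serial, "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def render(body):
    """Transaction info is either free text or a titled list of key-value pairs."""
    info = body["info"]
    if info["format"] == "text":
        return info["text"]
    lines = [info["title"]] + [f"{k}: {v}" for k, v in info["pairs"]]
    return "\n".join(lines)


def client_open(message, accounts=ACCOUNTS):
    """Client side: select account by serial, verify, decrypt, return what to display."""
    serial = message["serial"]
    key = accounts.get(serial)
    if key is None:
        # Mirrors the page's behaviour: message is not dedicated to this authenticator.
        return {"status": "error",
                "reason": "transaction message is not dedicated to this authenticator"}
    nonce = bytes.fromhex(message["nonce"])
    ct = bytes.fromhex(message["ct"])
    tag = bytes.fromhex(message["tag"])
    expected = hmac.new(key, serial.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return {"status": "error", "reason": "integrity check failed"}
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    body = json.loads(pt.decode())
    return {"status": "ok", "app_index": body["app_index"], "display": render(body)}


if __name__ == "__main__":
    body = {"app_index": 2, "info": {"format": "pairs", "title": "Transfer",
                                     "pairs": [["Amount", "100 EUR"], ["To", "NL00BANK"]]}}
    msg = server_encrypt("VDS1234567", ACCOUNTS["VDS1234567"], body)
    print(client_open(msg))
```

The account lookup happens before any cryptographic work, so a message for an unknown serial number is refused without touching a key, and the integrity check runs before decryption so a modified ciphertext is never parsed.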

To use the secure channel between Authentication Server Framework and Mobile Authenticator Studio, either a Secure Channel action is enabled in the configuration file or the Secure Channel message is sent to Mobile Authenticator Studio by a third-party application.

Secure Channel action

With the Secure Channel action, the user can scan Cronto images containing transaction messages. The transaction messages are encrypted by the payload key provisioned during the activation of the authenticator and shared between Mobile Authenticator Studio and the server. The images carrying the transaction messages are generated by the Image Generator SDK integrated on the server. For more information on the Image Generator SDK integration, refer to the Mobile Authenticator Studio Integration Guide.

In addition to transaction messages, the Secure Channel action can be configured to support activation messages as well. In this case, the Secure Channel action can be used to replace an activated authenticator account without having to delete it first.

App-to-app communication

With the app-to-app communication, a third-party application or web page invokes the Mobile Authenticator Studio app with a Secure Channel message. The Mobile Authenticator Studio app then calls back the third-party application or web page with the signature of the Secure Channel message.

Mobile Authenticator Studio is invoked from a URL that has the following format:

${scheme}://app2app_secure_channel?x-success=thirdpartyapp://...&x-error=thirdpartyapp://...&x-cancel=thirdpartyapp://...&secure_message=0000C3E40F4

  • ${scheme} is a string specified in the course of the Mobile Authenticator Studio application customization, according to the iOS and Android scheme policies.

  • x-success is the callback URL invoked by Mobile Authenticator Studio in case of success. The signature of the Secure Channel transaction message is concatenated to this URL.

  • x-error is the callback URL invoked by Mobile Authenticator Studio in case of error. The error code is concatenated to this URL.

  • x-cancel is the callback URL invoked by Mobile Authenticator Studio in case of process interruption by the user.

  • secure_message is the Secure Channel message string provided by Authentication Server Framework.

To prevent the callback URL from being compromised, it is checked against a URL white list defined in the Mobile Authenticator Studio configuration file.
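As an added illustration of the invocation URL and the callback allowlist check (example code, not the Mobile Authenticator Studio implementation), the parser below extracts the four parameters, rejects missing or repeated ones, and accepts a callback only when its scheme, host and path prefix match an allowlist entry. The `${scheme}` value, the allowlist entries, and the way the signature or error code is appended to the callback are assumptions; the real configuration file format is not described on this page.

```python
from urllib.parse import parse_qs, quote, urlsplit

# Hypothetical ${scheme} chosen during app customization (constructed value).
APP_SCHEME = "mystudioapp"

# Constructed allowlist standing in for the URL white list in the configuration
# file. Matching is on scheme + host + path prefix, never on substrings.
CALLBACK_ALLOWLIST = [
    "thirdpartyapp://sign",
    "https://bank.example/app2app/",
]


def is_allowed_callback(url):
    """True only if url matches an allowlist entry on scheme, netloc and path prefix."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return False
    for entry in CALLBACK_ALLOWLIST:
        e = urlsplit(entry)
        if (parts.scheme == e.scheme and parts.netloc == e.netloc
                and parts.path.startswith(e.path)):
            return True
    return False


def parse_app2app_url(url):
    """Parse ${scheme}://app2app_secure_channel?x-success=...&x-error=...&x-cancel=...&secure_message=..."""
    parts = urlsplit(url)
    if parts.scheme != APP_SCHEME or parts.netloc != "app2app_secure_channel":
        raise ValueError("not an app2app secure channel invocation")
    query = parse_qs(parts.query)
    req = {}
    for name in ("x-success", "x-error", "x-cancel", "secure_message"):
        values = query.get(name, [])
        if len(values) != 1:
            # A repeated parameter could smuggle a second callback; refuse it.
            raise ValueError(f"parameter {name} missing or repeated")
        req[name] = values[0]
    for name in ("x-success", "x-error", "x-cancel"):
        if not is_allowed_callback(req[name]):
            raise ValueError(f"{name} callback not in allowlist: {req[name]}")
    if not req["secure_message"]:
        raise ValueError("secure_message is empty")
    return req


def success_callback(req, signature):
    """Assumed form of 'signature concatenated to the x-success URL'."""
    return req["x-success"] + quote(signature, safe="")


def error_callback(req, error_code):
    """Assumed form of 'error code concatenated to the x-error URL'."""
    return req["x-error"] + quote(str(error_code), safe="")


if __name__ == "__main__":
    sample = ("mystudioapp://app2app_secure_channel?x-success=thirdpartyapp://sign?sig="
              "&x-error=thirdpartyapp://sign?err=&x-cancel=thirdpartyapp://sign?cancel=1"
              "&secure_message=0000C3E40F4")  # constructed, matches the page's URL shape
    req = parse_app2app_url(sample)
    print(success_callback(req, "A1B2"))
```

A third-party page whose callback carries its own query string should percent-encode it when building the invocation URL, since `parse_qs` splits on `&`; the example above works because each callback contains no `&`. Note that `bank.example.attacker` or `bank.example@attacker` as the host does not match the `bank.example` entry, which is the point of comparing the netloc exactly rather than with a substring test.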

For more information about supported actions and parameters, refer to the Mobile Authenticator Studio Integration Guide.
