Secure Channel (multi-device licensing)
- Updated on 25 Apr 2025
The Secure Channel feature uses a randomly generated symmetric key to encrypt the communication between the server and the authenticator account. This symmetric key is the payload key. It is provisioned with the authenticator key during the activation process.
The payload key can only be provisioned in the authenticator account if the account has been activated using the two-step activation process.
The secure channel is a one-way channel. Mobile Authenticator Studio only receives transaction messages encrypted by Authentication Server Framework.
To use the Secure Channel feature with Mobile Authenticator Studio, at least one secure channel cryptographic application must be selected in the Mobile Authenticator Studio Parameter Sheet.
The transaction message contains information about the serial number of the authenticator. Mobile Authenticator Studio uses the serial number to select the authenticator account, then decrypts the transaction message with the payload key to obtain the transaction message body. If the authenticator's serial number in the message does not match a serial number loaded in Mobile Authenticator Studio, a message is displayed indicating that the transaction message is not dedicated to this authenticator.
The transaction message body contains the following information:
- The index of the authenticator's cryptographic application to sign the message.
- The transaction information to be displayed, formatted as free text or as a list of key-value pairs with the corresponding title. The display format of the transaction information is chosen during the message generation on the server.
The result of the transaction message signature is displayed to the user.
The body of the transaction message is generated by the OneSpan Secure Messaging SDK integrated on the server. For more information on the Secure Messaging SDK integration, refer to the Mobile Authenticator Studio Integration Guide.
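The receive path described above, as an added example in Go that is not OneSpan code and does not use the Secure Messaging SDK: the serial number selects the account, and only that account's payload key is tried. AES-GCM, the nonce||ciphertext layout, binding the serial number as associated data, the sample serial numbers, and the names `Accounts`, `NewCipher`, `Seal` and `Open` are assumptions; the page does not specify the cipher or the message format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrNotForThisAuthenticator = errors.New("message is not dedicated to this authenticator")
type Accounts map[string]cipher.AEAD // loaded serial number -> payload-key cipher

// NewCipher wraps a payload key in AES-GCM (assumed; the page names no cipher).
func NewCipher(payloadKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(payloadKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal (server side) returns nonce||ciphertext with the serial bound as associated data.
func Seal(c cipher.AEAD, serial string, body []byte) ([]byte, error) {
	nonce := make([]byte, c.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return c.Seal(nonce, nonce, body, []byte(serial)), nil
}

// Open (authenticator side) fails on an unknown serial, a wrong key, or a changed body or serial.
func Open(accounts Accounts, serial string, sealed []byte) ([]byte, error) {
	c, ok := accounts[serial]
	if !ok {
		return nil, ErrNotForThisAuthenticator
	}
	n := c.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("truncated message")
	}
	return c.Open(nil, sealed[:n], sealed[n:], []byte(serial))
}

func main() {
	c, _ := NewCipher(make([]byte, 32)) // constructed all-zero sample key
	msg, _ := Seal(c, "SN-0001", []byte("Amount: 10 EUR"))
	body, err := Open(Accounts{"SN-0001": c}, "SN-0001", msg)
	fmt.Println(string(body), err)
}
```

Because the serial number is authenticated together with the body, a message relabelled with another loaded serial number is rejected even when both accounts hold the same key.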
To use the secure channel between Authentication Server Framework and Mobile Authenticator Studio, either a Secure Channel action must be enabled in the configuration file or the Secure Channel message must be sent to Mobile Authenticator Studio by a third-party application.
Secure Channel action
With the Secure Channel action, the user can scan Cronto images containing transaction messages. The transaction messages are encrypted with the payload key that is provisioned during the activation of the authenticator and shared between Mobile Authenticator Studio and the server. The images carrying the transaction messages are generated by the Image Generator SDK integrated on the server. For more information on the Image Generator SDK integration, refer to the Mobile Authenticator Studio Integration Guide.
In addition to transaction messages, the Secure Channel action can be configured to support activation messages as well. In this case, the Secure Channel action can be used to replace an activated authenticator account without having to delete it first.