- 18 Mar 2025
Version 3.27 (Upcoming 2025)
- Updated on 18 Mar 2025
New features and enhancements
Bulk cleanup of unused authenticator data
A new bulkCleanupDigipass command has been added to the SOAP administration interface to delete authenticators and/or authenticator instances based on a cleanup strategy. This allows you to clean up and purge unused authenticator data regularly to maintain clarity and avoid performance degradation issues.
Currently supported cleanup strategies are to delete (a) all authenticator instances with reused PNID or (b) all authenticators and authenticator instances that were not used at least once for a specified number of days.
The command schedules a server task that processes the authenticators and authenticator instances in a specified search range.
New authentication and signature validation based on Cronto images
OneSpan Authentication Server supports new methods for authentication and signature validation based on Cronto images:
- Scan and login is an authentication method where users are presented with a Cronto image, scan that image, and complete authentication on their mobile device.
- Scan and sign is a signature validation method where users are presented with a Cronto image, scan that image, and complete signature validation on their mobile device.
The following commands have been extended to support the new workflows and the respective new policy settings:
- authSignatureRequest
- authUser
- genRequest
- getSecureChallenge
- policyExecute
- policyQuery
Improved Message-Authenticator attribute handling (CVE-2024-3596)
You can now configure OneSpan Authentication Server to always strictly validate Message-Authenticator attributes of incoming packets received from client components and RADIUS back-end servers.
The following commands of the SOAP administration interface have been extended accordingly:
- backendExecute and backendQuery support BACKENDFLD_RADIUS_MSG_AUTHENTICATOR_VALIDATION as new input/output attribute.
- componentExecute and componentQuery support COMPONENTFLD_RADIUS_MSG_AUTHENTICATOR_VALIDATION as new input/output attribute.
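As an added illustration (not OneSpan code and not taken from the product documentation), the following Python example shows what strict Message-Authenticator validation means at the packet level. RFC 2869 defines the attribute as an HMAC-MD5 over the whole packet, keyed with the shared secret and computed with the attribute value zeroed; a packet that lacks the attribute is rejected. The function names, the shared secret and the sample packets are constructed for this example.

```python
import hashlib
import hmac
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def find_msg_auth(packet: bytes):
    """Return the offset of the 16-byte Message-Authenticator value, or None."""
    pos = 20  # header: code, identifier, length, 16-byte authenticator
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        if attr_type == MSG_AUTH:
            if attr_len != 18:
                raise ValueError("bad Message-Authenticator length")
            return pos + 2
        pos += attr_len
    return None

def validate(packet: bytes, secret: bytes, request_auth: bytes = None) -> bool:
    """Strict validation: a missing, malformed or wrong attribute fails.
    For a response from a back-end server, pass the Request Authenticator
    of the matching Access-Request as request_auth."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    packet = packet[:length]  # octets past the declared length are padding
    try:
        off = find_msg_auth(packet)
    except ValueError:
        return False
    if off is None:
        return False  # strict mode: the attribute is mandatory
    auth = packet[4:20] if request_auth is None else request_auth
    zeroed = packet[:4] + auth + packet[20:off] + bytes(16) + packet[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(packet[off:off + 16], expected)

def build_packet(secret, code, ident, auth, attrs):
    """Build a constructed sample packet carrying a valid Message-Authenticator."""
    head = struct.pack("!BBH", code, ident, 38 + len(attrs)) + auth
    unsigned = head + bytes([MSG_AUTH, 18]) + bytes(16) + attrs
    mac = hmac.new(secret, unsigned, hashlib.md5).digest()
    return head + bytes([MSG_AUTH, 18]) + mac + attrs
```

The check covers only the Message-Authenticator attribute; verifying the Response Authenticator of a reply is a separate step.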
Configurable activation data type for MDL provisioning
(Support cases CS196215, CS191568)
Usually, the activation data type for multi-device licensing (MDL) authenticators is determined by the initial configuration parameters set in the DPX file: either online or offline activation data is required.
Beginning with this version, you can explicitly set the activation data type for the PROVISIONCMD_MDL_REGISTER command and the dsappSRPRegister command by using the PROVFLD_ACTIVATION_TYPE attribute and the activationType attribute, respectively.
By default, the activation data is derived from the initial configuration in the DPX.
Last authentication time directly accessible
The date and time when an authenticator was last used for a successful authentication is stored in the BLOB data of the respective authenticator. This information is now additionally stored in the database so that it can be retrieved directly and efficiently without decoding the BLOB data.
The following SOAP commands now support the new DIGIPASSFLD_LAST_AUTH_TIME attribute:
- digipassExecute:DIGIPASSCMD_UPDATE (output only)
- digipassExecute:DIGIPASSCMD_VIEW (output only)
- digipassQuery (input and output)
Note that this value is only set and updated if the authenticator is assigned and used by the respective user.
Fixes and other updates
Issue OAS-25550: Signature request encoding failure with special characters
Description: An encoding issue was detected with special characters, such as Eastern European characters, used in the message title (SIGNFLD_TRANSACTION_TITLE) and data fields (SIGNFLD_DATA_FIELD_*) passed to sig:genRequest. It was caused by the policy's font table index being ignored. When the client attempts to decrypt the request, it fails with an error, such as –4840 on iOS, 4841 on Android, or 4821.
Affects: OneSpan Authentication Server SDK 3.22–3.26
Status: This issue has been fixed.
Issue OAS-25359: Windows group check list size limit too small
Description: If you enable Windows group check, you need to specify a list of the Windows groups to be considered in the policy. This list has a size limit of 1024 characters, which can be too small if you have a lot of Windows groups defined.
Affects: OneSpan Authentication Server SDK 3.21–3.26
Status: The size of the Windows group list (POLICYFLD_GROUP_LIST) has been increased to 4000 characters.
Issue OAS-17191 (Support case CS0120170): Missing error/status codes (Documentation)
Description: The status code reference does not include entries for 1091 and 1092.
Status: The documentation has been updated. The missing status codes for STAT_MDC_DELIVERY_FAILED (1091) and STAT_ONE_OR_MORE_DELIVERY_METHODS_HAVE_FAILED (1092) were added. The descriptions of STAT_INVCONFIG (–30) and STAT_NOTAVAIL (–400) were extended to clarify the messages in more detail.
Issue OAS-12229 (Support cases CS0130603, CS0085259): PNID attribute not documented
Description: The OneSpan Authentication Server SDK SOAP Reference does not include a description of or usage information about the DIGIPASSFLD_DEVICE_PNID attribute (used for the DIGIPASS Push Notification Identifier (PNID)). This attribute can be used with the digipassExecute:DIGIPASSCMD_VIEW and the digipassQuery commands.
Affects: OneSpan Authentication Server SDK 3.21–3.26
Status: The documentation has been updated.
Known issues
Issue 44570: New client components for multi-device licensing (MDL) not automatically created (OneSpan Authentication Server Configuration Wizard)
Description: When running the Configuration Wizard and registering the SDK as part of an advanced installation, the client components for the new multi-device licensing (MDL) functionalities are not created automatically.
Affects: OneSpan Authentication Server SDK 3.7 and later
Status: Before using the sample websites, the client components for MDL must be created manually.
Deprecated components and features
EMV-CAP support (Disabled)
EMV-CAP is no longer supported, and its functionality has been removed. If you attempt to use commands related to EMV-CAP authentication, you will receive an EMV not supported error.
Any remaining references to EMV-CAP in the code base and the documentation will be removed in a future release of OneSpan Authentication Server (currently planned for 3.28).
PDF documentation (Deprecated)
You can view the user documentation of most OneSpan products online already at https://docs.onespan.com/, and we plan to shift exclusively to online documentation.
This means that PDF documentation will be completely removed in future major releases of OneSpan Authentication Server SDK (currently planned for 3.28).