Integration of Offline User Registration and Authenticator Activation

This type of registration is used to activate an authenticator that supports Cronto (e.g. the Digipass 7xx series). Once the device is activated, it can be used to generate a one-time password (OTP) to log in or a signature for transaction validation.

As prerequisite for the offline registration and activation you need to have an authenticator that supports Cronto in your tenant’s domain.

Sequence of an offline activation

1. The user initiates the registration. They provide the serialNumber and activationType parameters as offlineMDL parameter in the payload with a userRegister call. The response includes the following parameters:

   • registrationID

   • activationPassword.

2. The activationPassword parameter is sent to the Visual Codes service to display a Cronto image to the user.

3. When the user scans the Cronto image, they receive a device code on their device (e.g. hardware Digipass from the 7xx series) or any software authenticator.

4. To add the device to the Authenticator Provisioning service, use the registration ID obtained in step 1 and the device code obtained in step 3.

5. Send Activation Message 2 from the output to the Visual Codes service to get the second Cronto image.

6. The user scans this Cronto image to obtain the signature on the Cronto device.

7. To activate the device, use the registration ID obtained in step 1, the device code obtained in step 3, and the signature obtained in step 6.

The POST /users/register endpoint validates if a license activation is available for the multi-device licensing (MDL) provisioning process of an authenticator. If there are not enough activations available for the MDL license, the endpoint returns the following error message: 409 License activation limit reached..

To avoid replay attacks, you can restrict the maximum number of authenticators assigned to a user for specific authenticator types. This applies to single-device licensing (SDL) and multi-device licensing (MDL) authenticators, and authenticator instances (MDL only). For more information, see Authenticator management.

For a complete description of the required input and/or output data of the relevant operations see the following:

• user registration (input and output): POST /users/register.

• visual codes (input): GET /visualcodes/render.

• provisioning (input): POST /registrations/{registrationID}/add-device.