Overview


Unlike the activation of a standard license in the Mobile Authenticator Studio app, the activation of a multi-device license is divided into two steps: the activation of the authenticator license and the activation of the authenticator account (i.e., an instance of the authenticator).

This feature is supported by server solutions using Authentication Server Framework as of version 3.13.

This two-step activation process is also required when the Secure Channel feature of the authenticator is used, even if the authenticator license is not instantiated on several devices.

Activation messages are transferred from the server hosting Authentication Server Framework to Mobile Authenticator Studio via a QR code or a Cronto image. No fallback is provided if the device has no camera: the user sees a message indicating that the app cannot be used without a camera. The activation messages are converted into images with the OneSpan Image Generator SDK, based on the expected image format. For more information, see the Image Generator SDK Integration Guide.

Exchanging activation messages via images

In the multi-device licensing mode, an account of the authenticator cannot be reactivated. Authentication Server Framework only generates Activation Message 2 once. If an authenticator license cannot be used anymore, it must be replaced by a new one. The number of accounts for each authenticator serial number is limited to 99.

To confirm the authenticator activation to the server in the post-activation process, a Secure Channel app must be defined in the Mobile Authenticator Studio Parameter Sheet.

License activation

Activation Message 1 is generated on the server with Authentication Server Framework from the authenticator activation BLOB. This message is identical for every license activation. Activation Message 1 contains the following information:

  • the license serial number of the authenticator

  • the license key of the authenticator

  • (OPTIONAL) the license parameter settings of the authenticator

The parameter settings that the Mobile Authenticator Studio app uses to activate the authenticator are the static vector set in the Mobile Authenticator Studio configuration file.

As a result of the license activation, Mobile Authenticator Studio generates a device code which contains the device ID. This ID is a concatenation of information about the device type and device-unique data. Both are signed with the license key.

The device code must be provided to Authentication Server Framework so that the server side can generate an authenticator account for the device on which the license has been activated. Mobile Authenticator Studio can send the device code directly to a server or, alternatively, display it to the user, who is then responsible for submitting the code to the server manually.

Account activation

Activation Message 2, generated by Authentication Server Framework, is provided to Mobile Authenticator Studio. This message contains the following information used by Mobile Authenticator Studio:

  • license serial number of the authenticator

  • account sequence number of the authenticator

  • secret key of the authenticator

As a result of the authenticator account activation, Mobile Authenticator Studio generates a MAC signature with the account key of the authenticator. The MAC signature must be provided to Authentication Server Framework so that the server side can confirm the correct activation of the authenticator account.

If the activation process is interrupted before the account of the authenticator is activated (after the scan of Activation Message 2 or after the PIN validation), the license information is not stored. The dynamic vector associated with the license is destroyed.
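
The two-step exchange described on this page, modelled end to end as an added example; it is not OneSpan code and does not reproduce the real message formats. HMAC-SHA256, the dictionary message layout, the MAC input, and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_ACCOUNTS = 99  # per-serial-number limit stated on this page

def mac(key: bytes, *parts: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the unspecified signing/MAC algorithm.
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class ActivationServer:
    """Toy server model; not Authentication Server Framework code."""

    def __init__(self, serial: str, license_key: bytes):
        self.serial, self.license_key = serial, license_key
        self.accounts = {}  # sequence number -> {"key": bytes, "confirmed": bool}

    def activation_message_1(self) -> dict:
        # Same content for every license activation of this authenticator.
        return {"serial": self.serial, "license_key": self.license_key}

    def activation_message_2(self, device_id: bytes, signature: bytes) -> dict:
        # Check the device code before spending an account on it.
        if not hmac.compare_digest(signature, mac(self.license_key, device_id)):
            raise ValueError("device code signature invalid")
        if len(self.accounts) >= MAX_ACCOUNTS:
            raise ValueError("account limit reached for this serial number")
        seq = len(self.accounts) + 1
        key = os.urandom(32)
        self.accounts[seq] = {"key": key, "confirmed": False}
        # Returned once; the model has no call that re-issues it for seq.
        return {"serial": self.serial, "sequence": seq, "secret_key": key}

    def confirm(self, seq: int, signature: bytes) -> bool:
        acct = self.accounts[seq]
        expected = mac(acct["key"], self.serial.encode(), str(seq).encode())
        ok = hmac.compare_digest(signature, expected)  # constant-time compare
        acct["confirmed"] = acct["confirmed"] or ok
        return ok

def client_device_code(msg1: dict, device_type: bytes, device_unique: bytes):
    device_id = device_type + device_unique  # concatenation, as described above
    return device_id, mac(msg1["license_key"], device_id)

def client_confirmation(msg2: dict) -> bytes:
    # Assumption: the MAC covers serial and sequence, keyed with Message 2's secret key.
    return mac(msg2["secret_key"], msg2["serial"].encode(), str(msg2["sequence"]).encode())
```

In this model an account counts as activated only after `confirm` succeeds, and a rejected device code does not consume one of the 99 account slots.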