AAL2SyncTokenAndHost

Function prototype

aat_int32 AAL2SyncTokenAndHost (TDigipassBlob*   DPData,
                                TKernelParms*    CallParms,
                                aat_ascii*       Password1,
                                aat_ascii*       Challenge1,
                                aat_ascii*       Password2,
                                aat_ascii*       Challenge2);

Description

Based on two contiguous Digipass responses, this function synchronizes

• the host time with the Digipass time and/or
• the host event counter with the Digipass event counter.

This function can be used for

• time-based only algorithm
• event-based only algorithm
• time and-event-based algorithms

Time synchronization is no longer limited to 1 second per 6 hours (4 seconds per day). AAL2GetTokenProperty can be used to retrieve the algorithms TIME BASED, EVENT BASED, TIME AND EVENT BASED.

For time-based Challenge/Response Digipass authenticators, the CheckChallenge kernel parameter must be set to 4 for the synchronization (i.e. to allow two consecutive authentication requests in the same time step).

Time-based only algorithm

This function can be called to fix the following scenarios:

• A valid password (response) generated by a Digipass authenticator is rejected because the Digipass authenticator has not been used for a long period of time.
• A valid password (response) generated by a Digipass authenticator is rejected because the Digipass clock has drifted too far and is now outside the time synchronization window.

After calling AAL2SyncTokenAndHost, the new time drift is stored in the authenticator application BLOB, and a valid password will be accepted again.

With VACMAN Controller 3.7.10 and later/Authentication Suite Server SDK, this function will use the SyncWindow kernel parameter instead of iTimeWindow as a reference for the synchronization time window limit.

Event-based only algorithm

This function can be called to fix the following scenario:

1. The Digipass authenticator generates a password (response) based on event 1000.
2. A validation is performed on the host with this password so that this event is stored in the authenticator application BLOB.
3. The Digipass user then generates another ten passwords without a validation on the host.
4. The Digipass authenticator generates a password based on event 1011.
5. A validation is attempted on the host with this password.
6. The event window is too small and the host rejects this valid password because it is outside the event synchronization window.

After calling AAL2SyncTokenAndHost, the event used to generate the last of the two contiguous responses is stored in the authenticator application BLOB, and a valid password will be accepted again.

For event-based Digipass authenticators to work properly, AAL2SyncTokenAndHost must be used with the EventWindow kernel parameter greater than with the validation with AAL2VerifyPassword. If the same EventWindow is used, the synchronization will fail for the same reasons as the authentication (Digipass event outside the event synchronization window).

Score-based Digipass

For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based authentication which allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the two consecutive passwords, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in Table: Return codes (AAL2SyncTokenAndHost) for more details.

Parameters

Return codes