Documentation Index

Fetch the complete documentation index at: https://docs.onespan.com/llms.txt

Use this file to discover all available pages before exploring further.

AAL2VerifyDeviceCodeEx

Prev Next

Availability: Authentication Suite Server SDK 4.0.2 and later

Service: Digipass Multi-Device Activation

Function prototype

aat_int32 AAL2VerifyDeviceCodeEx ( TDigipassBlob *DPMAData, 
                                   TKernelParms *CallParms,
                                   aat_ascii *Challenge,
                                   aat_ascii *SignedMessage,
                                   aat_ascii *DeviceCode,
                                   aat_ascii *DeviceID,
                                   aat_int32 *DeviceIDLength, 
                                   aat_int32 *pDeviceType );

Description

AAL2VerifyDeviceCodeEx() overloads AAL2VerifyDeviceCode(), exposing a new SignedMessage parameter to provide device binding support for FIDO2–capable authenticators, such as DIGIPASS FX2.

This function verifies the device code provided by the Digipass device using the master activation application data. In case of SUCCESS it also extracts the following:

  • Digipass device ID
  • Digipass device type

It is only applicable to hardware or software authenticators compliant with the multi-device two-step activation (in context of multi-device licensing).

It uses different parameters for the validation, depending on the mode:

  • FIDO2 binding mode. In case of a bound FIDO2 device, the signed message (Activation Message 1 generated with the FIDO2 public key and challenge using  AAL2GenMessageActivation1Ex()) is used to validate the device code.  
  • Unbound mode. In any other case, if a challenge has been used to generate the Activation Message 1 (using AAL2GenMessageActivation1Ex()) received by the authenticator, the same challenge is used to validate the device code.

If challenge is not used, the kernel parameter CheckChallenge has to be set to 0 to disable the challenge checking.

Score-based Digipass

For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based authentication to validate the device code. This allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the device code, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in Table: Return codes (AAL2VerifyDeviceCodeEx) for more details.

Parameters

Table: Parameters (AAL2VerifyDeviceCodeEx)
TypeNameUseDescription
TDigipassBlobDPMADataI/ODigipass master activation application BLOB of the Digipass serial number license that will be used for the activation. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes.
TKernelParms *CallParmsIStructure of runtime parameters to use during this function call.
aat_ascii *ChallengeI

Optional string of 16 numeric or hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This parameter must hold the challenge that was used initially to generate Activation Message 1. If no challenge was used to generate Activation Message 1, this parameter must be NULL.

aat_ascii *SignedMessageI

The signed message generated by AAL2GenMessageActivation1Ex(). If this parameter is NULL, the function does a standard device code validation using the optional Challenge parameter.

In case of a bound FIDO2 device, the signed message is the Activation Message 1 generated using the FIDO2 public key.

aat_ascii *DeviceCodeI

String of up to 26+1 characters, null-terminated. It contains the device code generated by the Digipass device.

aat_ascii *DeviceIDO

Output string of 8+1 hexadecimal characters, null-terminated. If the device code has been successfully verified, this parameter contains the value of the Digipass device ID.

aat_int32 *DeviceIDLengthI/O

In input, this parameter must indicate the size of the allocated buffer for the DeviceID parameter (recommended 9 bytes). In output, this parameter indicates the length of the DeviceID string (without the null-terminated character).

aat_int32 *pDeviceTypeO

In output, this parameter contains the Digipass device type if the device code has been successfully verified (from 0 to 31).

  Table: List of device type values and definitions
ValueDefinitionValueDefinition
0Hardware device13BlackBerry Native
1Unknown software platform15MIDP2 Platform or BB Java
3iOS17Windows
5Jailbroken iOS19Linux
7Android21Mac
9Rooted AndroidOtherRFU
11Windows Phone  

Return codes 

  Table:  Return codes (AAL2VerifyDeviceCodeEx)
CodeMeaningCodeMeaning
0Success1116Response check digit not allowed
10001Success with context warning[1]1117Challenge check digit not allowed
10002Success with user warning[1]1118Unsupported BLOB
10003Success with user & context warning[1]1263Device ID buffer too small
10004Success with platform warning[1]1264Invalid master application
10005Success with platform & context warning[1]1265Invalid master application data pointer
10006Success with platform & user warning[1]1276Invalid device code pointer
10007Success with platform & user & context warning[1]1277Invalid device ID pointer
1Code not verified1278Invalid device ID length pointer
140Challenge corrupted1280Invalid device type pointer
201Code replay attempt1281Invalid device code length
202Identification error threshold reached1282Invalid device code check digit
205Inactive days reached1283Invalid device code character
208Application disabled1284Invalid device code
412Invalid checksum1285Master key derivation failed
413Invalid Base64 format-102Challenge too long
600Invalid Gordian root information-103Challenge check digit wrong
601Invalid Gordian today information-105Challenge minimum length not allowed
602Invalid Gordian tomorrow information-106Challenge maximum length not allowed
603Invalid Gordian stimulus information-107Challenge number wrong
1000Function does not support EMV-CAP-108Challenge character invalid
1025Buffer too small-201Response length out of bounds
1039Invalid response length with DP algorithm-205Response character not decimal
1040Invalid host code length with DP algorithm-206Response character not hexadecimal
1103Unlock Version 2 not supported-207Response character set not specified
  1. Specific score-based authentication code (see Score-based DIGIPASS)