AAL2VerifyPassword

Function prototype

aat_int32 AAL2VerifyPassword (TDigipassBlob*   DPData,
                              TKernelParms*    CallParms,
                              aat_ascii*       Password,
                              aat_ascii*       Challenge);

Description

This function authenticates the Digipass user by verifying if a given Digipass-generated dynamic password is valid for a specified authenticator application described by its authenticator application BLOB (DPData). Optionally, the previously generated challenge is also passed to this function.

Integration specifics of one-button authenticators (e.g. Digipass GO series)

This function can also be used for static PIN management for Digipass GO devices supporting the server static PIN. In this case, a password may have different formats.

Password formats
Regular password authentication request: 89574526. No static PIN.
Same authentication request in combination with static PIN usage: 123489574526. The static PIN is entered before the dynamic password. AAL2VerifyPassword will first evaluate the static PIN and then the dynamic password.
Same authentication request in combination with static PIN usage and a request for PIN change: 12348957452643214321. The static PIN is entered before the dynamic password, and both the new PIN and new PIN confirmation are entered afterwards. AAL2VerifyPassword will first evaluate the static PIN and then the dynamic password. After this, the request for a PIN change is processed.

For a list of the characters that can be used for the new static password, see Supported new static password charset.

Virtual Mobile Authenticator

If Virtual Mobile Authenticator is supported for the given authenticator application BLOB, this function can be used to perform Virtual Mobile Authenticator one-time password validation.

When both backup and primary authenticator are activated, Authentication Suite Server SDK will automatically detect whether the given dynamic password is from a backup or primary authenticator application. After a successful validation it is possible to retrieve the given dynamic password type (primary/backup) by calling AAL2GetTokenProperty.

Score-based Digipass

For Digipass devices that integrate the score-based algorithm, Authentication Suite Server SDK performs a score-based authentication which allows retrieving the Digipass scoring value. Once Authentication Suite Server SDK has successfully validated the password, it returns either SUCCESS or SUCCESS with the relevant scoring warning code. See the list of return codes in Table: Return codes (AAL2VerifyPassword) for more details.

Parameters

Table: Parameters (AAL2VerifyPassword)
Type	Name	Use	Description
TDigipassBlob *	DPData	I/O	authenticator application BLOB. Upon return from the function call, this BLOB must be rewritten to the application database to reflect changes.
TKernelParms *	CallParms	I	Structure of runtime parameters to use during this function call.
aat_ascii *	Password	I	String of up to 17+24 numeric or hexadecimal characters, left-justified, null-terminated or right-padded with spaces. This is the dynamic password generated by the Digipass authenticator.
aat_ascii *	Challenge	I	String of up to 17 numeric or hexadecimal characters, left-justified, null-terminated, or right-padded with spaces. This parameter holds the challenge that was proposed to the user to generate the password. If no challenge was generated, this parameter should be NULL.

Return codes

Table: Return codes (AAL2VerifyPassword)
Code	Meaning	Code	Meaning
0	Success	603	Invalid Gordian stimulus information
10001	Success with context warning[1]	802	Change password mandatory
10002	Success with user warning[1]	803	New password too short
10003	Success with user & context warning[1]	804	New password too long
10004	Success with platform warning[1]	1039	Invalid response length with DP algorithm
10005	Success with platform & context warning[1]	1040	Invalid host code length with DP algorithm
10006	Success with platform & user warning[1]	1103	Unlock Version 2 not supported
10007	Success with platform & user & context warning[1]	1116	Response check digit not allowed
1	Code not verified	1117	Challenge check digit not allowed
2	Static password validation failed	1118	Unsupported BLOB
130	Invalid response pointer	-101	Challenge too short
131	Missing required challenge	-102	Challenge too long
132	Unsupported token type	-103	Challenge check digit wrong
140	Challenge corrupted	-105	Challenge minimum length not allowed
201	Code replay attempt	-106	Challenge maximum length not allowed
202	Identification error threshold reached	-107	Challenge number wrong
205	Inactive days reached	-108	Challenge character invalid
208	Application disabled	-201	Response length out of bounds
412	Invalid checksum	-202	Response too short
413	Invalid Base64 format	-203	Response too long
510	Invalid Digipass data pointer	-204	Response check digit wrong
600	Invalid Gordian root information	-205	Response character not decimal
601	Invalid Gordian today information	-206	Response character not hexadecimal
602	Invalid Gordian tomorrow information	-207	Response character set not specified

Specific score-based authentication code (see Score-based DIGIPASS)