Description
The Digipass Management Service provides facilities for the Digipass management. It is used for help desk and administration purposes.
Functionalities
The Digipass Management Service involves the following functions:
Digipass unlocking
Digipass static PIN management
Digipass authenticator and host synchronization
Digipass authenticator data synchronization
Digipass protection key management
Digipass information management
Digipass properties management
The Digipass unlocking functionality is for keypad authenticators (authenticator local PIN) and enables administrators to unlock a PIN-locked authenticator, if the feature is supported. There are two ways to unlock a user’s Digipass authenticator:
The administrator generates an unlock code from the user’s authenticator application BLOB, passing the unlock challenge displayed by the PIN-locked Digipass authenticator.
The administrator generates an unlock authorization code that they forward to the user by a secure third-party mechanism such as SMS or phone call. During the unlock phase, to obtain the final unlock code, the user has to provide both the unlock challenge displayed by the PIN-locked Digipass authenticator and the unlock authorization code.
There are two different versions of the DPX file to handle the unlock function. The old version uses an 8-byte DES key to create the unlock code. This key is stored with each authenticator application BLOB. The new version uses a more secure 16-byte 3DES or AES, 20-byte OATH, or 16-byte SM3 key to create the unlock code.
The old unlock mechanism uses the same authenticator application BLOB as the Digipass authentication application (RO, CR, SG or MM).
The new unlock mechanism Unlock V2 (for compliant Digipass authenticators only) uses a dedicated Unlock V2 application BLOB. If supported by Digipass, the Unlock V2 application BLOB must be imported like the other authenticator application BLOBs (this Unlock V2 application BLOB has the authentication mode UL), and must be used when calling the unlock APIs instead of the Digipass authentication BLOB (RO, CR, SG or MM).
The Digipass static PIN management functionalities enable administrators to change static PINs on a mandatory basis or to allow the user to provide a new static PIN for the next authentication. These functionalities are applicable only for authenticator applications supporting the Server static PIN feature.
The Digipass authenticator and host synchronization functionality allows the synchronization of Digipass authenticators and authenticator application BLOBs on the host server.
Synchronizing a Digipass authenticator with the host server involves updating the counters (time and/or event) stored in the authenticator application BLOB with the Digipass authenticator counters. There are several reasons why the counters may be out of synchronization:
Time-based authenticator application:
if Digipass has not been used for a long period of time
if the Digipass clock has drifted too far and is now outside the validation time window
Event-based authenticator application: if Digipass generates several OTPs which are not submitted to the host and are therefore outside the validation event window.
The Digipass authenticator data synchronization functionality allows the synchronization of several authenticator application BLOBs (from the same Digipass authenticator) with one another.
Synchronizing authenticator application BLOBs with one another makes sure that if a Digipass authenticator has been programmed with several time-based applications, the time drift information is passed on to all application BLOBs. It can also be used to upgrade BLOBs with specific features, as for example the virtual authenticator feature.
The Digipass protection key management functionality allows administrators to change the value of the software derivation keys (derive vector and storage derive keys) used to encrypt/decrypt an authenticator application BLOB.
The Digipass information management functionalities allow administrators to retrieve information from an authenticator application BLOB (see Table: Overview of available information in Digipass Information Management), and also allow administrators to reset the error counter stored in an authenticator application BLOB. In addition, after the reset, the initial synchronization time window will be used for the next authentication.
| Available information | Meaning |
|---|---|
| Token model | The Digipass type, for example, Digipass 300, Digipass GO 3 etc. For more information, refer to Digipass type. |
| Usage count | The number of successful authentications since the last reset operation. |
| Last time used | Date and time of the last successful authentication. |
| Last time shift | Shift between the host and the Digipass clock of the last authentication, indicated in seconds. |
| Error count | Error counter value. |
| Codeword | Codeword value. |
| Triple DES | Indicates if 3DES is used for the OTP generation. |
| Maximum input fields | The maximum number of challenges or data fields. |
| Response length | Length of the response. |
| Response type | Type of the response (decimal or hexadecimal). |
| Response checksum | Indicates whether the response contains a checksum. |
| Time step | Value of the time step used. |
Through the Digipass properties management functionalities, administrators can retrieve or modify properties of an authenticator application BLOB (see Table: Overview of available properties in Digipass Properties Management).
| Available property | Get | Set | Meaning |
|---|---|---|---|
| Token status | ✓ | Enables or disables the primary and/or backup authenticator and sets the virtual mode if needed. | |
Is primary token enabled? | ✓ | Indicates whether the primary authenticator is enabled. | |
Is virtual token supported? | ✓ | Indicates whether the virtual authenticator is supported. | |
Is virtual token enabled? | ✓ | Indicates whether the virtual authenticator is enabled. | |
| Virtual token type | ✓ | The type of virtual authenticator, i.e., PRIMARY or BACKUP. | |
| Virtual token grace period | ✓ | ✓ | Gets or sets the date when the virtual authenticator expires. |
| Virtual token remaining use | ✓ | ✓ | Gets or sets the number of remaining virtual authenticator uses, allowed number of virtual authentications. |
Is static PIN supported? | ✓ | Indicates whether the authenticator application supports the server static PIN feature. | |
| PIN minimum length | ✓ | ✓ | Sets or gets the minimum length authorized for a server static PIN. |
| PIN length | ✓ | Current length of the server static PIN. | |
Is PIN change mode on? | ✓ | Indicates whether the user can change their server static PIN. | |
Is PIN change forced? | ✓ | ✓ | Sets or indicates whether the server static PIN has to be changed at the next logon attempt. |
Is PIN feature enabled? | ✓ | ✓ | Sets or indicated whether the server static PIN feature is enabled. |
| Token model | ✓ | The type of Digipass authenticator. | |
| Use count | ✓ | The number of successful authentications. | |
| Last time used | ✓ | ✓ | Gets or sets the date and time of the last successful authentication. |
| Last time shift | ✓ | ✓ | Gets or sets the shift between the host and the Digipass clock in seconds. |
Is time-based algorithm? | ✓ | Indicates whether die authenticator application has a time-based algorithm. | |
Is event-based algorithm? | ✓ | Indicates whether the authenticator application has an event-based algorithm. | |
Is unlock supported? | ✓ | Indicates whether the authenticator application supports the unlock feature. | |
| Last response type | ✓ | The last valid response type, i.e., PRIMARY or BACKUP. | |
| Error count | ✓ | ✓ | Gets or sets error count, can only be set to 0. |
| Event value | ✓ | ✓ | For event-based algorithms, the current event value stored in the authenticator application BLOB. Indicates the greatest event value received for a valid verification, not necessarily of the latest valid verification performed (for non-sequential signature presentation). |
| Last event value | ✓ | For event-based algorithms, event value of the last valid verification (used for non-sequential signature presentation). | |
Is synchronization window used? | ✓ | Indicates whether the initial synchronization time window will be used to perform the next validation for the authenticator application. | |
| Codeword | ✓ | Application codeword. The codeword provides information on the algorithm used by the authenticator application. | |
| Authentication mode | ✓ | RO, CR, SG, MM or UL. | |
| OCRA suite | ✓ | Indicates the OCRA Suite string (for OCRA applications only). | |
Is derivation supported? | ✓ | Indicates whether Digipass data derivation is supported by the authenticator application. | |
Maximum DTF number | ✓ | Maximum number of data fields supported. | |
DTF1 to DTF8 min length | ✓ | Minimum length of the data field (for DTF1 to DTF8). | |
DTF1 to DTF8 max length | ✓ | Maximum length of the data field (for DTF1 to DTF8). | |
DTF1 to DTF8 check digit | ✓ | Indicates whether the data field use a check digit (for DTF1 to DTF8). | |
| Response length | ✓ | Length of the response. | |
| Response format | ✓ | Type of the response (decimal or hexadecimal) | |
| Response check digit | ✓ | Indicates whether the response contains a checksum | |
| Time step | ✓ | Value of the timestep used | |
Is Triple DES used? | ✓ | Indicates if the application uses the 3DES algorithm. | |
Is secure channel message signature supported? | ✓ | Indicates whether the secure channel message signature validation is supported by the authenticator application. | |
Is offline data block generation supported? | ✓ | Indicates whether the offline data block generation (for offline authentication with the OneSpan Authentication Suite Server SDK Offline Module) is supported by the authenticator application. | |
Encryption algorithm | ✓ | Algorithm used to encrypt the respective authenticator BLOB data (AES, 3DES). |