Documentation Index

Fetch the complete documentation index at: https://docs.onespan.com/llms.txt

Use this file to discover all available pages before exploring further.

Digipass Multi-Device Activation Service

Prev Next

Description

The Digipass Multi-Device Activation service groups functionalities for multi-device activation (two-step activation) of compliant authenticator (software or hardware) devices.

The Digipass multi-device activation is a different process from the standard software Digipass activation. The Digipass multi-device activation requires compliant Digipass devices and compliant DPX files (in the context of multi-device licensing).

When a compliant Digipass device is activated, settings and secrets are written into the device.

Multi-device activation global workflow

The multi-device activation process involves a particular authenticator application, the master activation application, which contains an individual master activation key for each Digipass serial number license. Every Digipass serial number license must be linked to a single user account.

The multi-device activation involves two activation messages generated by the customer to guarantee that only the intended end user, and not an adversary who has intercepted one of the messages, can perform the activation:

  • Activation Message 1. The first activation message allows activating a Digipass license in the device. It may be used several times to allow activation of multiple Digipass instances (of a certain Digipass license) on multiple Digipass devices if necessary, or only once if a challenge is used.

  • Activation Message 2. The second activation message allows activating a Digipass instance of a license in the device. It can be used for the effective activation of one Digipass instance only.

Both activation messages should be delivered to the end-user via authentic channels. For instance, the first activation message (Activation Message 1) should be delivered via a secure letter or email. The second activation message (Activation Message 2) should be delivered via the online banking application.

Each serial number license will be used several times for activation of several Digipass instances (in several Digipass devices) of one user account. Only one license will be consumed for the activation of the different Digipass instances for one user account.

For each activation of a new Digipass instance, new authenticator application BLOBs will be generated by Authentication Suite Server SDK. A sequence number will be incremented for each new Digipass instance issued from the same license. The number of instances which can be issued from a license will be limited to a pre-defined threshold between 1 and 99 (configured by OneSpan at time of order).

The different Digipass instances of one user account will have the same serial number but a different sequence number. The keys of the Digipass instance applications will be different for each instance.

The optional Secure Channel feature after activation of a Digipass instance allows protection of the messages exchanged between the server side and the client side. (applicable only for Digipass devices able to perform operations based on the Secure Channel protocol). The Secure Channel will be usable only if the Secure Channel feature has been ordered (configured by OneSpan at time of order).

  • If the Secure Channel feature has been ordered, during the activation process it requires mandatory provisioning of a payload key represented on the server side by a payload key BLOB. In this case, first a payload key will have to be generated once for each Digipass serial number license. The different Digipass instances activated from one Digipass serial number license must share the same payload key. After the activation, the payload key will protect the request messages and deactivation messages to exchange between the server and the client devices that have been activated using a particular Digipass license (for a particular user account).

  • If the Secure Channel feature has not been ordered, no payload key must be generated and provisioned.

To manage an interruption in the process, it should be possible to replay Activation Message 2 until the Activation Message 2 signature is validated by the server. To do so Activation Message 2 should be kept on the server side and deleted once the signature is validated.

Figure: Multi-device activation global workflow

Authentication Suite Server SDK will be involved in the following steps during the multi-device activation process:

  • Step 2: If the Secure Channel feature has been ordered – generation of the payload key BLOB; once per Digipass serial number license.

  • Step 3: Generation of Activation Message 1

  • Step 8: Verification of the device code, extraction of the device ID and the device type

  • Step 9: Generation of Activation Message 2 and of the Digipass instance application BLOBs

  • Step 15: Verification of Activation Message 2 signature with the functionality dedicated to the message signature validation and using the Digipass instance application BLOB corresponding to the crypto application defined into the client Digipass to perform the post-activation. For more information, see Activation Message 2 signature validation workflow.

Steps 4 and 11: Authentication Suite Server SDK will not be involved in the message transformation into an image or other media (for example, the Cronto image is generated with the Image Generator SDK).

Multi-device activation with FIDO2 binding workflow

The Vision FX provisioning protocol is used for authenticators that combine Cronto visual cryptography with FIDO2 hardware-bound credentials, such as DIGIPASS FX2. As such, it incorporates the FIDO2 protocol for user authentication and the Cronto protocol for transaction data signing.

Activation with FIDO2 binding provisioning (overview)

  1. The server and the authenticator perform a FIDO2 provisioning, using the regular WebAuthn client registration protocol.

    The authenticator now contains WebAuthn credentials (public/private key pair) to authenticate to the server, which stores the public key.

  2. The server and the authenticator perform a Cronto provisioning, using an adapted Cronto activation protocol.

    The server allocates a Cronto license to the user account. The Cronto license is identified by a serial number and is linked to a certain activation key.

  3. The server generates Activation Message 1 and presents it to the authenticator as a Cronto image.

    Apart from the regular activation message data, it contains a message authentication code (MAC) of the WebAuthn public key generated with  the activation key.

  4. The authenticator scans the Cronto image that encodes the Activation Message 1.

    If the verification of the Activation Message 1 data is successful, the authenticator stores the Cronto license serial number and the activation key.

  5. The authenticator calculates the device code and sends it to the server.

    The device code consists of an internal device ID and a signature of the Activation Message 1 calculated using the activation key.

  6. The server validates the device code.

    If the validation is successful, the server stores the device ID. Furthermore, it generates one or more authenticator application keys.

  7. The server generates an Activation Message 2 and presents it to the authenticator as a Cronto image.

  8. The authenticator scans the Cronto image that encodes the Activation Message 2.

  9. The authenticator generates an OTP and sends it to the server.

    The OTP is calculated over the Activation Message 2 data and the device ID using the authenticator application key.

  10. The server validates the OTP.

This provisioning process is atomic: either both WebAuthn client registration and Cronto activation are completed successfully, or no registration or activation is done at all. It requires that the Cronto data originates from the same domain used during authentication, that user authentication and transaction data signing are performed using the same authenticator, and that only genuine Vision FX authenticators are used.

Authentication Suite Server SDK will be involved in the following steps:

  • Step 3: Generation of Activation Message 1

  • Step 6: Verification of the device code, extraction of the device ID, generation of the authenticator instance application BLOBs

  • Step 7: Generation of Activation Message 2

  • Step 10: Verification of Activation Message 2 signature

Steps 3 and 7: Authentication Suite Server SDK will not be involved in the message transformation into a Cronto image. These images are generated with the Image Generator SDK.

Functionalities

The Digipass Multi-Device Activation service relies on the following functionalities:

  • Payload key BLOB generation

  • Activation Message 1 generation

  • Device code validation

  • Activation Message 2 and Digipass instance generation

Workflows

Payload key BLOB generation workflow

Figure: Payload key BLOB generation workflow

Activation Message 1 generation workflow

Figure: Activation Message 1 generation workflow

Device code validation workflow

Figure: Device code validation workflow

Activation Message 2 and Digipass instance generation workflow

Figure: Activation Message 2 and Digipass instance generation workflow

Activation Message 2 signature validation workflow

Figure: Activation Message 2 signature validation workflow