With event-based authenticator applications the secrets are static, so Digipass has to feed its crypto-engine with both an internal event value and the secrets to generate a dynamic password (or a signature).
Ideally, the host and Digipass authenticator events are perfectly synchronized (identical). In this case, the host would only need to consider the dynamic password corresponding to the current event value and could reject all other dynamic passwords. Every password generated by Digipass would then have to be presented to and validated by the host to keep the two sides perfectly synchronized.
Because the host and Digipass events are likely to drift apart in real situations, Authentication Suite Server SDK provides a transparent mechanism to synchronize the authenticator application internal event value with the host event value stored in the authenticator application BLOB.
The maximum gap between the authenticator application and the host event values is called the event window; it can be customized with the EventWindow kernel parameter, whose default value is 100.
With an event-based authenticator application, Authentication Suite Server SDK is not able to detect code replay attempts, nor chronological signature errors when validating signatures.
For OTP or signature validation in online mode, Authentication Suite Server SDK will only iterate on events greater than the current event. Consequently, a replay attempt will be rejected by Authentication Suite Server SDK, but the error code returned will be error "Code or signature not verified" rather than error "201: Code replay attempt" or error "206: Chronological signature error".
Online mode
One-time passwords and digital signatures are presented to the host in the order they were generated.
Three OTPs are generated with the events e=1, e=2, and e=3. The OTP generated with e=2 has to be submitted before the one with e=3. Presenting the OTP generated with e=1 after the one generated with e=3 would cause an authentication failure.
In this mode, the lower window boundary is:
Lower boundary = Current event value + 1
The upper window boundary is:
Upper boundary = Current event value + event window
Authentication Suite Server SDK will consider all OTPs with an event value within these boundaries as valid. After a successful validation, the event value in the authenticator application BLOB is updated with the authenticator application event value used to generate the OTP.
One-time passwords are always validated in online mode. Signatures are only validated in online mode if the OnlineSG kernel parameter is equal to 1 or 2. Signature validation in online mode is recommended in most cases.
Offline mode
This mode only applies to the signature validation operating mode.
A typical use case is when signatures are not presented to the host in the order they were generated.
Three signatures are generated with the events e=1, e=2, and e=3. Presenting the signature generated with e=1 either before or after the one generated with e=3 will succeed.
In this mode, the lower event window boundary is:
Lower boundary = Current event value – (event window / 2) + 1
The upper window boundary is:
Upper boundary = Current event value + (event window / 2)
Authentication Suite Server SDK will consider all signatures with an event value within these boundaries as valid. After a successful validation, the event value in the authenticator application BLOB is updated only if the authenticator application event value used to generate the signature is greater than the event value currently stored in the BLOB.
In this operating mode, there is no way for Authentication Suite Server SDK to detect code replay inside the event window. It is up to the calling application to detect and reject replayed codes.
With the Digipass Management Service, it is possible to retrieve both the current event value and the event value of the latest valid signature from the authenticator application BLOB.
To re-validate an event-based signature to ensure non-repudiation, the calling application has to store all the transaction data and the event value used to generate this signature.
Signatures are only validated in offline mode if the OnlineSG kernel parameter is set to 0 or 3.
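The window arithmetic and BLOB update rules for both the online and offline modes described above, as an added worked example that is not Authentication Suite Server SDK code. It assumes a stand-in HMAC-based OTP function in place of the Digipass crypto-engine, a plain dict in place of the authenticator application BLOB, and a constructed secret; the last function shows the replay bookkeeping the page leaves to the calling application in offline mode.

```python
import hashlib
import hmac

EVENT_WINDOW = 100  # default value of the EventWindow kernel parameter


def otp_for_event(secret: bytes, event: int) -> str:
    # Stand-in for the Digipass crypto-engine (assumption): HMAC over the event
    # counter, truncated to 6 digits. The real algorithm is not described here.
    mac = hmac.new(secret, event.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def window_bounds(current_event: int, mode: str, window: int = EVENT_WINDOW):
    # Boundaries exactly as stated for each mode (integer division for the halves).
    if mode == "online":
        return current_event + 1, current_event + window
    if mode == "offline":
        return current_event - window // 2 + 1, current_event + window // 2
    raise ValueError(f"unknown mode {mode!r}")


def validate(blob: dict, secret: bytes, candidate: str, mode: str, window: int = EVENT_WINDOW):
    # blob stands in for the authenticator application BLOB (assumption): {"event": int}.
    # Returns (accepted, matched_event) and updates blob["event"] per the mode's rule.
    lo, hi = window_bounds(blob["event"], mode, window)
    for e in range(max(lo, 0), hi + 1):  # negative events are meaningless; clamp (assumption)
        if hmac.compare_digest(otp_for_event(secret, e), candidate):
            # Online: always move to the event used. Offline: only move forward.
            if mode == "online" or e > blob["event"]:
                blob["event"] = e
            return True, e
    return False, None  # maps to "Code or signature not verified", even for a replay


def validate_signature_offline(blob: dict, used_events: set, secret: bytes,
                               candidate: str, window: int = EVENT_WINDOW):
    # Calling-application layer (assumption): in offline mode the SDK accepts a
    # replayed signature inside the window, so remember every event already used.
    ok, e = validate(blob, secret, candidate, "offline", window)
    if not ok:
        return False, None
    if e in used_events:
        return False, e  # replay inside the window that validate() alone accepted
    used_events.add(e)
    return True, e
```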