An authenticator is a device for providing one-time password (OTP) and electronic signature functionality to a user.
An organization can provide its users with authenticators to ensure that the users log in to secure systems via strong authentication. The authenticator provides the OTP values, and the users enter these OTP values instead of, or in addition to, a static password for the logon. With devices that support this functionality, authentication transactions can be performed via the secure channel feature of OneSpan Authentication Server and authenticators (see Secure channel).
In addition, an authenticator can also be used to sign transaction data. Here, the user manually enters key details of the transaction into the authenticator or, with devices that support this functionality, scans an image—either a QR code or a color QR code—provided on the transaction page, and receives a signature. The user then enters that signature into a transaction confirmation page to confirm that the transaction is authorized.
Virtual Mobile Authenticator is a mechanism where an OTP is generated by the server and sent to the user's mobile phone or email account. In this case, a physical authenticator device is not needed.
A software authenticator may be installed as an authenticator application onto an existing non-OneSpan platform (such as a computer, smart phone, or other mobile device). It can be used to generate an OTP or a signature in the same way as a physical hardware authenticator.
Authenticator application types
Each authenticator is programmed with at least one authenticator application and a unique secret. The authenticator application uses this unique secret when it generates one-time password (OTP) values or an electronic signature.
Each type of authenticator application generates OTP values or signatures from different data, and in slightly different ways:
Response-only
Creates an OTP, either based on the current date and time or on the number of uses (i.e. events).
Challenge/response
Creates an OTP (also referred to as a response) based on a numerical challenge shown on a logon page. This challenge may be one of the following:
Custom-created challenge for the specific authenticator
Randomly-created challenge
The OTP may also be based on the date and time.
Signature
Electronic signature applications are typically used in online banking. The authenticator creates a unique code—i.e. an electronic signature—based on a number of transaction data fields entered plus (optionally) the date and time or events.
Multi-mode
A multi-mode authenticator can be used in all of the above modes.
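The following is an added example, not OneSpan's Digipass algorithm and not code from this documentation. It shows in generic terms how a single unique secret feeds the three application types above: response-only (time- or event-based), challenge/response (optionally also bound to the time step), and signature over the transaction data fields. The construction is HMAC-SHA256 with RFC 4226 (HOTP) truncation; the field encoding, the server-side time window and the event look-ahead are our own illustrative choices, not product settings.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# Added illustration only: a generic HMAC-based OTP/signature scheme showing how one
# unique secret feeds the three application types. It is NOT OneSpan's Digipass
# algorithm; truncation follows RFC 4226 (HOTP) and the field encoding is ours.


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at an offset chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Authenticator:
    """One authenticator application: the unique secret plus a mode-specific input."""

    def __init__(self, secret: bytes, time_step: int = 30) -> None:
        self.secret = secret
        self.time_step = time_step
        self.counter = 0  # event counter used by event-based response-only mode

    def _otp(self, *fields: bytes, digits: int = 6) -> str:
        # Length-prefix each field so "12|345" and "123|45" cannot collide.
        msg = b"".join(struct.pack(">H", len(f)) + f for f in fields)
        return _truncate(hmac.new(self.secret, msg, hashlib.sha256).digest(), digits)

    def response_only_time(self, now: int) -> str:
        return self._otp(b"time", struct.pack(">Q", now // self.time_step))

    def response_only_event(self) -> str:
        code = self._otp(b"event", struct.pack(">Q", self.counter))
        self.counter += 1  # every press consumes one event
        return code

    def challenge_response(self, challenge: str, now: Optional[int] = None) -> str:
        fields = [b"challenge", challenge.encode()]
        if now is not None:  # optionally also bound to the current time step
            fields.append(struct.pack(">Q", now // self.time_step))
        return self._otp(*fields)

    def signature(self, *tx_fields: str) -> str:
        # The signature covers exactly the transaction fields the user keyed in (or scanned).
        return self._otp(b"sign", *(f.encode() for f in tx_fields), digits=8)


class Server:
    """Server-side copy of the secret plus the windows needed to tolerate drift."""

    def __init__(self, secret: bytes, time_step: int = 30,
                 time_window: int = 1, event_lookahead: int = 10) -> None:
        self.app = Authenticator(secret, time_step)
        self.time_window = time_window
        self.event_lookahead = event_lookahead
        self.next_counter = 0
        self.used_steps: set = set()

    def verify_time(self, otp: str, now: int) -> bool:
        step = now // self.app.time_step
        for cand in range(step - self.time_window, step + self.time_window + 1):
            if cand in self.used_steps:
                continue  # a time-based OTP is accepted once per step (replay protection)
            if hmac.compare_digest(self.app.response_only_time(cand * self.app.time_step), otp):
                self.used_steps.add(cand)
                return True
        return False

    def verify_event(self, otp: str) -> bool:
        # Look ahead a bounded number of events so presses that never reached the
        # server do not desynchronise the authenticator; never look backwards.
        for cand in range(self.next_counter, self.next_counter + self.event_lookahead):
            self.app.counter = cand
            if hmac.compare_digest(self.app.response_only_event(), otp):
                self.next_counter = cand + 1
                return True
        return False

    @staticmethod
    def new_challenge(digits: int = 8) -> str:
        return str(secrets.randbelow(10 ** digits)).zfill(digits)

    def verify_challenge(self, challenge: str, response: str, now: Optional[int] = None) -> bool:
        return hmac.compare_digest(self.app.challenge_response(challenge, now), response)

    def verify_signature(self, signature: str, *tx_fields: str) -> bool:
        return hmac.compare_digest(self.app.signature(*tx_fields), signature)
```

The point to take from the example is that the mode changes only what is mixed in with the secret: a time step, an event counter, a challenge, or the transaction fields. Because the signature is computed over the fields the user entered, altering any one of them on the server side (for example the amount) invalidates it, which is what makes the signature a confirmation of those details rather than just proof of possession.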
Hardware authenticators
A hardware authenticator is a device specifically designed to create OTP values and electronic signatures. Each hardware authenticator can be used for the following authenticator application types:
Response-only
Challenge/response
Signature
Hardware authenticator types
E-signature authenticators
Authenticator devices of this type are typically capable of supporting more than one authenticator application. Some of these authenticators can be programmed so that a PIN must be typed before they generate a one-time password (OTP) or an electronic signature.
Examples: Digipass 760, Digipass 785
Single-button authenticators
This is the simplest authenticator type. An authenticator without a keypad has a triggering mechanism, typically an action such as pressing a button. That action triggers the generation of a one-time password (OTP). Single-button authenticators have only one authenticator application, which is always Response-only; because there is no keypad, they cannot take a PIN or a challenge, so the OTP proves possession of the device only.
Example: Digipass GO 7
DIGIPASS smart card readers
DIGIPASS smart card readers provide two-factor authentication based on smart card technology in a similar way to other hardware authenticator devices. The smart card itself provides the secret used to generate a one-time password (OTP) and electronic signature.
Example: Digipass 870
Software authenticators
Software authenticators are software versions of authenticators that provide authentication and signature functions for mobile devices and web browsers. They generate a one-time password (OTP) or electronic signature in the same way as hardware authenticators (see Hardware authenticators).
A software authenticator may be installed as an authenticator application on an existing non-OneSpan platform (such as a computer, smartphone, or other mobile device). This effectively makes the device emulate a hardware authenticator. The user then accesses the installed authenticator application to obtain a one-time password or electronic signature.
To be ready for use, a software authenticator requires:
Software installed on the client device
A unique activation code
After installation on a host device, a software authenticator must be activated with an activation code. Once activated, the device can be used to generate OTP values and electronic signatures. Software delivery and activation of the software authenticator are done during the provisioning process (see Software authenticator provisioning).
A software authenticator typically supports the following authenticator application types:
Response-only
Challenge/response
Signature
Software authenticator types
The following software authenticator types are supported by the Provisioning function in OneSpan Authentication Server:
Mobile Authenticator Studio
Mobile Authenticator Studio is a customizable mobile app facilitating two-factor authentication as well as e-signature generation to address the security risks of mobile and online applications. It is available for Android and iOS mobile devices.
OneSpan Mobile Authenticator
OneSpan Mobile Authenticator is a two-factor authenticator for one-time password (OTP) generation. The OTP displayed by the OneSpan Mobile Authenticator app can be used as a backup authentication mode when push notification–based authentication does not succeed. The app is activated with a color QR code and can be protected either with fingerprint recognition or with a PIN code, depending on the available mobile device functionalities. It can contain multiple authenticator instances and can be installed on several mobile devices, allowing the use of multiple devices for the logon process. For more detailed information, refer to the OneSpan Mobile Authenticator Getting Started Guide.
The OneSpan Mobile Authenticator app is used for push notification–based authentication (see Push notifications via the OneSpan Mobile Authenticator app and Push notification–based authentication). For detailed information about the push notification solution, required components, and its setup with OneSpan Authentication Server, refer to the Push Notification Solution Guide.
OneSpan Mobile Security Suite
OneSpan Mobile Security Suite is a software development kit (SDK) to natively integrate application security, two-factor authentication, and electronic signatures into mobile applications developed by OneSpan customers. It consists of a library of dedicated APIs to strengthen mobile application security and facilitate mobile transactions across multiple user devices. Mobile Security Suite supports Android, iOS, and Windows Phone. For more detailed information, refer to the OneSpan Mobile Security Suite documentation suite.
Hybrid authenticators: Digipass 760
Digipass 760 is a hybrid device, composed of a hardware and a software component.
Virtual Mobile Authenticator
Virtual Mobile Authenticator can be used instead of a primary hardware authenticator, or as a backup mechanism when users lose their hardware authenticators. Because the OTP is generated by the server and sent over the delivery channel rather than derived from a secret held by the user, its security rests on the user's control of the phone number or mailbox the OTP is sent to.
Using Virtual Mobile Authenticator means that a user may receive a one-time password (OTP) via:
Email
SMS (over a mobile phone)
Voice message (over a landline or mobile phone)
There are two forms of Virtual Mobile Authenticator:
Primary Virtual Mobile Authenticator. Treated by OneSpan Authentication Server almost identically to hardware and software authenticators. A record of each primary Virtual Mobile Authenticator must be imported into the data store, and may then be assigned to a user automatically or manually. Users will typically log on with their user ID and static password, have an OTP sent to their phone or email account, and then enter the received OTP in the second stage of their logon process.
Backup Virtual Mobile Authenticator. This feature allows users to request an OTP sent to their phone or email account if they do not have their usual authenticator at hand. It may be limited by number of uses or by days of use; e.g. users may be limited to 2 days' usage, after which they will again need to use their primary authenticator to log on.
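The following is an added example of the server-side flow described for both forms of Virtual Mobile Authenticator; it is not OneSpan Authentication Server code. The server generates the OTP, hands it to an out-of-band channel (injected as a callable here so the example runs offline), stores only a keyed hash of it, and accepts it once before it expires. For the backup form it enforces a hypothetical limit on uses and on days; the limit values, the OTP lifetime and the class and method names are our own assumptions, not product defaults.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict

# Added illustration only: a minimal server-side Virtual Mobile Authenticator.
# The server generates the OTP, hands it to an out-of-band channel (injected as a
# callable so this runs offline), stores only a keyed hash, and accepts it once
# before it expires. Limits for the backup form are hypothetical, not OneSpan defaults.


@dataclass
class PendingOtp:
    digest: bytes
    expires_at: int


@dataclass
class BackupGrant:
    granted_at: int
    max_uses: int
    max_days: int
    uses: int = 0


class VirtualMobileAuthenticator:
    def __init__(self, deliver: Callable[[str, str, str], None],
                 otp_ttl: int = 300, digits: int = 6) -> None:
        self.deliver = deliver  # deliver(channel, address, otp): SMS, e-mail or voice gateway
        self.otp_ttl = otp_ttl
        self.digits = digits
        self.pepper = secrets.token_bytes(32)  # keyed hash: a dumped table does not leak live OTPs
        self.pending: Dict[str, PendingOtp] = {}
        self.backup: Dict[str, BackupGrant] = {}

    def _digest(self, user_id: str, otp: str) -> bytes:
        return hmac.new(self.pepper, f"{user_id}:{otp}".encode(), hashlib.sha256).digest()

    def send_otp(self, user_id: str, channel: str, address: str, now: int) -> None:
        """Primary form: server-generated OTP, delivered out of band, never returned to the caller."""
        otp = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        self.pending[user_id] = PendingOtp(self._digest(user_id, otp), now + self.otp_ttl)
        self.deliver(channel, address, otp)

    def verify_otp(self, user_id: str, otp: str, now: int) -> bool:
        # Remove the pending OTP on any attempt: one delivery allows one guess, and
        # a correct value can never be replayed.
        p = self.pending.pop(user_id, None)
        if p is None or now > p.expires_at:
            return False
        return hmac.compare_digest(p.digest, self._digest(user_id, otp))

    def grant_backup(self, user_id: str, now: int, max_uses: int = 3, max_days: int = 2) -> None:
        """Backup form: a use- and day-limited grant for a user whose usual authenticator is missing."""
        self.backup[user_id] = BackupGrant(now, max_uses, max_days)

    def request_backup_otp(self, user_id: str, channel: str, address: str, now: int) -> bool:
        g = self.backup.get(user_id)
        if g is None or g.uses >= g.max_uses or now > g.granted_at + g.max_days * 86400:
            return False  # grant exhausted or expired: back to the primary authenticator
        g.uses += 1
        self.send_otp(user_id, channel, address, now)
        return True
```

Two design points are worth noting. The OTP value itself never comes back from send_otp: the only copy outside the delivery channel is the keyed hash, so the database alone cannot be used to log in. And a failed verification also consumes the pending OTP, which bounds online guessing to one attempt per delivery at the cost of the user requesting a fresh code after a typo.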