Welcome to OneSpan Authentication Server Appliance 3.27!
This is a service release of OneSpan Authentication Server Appliance, which contains numerous enhancements and other product updates. For more information about new features and fixed defects, refer to the respective chapters in this document.
This article covers the following topics:
New features and enhancements
Fixes and other updates
Deprecated components and features
Known issues
For more information about configuring and using OneSpan Authentication Server Appliance, refer to the respective documentation.
Release information
Software versions
This release of OneSpan Authentication Server Appliance includes the following:
OneSpan Authentication Server 3.27.2
Web Administration Service 3.27.2
OneSpan authentication platform
OneSpan Authentication Server 3.27 integrates and uses Authentication Suite Server SDK 4.0.1 (formerly OneSpan Authentication Server Framework).
This version is a major upgrade and introduces breaking changes. Once BLOB data is processed by this version, it cannot be processed by any earlier version anymore.
Other new third-party products
Software libraries
The software library lists are not exhaustive, but include the most notable and critical updates only. For a complete overview, refer to the third-party dependency files included with the installed product.
OneSpan Authentication Server Appliance now includes the following (updated) third-party libraries:
Apache Tomcat 10.1.40
Fixes: CVE-2025-24813
curl 8.11
Fixes: CVE-2024-6197
Expat XML Parser 2.6.4
Fixes: CVE-2024-50602, CVE-2024-45492, CVE-2024-45491, CVE-2024-45490
glib 2.83.2
Fixes: CVE-2024-52533
HarfBuzz 10.1
Fixes: CVE-2024-56732
libuv 1.49.2
Fixes: CVE-2024-24806
OpenSSL 3.0.15
Fixes: CVE-2024-6119, CVE-2024-5535, CVE-2023-5363
Python cryptography 44.0
Fixes: CVE-2024-26130, CVE-2023-49083
Wget 1.25
Fixes: CVE-2024-38428
New features and enhancements
New authentication and signature validation based on Cronto images
OneSpan Authentication Server supports new methods for authentication and signature validation based on Cronto images:
Scan and login is an authentication method where users are presented a Cronto image, scan that image and complete authentication on their mobile device.
Scan and sign is a signature validation method where users are presented a Cronto image, scan that image and complete signature validation on their mobile device.
Both methods require Mobile Authenticator Studio 5.
Bulk cleanup of unused authenticators and authenticator instances (Web Administration Service)
The Administration Web Interface now provides a new Bulk Cleanup DIGIPASS wizard to delete authenticators and/or authenticator instances based on a cleanup strategy. This allows you to clean up and purge unused authenticator data regularly in bulk to maintain clarity and avoid performance degradation issues.
Currently supported cleanup strategies are to delete (a) all authenticator instances with reused PNID or (b) all authenticators and authenticator instances that were not used at least once for a specified number of days.
The command schedules a server task that processes the authenticators and authenticator instances in a specified search range. Administrators need the new Bulk Cleanup DIGIPASS Data privilege to use the new command.
Improved Message-Authenticator attribute handling (CVE-2024-3596)
The Message-Authenticator RADIUS attribute (according to RFC 2869) is used to sign access requests to prevent request spoofing. OneSpan Authentication Server now always includes Message-Authenticator attributes in all outgoing Access response packets.
Additionally, you can configure OneSpan Authentication Server to always strictly validate Message-Authenticator attributes of incoming packets received from client components and RADIUS back-end servers.
This attribute validation is enabled by default and helps to mitigate a forgery vulnerability in the RADIUS protocol commonly referred to as Blast-RADIUS (see www.blastradius.fail).
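As an added illustration (not part of these release notes or of OneSpan's code), the following Python builds a RADIUS Access-Accept that always carries an RFC 2869 Message-Authenticator and performs the strict client-side validation described above; the shared secret, Request Authenticator and attribute contents are constructed sample values.

```python
import hashlib
import hmac
import struct

MESSAGE_AUTHENTICATOR = 80          # RFC 2869 attribute type
REPLY_MESSAGE = 18                  # RFC 2865 attribute type
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER = struct.Struct("!BBH16s")   # code, identifier, length, authenticator


def parse_attributes(payload):
    """Split the attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[pos], payload[pos + 1]
        if alen < 2 or pos + alen > len(payload):
            raise ValueError("malformed attribute length")
        attrs.append((atype, payload[pos + 2:pos + alen]))
        pos += alen
    return attrs


def encode_attributes(attrs):
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def message_authenticator(secret, code, identifier, request_auth, attrs):
    """HMAC-MD5 over the whole packet with the Message-Authenticator value zeroed.
    For responses the Authenticator field used here is the Request Authenticator
    of the Access-Request being answered (RFC 2869, section 5.14)."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attributes(zeroed)
    packet = HEADER.pack(code, identifier, HEADER.size + len(body), request_auth) + body
    return hmac.new(secret, packet, hashlib.md5).digest()


def build_response(secret, code, request_auth, identifier, attrs, include_mac=True):
    """Server side: build a response, optionally (legacy behaviour) without a MAC."""
    attrs = [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR]
    if include_mac:
        attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
        mac = message_authenticator(secret, code, identifier, request_auth, attrs)
        attrs[-1] = (MESSAGE_AUTHENTICATOR, mac)
    body = encode_attributes(attrs)
    length = HEADER.size + len(body)
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865
    resp_auth = hashlib.md5(HEADER.pack(code, identifier, length, request_auth) + body + secret).digest()
    return HEADER.pack(code, identifier, length, resp_auth) + body


def verify_response(secret, request_auth, packet, strict=True):
    """Client side: check the Response Authenticator, then (strict mode) require a
    single well-formed Message-Authenticator and verify it. Returns True if accepted."""
    if len(packet) < HEADER.size:
        return False
    code, identifier, length, resp_auth = HEADER.unpack_from(packet)
    if length != len(packet):
        return False
    body = packet[HEADER.size:]
    expected = hashlib.md5(HEADER.pack(code, identifier, length, request_auth) + body + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False
    try:
        attrs = parse_attributes(body)
    except ValueError:
        return False
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not macs:
        return not strict          # legacy packets pass only when strict mode is off
    if len(macs) != 1 or len(macs[0]) != 16:
        return False
    expected_mac = message_authenticator(secret, code, identifier, request_auth, attrs)
    return hmac.compare_digest(expected_mac, macs[0])
```

A response built without the attribute is rejected in strict mode and accepted only when strict validation is disabled, which is why the default described above matters.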
Limit concurrent administrative sessions per user
You can now limit the maximum number of interactive administrative sessions allowed to run at one time per user. This option supplements the existing global limit of concurrent interactive sessions. The limit applies to all interactive administrative sessions, e.g. the Administration Web Interface and the Tcl Command-Line Administration tool; it does not apply to non-interactive service user sessions.
Furthermore, you can also specify what should happen when a new session is initiated but the number of concurrent sessions of a user exceeds the limit (either invalidate the oldest session or deny the logon).
By default, the session limit per user is disabled.
AES encryption of sensitive configuration data (Web Administration Service)
Sensitive configuration data used by the Administration Web Interface, such as the Java keystore password, is encrypted.
To improve security, the encryption algorithm has been changed: sensitive configuration data is now encrypted using AES-256 by default. If you upgrade an existing deployment, the sensitive configuration values, such as the Java keystore password, stored with the old encryption are retained and can still be read. If you change the values after the upgrade, the new values will automatically be encrypted using AES-256.
Last authentication time shown (Web Administration Service)
The date and time when an authenticator was used the last time for a successful authentication is now displayed in the relevant pages of the Administration Web Interface. Note that it is only set and updated if the authenticator is assigned and used by the respective user.
Fixes and other updates
Issue OAS-27484 (Support case CS0184109): Assign DIGIPASS wizard shows authenticators that are already assigned (Web Administration Service)
Description: When you want to assign an authenticator to a user via the Assign DIGIPASS wizard and select the Search now to select DIGIPASS to assign option, the Select DIGIPASS page also incorrectly shows authenticators that are already assigned to a user. If you select such an authenticator, you get an error message when you attempt to complete the wizard.
Affects: OneSpan Authentication Server Appliance 3.26
Status: This issue has been fixed.
Issue OAS-25550: Signature request encoding failure with special characters
Description: An encoding issue with special characters, such as Eastern European characters, used in the message title and data fields was detected, caused by the policy's font table index being ignored. When the client attempts to decrypt the request it fails with an error.
Affects: OneSpan Authentication Server Appliance 3.22–3.26
Status: This issue has been fixed.
Issue OAS-25359: Windows group check list size limit too small
Description: If you enable Windows group check, you need to specify a list of the Windows groups to be considered in the policy. This list has a size limit of 1024 characters, which can be too small if you have a lot of Windows groups defined.
Affects: OneSpan Authentication Server Appliance 3.22–3.26
Status: The size of the Windows group list has been increased to 4000 characters.
Issue OAS-25060: Restricting allowed authenticators via policy does not work correctly
Description: Some potential issues related to restricting authenticators via policy were detected:
The verification against the list of applicable authenticator applications was inaccurate in the sense that authenticator application names could incorrectly be accepted if they evaluate to partial names allowed by the policy. For instance, if the policy allowed VOTP64, an authenticator application named OTP6 would incorrectly be accepted.
This issue applies to restrictions on authenticator application names and on authenticator types.
The tracing message when a policy disallows an authenticator application based on the application name was incorrect.
If a response was verified to synchronize the offline authentication data state, the restriction by the policy was not correctly evaluated.
Affects: OneSpan Authentication Server Appliance 3.22–3.26
Status: This issue has been fixed.
Issue OAS-24864 (Support case CS0170831): High memory usage when running Tcl scripts
Description: When running Tcl scripts with the Tcl Command-Line Administration Tool (dpadmincmd), memory usage grows excessively. Depending on the Tcl script, this can lead to an application crash in the worst case. Affected commands include digipass query, digipass get_info, and sub-commands of user, policy, and component.
Affects: OneSpan Authentication Server Appliance 3.22–3.26
Status: This issue has been fixed.
Issues OAS-24701, OAS-12229 (Support cases CS0130603, CS0085259): Cannot import PNID or direct assignment flag values via DIGIPASS import file
Description: When you import MDL authenticator instances from a DIGIPASS import file (*.csv), you cannot specify Push Notification Identifier (PNID) values.
Furthermore, the DirectAssignOnly column is not correctly evaluated and incorrectly set in the database. The respective authenticators cannot be used for auto-assignment, and future data migration from that server instance via DMT can fail.
Affects: OneSpan Authentication Server Appliance 3.22–3.26
Status: This issue has been fixed. You can now specify PNID values when you import from a DIGIPASS import file (via DevicePNId). The DirectAssignOnly column is handled correctly.
Issue OAS-24613: Recent activity does not show authenticator instance deletion (Web Administration Service)
Description: When you delete an authenticator license or authenticator instance, the operation is not shown in the recent activity of the user to whom the authenticator is assigned (User Dashboard).
Affects: OneSpan Authentication Server Appliance 3.22–3.26
Status: This issue has been fixed.
Issue OAS-24587: Login page SSRF vulnerability (Web Administration Service)
Description: Recently, a server-side request forgery (SSRF) vulnerability has been identified in the login page of the Administration Web Interface, which allows login requests to be redirected to a malicious SOAP server that returns forged responses.
Although this vulnerability does not allow an attacker to bypass authentication or to gain access to a OneSpan Authentication Server instance, it may facilitate other attacks such as cross-site scripting (XSS) or other injection exploits.
Affects: OneSpan Authentication Server Appliance 3.22–3.26
Status: This issue has been fixed.
Issue OAS-24430: Invalid DIGIPASS import file creates incorrect entries in database
Description: When you import MDL authenticator licenses from a DIGIPASS import file (*.csv) that contains specific invalid message vector data, the import process may complete but create invalid authenticator parameters in the database (vdsDPSoftParams). As a result, the authenticator license cannot be used to activate authenticator instances afterward.
Affects: OneSpan Authentication Server Appliance 3.22–3.26
Status: This issue has been fixed. The data and parameter verification has been improved to prevent invalid authenticator license records.
Issue OAS-23693: Inefficient client connection closing
Description: If a SOAP client component requests to gracefully close an active connection by sending a TCP FIN packet, OneSpan Authentication Server unnecessarily initiates a thread (which effectively doesn't do anything), before actually closing the connection.
Affects: OneSpan Authentication Server Appliance 3.22–3.26
Status: The respective SOAP connection handling was improved.
Issue OAS-19803: Email address and phone number validation
Description: Under some circumstances, sending messages to an invalid (ill-formed) email address or phone number can cause problems with the Message Delivery Component (MDC) service, for example, temporarily unavailable or bad nodes.
Affects: OneSpan Authentication Server Appliance 3.22–3.26
Status: To prevent such issues, OneSpan Authentication Server and Web Administration Service now strictly validate and accept the following whenever you create or update user accounts:
Email addresses are only accepted if they are well-formed. Special characters are not allowed.
Phone numbers are only accepted if they comply with ITU-T E.164.
Note that existing user info fields are kept as is and are only revalidated when you attempt to update them.
Issue OAS-17191 (Support case CS0120170): Missing error/status codes (Documentation)
Description: The status code reference does not include entries for 1091 and 1092.
Status: The documentation has been updated. The missing status codes for STAT_MDC_DELIVERY_FAILED (1091) and STAT_ONE_OR_MORE_DELIVERY_METHODS_HAVE_FAILED (1092) were added. The descriptions of STAT_INVCONFIG (–30) and STAT_NOTAVAIL (–400) were extended to clarify the messages in more detail.
Issue OAS-9396 (Support case CS0064817): Incorrect authenticator instance number audited
Description: When using multi-device licensing (MDL) authenticators for signature validation and multiple MDL instances exist, in some circumstances, an incorrect authenticator instance number is written to the audit.
Affects: OneSpan Authentication Server Appliance 3.22–3.26
Status: This issue has been fixed. For authentication and signature validation using secure channel, the authentication application handling when preparing the respective requests was improved. The data written to the audit log has been unified:
If a single authenticator instance exists, the instance number is written to the audit.
If multiple authenticator instances exist, the license number is written to the audit.
If multiple authenticator licenses exist and either scan and login or scan and sign is used, a comma-separated list of licenses or instance numbers is written to the audit.
Issue OAS-6088 (Support case CS0043684): Error message when importing users with maker–checker authorization
Description: You cannot import user records from a user import file if maker–checker authorization is enabled for practical reasons (because each imported user would need to be verified by a checker administrator). This is clearly described in the user documentation, but administrators can effectively attempt to import a user import file nonetheless and receive an error message.
Affects: OneSpan Authentication Server Appliance 3.22–3.26
Status: This issue has been fixed. You can no longer select USERS > Import if maker–checker authorization (for creating new user accounts) is enabled.
Issue OAS-3456 (Support case CS0020470): Offline activation decodes ineligible authenticators during auto-assignment
Description: When a user performs an authenticator activation and auto-assignment is activated, OneSpan Authentication Server randomly selects an available authenticator to prevent collisions during parallel assignment of authenticators.
During this process, it decodes the authenticator data to find an authenticator that can be assigned. In case of offline activation, OneSpan Authentication Server unnecessarily processes authenticators that are not applicable for offline activation at all, such as hardware authenticators.
In environments where a lot of hardware authenticators exist in the database, the hardware authenticators are processed before applicable authenticators (MDL) are. This can lead to high server load and higher response times in general.
Status: This issue has been fixed.
Issue RM100901: New error when system user stops working
Description: In some rare circumstances, the OneSpan Authentication Server Appliance system administrator account (_system) stops working.
Status: The OneSpan Authentication Server Appliance Configuration Tool now displays a respective error message if it detects issues with the system administrator account. If you receive this error message, contact OneSpan support.
Issue RM100193: New warning when configured disk is too small
Description: When you set up a new virtual machine and the capacity of the virtual disk is smaller than the recommended minimum size, the setup may be insufficient for a OneSpan Authentication Server Appliance deployment and yield issues if run in a production environment.
Status: The OneSpan Authentication Server Appliance Setup Wizard now displays a warning if the disk capacity is smaller than the recommended minimum size.
Issue RT157680: ICMP requests retrieve exact system time
Description: OneSpan Authentication Server Appliance responds to ICMP timestamp requests by returning the number of milliseconds since midnight. Although this is not a security risk per se, it can be used by malicious attackers to open other attack vectors to defeat time-based authentication schemes.
Status: OneSpan Authentication Server Appliance no longer responds to ICMP timestamp requests.
Support case CS0184234: Default audit data
Description: In some circumstances, having a lot of audit data can lead to heavy system load and decrease performance tremendously.
Status: This issue has been fixed. Only the last hour of audit data is shown by default.
Support case CS0175539: CHANGE POLICY button does not work
Description: The CHANGE POLICY button on the Overview page does not work.
Status: This issue has been fixed.
Deprecated components and features
EMV-CAP support (Disabled)
EMV-CAP is no longer supported, and its functionality has been removed. If you attempt to use EMV-CAP smart card readers or other EMV-CAP functionality, you will receive an EMV not supported error.
Any remaining references to EMV-CAP in the code base, UI, and documentation will be removed in a future release of OneSpan Authentication Server Appliance (currently planned for 3.28).
RADIUS protocol support
The RADIUS protocol support has been consolidated. The following RADIUS protocols are no longer supported:
EAP-TTLSv0/CHAP
EAP-TTLSv0/MSCHAP
EAP-TTLSv0/MSCHAP2
EAP-TTLSv0/EAP-MSCHAP2
EAP-TTLSv0/EAP-GTC
PEAPv0/EAP-MSCHAP2
PEAPv1/EAP-MSCHAP2
Furthermore, the custom VASCO-Specific protocol has been removed from the RADIUS policy settings.
PDF documentation (Deprecated)
You can view the user documentation of most OneSpan products online already at https://docs.onespan.com/, and we plan to shift exclusively to online documentation.
This means that PDF documentation will be completely removed in future major releases of OneSpan Authentication Server Appliance (currently planned for 3.28).
Supported platforms, data management systems, and other third-party products
LDAP servers
NetIQ eDirectory 8
NetIQ eDirectory is no longer officially supported, but its functionality has not been removed yet. Any remaining references and features in the code base, UI, and documentation will be removed in a future release of OneSpan Authentication Server Appliance (currently planned for 3.28).
Known issues
Issue OAS-9159 (Support case CS0057804): Usability issues when two reports are started at the same time (Reporting)
Description: When two reports are started at the same time, e.g. with two different browsers, a (nonfunctional) download link for the second report will be available before the report task has even started. The corresponding report results cannot be accessed.
Affects: OneSpan Authentication Server Appliance 3.19 and later
Status: No fix available. To avoid this issue, do not run multiple reports at the same time.
Issue OAS-5605 (Support cases CS0039109, CS0046614): Issues with Chinese characters in XML and PDF reports (Web Administration Service)
Description: Chinese characters are not correctly displayed in XML and PDF reports.
Affects: OneSpan Authentication Server Appliance 3.12 and later
Status: This issue has been fixed for XML reports in OneSpan Authentication Server Appliance 3.21. The issue can still occur in PDF reports in case they contain characters that are not defined in the used PDF font. Workaround for PDF reports: Generate an HTML report and print it to PDF.
Issue OAS-4163 (Support case CS0030058): Cannot assign multiple authenticators to a single user in one step (Web Administration Service)
Description: The Assign DIGIPASS wizard allows you to assign authenticators to users. Although you can select multiple authenticators and multiple users, you can only assign exactly one authenticator to one user at a time. For instance, if you select two authenticators in the wizard, you need to specify two different user accounts, one user for each authenticator.
Affects: OneSpan Authentication Server Appliance 3.21 and later
Status: No fix available. To assign additional authenticators to a user, you need to run the Assign DIGIPASS wizard again.
Issue OAS-3761 (Support case CS0024326): Inaccessible authenticators proposed for manual assignment (Web Administration Service)
Description: The Assign DIGIPASS wizard allows you to explicitly select the authenticators to assign to multiple users (by selecting Search now to select DIGIPASS to assign in the Search DIGIPASS page). However, the Select DIGIPASS page may also show authenticators that are actually inaccessible to assign to the respective users, because they are in another domain than the users. If you select such an authenticator and continue, you will receive a "Failed to find available token for assignment." error.
This issue does not occur if you only select one user to assign an authenticator. In this case, the Select DIGIPASS page correctly shows only authenticators in the same domain as the user account.
Affects: OneSpan Authentication Server Appliance 3.21 and later
Status: No fix available. Make sure to select only authenticators that are in the same domain as the users to whom you want to assign an authenticator.
Issue 58722: Mobile Authenticator Studio timeshift no longer supported
Description: When the Timeshift feature of Mobile Authenticator Studio is used, it causes the offline data to become invalid. The option to set a timeshift for Mobile Authenticator Studio authenticators is no longer supported. This feature is outdated and has become obsolete because mobile devices are now correctly synchronized with OneSpan Authentication Server Appliance at shorter intervals.
Affects: OneSpan Authentication Server Appliance 3.6 and later
Status: Do not use the Mobile Authenticator Studio Timeshift feature, to prevent the offline data from becoming invalid.
Issue 48452 (Support case PS-144964): Multiple authentication and accounting ports on OneSpan Authentication Server Appliance (RADIUS communicator)
Description: OneSpan Authentication Server Appliance allows for the configuration of two RADIUS authentication ports and two RADIUS accounting ports. By default, one authentication and one accounting port are specified. If you want to edit the second ports, contact support.
Affects: OneSpan Authentication Server Appliance 3.5 and later
Status: If you need to use a second authentication and/or a second accounting port for the RADIUS Communicator, contact support.
Issue 46294 (Support case PS-141029): SafeNet HSM mode setup causes installation failure (OneSpan Authentication Server Setup)
Description: Deployments of OneSpan Authentication Server Appliance with Thales ProtectServer HSM only support HSMs that run in Normal mode. If the HSM is run in High Availability or Workload Distribution mode, the installation of OneSpan Authentication Server Appliance fails.
Affects: OneSpan Authentication Server Appliance 3.6 and later
Status: The Thales ProtectServer HSM must be run in Normal mode, i.e. ET_PTKC_GENERAL_LIBRARY_MODE must be set to NORMAL.
Issue 41616: Self-signed certificates created by Microsoft Internet Information Services (IIS) cannot be used (Message Delivery Component (MDC))
Description: When trying to configure email delivery with SSL/TLS using a self-signed certificate created using Microsoft Internet Information Services (IIS) and converted to PEM format using OpenSSL, MDC cannot recognize a valid self-signed certificate and displays an error message. This is caused by the OpenSSL library. In some circumstances, the OpenSSL application itself may display an "Unable to get local issuer certificate (20)" error message.
Affects: All platforms.
Status: No fix available. This is a compatibility issue between OpenSSL and Microsoft IIS. Do not use self-signed certificates generated using Microsoft IIS.
Issue 136844: Audit Viewer is slow
Description: On systems that have a very high log production, you may experience problems when browsing logs with the built-in Audit Viewer. The reason is that OneSpan Authentication Server Appliance queries logs per day, and if there is a great amount of data, this can take longer than the 30-second web browser timeout.
Affects: OneSpan Authentication Server Appliance environments that produce a lot of data per day.
Status: No fix available.