Welcome to OneSpan Authentication Server Appliance 3.28!
This is a service release of OneSpan Authentication Server Appliance, which contains numerous enhancements and other product updates. For more information about new features and fixed defects, refer to the respective chapters in this document.
This article covers the following topics:
New features and enhancements
Fixes and other updates
Deprecated components and features
Known issues
For more information about configuring and using OneSpan Authentication Server Appliance, refer to the respective documentation.
Release information
Software versions
This release of OneSpan Authentication Server Appliance includes the following:
OneSpan Authentication Server 3.28.1
Web Administration Service 3.28.1
OneSpan authentication platform
OneSpan Authentication Server 3.28 integrates and uses Authentication Suite Server SDK 4.0.1.1 (formerly OneSpan Authentication Server Framework).
This version is a major upgrade and introduces breaking changes. Once BLOB data is processed by this version, it cannot be processed by any earlier version anymore.
Other new third-party products
Software libraries
The software library lists are not exhaustive, but include the most notable and critical updates only. For a complete overview, refer to the third-party dependency files included with the installed product.
OneSpan Authentication Server Appliance now includes the following (updated) third-party libraries:
OpenSSH 9.9p2
Fixes: CVE-2025-26466, CVE-2024-6387
OpenSSL 3.0.18
Fixes: CVE-2025-9232, CVE-2025-9231, CVE-2025-9230, CVE-2024-13176
New features and enhancements
Security enhancement: 256-bit cryptographic keys
OneSpan Authentication Server now fully supports and uses 256-bit keys for storage data keys to encrypt sensitive data at rest. The Administration Web Interface now allows you to create and manage 256-bit keys.
Single sign-on via OpenID Connect option (Web Administration Service)
You can now set up the Administration Web Interface to integrate with an OpenID Connect (OIDC) provider, such as Microsoft Entra ID, to use that as an external authentication method for single sign-on (SSO). This allows administrative users to authenticate and sign in to the Administration Web Interface via OIDC.
Reporting improvements
The reporting system has been enhanced in several ways:
You can now natively create CSV reports for list analysis reports using a new built-in CSV report format. This new format is especially useful if you need to create very large reports (1 GB or bigger). If you want to create CSV data for other report types or a different set of data, you can still create a custom report template and use XSLT transformation.
You can now create any report in the background regardless of the report format (previously only PDF).
You can now download any report after it has been created regardless of the report format (previously only PDF).
Report files now use correct file extensions depending on the report format used.
Report files now use more meaningful file names, including a timestamp and a random suffix.
To prevent large report files from freezing the browser tab, the Administration Web Interface now allows you to open report files only if they do not exceed a certain size limit. This size limit can be configured via the web application configuration file.
The download of report files has been improved to greatly minimize the memory overhead by streaming the report data.
Breaking change
These improvements require that you now have the View Task and the View Report File privileges (in addition to the Run Report privilege) to run a report immediately or with default values.
System dashboard improvements (Administration Web Interface)
The system dashboard of the Administration Web Interface has been enhanced:
It now includes a Transaction Count section that shows metrics for the number of transactions (including their completion status) grouped by transaction type. You can select the range to view, for example, to show only transactions from the last 24 hours.
You can now expand and collapse each section of the system dashboard. The view state, including the time range selected for the transaction count, is stored in the browser’s local storage.
The data of each section is now cached. Each section can be individually refreshed on demand without blocking the system dashboard.
The system dashboard is an experimental feature and subject to change; it may be substantially extended and enhanced in upcoming releases.
New cleanup strategy to remove unused authenticator data (CS0170834, CS0087183)
A new cleanup strategy for the Bulk Cleanup DIGIPASS wizard has been added. The new Instances without PNID strategy deletes all authenticator instances that have no DIGIPASS Push Notification Identifier (PNID) assigned and were never used (last authentication time is not set). The PNID is implicitly set when an authenticator instance is bound to a mobile app. The last authentication time is initially set when the authenticator instance is effectively activated.
Test bulk cleanup of unused authenticator data (Web Administration Service)
The Bulk Cleanup DIGIPASS wizard now allows you to perform a test run. If selected, the command is executed but only searches for authenticators and authenticator instances that match the strategy, without deleting any data.
An overview of the items that would be deleted is stored in the status information of the respective server task when completed. The server task also generates a CSV report to provide a complete and detailed summary of the items that would be deleted. That report can be downloaded via the Task Management page.
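The following is an added example (not OneSpan code) that models the Instances without PNID strategy together with the test-run behaviour described above: only instances with no PNID and no last authentication time are candidates, and a test run reports them as CSV without deleting anything. The record layout, the sample data and the function names are assumptions chosen for illustration.

```python
"""Model of the 'Instances without PNID' bulk cleanup strategy with a test run.

Added example, not OneSpan code. The record layout (dicts with 'serial',
'instance', 'pnid', 'last_auth_time') and the function names are assumptions;
the selection rule follows the release notes: an instance is a candidate only
if it has no PNID (never bound to a mobile app) and was never used (no last
authentication time, i.e. never effectively activated).
"""
import csv
import io
from datetime import datetime

# Constructed sample data (not taken from any real system).
SAMPLE_INSTANCES = [
    {"serial": "VDS1000001", "instance": 1, "pnid": None, "last_auth_time": None},
    {"serial": "VDS1000002", "instance": 1, "pnid": "pnid-abc", "last_auth_time": None},
    {"serial": "VDS1000003", "instance": 1, "pnid": None,
     "last_auth_time": datetime(2025, 1, 15, 9, 30)},
    {"serial": "VDS1000004", "instance": 2, "pnid": None, "last_auth_time": None},
]


def without_pnid_candidates(instances):
    """Return the instances the strategy would delete: no PNID and never used."""
    return [i for i in instances
            if i["pnid"] is None and i["last_auth_time"] is None]


def run_bulk_cleanup(instances, test_run=True):
    """Run the strategy.

    With test_run=True nothing is deleted: the returned status only counts the
    matches, and the CSV summary lists what would have been removed. With
    test_run=False the candidates are removed from the returned list.
    Returns (status, csv_report, remaining_instances).
    """
    candidates = without_pnid_candidates(instances)

    # CSV summary of the matched items, as the server task would attach to
    # its status information for download.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["serial", "instance"])
    writer.writeheader()
    for c in candidates:
        writer.writerow({"serial": c["serial"], "instance": c["instance"]})

    if test_run:
        remaining = list(instances)
    else:
        remaining = [i for i in instances if i not in candidates]

    status = {
        "test_run": test_run,
        "matched": len(candidates),
        "deleted": 0 if test_run else len(candidates),
    }
    return status, buf.getvalue(), remaining
```

Run the test mode first and review the CSV before repeating the task with test_run=False.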
New option to update authenticator instance start/expiration time based on authenticator license
In previous versions, the start time and the expiration time of an authenticator license was only propagated to the linked authenticator instance once, specifically when you created a new instance via provisioning (multi-device licensing). If you changed the start time or the expiration time of an authenticator license explicitly, existing authenticator instances were not affected. Hence, such authenticator instances would remain valid, even if the respective authenticator license’s expiration time was set to an earlier date and had already passed.
The new global Propagate expiration time setting allows you to configure this behavior in general and determine whether the start time and the expiration time of the linked authenticator instances should also be updated when you update the start time and/or the expiration time of an authenticator license in the authenticator properties or set them explicitly using Set Expiration.
Improved data entry for encryption key values (Web Administration Service)
The user interface to enter various encryption key values has been enhanced to improve usability. On the Upload File page of the Import DPX wizard, the transport key is now automatically formatted into groups of four characters to facilitate data entry. On the SERVERS > Create new key page, the Key Value field is also formatted into groups of four characters and restricted to the maximum key length permitted depending on the selected key usage. Furthermore, it provides an option to automatically generate a random key value of the maximum key length.
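As an added example (not OneSpan code), the helpers below show the two behaviours described above for key entry: generating a random key of the maximum length for a key usage from the OS CSPRNG, and normalising a key typed in groups of four hex characters while rejecting values that are not hex or exceed the maximum length. The usage-to-length table and the function names are assumptions; only the 256-bit storage data key size is stated in these notes.

```python
"""Key-value entry helpers: generate and validate hex key values.

Added example, not OneSpan code. MAX_KEY_BITS is an assumed table: the 256-bit
size for storage data keys comes from the release notes, the transport key
size is a placeholder. Function names are assumptions for illustration.
"""
import re
import secrets

MAX_KEY_BITS = {"storage": 256, "transport": 256}  # assumed per-usage maxima
HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")


def generate_key_hex(usage):
    """Return a random key of the maximum length for `usage` as uppercase hex.

    secrets.token_bytes draws from the OS CSPRNG; never use random.random()
    or a hand-typed value for key material.
    """
    nbytes = MAX_KEY_BITS[usage] // 8
    return secrets.token_bytes(nbytes).hex().upper()


def group_hex(hex_value, group=4):
    """Format a hex string in groups of four characters for display or entry."""
    return " ".join(hex_value[i:i + group]
                    for i in range(0, len(hex_value), group))


def parse_key_value(entered, usage):
    """Normalise a key typed with or without grouping and validate it.

    Whitespace and dashes between groups are stripped, the remainder must be
    hex with an even number of digits, and the key must not exceed the
    maximum length for `usage`. Returns the raw key bytes.
    """
    compact = re.sub(r"[\s-]", "", entered)
    if not compact or not HEX_RE.match(compact):
        raise ValueError("key value must contain only hexadecimal characters")
    if len(compact) % 2:
        raise ValueError("key value must have an even number of hex digits")
    max_bits = MAX_KEY_BITS[usage]
    if len(compact) * 4 > max_bits:
        raise ValueError(f"key exceeds the {max_bits}-bit maximum for {usage} keys")
    return bytes.fromhex(compact)
```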
New authenticator search options based on the last authentication time (Web Administration Service)
The Find/manage DIGIPASS page now allows you to refine search queries and filter the results based on the last authentication time. The new Last Authenticated options allow you to find all authenticators that were used after or before a specific time, respectively, or within a specific time range. You can also search for authenticators that were never used at all (and have no last authentication time set).
Number of used ODBC connectors now included in trace file (CS0179479)
To help investigate issues with stale database connections, the OneSpan Authentication Server trace file now includes the number of used connectors as well as the total number of connectors when it attempts to establish a new ODBC connection. The number of used connectors is given for the current node (for example, ODBC); the total is the number of available connectors.
If a connection cannot be established and the number of used connectors equals the total number of connectors, then all configured connectors are valid and currently in use. If a connection cannot be established but the number of used connectors is lower than the total, then some bad connectors exist that OneSpan Authentication Server cannot use.
Web Administration Service health check endpoint
If you deploy the Administration Web Interface via the provided setup package, the embedded Apache Tomcat web application server is now pre-configured to provide a health check endpoint:
https://was_host:was_port/health
This endpoint can also be used to respond to cloud orchestrator health checks.
Fixes and other updates
Issue OASL3S-2106 (Support case CS0188803): Administrative logon issue after upgrade
Description: In some environments, after an upgrade of an existing OneSpan Authentication Server Appliance deployment from version 3.26 to 3.27, LDAP authentication no longer works. Administrative logons are unsuccessful and are indicated by a "Standard Template Library exception has occurred. Access Violation" error message in the trace file.
Affects: OneSpan Authentication Server Appliance 3.27
Status: This issue has been fixed.
Issues OAS-30728, RT167138 (Support case CS0196691): Cross-site scripting (XSS) vulnerability
Description: Some fields of the Administration Web Interface can be misused to execute code by entering specially prepared data. This issue cannot be triggered by using a direct link.
Affects: OneSpan Authentication Server Appliance 3.27
Status: This issue has been fixed.
Issue OAS-30171 (Support case CS0197009): Service not responding to incoming SOAP requests after invalid TLS connection attempts
Description: When the OneSpan Authentication Server daemon receives a burst of invalid TLS connection attempts from a client on the SOAP port (8888 by default), the daemon becomes unresponsive on all other SOAP connections. The SOAP clients receive a connection reset by peer error.
Affects: OneSpan Authentication Server Appliance 3.27
Status: This issue has been fixed.
Issue OAS-30149: RADIUS protocol and fast reconnect issues
Description: Several issues with the support of some RADIUS protocols have been identified:
The MPPE send key length (MS-MPPE-Send-Key attribute) in response packets sent by OneSpan Authentication Server is incorrect.
The server terminates unexpectedly in some cases during the authenticator response generation.
The EAP message identifiers are set to random values instead of following the sequence requested by the RADIUS client.
RADIUS packets include unnecessary empty Reply-Message attributes.
Furthermore, several issues with RADIUS fast reconnect (fast re-authentication) have been identified:
The respective TLS sessions were incorrectly flagged as not resumable, effectively preventing RADIUS fast reconnect from working at all.
The server terminates unexpectedly in some cases during the TLS session resumption approval.
Changing the TLS session expiry policy parameters has no effect on the expiration of existing sessions.
The TLS session lifetime parameter value is always reduced by 60 seconds.
Affects: OneSpan Authentication Server Appliance 3.22–3.27
Status: The listed issues have been fixed. Additionally, the following improvements were implemented:
Additional TLS session ID logging during fast reconnect was added.
The thread safety of the TLS sessions cache was improved.
These fixes effectively enable RADIUS fast reconnect by default, which was not working before. Note that you cannot currently block fast reconnect for individual devices that have been stolen or compromised, and such devices continue to successfully perform fast reconnect even after the user credentials are changed. For more information about this security concern and how to mitigate it, see Fast reconnect.
Issue OAS-30057: Non-migrated records in updated/skipped database tables are not properly migrated (Data migration)
Description: To reduce the amount of processed data and speed up the server data migration process after an upgrade, the data version is tracked for each database table individually. Under some circumstances, a database table that is already considered as being up-to-date may contain individual records that are not yet migrated. This can happen, for example, if replication is enabled and updates records with an older data schema version in an otherwise already migrated table (newer data schema version). Such records are ignored and not processed by the data migration task.
Affects: OneSpan Authentication Server Appliance 3.23–3.27
Status: This issue has been fixed. If the server detects data records that are not migrated yet, although the table data version indicates it, the stored table data version is ignored and the records are properly processed.
Issue OAS-29918 (Support case CS0195842): Cross-site scripting vulnerability (Administration Web Service)
Description: Some fields on the Create New Client page and the Create New Back-End Server page are not properly verified and can be potentially exploited for cross-site scripting (XSS) attacks.
Affects: OneSpan Authentication Server Appliance 3.22–3.27
Status: This issue has been fixed.
Issue OAS-29713: Cannot upload custom report format template to existing reports (Administration Web Interface)
Description: When you attempt to upload a custom report format template to an existing report via the REPORTS page in the Administration Web Interface, you receive an error message that you need to specify a valid file to upload. However, uploading a custom report format template during the creation of a report with the Define Report wizard works.
Affects: OneSpan Authentication Server Appliance 3.27
Status: This issue has been fixed.
Issue OAS-28859 (Support case CS0191051): Authenticator with last authentication time cannot be updated (Administration Web Interface)
Description: When you attempt to update the settings for an authenticator, for example, setting a grace period, and the last authentication time value of that authenticator is already set, the operation fails with a "Cannot Validate -Field is not an input for this command. <object:command><Digipass:3>, field<name:type><Last Authentication Time:DATETIME>" error message. This issue only occurs if you use the Administration Web Interface for the update.
Affects: OneSpan Authentication Server Appliance 3.27.2
Status: This issue has been fixed.
Issue OAS-28855: RADIUS protocol support issues
Description: Several issues with the support of some RADIUS protocols have been identified:
OneSpan Authentication Server responds with invalid Microsoft Point-to-Point Encryption (MPPE) keys to EAP-TTLS/PAP and PEAP/EAP-MSCHAPv2 access requests.
OneSpan Authentication Server responds with invalid authenticator response content to PEAP/EAP-MSCHAPv2 access requests.
OneSpan Authentication Server does not respond or terminates unexpectedly when receiving EAP-TTLS/PAP and PEAP/EAP-MSCHAPv2 access requests.
OneSpan Authentication Server is unable to authenticate users with passwords that contain Unicode characters using PEAP/EAP-MSCHAPv2. Note that MSCHAPv2 only supports passwords representable by the UCS-2 encoding, i.e. the Basic Multilingual Plane (BMP) code point set.
Affects: OneSpan Authentication Server Appliance 3.22–3.27.2
Status: This issue has been fixed.
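The note on Unicode passwords above can be checked before a password is accepted for PEAP/EAP-MSCHAPv2 users. The following added example (not OneSpan code) tests whether a password is representable in UCS-2, i.e. consists only of Basic Multilingual Plane code points, and encodes it as UTF-16LE as MS-CHAPv2 (RFC 2759) expects; the 256-character limit is the password length RFC 2759 defines, and the function names are assumptions for illustration.

```python
"""Check whether a password can be used with PEAP/EAP-MSCHAPv2.

Added example, not OneSpan code. MS-CHAPv2 (RFC 2759) hashes the password as a
0-to-256 Unicode-character string in UCS-2 (UTF-16LE without BOM). Only
characters in the Basic Multilingual Plane (code points up to U+FFFF) can be
represented; characters outside the BMP, such as most emoji, would need a
surrogate pair and so cannot be expressed in UCS-2. Lone surrogates are
rejected as well because they are not valid characters.
"""

MAX_MSCHAPV2_CHARS = 256  # RFC 2759: "0-to-256-unicode-char Password"


def mschapv2_incompatible_chars(password):
    """Return the characters of `password` that UCS-2 cannot represent."""
    return [c for c in password
            if ord(c) > 0xFFFF or 0xD800 <= ord(c) <= 0xDFFF]


def is_mschapv2_compatible(password):
    """True if the password fits the MS-CHAPv2 length and character limits."""
    return (len(password) <= MAX_MSCHAPV2_CHARS
            and not mschapv2_incompatible_chars(password))


def ucs2_password_bytes(password):
    """Encode the password as MS-CHAPv2 expects (UTF-16LE, no BOM).

    Raises ValueError with the offending code points so an operator can tell
    the user which characters to avoid rather than seeing a bare failure.
    """
    bad = mschapv2_incompatible_chars(password)
    if bad:
        raise ValueError("not representable in UCS-2: "
                         + ", ".join(f"U+{ord(c):04X}" for c in bad))
    if len(password) > MAX_MSCHAPV2_CHARS:
        raise ValueError("password longer than 256 Unicode characters")
    return password.encode("utf-16-le")
```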
Issue OAS-28215 (Support case CS0179479): Service unresponsive to incoming requests (Communicators)
Description: In some environments with many concurrent, inactive connections (open, but not sending data), the OneSpan Authentication Server daemon does not detect pending data. This can impede other, active connections and lead to longer response times in general.
Affects: OneSpan Authentication Server Appliance 3.22–3.27
Status: This issue has been fixed.
Issue OAS-27952 (Support case CS0186750): User ID is written to audit messages in uppercase
Description: An issue has been identified that can happen in environments where Windows user name translation is enabled and the case conversion for user IDs and domains is set to Convert to lowercase (ODBC settings). If a user authenticates with a user account that is stored in uppercase in Active Directory, the user ID is correctly converted to lowercase and the authentication succeeds. However, the user ID is incorrectly written to the audit log in uppercase.
This behavior does not impact user authentication functionally, but because the user ID in the audit messages uses incorrect character casing, user authentication operations are not included in the recent activity of the affected users (User Dashboard).
Affects: OneSpan Authentication Server Appliance 3.22–3.27
Status: This issue has been fixed.
Issue OAS-17318: Memory access violation when running list reports
Description: When running a list report that includes authenticators and users as data source, for example, the DP per User report, and in the unlikely case that an authenticator and a user have the same identifier, the OneSpan Authentication Server daemon can terminate unexpectedly due to a memory access violation while processing the data group levels.
Affects: OneSpan Authentication Server Appliance 3.22–3.27
Status: This issue has been fixed.
Issue OAS-9789 (Support case CS0069759): Incorrect user selection behavior after manual assignment (Web Administration Service)
Description: Two problems with the user selection when doing a manual assignment were reported:
When you search for users in a particular domain who do not have an authenticator assigned via the Find/Manage User page, and then manually assign an authenticator to a user, you are automatically redirected back to the User list after completing the assignment. However, the User list now incorrectly indicates one selected user, although no user is selected (since the originally selected user now has an authenticator assigned).
The second problem occurs if you continue after the first problem: if you now attempt to do another assignment, the Assign DIGIPASS wizard will list authenticators from all domains, not only from the originally selected one.
Affects: OneSpan Authentication Server Appliance 3.22–3.27
Status: This issue has been fixed.
Issue OAS-3981 (Support case CS0027688): License tab not applicable for optional OneSpan User Websites client components (Web Administration Service)
Description: OneSpan User Websites can be configured to use additional, optional client components—for example, UWS MDL Provisioning—to allow different policies to be applied depending on the management operation. However, if you create and edit such client components in the Administration Web Interface, they incorrectly show a License tab, although they neither require nor allow licenses to be applied.
Affects: OneSpan Authentication Server Appliance 3.22–3.27
Status: This issue has been fixed. Optional client components for OneSpan User Websites no longer show a License tab. Furthermore, to simplify the configuration, you can now select them as pre-defined client components in the Client > Client Type list.
Support case CS0197472: Logon issue with shared sessions enabled
Description: Attempting to log into the Configuration Tool can sometimes fail if shared sessions are enabled. A possible workaround was to log in to the OneSpan Authentication Server Administration Web Interface and then switch to the OneSpan Authentication Server Appliance Configuration Tool.
Status: This issue has been fixed.
Support case CS0190622: Incorrect error regarding _system user account
Description: Under some circumstances, if the SOAP option is disabled in the license, an incorrect error that the _system user account is not working can appear.
Status: This issue has been fixed.
Improved NTP clock stability
Description: The NTP clock stability has been improved. It is automatically synched during a restart.
Certificates and time zone data
Description: The certificates and time zone data have been upgraded.
Deprecated components and features
EMV-CAP support
EMV-CAP is no longer supported. Its functionality and any references to EMV-CAP in the code base, UI, and documentation have been completely removed.
PDF documentation
The PDF documentation has been completely removed from the OneSpan Authentication Server product deliverable. You can view the OneSpan Authentication Server user documentation exclusively online on the OneSpan documentation portal, available at https://docs.onespan.com/sec/docs/onespan-authentication-server-appliance.
Known issues
Issue OAS-9159 (Support case CS0057804): Usability issues when two reports are started at the same time (Reporting)
Description: When two reports are started at the same time, e.g. with two different browsers, a (nonfunctional) download link for the second report will be available before the report task has even started. The corresponding report results cannot be accessed.
Affects: OneSpan Authentication Server Appliance 3.19 and later
Status: No fix available. To avoid this issue, do not run multiple reports at the same time.
Issue OAS-5605 (Support cases CS0039109, CS0046614): Issues with Chinese characters in XML and PDF reports (Web Administration Service)
Description: Chinese characters are not correctly displayed in XML and PDF reports.
Affects: OneSpan Authentication Server Appliance 3.12 and later
Status: This issue has been fixed for XML reports in OneSpan Authentication Server Appliance 3.21. The issue can still occur in PDF reports in case they contain characters that are not defined in the used PDF font. Workaround for PDF reports: Generate an HTML report and print it to PDF.
Issue OAS-4163 (Support case CS0030058): Cannot assign multiple authenticators to a single user in one step (Web Administration Service)
Description: The Assign DIGIPASS wizard allows you to assign authenticators to users. Although you can select multiple authenticators and multiple users, you can only assign exactly one authenticator to one user at a time. For instance, if you select two authenticators in the wizard, you need to specify two different user accounts, one user for each authenticator.
Affects: OneSpan Authentication Server Appliance 3.21 and later
Status: No fix available. To assign additional authenticators to a user, you need to run the Assign DIGIPASS wizard again.
Issue OAS-3761 (Support case CS0024326): Inaccessible authenticators proposed for manual assignment (Web Administration Service)
Description: The Assign DIGIPASS wizard allows you to explicitly select the authenticators to assign to multiple users (by selecting Search now to select DIGIPASS to assign in the Search DIGIPASS page). However, the Select DIGIPASS page may also show authenticators that are actually inaccessible to assign to the respective users, because they are in another domain than the users. If you select such an authenticator and continue, you will receive a "Failed to find available token for assignment." error.
This issue does not occur if you only select one user to assign an authenticator. In this case, the Select DIGIPASS page correctly shows only authenticators in the same domain as the user account.
Affects: OneSpan Authentication Server Appliance 3.21 and later
Status: No fix available. Make sure to select only authenticators that are in the same domain as the users you selected for assignment.
Issue 58722: Mobile Authenticator Studio timeshift no longer supported
Description: When the Timeshift feature of Mobile Authenticator Studio is used, it causes the offline data to become invalid. The option to set a timeshift for Mobile Authenticator Studio authenticators is no longer supported. This feature is outdated and has become obsolete because mobile devices are now correctly synchronized with OneSpan Authentication Server Appliance at shorter intervals.
Affects: OneSpan Authentication Server Appliance 3.6 and later
Status: Do not use the Mobile Authenticator Studio Timeshift feature, to avoid invalidating the offline data.
Issue 48452 (Support case PS-144964): Multiple authentication and accounting ports on OneSpan Authentication Server Appliance (RADIUS communicator)
Description: OneSpan Authentication Server Appliance allows for the configuration of two RADIUS authentication ports and two RADIUS accounting ports. By default, one authentication and one accounting port is specified. If you want to edit the second ports, contact support.
Affects: OneSpan Authentication Server Appliance 3.5 and later
Status: If a second authentication and/or a second accounting port for the RADIUS Communicator will be used, contact support.
Issue 46294 (Support case PS-141029): SafeNet HSM mode setup causes installation failure (OneSpan Authentication Server Setup)
Description: Deployments of OneSpan Authentication Server Appliance with Thales ProtectServer HSM only support HSMs that run in Normal mode. If the HSM is run in High Availability or Workload Distribution mode, the installation of OneSpan Authentication Server Appliance fails.
Affects: OneSpan Authentication Server Appliance 3.6 and later
Status: The Thales ProtectServer HSM must be run in Normal mode, i.e. ET_PTKC_GENERAL_LIBRARY_MODE must be set to NORMAL.
Issue 41616: Self-signed certificates created by Microsoft Internet Information Services (IIS) cannot be used (Message Delivery Component (MDC))
Description: When trying to configure email delivery with SSL/TLS using a self-signed certificate created using Microsoft Internet Information Services (IIS) and converted to PEM format using OpenSSL, MDC cannot recognize a valid self-signed certificate and displays an error message. This is caused by the OpenSSL library. In some circumstances, the OpenSSL application itself may display an "Unable to get local issuer certificate (20)" error message.
Affects: All platforms.
Status: No fix available. This is a compatibility issue between OpenSSL and Microsoft IIS. Do not use self-signed certificates generated using Microsoft IIS.
Issue 136844: Audit Viewer is slow
Description: On systems that have a very high log production, you may experience problems when browsing logs with the built-in Audit Viewer. The reason is that OneSpan Authentication Server Appliance queries logs per day, and if there is a great amount of data, this can take longer than the 30-second web browser timeout.
Affects: OneSpan Authentication Server Appliance environments that produce a lot of data per day.
Status: No fix available.