In many environments, unnecessary authenticator data can accumulate over time. For instance, when using multi-device licensing (MDL) authenticators, a significant number of unused authenticator instances can remain in the database and reduce system performance and security. Such unused authenticator instances can occur for various reasons:
An authenticator instance exists, but the activation was never finished, hence the authenticator instance has no DIGIPASS Push Notification Identifier (PNID) or authenticator BLOB data assigned.
An authenticator instance exists and has a PNID assigned, but was never used because newer authenticator instances exist.
An authenticator instance exists and has a PNID assigned and a last used date set, but a newer authenticator instance with the same PNID exists and is used.
The MDL authenticator was not used for a long time.
The Administration Web Interface provides the Bulk Cleanup DIGIPASS maintenance command to help you clean up and purge unused authenticator data based on various criteria. It supports the following cleanup strategies:
Instances with reused PNID. Deletes all authenticator instances that have a reused DIGIPASS Push Notification Identifier (PNID) assigned. The PNID is considered reused if another authenticator instance exists for the same authenticator license that uses the same PNID but has a higher sequence number.
Instances without PNID. Deletes all authenticator instances that have no DIGIPASS Push Notification Identifier (PNID) assigned and were never used (last authentication time is not set). The PNID is implicitly set when an authenticator instance is bound to a mobile app. The last authentication time is initially set when the authenticator instance is effectively activated. An authenticator instance with no PNID and no last authentication time set very likely indicates that the activation of that particular instance was not completed.
Digipass not used for a specified period. Deletes all authenticators and authenticator instances that were not used at least once for a specified number of days (retention period). The usage is determined by the date and time the authenticator was last used for a successful authentication. It is only set and updated if the authenticator is assigned and used by the respective user.
Note that authenticator licenses are not processed or deleted by this command.
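The selection rules of the three strategies can be previewed against an exported inventory before running the command. The following is an added example, not the product's own code or schema: the record fields (`license`, `seq`, `pnid`, `last_auth`) and the sample data are constructed, and it assumes that instances with no last authentication time are not matched by the retention-period strategy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample inventory; field names are hypothetical, not the product schema.
INSTANCES = [
    {"license": "LIC-A", "seq": 1, "pnid": "pn-1", "last_auth": datetime(2024, 1, 5)},
    {"license": "LIC-A", "seq": 2, "pnid": "pn-1", "last_auth": datetime(2024, 5, 20)},
    {"license": "LIC-A", "seq": 3, "pnid": None, "last_auth": None},
    {"license": "LIC-B", "seq": 1, "pnid": "pn-2", "last_auth": datetime(2023, 2, 1)},
    {"license": "LIC-B", "seq": 2, "pnid": "pn-3", "last_auth": None},
    {"license": "LIC-C", "seq": 1, "pnid": "pn-1", "last_auth": datetime(2024, 5, 30)},
]

def reused_pnid(instances):
    """Instances whose PNID is also held by a higher-sequence instance of the same license."""
    highest = defaultdict(int)
    for i in instances:
        if i["pnid"]:
            key = (i["license"], i["pnid"])
            highest[key] = max(highest[key], i["seq"])
    return [i for i in instances
            if i["pnid"] and i["seq"] < highest[(i["license"], i["pnid"])]]

def without_pnid(instances):
    """Instances with no PNID and no last authentication time (activation likely unfinished)."""
    return [i for i in instances if not i["pnid"] and i["last_auth"] is None]

def unused_for(instances, days, now):
    """Instances whose last successful authentication is older than the retention period.
    Assumption: never-used instances (no last_auth) are left to the other strategies."""
    cutoff = now - timedelta(days=days)
    return [i for i in instances if i["last_auth"] is not None and i["last_auth"] < cutoff]

def _ids(rows):
    return sorted((r["license"], r["seq"]) for r in rows)

def preview(instances, days, now):
    """Map each strategy name to the (license, seq) pairs it would select."""
    return {
        "reused_pnid": _ids(reused_pnid(instances)),
        "without_pnid": _ids(without_pnid(instances)),
        "unused": _ids(unused_for(instances, days, now)),
    }

if __name__ == "__main__":
    for name, hits in preview(INSTANCES, 90, datetime(2024, 6, 1)).items():
        print(name, hits)
```

In the sample, the same PNID under a different license (`LIC-C`) is not treated as reused, and the `LIC-B` instance with a PNID but no last authentication time is selected by none of the three rules under the stated assumption.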