Password protection
  • 23 Oct 2024

With Digipass password protection, use of the application is protected by a password. The password is required for every OTP and signature generation, and for changing the password itself. The user chooses the password during the activation process, and it enters into the calculation of the dynamic vector encryption key. This key is derived from the password provided by the user, the Digipass serial number and device-specific data according to the following algorithm:

Key = PBKDF2(PRF, PIN || Serial Number || Device Data, salt, c, sekLen)

The PBKDF2 parameters must be:

  • PRF: SHA-256

  • PIN || Serial number || Device data: Concatenation of the user’s PIN, the Digipass serial number and the device-specific data

  • Salt: Fixed data

  • c: Configurable number of iterations

  • sekLen: Key length – 32 bytes
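The derivation above, written out with Python's standard library as an added example (this is not code from the article or from the Digipass SDK). The serial number, device data, salt value and iteration count are constructed placeholders; in a deployment they come from the authenticator, the device and the configuration. The example also shows the property the later security levels depend on: a different PIN or different device data yields a different key, so the encrypted secret decrypts to garbage rather than to an error.

```python
import hashlib

# Constructed sample values for illustration only.
SERIAL_NUMBER = b"VDP1234567"            # constructed Digipass serial number
DEVICE_DATA = b"device-fingerprint-01"   # constructed device-specific data
SALT = b"fixed-salt-value"               # "Fixed data" in the article; value constructed
ITERATIONS = 10_000                      # "c", configurable; value constructed
KEY_LEN = 32                             # sekLen: 32 bytes


def derive_dynamic_vector_key(pin: str, serial_number: bytes, device_data: bytes,
                              salt: bytes = SALT, iterations: int = ITERATIONS) -> bytes:
    """Key = PBKDF2(SHA-256, PIN || Serial Number || Device Data, salt, c, 32).

    The PRF is HMAC-SHA-256, the password material is the plain concatenation
    of the three inputs, and the output is truncated to sekLen = 32 bytes.
    """
    password_material = pin.encode("utf-8") + serial_number + device_data
    return hashlib.pbkdf2_hmac("sha256", password_material, salt, iterations, dklen=KEY_LEN)


def demo() -> dict:
    """Derive keys for a constructed PIN and show which inputs change the result."""
    right = derive_dynamic_vector_key("482913", SERIAL_NUMBER, DEVICE_DATA)
    again = derive_dynamic_vector_key("482913", SERIAL_NUMBER, DEVICE_DATA)
    wrong_pin = derive_dynamic_vector_key("482914", SERIAL_NUMBER, DEVICE_DATA)
    other_device = derive_dynamic_vector_key("482913", SERIAL_NUMBER, b"device-fingerprint-02")
    return {
        "key_len": len(right),
        "same_inputs_same_key": right == again,
        "wrong_pin_differs": right != wrong_pin,
        "other_device_differs": right != other_device,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because the device data is part of the password material, a dynamic vector copied to another device derives a different key even when the correct PIN is entered; the iteration count c is the only cost knob, and it is what makes offline guessing of a short PIN slower.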

Activation with password protection (overview)

When a Digipass authenticator is activated with password protection, the dynamic vector is protected by a password that the Digipass owner provides. Password control relies entirely on the Digipass SDK. Only the owner of the password can use the Digipass authenticator.

Once a user password protects the secret in the dynamic vector, every operation involving the secret requires validation of the user password. The Digipass SDK performs this validation according to the password security level defined in the static vector.

The user password can be passed as a string or as a byte array. When passed as a byte array, the application can clear (overwrite) the array after use, so the password does not linger in memory.

Weak password control

The weak PIN rules were updated in Mobile Security Suite 4.21.2.

If weak password control is configured for the Digipass authenticator, the detection rules for weak passwords are:

  • The difference between consecutive digits of the password must vary.

    Example: 12345 is a weak password because the difference between the consecutive digits is always +1.

  • A row of 0s (N-1 zeros for a PIN of N digits) followed by a single digit (e.g. 00003), or a single digit followed by a row of 0s (e.g. 2000), is not valid. (This is the ATM mimic rule.)

  • When the password is changed, the new password must be different from the old password.

Weak password control is used during the activation process and password change.

Weak password control with numeric passwords

  Password   Steps suite        Control result
  123456     1 1 1 1 1          FAIL
  111111     0 0 0 0 0          FAIL
  678901     1 1 1 -9 1         SUCCESS
  02468      2 2 2 2 2          FAIL
  876543     -1 -1 -1 -1 -1     FAIL
  123467     1 1 1 2 1          SUCCESS
  415263     -3 4 -3 4 -3       SUCCESS

Weak password control with alphanumeric passwords

  Password   Decimal value                  Steps suite        Control result
  ABCDEF     65, 66, 67, 68, 69, 70         1 1 1 1 1          FAIL
  tsrqpo     116, 115, 114, 113, 112, 111   -1 -1 -1 -1 -1     FAIL

Weak password control with ATM rule

  Password   Control result
  000005     FAIL
  200000     FAIL
  007000     SUCCESS
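An implementation of the three weak-password rules above, checked against every row of the three tables, as an added example (not code from the article or from the Digipass SDK). Characters are compared by their decimal code-point value, which is what the alphanumeric table does and which gives the same steps as digit values for numeric PINs. The handling of passwords shorter than three characters is an assumption, since the article does not cover them.

```python
import re
from typing import Optional


def steps_suite(password: str) -> list[int]:
    """Differences between consecutive characters ("Steps suite" in the tables).

    Characters are compared by decimal (code point) value, as in the article's
    alphanumeric table; for digit-only passwords this equals the difference
    between the digit values (e.g. '0' - '9' = -9 in 678901).
    """
    codes = [ord(ch) for ch in password]
    return [b - a for a, b in zip(codes, codes[1:])]


def is_constant_step_sequence(password: str) -> bool:
    """Rule 1: the difference between consecutive characters must vary.

    A sequence with a single distinct step value (123456, 111111, 876543,
    ABCDEF) is weak. Passwords shorter than three characters cannot vary and
    are treated as weak here (assumption; not covered by the article).
    """
    return len(set(steps_suite(password))) <= 1


# Rule 2 (ATM mimic): N-1 zeros followed by one non-zero digit (000005), or one
# non-zero digit followed by N-1 zeros (200000). fullmatch() forces the whole
# password to consist of exactly that pattern, so 007000 is not matched.
ATM_MIMIC = re.compile(r"0+[1-9]|[1-9]0+")


def is_atm_mimic(password: str) -> bool:
    return ATM_MIMIC.fullmatch(password) is not None


def check_password(new_password: str, old_password: Optional[str] = None) -> tuple[str, list[str]]:
    """Apply the three rules; return ("SUCCESS" | "FAIL", list of reasons).

    old_password is given only on a password change (Rule 3).
    """
    reasons = []
    if is_constant_step_sequence(new_password):
        reasons.append("constant step between consecutive characters")
    if is_atm_mimic(new_password):
        reasons.append("ATM mimic: a row of zeros with a single other digit")
    if old_password is not None and new_password == old_password:
        reasons.append("new password equals old password")
    return ("FAIL" if reasons else "SUCCESS", reasons)


# Test vectors copied from the article's three tables.
ARTICLE_VECTORS = [
    ("123456", "FAIL"), ("111111", "FAIL"), ("678901", "SUCCESS"), ("02468", "FAIL"),
    ("876543", "FAIL"), ("123467", "SUCCESS"), ("415263", "SUCCESS"),
    ("ABCDEF", "FAIL"), ("tsrqpo", "FAIL"),
    ("000005", "FAIL"), ("200000", "FAIL"), ("007000", "SUCCESS"),
]


def run_article_vectors() -> list[tuple[str, str, str]]:
    """Return (password, expected, got) for each table row the checker disagrees
    with; an empty list means every row of the article is reproduced."""
    mismatches = []
    for pw, expected in ARTICLE_VECTORS:
        got, _ = check_password(pw)
        if got != expected:
            mismatches.append((pw, expected, got))
    return mismatches


if __name__ == "__main__":
    for pw, _ in ARTICLE_VECTORS:
        print(pw, steps_suite(pw), check_password(pw)[0])
    print("mismatches:", run_article_vectors())
```

Note that an all-zero PIN such as 000000 is rejected by Rule 1 (all steps are 0), not by the ATM rule, and that 415263 passes because its steps alternate between -3 and 4: the rule only rejects a single repeated step, not every regular pattern.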

Password security level

The password security level determines how the Digipass SDK validates the password. The Digipass SDK supports the following security levels for password validation:

  • No password check. Each password is used as-is to decrypt the Digipass secret. Only the password provided during Digipass activation to encrypt the Digipass secret will generate a correct OTP or signature; other passwords generate invalid responses. This method relies entirely on the server lock functionality, which can be activated in the settings of the OneSpan server solution. For more information, refer to the OneSpan server solution documentation.

  • Checksum. During the activation process, a 1-byte checksum of the password is stored in the dynamic vector. Over the Digipass lifecycle, entered passwords are tested against that checksum, and only those matching it are used to decrypt the secret.

    The checksum allows collisions with wrong passwords: a wrong password with a valid checksum is used to decrypt the secret but generates invalid responses. Compared to the no-password-check level, more passwords are rejected, but a large number still generates wrong responses.

    During a password change, a wrong old password with a matching checksum collides with the current password. The Digipass secret is then decrypted incorrectly, and the incorrect secret is encrypted with the new password. The result is permanent corruption of the Digipass secret; the Digipass authenticator must be re-activated or replaced.

  • Hash. During activation, a 4-byte hash of the password is stored in the dynamic vector. Over the Digipass lifecycle, entered passwords are tested against this hash, and only those matching it are used to decrypt the secret. Because the hash is 4 bytes long, far fewer passwords match than with the 1-byte checksum. Compared to the checksum level, most wrong passwords are rejected and only a few generate wrong responses.

    To limit brute-force attacks, OneSpan strongly recommends the checksum level. With checksum validation a wrong password may be accepted, which leads to incorrect decryption of the Digipass keys.
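The trade-off between the three levels, and the password-change corruption described for the checksum level, as an added example (not code from the article or from the Digipass SDK). The article does not give the SDK's checksum, hash or encryption algorithms, so the example stands in a truncated SHA-256 for the stored check value (0, 1 or 4 bytes for the three levels), a SHA-256-derived key for a toy XOR encryption of a constructed 16-byte secret, and constructed PINs. Only the width of the stored check value matters for the point: it decides how many of the 999,999 wrong 6-digit PINs are accepted and go on to produce a wrong decryption.

```python
import hashlib

# Constructed 16-byte stand-in for the Digipass secret.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def check_value(password: str, nbytes: int) -> bytes:
    """Stored check value of the given width: 0 bytes models "no password check",
    1 byte the checksum level, 4 bytes the hash level. Truncated SHA-256 is an
    illustrative stand-in; the SDK's real algorithm is not given in the article."""
    return hashlib.sha256(password.encode()).digest()[:nbytes]


def key_for(password: str) -> bytes:
    """Stand-in 16-byte encryption key derived from the PIN (not the SDK's PBKDF2)."""
    return hashlib.sha256(b"key:" + password.encode()).digest()[:16]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def collision_survey(true_pin: str, pin_len: int = 6, widths=(0, 1, 4)) -> dict:
    """Count, per check-value width, the wrong PINs whose check value matches the
    true PIN's, i.e. the wrong PINs the SDK would accept and use for decryption."""
    targets = {w: check_value(true_pin, w) for w in widths}
    counts = {w: 0 for w in widths}
    first = {w: None for w in widths}
    for n in range(10 ** pin_len):
        cand = f"{n:0{pin_len}d}"
        if cand == true_pin:
            continue
        digest = hashlib.sha256(cand.encode()).digest()
        for w in widths:
            if digest[:w] == targets[w]:
                counts[w] += 1
                if first[w] is None:
                    first[w] = cand
    return {"counts": counts, "first_collision": first}


def change_password_checksum_level(vector: dict, old_pin_entered: str, new_pin: str) -> dict:
    """Model of a password change at checksum level: the entered old PIN is only
    tested against the stored 1-byte check value, then used to decrypt the
    secret, which is re-encrypted under the new PIN. A colliding wrong old PIN
    passes the check and silently re-encrypts a wrong secret."""
    if check_value(old_pin_entered, 1) != vector["check"]:
        raise ValueError("old password rejected by checksum")
    secret = xor_bytes(vector["encrypted_secret"], key_for(old_pin_entered))
    return {"encrypted_secret": xor_bytes(secret, key_for(new_pin)), "check": check_value(new_pin, 1)}


def demo_corruption(true_pin: str = "482913", new_pin: str = "590317") -> dict:
    """Survey collisions for all three widths, then change the password once with
    the real old PIN and once with the first colliding wrong PIN."""
    vector = {"encrypted_secret": xor_bytes(SECRET, key_for(true_pin)), "check": check_value(true_pin, 1)}
    survey = collision_survey(true_pin)
    good = change_password_checksum_level(vector, true_pin, new_pin)
    bad = change_password_checksum_level(vector, survey["first_collision"][1], new_pin)
    return {
        "counts": survey["counts"],
        "secret_intact_after_correct_change": xor_bytes(good["encrypted_secret"], key_for(new_pin)) == SECRET,
        "secret_intact_after_colliding_change": xor_bytes(bad["encrypted_secret"], key_for(new_pin)) == SECRET,
    }


if __name__ == "__main__":
    for name, value in demo_corruption().items():
        print(f"{name}: {value}")
```

For a 6-digit PIN the 0-byte width accepts all 999,999 wrong PINs, the 1-byte width about 1 in 256 of them (roughly 3,900, each producing a wrong OTP and, on a password change, a corrupted secret), and the 4-byte width almost none. The same 4 stored bytes are also what an attacker holding a copy of the dynamic vector could test candidate PINs against offline, which is the brute-force concern the article raises when it recommends the checksum level together with the server lock.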
