Standard license activation
- Updated on 15 Nov 2024
- 5 minute read
This type of activation with single-device licensing (SDL) has been deprecated and will be removed in a future version of Mobile Authenticator Studio 5.x!
Mobile Authenticator Studio supports the following activation modes for standard licenses:
- Manual offline activation and reactivation
- Offline activation and reactivation with image (QR code or Cronto image)
Once Mobile Authenticator Studio has been activated locally, the server must receive the information to ensure that both parties are synchronized. This is a Mobile Authenticator Studio post-activation process.
Manual offline activation
Offline activation consists of providing the activation data. With this type of activation, the activation data is split: the configuration data resides in the Mobile Authenticator Studio app, whereas the key of the authenticator is entered by the user through the activation code. Therefore, the serial number and activation code need to be securely delivered to users prior to the activation (e.g. in a sealed letter).
In addition to the activation code, users need to provide the serial number, which is necessary to rebuild the key of the authenticator from the activation code. The authenticator's serial number and activation code are delivered to the integrator in the DPX file, as specified in the Mobile Authenticator Studio Parameter Sheet.
If a new user is added and activates their license, the user must authenticate. Depending on the configured authentication method, the user will either be prompted for the selected biometric authentication method, or they must enter a PIN, as the PIN is not automatically read from the internal storage. This applies to the following scenarios:
- The user adds a new account from the Manage accounts screen for the activation and reactivation of a single account.
- The user already has an account, adds another one, and activates or reactivates the additional account(s).
- The user tries to manually activate an existing account.
- The user removes an account.
Instead of entering the full serial number (e.g. FDM1280189), the user could enter only the serial number suffix (e.g. 1280189). However, this is not recommended, because the serial number prefix will then be retrieved from the static vector. The prefix hardcoded in the static vector of the mobile app (e.g. FDL) can differ from the prefix of the authenticator BLOBs used by the server (e.g. FDM). In this case, the authenticator account (i.e. an instance of the authenticator) will be properly activated, but the generated authenticator responses (i.e. OTP and signature) will be invalid because the app and the server are rebuilding different keys.
If reactivation with event reactivation counter (ERC) is enabled, a field to enter the ERC will be displayed in the offline activation screen (see Reactivation of a standard license).
Activation via QR code or Cronto image
For this type of activation, the activation data is provided either in a QR code or a Cronto image. This type of activation uses the same data as offline activation, in the following format:
Activation with QR code:
<QRCode>
<SN>SERIAL_NUMBER</SN>
<AC>ACTIVATION_CODE</AC>
</QRCode>
Activation with Cronto image:
<Cronto>
<SN>SERIAL_NUMBER</SN>
<AC>ACTIVATION_CODE</AC>
</Cronto>
Additional data can be set in the QR code or Cronto image. For more information, see Mobile Authenticator Studio Integration Guide.
As with offline activation, the configuration data resides in the Mobile Authenticator Studio app, whereas the authenticator key is included in the QR code or Cronto image via the activation code. In addition, the QR code or Cronto image needs to contain the authenticator serial number, which is necessary to rebuild the authenticator key from the activation code. Therefore, the serial number and activation code need to be securely delivered to users prior to the activation (e.g. in a sealed letter).
The serial number and activation code of the authenticator are delivered with the DPX file, as specified in the Mobile Authenticator Studio Parameter Sheet.
QR codes can be generated with any barcode generator implementing the formats supported by Mobile Authenticator Studio. OneSpan also provides a generator for QR codes and Cronto images.
After scanning a QR code, if Mobile Authenticator Studio is not protected (PIN code, biometry), the user can immediately access the main screen of the app. With protection enabled, the user needs to set their protection method (set PIN code and optionally enroll biometric protection method).
If the reactivation feature is enabled, the QR code may contain the event reactivation counter. For more information, see Reactivation of a standard license.
Reactivation of a standard license
During the Mobile Authenticator Studio life cycle, users may have to reactivate the app for various reasons. Reactivation may be necessary in the following scenarios:
- A user has lost their app PIN code. Because the authenticator key cannot be used without the local password, the app can no longer generate valid OTPs or e-signatures. The user can reactivate the app via the Manage Accounts screen by activating the account with the Scan code button.
- A user has lost the device, and the app on the new device should have the same configuration and secret. The user needs to reinstall the app and activate it with the parameters provided by the server.
Similar to activation, reactivation can take place offline, manually, with a QR code, or with a Cronto image. It consists of re-pushing the authenticator secret and, for event-based apps, the event counter of the last validated OTP from the authentication server to the Mobile Authenticator Studio app.
Manual offline reactivation
For the offline reactivation, Mobile Authenticator Studio can be configured in such a way that the user needs to enter the event reactivation counter (ERC). This parameter contains the event counter that will be used by the app. The event is only formatted, not encrypted. Similar to other parameters used for offline activation or reactivation, the ERC must be securely exchanged with the server prior to the operation.
As with activation, and depending on the selected Mobile Authenticator Studio app, the server may receive an OTP confirming the successful reactivation. And also as with activation, if the user reactivates a license, the user must authenticate. Depending on the configured authentication method, the user will either be prompted for the selected biometric authentication method, or they must enter a PIN as the PIN is not automatically read from the internal storage.
Reactivation via QR code or Cronto image
From a user’s point of view, QR code reactivation is the same as QR code activation. The data in the QR code is, however, different. In addition to the configuration data and the authenticator secret, the counter used to validate the last OTP is exchanged. This happens in a parameter called event reactivation counter (ERC).
QR code activation:
<QRCode>
<SN>SERIAL_NUMBER</SN>
<AC>ACTIVATION_CODE</AC>
</QRCode>
QR code reactivation:
<QRCode>
<SN>SERIAL_NUMBER</SN>
<AC>ACTIVATION_CODE</AC>
<ERC>EVENT_REACTIVATION_COUNTER</ERC>
</QRCode>
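The following is an added example (not OneSpan code) that parses the activation and reactivation payload formats shown above and runs the serial-number prefix check the manual offline activation section warns about. The serial number shape (three-letter prefix plus digits, from the page's FDM1280189 example), the numeric interpretation of the ERC, and the sample payloads are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

# Assumed serial number shape, derived from the page's example FDM1280189:
# a three-letter prefix followed by digits. The exact rule is an assumption.
SERIAL_RE = re.compile(r"^([A-Z]{3})(\d+)$")

# Constructed sample payloads (placeholder values, not real credentials).
SAMPLE_ACTIVATION = "<QRCode><SN>FDM1280189</SN><AC>12345678901234567890</AC></QRCode>"
SAMPLE_REACTIVATION = ("<Cronto><SN>FDM1280189</SN><AC>12345678901234567890</AC>"
                       "<ERC>42</ERC></Cronto>")


@dataclass
class ActivationData:
    serial_number: str
    activation_code: str
    erc: Optional[int]  # event reactivation counter; present only for reactivation


def parse_activation_payload(payload: str) -> ActivationData:
    """Parse a <QRCode> or <Cronto> payload into its SN, AC and optional ERC fields."""
    root = ET.fromstring(payload)
    if root.tag not in ("QRCode", "Cronto"):
        raise ValueError(f"unexpected root element <{root.tag}>")
    sn = root.findtext("SN")
    ac = root.findtext("AC")
    if not sn or not ac:
        raise ValueError("payload must contain both <SN> and <AC>")
    erc_text = root.findtext("ERC")
    # The ERC is formatted, not encrypted; treating it as an integer counter is assumed.
    erc = int(erc_text) if erc_text is not None else None
    if erc is not None and erc < 0:
        raise ValueError("ERC must be a non-negative event counter")
    return ActivationData(sn.strip(), ac.strip(), erc)


def check_serial_prefix(serial_number: str, expected_prefix: str) -> str:
    """Classify a serial number as 'ok', 'suffix-only', 'prefix-mismatch' or 'malformed'.

    A suffix-only serial makes the app fall back to the static-vector prefix; a prefix
    that differs from the server's BLOB prefix activates the account but yields OTPs and
    signatures the server rejects, so an integrator should catch both before activation.
    """
    if serial_number.isdigit():
        return "suffix-only"
    m = SERIAL_RE.match(serial_number)
    if not m:
        return "malformed"
    return "ok" if m.group(1) == expected_prefix else "prefix-mismatch"
```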
As with activation, and depending on the selected Mobile Authenticator Studio app, the server may receive an OTP confirming the successful reactivation.