- 19 Oct 2024
Integrate activation for multi-device licensing
- Updated on 19 Oct 2024
Mobile Authenticator Studio must be configured to use multi-device licensing to be able to use Secure Channel or multi-device activation (MDA).
Integrating multi-device licensing requires the integration of OneSpan Authentication Server Framework 3.13.1.2 or later.
The multi-device licensing activation process consists of providing Mobile Authenticator Studio with the activation data in the following two steps:
1. Providing Mobile Authenticator Studio with the activation data related to the authenticator license.
   The activation data related to the authenticator license is shared by all authenticators of the same user. This license activation data can be provided to Mobile Authenticator Studio through an image (QR code or Cronto image).
2. Providing Mobile Authenticator Studio with the activation data related to the authenticator instance (i.e., the authenticator account).
   The activation data related to the authenticator instance is unique for each authenticator. This activation data can be provided to Mobile Authenticator Studio through an image (QR code or Cronto image), if the activation data of the Mobile Authenticator Studio license has been provided in the same way.
The usage of Cronto images requires the integration of the Image Generator SDK as of version 4.3.5.
For the activation of Mobile Authenticator Studio licenses and/or instances, the license activation data from an image can be combined with instance activation data from an image as well as with license activation data from the web service.
License and instance activation data from image
This activation scenario succeeds on the Mobile Authenticator Studio side completely offline, and is fully compatible with the activation of OneSpan hardware authenticators.
Two-step activation – scenario 1 (overview)
Activation scenario (Walkthrough)
The integrator imports the authenticator licenses and master activation applications into the database.
The integrator assigns an authenticator license to a user. If it is a multi-device licensing configuration, it can be used to generate up to 99 operational authenticator instances for a user. If it is a single-device licensing configuration, only one authenticator instance can be generated per license.
The integrator generates Activation Message 1 using the OneSpan Authentication Server Framework API method AAL2GenMessageActivation1().
The integrator generates the Cronto image using the Secure Messaging SDK Server API method generateCrontoSign().
The integrator must securely send the image containing Activation Message 1.
Activation Message 1 is highly sensitive as it contains the authenticator license. Disclosure of the authenticator license will compromise any future authenticator activation!
The user scans the Cronto image with Mobile Authenticator Studio.
The Mobile Authenticator Studio app displays the device code that identifies the platform where the license is loaded.
The user must provide the device code to the back-end server.
The integrator must validate the device code using the OneSpan Authentication Server Framework API method AAL2VerifyDeviceCode(). This API returns the platform used to activate the authenticator license.
At this step, the integrator must generate the payload key BLOB to use Secure Channel with Mobile Authenticator Studio. For more information about payload key BLOB management, refer to the OneSpan Authentication Server Framework Product Guide.
After the device code is successfully validated, the integrator must generate Activation Message 2, which contains the authenticator instance activation data, using the OneSpan Authentication Server Framework API method AAL2GenMessageActivation2().
The integrator generates the Cronto image using the Secure Messaging SDK API method generateCrontoSign().
The integrator must display activation image 2 to the user.
The user must scan activation image 2 with the Mobile Authenticator Studio app.
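The ordering rules of this walkthrough can be enforced on the integrator's server with a small state machine, so that Activation Message 2 is never issued before the device code has been validated and the per-license instance limit is respected. This is an added example, not OneSpan code: FakeSdk and its three method names are hypothetical stand-ins for AAL2GenMessageActivation1(), AAL2VerifyDeviceCode() and AAL2GenMessageActivation2(), whose real signatures are not reproduced here, and the message strings, device code and platform value are constructed.

```python
from dataclasses import dataclass
from enum import Enum, auto

MAX_INSTANCES = 99  # multi-device limit per license, as stated on this page

class State(Enum):
    LICENSE_ASSIGNED = auto()
    MESSAGE1_SENT = auto()
    DEVICE_VERIFIED = auto()
    ACTIVATED = auto()

class ActivationError(Exception):
    pass

class FakeSdk:
    """Constructed stand-in; a real adapter would call the AAL2 methods."""
    def gen_activation1(self): return "MSG1-PLACEHOLDER"
    def verify_device_code(self, code): return "android" if code == "1234" else None
    def gen_activation2(self): return "MSG2-PLACEHOLDER"

@dataclass
class ActivationSession:
    sdk: object                 # hypothetical adapter, see FakeSdk
    multi_device: bool = True
    instances: int = 0          # instances already generated for this license
    state: State = State.LICENSE_ASSIGNED
    platform: str = ""

    def start(self):
        limit = MAX_INSTANCES if self.multi_device else 1
        if self.instances >= limit:
            raise ActivationError("instance limit reached for this license")
        self.state = State.MESSAGE1_SENT
        return self.sdk.gen_activation1()  # sensitive: contains the license

    def submit_device_code(self, code):
        if self.state is not State.MESSAGE1_SENT:
            raise ActivationError("no device code expected in this state")
        platform = self.sdk.verify_device_code(code)
        if platform is None:
            raise ActivationError("device code rejected")  # state is unchanged
        # The payload key BLOB for Secure Channel is generated at this step.
        self.platform, self.state = platform, State.DEVICE_VERIFIED

    def finish(self):
        if self.state is not State.DEVICE_VERIFIED:
            raise ActivationError("Activation Message 2 needs a verified device code")
        msg2 = self.sdk.gen_activation2()
        self.instances += 1
        self.state = State.ACTIVATED
        return msg2
```

A session that has reached ACTIVATED can call start() again to activate a further device for the same user until the limit is reached.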