One-time password and e-signature generation
  • 28 Apr 2025


As part of the OneSpan authentication product lines, Mobile Authenticator Studio can be used to generate one-time passwords (OTPs) and e-signatures. The following options are available:

  • OTP generation can be time-based, event-based, or time- and event-based.

  • OTPs can be processed in Response-Only or Challenge/Response mode.

    • For Challenge/Response mode, the challenge and response requests can be entered manually or by scanning a QR code or colored QR code (Cronto image). See Request approval with manual Challenge/Response.

    • Generation of an OTP in Challenge/Response mode is only supported in single-device licensing integrations.

  • Digital signature (“e-signature”) generation can be time-based, event-based, or time- and event-based.

  • In single-device licensing integrations, the e-signature request can be approved manually or by scanning a QR code or colored QR code (Cronto image).

Cryptographic applications for OTP or e-signature generation

Mobile Authenticator Studio supports up to eight cryptographic applications for OTP or e-signature generation. A cryptographic application is a set of parameters that defines how authenticator responses are generated. The following parameters determine the setup of a cryptographic application:

  • Operating mode

  • OTP time step

  • Secret type

  • Cryptographic algorithm

  • Response format

  • Response length

  • Response check digit

  • Host confirmation code

The supported character set for the signature data is:

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ%&'()*+,-./:;<=>?_

SPACE (0x20) is included.

Lowercase characters are automatically converted into uppercase before the signature is processed.

ABcdEF, abcdef, and ABCDEF will produce the same response if used as a data field.

Cryptographic algorithm

The algorithm for OTP or e-signature generation may be either of the following:

  • Time-based

    A time seed provided by the device running the app is used to generate OTPs. Time-based authenticators may have a time step of 8*2^n seconds, where n can be between 0 and 15 (e.g. from 8 seconds to 3 days).

  • Event-based

    A counter is used to generate OTPs. The counter is created by the app and stored on the device.

  • Time- and event-based

    A time seed and a counter are used to generate OTPs.

To generate an OTP, the seed is encrypted by a cryptographic algorithm keyed with a secret called the authenticator key. Cryptographic applications can all share the same authenticator key, or each can use its own key.

The following cryptographic algorithms are supported:

  • Triple DES

  • AES

  • OATH
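
How the time step turns into an OTP counter, shown for the OATH case with the RFC 4226/6238 construction. This is an added example, not OneSpan code; the function names and the drift window are assumptions, and the Triple DES and AES variants are not described on this page, so they are not covered.

```python
import hashlib
import hmac
import struct


def time_step(n):
    """Time step in seconds: 8 * 2**n for n in 0..15 (8 s up to about 3 days)."""
    if not 0 <= n <= 15:
        raise ValueError("n must be between 0 and 15")
    return 8 * 2 ** n


def hotp(key, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, n, digits=6):
    """Time-based OTP: the counter is the number of whole steps since the epoch."""
    return hotp(key, int(unix_time) // time_step(n), digits)


def verify_totp(key, candidate, unix_time, n, drift_steps=1, digits=6):
    """Return the matching step offset (-drift..+drift), or None if no match.

    drift_steps is an assumed server setting; every accepted offset widens
    the replay window by one full time step.
    """
    current = int(unix_time) // time_step(n)
    for offset in range(-drift_steps, drift_steps + 1):
        if current + offset < 0:
            continue
        expected = hotp(key, current + offset, digits)
        if hmac.compare_digest(expected, candidate):
            return offset
    return None


def acceptance_window_seconds(n, drift_steps=1):
    """Total span of time during which one OTP value is accepted."""
    return (2 * drift_steps + 1) * time_step(n)
```

With n = 15 and one step of drift tolerance either side, a single OTP value stays acceptable for about nine days, which is why large time steps need a server-side record of already-used OTPs.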

Check digit and host confirmation code

The generated OTP or e-signature can have between 4 and 16 decimal or hexadecimal characters. A check digit may be added, which increases the OTP length by 1 character.

Mobile Authenticator Studio may sign up to 8 data fields of up to 16 digits each. The supported minimum and maximum data field length is specified in the cryptographic application’s parameter set, which is part of the authenticator's static vector.
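
The character set, uppercase conversion and field limits described above, applied as a server-side pre-check before data is sent for signing. This is an added example, not OneSpan code; the function names and default length limits are assumptions, since the real limits come from the cryptographic application's parameter set.

```python
# Supported signature-data characters as listed on this page, plus SPACE (0x20).
SUPPORTED = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ%&'()*+,-./:;<=>?_ ")
MAX_FIELDS = 8       # up to 8 data fields
MAX_FIELD_LEN = 16   # up to 16 characters per field


def canonicalize_fields(fields, min_len=1, max_len=MAX_FIELD_LEN):
    """Return the fields as they will actually be signed, or raise ValueError.

    min_len/max_len stand in for the per-application limits (assumed values).
    """
    if not 1 <= len(fields) <= MAX_FIELDS:
        raise ValueError(f"expected 1..{MAX_FIELDS} data fields, got {len(fields)}")
    if not 0 <= min_len <= max_len <= MAX_FIELD_LEN:
        raise ValueError("length limits must satisfy 0 <= min <= max <= 16")
    canonical = []
    for index, raw in enumerate(fields, start=1):
        # Fold only a-z. str.upper() would also turn 'ß' into 'SS' and let an
        # unsupported character through with a changed length.
        folded = "".join(chr(ord(c) - 32) if "a" <= c <= "z" else c for c in raw)
        bad = sorted(set(folded) - SUPPORTED)
        if bad:
            raise ValueError(f"field {index}: unsupported characters {bad!r}")
        if not min_len <= len(folded) <= max_len:
            raise ValueError(
                f"field {index}: length {len(folded)} not in {min_len}..{max_len}")
        canonical.append(folded)
    return canonical


def case_collisions(values):
    """Group distinct inputs that canonicalize to the same signed value."""
    groups = {}
    for value in values:
        groups.setdefault(canonicalize_fields([value])[0], set()).add(value)
    return {key: sorted(group) for key, group in groups.items() if len(group) > 1}
```

Because case is not covered by the signature, `case_collisions` is useful for checking whether any case-sensitive identifiers in the business data (constructed examples: `Ref_9a` and `REF_9A`) would be signed as the same value.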

In addition to OTP or e-signature generation, Mobile Authenticator Studio also supports host confirmation code (HCC) generation. It is a string of up to 10 decimal or hexadecimal characters which identifies the authentication server. After validating an OTP, the server generates and returns the HCC, which the user can compare with the code displayed on the mobile device. Thus, the user can be sure that the OTP was validated by the correct authentication server.

Request approval methods

Mobile Authenticator Studio offers the following methods for the user to enter data and approve requests:

  • Manual request approval

    The user manually enters the data to be signed and approves the request either manually or by scanning a QR code or Cronto image.

  • Request approval with manual Challenge/Response

    The user can sign the transaction by manually entering the challenge in the Mobile Authenticator Studio app or by scanning a QR code or Cronto image containing the challenge you provide.

Manual request approval

With manual request approval, the user can manually enter the data they want to sign on both the client and server side directly in the Mobile Authenticator Studio app. When the user selects Approve request manually, the app displays the specified number of input fields for entering data. The user can verify their entries and approve or deny the request. The user approves the request either manually or by scanning a QR code or Cronto image.

These two features, i.e., scan to manually sign a request vs. manually approve the transaction, are mutually exclusive.

Manual request approval is available in single-device licensing mode and is supported online and offline.

To manually approve a request

After account activation, the user needs to perform the following steps:

  1. On the Home page, the user taps Approve request manually to navigate to the Approve request screen.

  2. In the input fields, the user enters the data they want to sign on both the client and server side.

  3. After verifying their data entries, the user taps Approve.

  4. The user authenticates with the configured authentication method (PIN or biometry).

  5. Offline mode:

    1. Upon successful authentication, the app displays the created signature code for signing the transaction, and the user is prompted to enter this code into the third-party application or web page.

    2. The user taps Done to return to the Home screen.

  6. Online mode:

    1. Upon successful authentication, the app sends the signature to the server and displays the Request approved screen to the user.

    2. The user taps Done to return to the Home screen.

To manually approve a request with a QR code or Cronto image

After account activation, the user needs to perform the following steps:

  1. On the Home page, the user taps Scan request code to navigate to the Approve request screen.

  2. In the input fields, the user enters the data they want to sign on both the client and server side.

  3. After verifying their data entries, the user taps Approve.

  4. The user authenticates with the configured authentication method (PIN or biometry).

  5. Offline mode:

    1. Upon successful authentication, the app displays the created signature code for signing the transaction, and the user is prompted to enter this code into the third-party application or web page.

    2. The user taps Done to return to the Home screen.

  6. Online mode:

    1. Upon successful authentication, the app sends the signature to the server and displays the Request approved screen to the user.

    2. The user taps Done to return to the Home screen.

Request approval with manual Challenge/Response

With request approval by manual Challenge/Response, the user can sign the transaction by manually entering the challenge in the Mobile Authenticator Studio app or by scanning a QR code or Cronto image containing the challenge you provide. This is only available in offline mode.

These two features, i.e., scan to manually sign a request vs. approve a transaction with the manual Challenge/Response flow, are mutually exclusive.

This feature can be configured in two different ways with the customization of your Mobile Authenticator Studio integration:

  • Include both manual Challenge/Response and manual request approval

    For this configuration, the app home screen displays the Approve request manually option where the user taps Enter request details to manually enter the data and then approves and signs the transaction with the Challenge/Response flow.

  • Prescribe either Manual Challenge/Response or Manual request approval

    For this configuration, only one manual action is possible - either manually approve the request or apply the manual Challenge/Response flow, and the Mobile Authenticator Studio app performs the configured action when the user taps on Approve request manually.

To approve a transaction with manually entered data by Challenge/Response

After account activation, the user needs to perform the following steps:

  1. On the Home page, the user taps Approve request manually.

  2. In the input field on the Approve request screen, the user enters the challenge received from the server, which they want to sign on both the client and server side.

  3. After verifying their data entries, the user taps Approve.

  4. The user authenticates with the configured authentication method (PIN or biometry).

  5. Upon successful authentication, the app displays the created signature code for signing the transaction, and the user is prompted to enter this code into the third-party application or web page.

To approve a transaction with manually entered data by scanning a QR code or Cronto image

After account activation, the user needs to perform the following steps:

  1. On the Home page, the user taps Scan request code.

  2. The user points and clicks the device camera at the QR code or Cronto image from the third-party application or web page.

  3. The user is taken to the Request details screen and can verify the displayed challenge.

  4. The user taps Approve.

  5. The user authenticates with the configured authentication method (PIN or biometry).

  6. The Mobile Authenticator Studio app displays the response, e.g. a one-time password (OTP).

  7. The user enters the response in the third-party application or web page.

  8. The user taps Done to complete the transaction.

  9. After the transaction is approved, the user is taken back to the Home screen.

