Mobile Security Suite Product Guide


OneSpan Mobile Security Suite
Product Guide
Version: 4.31

Copyright Notice
Copyright © 2010–2021 OneSpan North America, Inc. All rights reserved.

Trademarks
OneSpan™, DIGIPASS® and CRONTO® are registered or unregistered trademarks of OneSpan North America Inc.,
OneSpan NV and/or OneSpan International GmbH (collectively "OneSpan") in the U.S. and other countries.

OneSpan reserves all rights to the trademarks, service marks and logos of OneSpan and its subsidiaries.

All other trademarks or trade names are the property of their respective owners.

Intellectual Property
OneSpan Software, documents and related materials (“Materials”) contain proprietary and confidential information. All title, rights and interest in OneSpan Software and Materials, updates and upgrades thereof, including software rights, copyrights, patent rights, industrial design rights, trade secret rights, sui generis database rights, and all other intellectual and industrial property rights, vest exclusively in OneSpan or its licensors. No OneSpan Software or Materials may be downloaded, copied, transferred, disclosed, reproduced, redistributed, or transmitted in any form or by any means, electronic, mechanical or otherwise, for any commercial or production purpose, except as otherwise marked or when expressly permitted by OneSpan in writing.

Disclaimer
OneSpan accepts no liability for the accuracy, completeness, or timeliness of content, or for the reliability of links to
and content of external or third party websites.

OneSpan shall have no liability under any circumstances for any loss, damage, or expense incurred by you, your company, or any third party arising from the use or inability to use OneSpan Software or Materials, or any third party material made available or downloadable. OneSpan will not be liable in relation to any loss/damage caused by modification of these Legal Notices or content.

Reservation
OneSpan reserves the right to modify these Notices and the content at any time. OneSpan likewise reserves the right
to withdraw or revoke consent or otherwise prohibit use of the OneSpan Software or Materials if such use does not
conform to the terms of any written agreement between OneSpan and you, or other applicable terms that OneSpan
publishes from time to time.

Contact us
Visit our website: https://www.onespan.com
Resource center: https://www.onespan.com/resource-center
Technical support and knowledge base: https://www.onespan.com/support

If there is no solution in the knowledge base, contact the company that supplied you with the OneSpan product.

Date: 2021-12-21

Contents

1 Introduction 1

1.1  OneSpan Mobile Security Suite Documentation 3

1.2  About this document 5

2 Terminology 7

2.1  Terms, Definitions, and Abbreviations used in OneSpan Mobile Security Suite 8

3 Compliance with Federal Information Processing Standards (FIPS) 19

4 Digipass SDK 20

4.1  OneSpan Digipass SDK licensing 21

4.2  One-time password generation 29

4.3  E-signature generation 32

4.4  Secure Channel 34

4.5  Score-based authentication 36

4.6  Digipass protection 38

4.7  Digipass properties 45

5 Activation data transfer protection 48

5.1  Secret transfer security with shared secret 49

5.2  OneSpan Digipass Software Advanced Provisioning Protocol (DSAPP) SDK 51

6 OneSpan Secure Storage SDK 53

7 OneSpan Device Binding SDK 54

8 OneSpan Root Detection SDK 55

9 Image Scanner SDK and Image Generator SDK 56

10 OneSpan Secure Messaging SDK 58

11 OneSpan Biometric Sensor SDK 60

12 OneSpan Notification SDK 61

13 OneSpan Client Device Data Collector (CDDC) SDK 64

14 OneSpan White-Box Cryptography (WBC) SDK 67

15 Orchestration SDK 70

15.1  Supported platforms and requirements 72

16 FIDO Authentication Solution 73

Index 74

Figures

Figure 1: Premium multi-device licensing (overview) 21

Figure 2: Activation Message transfer between OneSpan Digipass SDK and OneSpan
Authentication Server Framework 22

Figure 3: Single device licensing model (overview) 25

Figure 4: Payload key provisioning between OneSpan Digipass SDK and OneSpan
Authentication Server Framework 34

Figure 5: Score-based response through a Digipass response 36

Figure 6: Activation with delegated protection (overview) 39

Figure 7: Activation with password protection (overview) 40

Figure 8: Securely communicating the Digipass key between client and server 49

Figure 9: Online activation with an activation password (overview) 50

Figure 10: User password transmission with DSAPP (overview) 51

Figure 11: Activation data transfer protection with DSAPP (overview) 52

Figure 12: Cronto image 56

Figure 13: QR code image 57

Figure 14: Transaction message transfer with the OneSpan Secure Messaging SDK 59

Figure 15: Data transfer from server to mobile device (Push Notification) 62

Figure 16: Collect client device data with the CDDC SDK 65

Figure 17: CDDC SDK (Overview) 66

Figure 18: Conversion of clear-text key into obfuscated source code 67

Figure 19: Application without White-Box Cryptography SDK 68

Figure 20: Application with White-Box Cryptography SDK 69

Figure 21: Orchestration example - remote authentication overview 71

Tables

Table 1: Device types received by OneSpan Authentication Server Framework 23

Table 2: Supported signature application settings 29

Table 3: Supported signature application settings 32

Table 4: Supported score-based application settings 37

Table 5: Weak password control with numeric passwords 41

Table 6: Weak password control with alphanumeric passwords 42

Table 7: Weak password control with ATM rule 42

Table 8: Digipass properties 45

Table 9: Application properties 46

1 Introduction
Welcome to the OneSpan Mobile Security Suite Product Guide! This document provides an overview of the different SDKs that are part of the OneSpan Mobile Security Suite and its features.

This guide provides information about:

• Biometric Sensor SDK
• CDDC SDK
• Device Binding SDK
• Digipass Bluetooth Token SDK
• Digipass SDK
• DSAPP SDK
• FIDO UAF SDK
• Image Generator SDK
• Image Scanner SDK
• Notification SDK
• Orchestration SDK
• Root Detection SDK
• Secure Messaging SDK

• Secure Storage SDK
• WBC SDK

1.1  OneSpan Mobile Security Suite Documentation
The OneSpan Mobile Security Suite product documentation comprises the following
guides:

• OneSpan Mobile Security Suite Product Guide: Provides an overview of OneSpan Mobile Security Suite and its components.
• Biometric Sensor SDK Integration Guide: Provides instructions to integrate the Biometric Sensor SDK.
• Client Device Data Collector SDK Integration Guide: Provides instructions to integrate the Client Device Data Collector SDK.
• Device Binding SDK Integration Guide: Provides instructions to integrate the Device Binding SDK.
• DIGIPASS SDK Integration Guide: Provides instructions to integrate the DIGIPASS SDK.
• Digipass Software Advanced Provisioning Protocol SDK Integration Guide: Provides instructions to integrate the Digipass Software Advanced Provisioning Protocol SDK.
• FIDO UAF SDK Developer Guide: Provides instructions to integrate the FIDO UAF SDK.
• Image Generator SDK Integration Guide: Provides instructions to integrate the Image Generator SDK.
• Image Scanner SDK Integration Guide: Provides instructions to integrate the Image Scanner SDK.
• Notification SDK Integration Guide: Provides instructions to integrate the Notification SDK.
• Orchestration SDK Integration Guide: Provides instructions to integrate the Orchestration SDK.
• Root Detection SDK Integration Guide: Provides instructions to integrate the Root Detection SDK.

• Secure Messaging SDK Client Integration Guide: Provides instructions to integrate the Secure Messaging SDK Client.
• Secure Messaging SDK Server Integration Guide: Provides instructions to integrate the Secure Messaging SDK Server.
• Secure Storage SDK Integration Guide: Provides instructions to integrate the Secure Storage SDK.
• White-Box Cryptography SDK Integration Guide: Provides instructions to integrate the White-Box Cryptography SDK.

1.2  About this document

1.2.1  How to use this document

You can use this document in different ways, depending on your skill and knowledge
level. You can read it from the beginning to the end (highly recommended for novice
users), you can browse through the chapter abstracts and read specifically the
chapters relevant to your needs, or you can search by key words in the index, if you
need to find certain references quickly.

If you need to… / Refer to:

• …get an overview of how to integrate Digipass features and functionalities: 4 Digipass SDK
• …get an overview of the secure transfer of the Digipass activation data: 5 Activation data transfer protection
• …get an overview of storing data securely on a mobile device: 6 OneSpan Secure Storage SDK
• …get an overview of creating a unique fingerprint on a platform: 7 OneSpan Device Binding SDK
• …learn more about how to detect if an application is running on a jailbroken/rooted device: 8 OneSpan Root Detection SDK
• …get an overview of how to integrate QR code and Cronto image capturing for a mobile application: 9 Image Scanner SDK and Image Generator SDK
• …get an overview of secure messaging: 10 OneSpan Secure Messaging SDK
• …learn more about implementing biometric protection: 11 OneSpan Biometric Sensor SDK
• …get an overview of how to send push notifications to mobile devices: 12 OneSpan Notification SDK
• …learn more about how to aggregate data for analysis purposes: 13 OneSpan Client Device Data Collector (CDDC) SDK
• …learn more about how to use white-box cryptography: 14 OneSpan White-Box Cryptography (WBC) SDK
• …learn more about facilities to orchestrate the mobile application and authenticate users smartly and securely after a risk evaluation: 15 Orchestration SDK
• …learn about integrating security capabilities to enable strong authentication leveraging the FIDO protocol: 16 FIDO Authentication Solution

1.2.2  Providing feedback
Every effort has been made to ensure the accuracy and usefulness of this document. However, as the reader of this documentation, you are our most important critic and commentator. We appreciate your judgment and would like you to write us your opinions, suggestions, critiques, questions, and ideas. Please send your commentary to: documentation2@onespan.com.

To recognize the particular document you are referring to, please include the following information in your subject header: OMSS-PG-4.31.3en-2021-12-21

Please note that product support is not offered through the above email address.

2 Terminology
When you work with OneSpan Mobile Security Suite you should get yourself acquainted with some terms and abbreviations that you will encounter frequently.

2.1  Terms, Definitions, and Abbreviations used in OneSpan Mobile Security Suite 8

2.1  Terms, Definitions, and Abbreviations used in OneSpan Mobile Security Suite

AC
See Activation code.

Activation code
The Digipass secret key in a decimal or hexadecimal character string format, encrypted with the customer master key in the static vector. It is one of the following:
• 20 decimal digits for a single-length secret key; the second part of the key is derived from the first part.
• 40 decimal digits for a double-length secret key.
• 16 hexadecimal characters for a single-length secret key; the second part of the key is derived from the first part.
• 32 hexadecimal characters for a double-length secret key.
To protect it against alteration, the activation code ends with a one-digit checksum.

Activation password
Secret data string of up to 64 alphanumeric characters shared between the customer
(server) and the end user prior to registration; used to protect the transfer of sensitive
data during the Digipass activation process. Sometimes also referred to as customer
historical secret.

adb
Android Debug Bridge

Advanced Encryption Standard
Symmetric key encryption algorithm. A block cipher with a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits.

AES
See Advanced Encryption Standard

Alea
See Nonce.

App Shielding
Security technology that integrates directly into applications to provide proactive security against a wide range of attacks (tampering, debugging, code injection, code modification, data theft from the app). It performs different security checks and protects applications against attacks during runtime.

Authorization code
Data used by the end user to identify themselves to a server in order to receive the Digipass activation data.

Basic service set identifiers
Unique identifier of a basic service set; a 48-bit label that conforms to MAC-48 conventions.

Biometric Sensor SDK
Provides facilities to use fingerprint recognition to increase user convenience during the identification process while retaining a secure solution. It also provides methods to test whether fingerprint recognition is supported by the platform and has been enabled by the user before actually verifying fingerprints.

BSSID
See Basic service set identifiers

CDDC SDK
Provides facilities to aggregate information from various mobile sources for risk
evaluation of mobile transactions by OneSpan Risk Analytics.

CHS
Customer historical secret; see Activation password.

Counter mode
Operation mode of block ciphers. CTR uses the AES block cipher to create a stream
cipher. Data is encrypted and decrypted by XORing with the key stream produced by
AES encrypting sequential counter block values.

CRC
See Cyclic redundancy check.

Cronto
Colorful cryptogram, similar to a QR code; used for visual transaction signing.

CTR
See Counter mode

Customer
OneSpan customer (e.g. a bank) who licenses OneSpan Mobile Security Suite and
distributes it to the end user.

Customer historical secret
See Activation password.

Customer master key
32-hexadecimal-character string. This string is unique for each customer and is generated (random/fixed) during production by OneSpan logistics. The master key is also known as “serial code”. It is a Triple DES key embedded in the static vector. See also Static vector.

Cyclic redundancy check
Data verification method to detect errors and accidental changes to raw data.

Derivation code
Optional code used to carry platform-specific data from client to server in the standard licensing model; part of the Digipass binding feature. It contains a Digipass response based on one of the Digipass cryptographic application keys and on bits extracted from the fingerprint of the platform where Digipass is running.

Device Binding SDK
Facilitates Digipass application development; it provides a function to generate a unique identifier for a given mobile device, the device fingerprint. The SDK can be used on a variety of devices and various supported platforms.

Device code
Mandatory code used to carry platform-specific data from client to server in the premium licensing model. It contains a Digipass response based on one of the Digipass cryptographic application keys and on bits extracted from the fingerprint of the platform where Digipass is running.

Device fingerprint
A unique identifier; it is a hexadecimal string of 64 characters. It is a securely computed
SHA-256 hash of the device-specific data and hardcoded salts.

Digipass activation
The process in which the Digipass serial number, parameter set, secret, and initial seed value for future OTP or e-signature generation are provided. Activation is successful when the first Digipass response is validated on the server. Once the client activation is completed, the Digipass instance is ready to generate Digipass responses. See also Digipass instance.

Digipass instance
The association of a unique Digipass key, serial number, sequence number, a static
vector, and a Digipass secret.

Digipass key
128-bit secret key used by the Digipass algorithm to generate one-time passwords or e-
signatures. The key is provided to the Digipass instance through the activation code. See
also Digipass instance.

Digipass license
See Digipass serial number.

Digipass password
The Digipass password protects the Digipass key against unauthorized use. The
password is used to encrypt the key in the dynamic vector. The password is also known
as user password, static password, or PIN. See also Dynamic vector.

Digipass SDK
Contains functions to activate the Digipass license, generate one-time passwords and e-
signatures, establish a secure channel between Digipass and a server, and enable user-
password management.

Digipass serial number
The unique identifier of a Digipass license. It consists of a 3-alphanumeric-character prefix set in the static vector, and a 7-digit suffix. The suffix can be provided in the XFAD or by the user during Digipass activation. See also XFAD, Digipass serial number prefix, Digipass serial number suffix.

Digipass serial number prefix
Consists of the first three characters of the Digipass serial number. The serial number prefix is unique per customer.

Digipass serial number suffix
Consists of the last seven decimal digits of the Digipass serial number. The serial number suffix is unique per end user.

Digipass Software Advanced Provisioning Protocol SDK
Implements the DSAPP protocol to securely transfer the server-side generated Digipass
software activation data to the Digipass software client. The SDK encrypts the activation
data before transferring it to the client application and decrypts it again.

DTF
Data field

DV
See Dynamic vector.

Dynamic vector
Digipass-specific binary data. It is created after successful activation and is updated by the OneSpan Digipass SDK at runtime. It contains the following:
• Digipass status
• Serial number suffix
• PIN information
• Encrypted Digipass secret
• Status of the cryptographic Digipass applications
• Last-time-used value of the cryptographic Digipass applications
• Last-event-used value of the cryptographic Digipass applications

Electronic serial number
Number to uniquely identify mobile devices.

Encrypted event reactivation counter
Event reactivation counter encrypted with the activation password or a session key. See also Activation password.

Encrypted full activation data
Full activation data encrypted with the activation password or a session key. See also Activation password, Full activation data.

End user
See User.

ERC
See Event reactivation counter.

ESN
See Electronic serial number.

Event reactivation counter
This is the value to initialize the event-based Digipass counter. It should be provided to
the OneSpan Digipass SDK during the re-activation process to synchronize the event
counter between the Digipass data on the server-side and the Digipass instance on the
client side. See also Digipass instance, Digipass SDK.

FAD
See Full activation data.

FIDO Authentication Solution
Leverages FIDO protocols and allows you to integrate mobile device biometric security capabilities into your application to enable strong authentication with primary and second factor authentication using biometrics and hardware authenticators.

Full activation data
Serves to finalize the activation. The full activation data includes the parameter settings for the OneSpan Digipass SDK activation, the Digipass key, and the Digipass serial number. It is the concatenation of the static vector, the activation code, and the serial number suffix. If the activation code is encrypted by an activation password and/or a nonce, it becomes encrypted full activation data (XFAD). See also Activation code, Digipass SDK, Encrypted full activation data, Nonce, Digipass serial number suffix.

Image Generator SDK
Provides a native component for a mobile application to integrate QR code and Cronto image capture.

Image Scanner SDK
Facilitates the Digipass application development by providing you with the image scanning functionality to capture QR codes and Cronto images.

IMEI
See International Mobile Equipment Identity.

International Mobile Equipment Identity
Unique number to identify valid devices; used by GSM networks.

Jailbreak cloaking
Method to hide the root status of an iOS device and to conceal that the mobile device is
compromised.

KCV
See Key checksum value

Key checksum value
Checksum of the key value; used to compare keys without knowing their actual values.

MAC
Message authentication code.

Man-in-the-middle-attack
An attack where the communication of two parties is intercepted by an attacker.

MEID
See Mobile Equipment Identifier.

MITMA
See Man-in-the-middle-attack.

Mobile Equipment Identifier
Globally unique number to facilitate universal mobile equipment identification.

Near-field communication
Set of communication protocols between two devices over a short distance.

NFC
See Near-field communication.

Non-volatile storage
See Permanent storage.

Nonce
A 64–hexadecimal-character random number generated by the OneSpan Digipass SDK
host platform. It is part of the one-time-activation process and ensures that no other
SDK-integrated instance can register with the same data.

Notification identifier
Unique hexadecimal string with a maximum length of 2064 characters. The Notification
SDK assigns this identifier to the client application - it is unique to the client device,
regardless of the platform. It must be sent to the back end for later use.

Notification SDK
Provides facilities to send push notifications to mobile applications via Apple, Google,
and Microsoft cloud notification services, and provides an abstraction layer for the
interactions between client and server.

One-time password
A password that is valid for only one authentication process. OTPs can be used only
once, and each authentication process requires a new OTP.

OneSpan Authentication Server
OneSpan Authentication Server is a centralized authentication server that offers strong authentication and validation of transaction signatures. It verifies authentication requests from individuals trying to access the corporate network or business applications.

OneSpan Authentication Server Framework
API-based authentication platform that serves as back end for Digipass strong authentication and e-signatures.

Orchestration SDK
Enables mobile developers to integrate the main features of OneSpan Mobile Security
Suite in their mobile application; the SDK provides facilities to orchestrate the mobile
application and authenticate users after risk evaluation on the server-side.

OTP
See One-time password.

Permanent storage
Storage that can retrieve stored information even after having been power cycled. Also
non-volatile storage.

Platform fingerprint
Data specific to the platform hosting the OneSpan Digipass SDK.

Post-activation
Optional process after the client activation.

Push notification
Push notifications are clickable pop-up messages that are displayed outside an app. They are pushed from the server the app uses to the end user's device.

PWD
User password

Registration
The process of generating Digipass activation data on the server-side.

RHC
Return host code

Risk Analytics
Fraud detection and management system. It identifies risk at critical steps, predicts risk levels, and takes action when suspicious activities are identified. It is a product for monitoring online banking applications and payment processing which helps to protect against online banking fraud.

Root cloaking
Method to hide the root status of an Android device and to conceal that the mobile
device is compromised.

Root Detection SDK
Detects if an application is running on a jailbroken/rooted device based on residual traces of the rooting method.

SCC
Signature confirmation code

Secure Channel
Ensures the confidentiality, integrity, and non-repudiation of data exchanged between a
client and a server. The data are encrypted and signed with a key changed during the
activation process. The protected data are embedded in a Secure Channel message for
the transport process.

Secure Messaging SDK
Used to format the transaction message body before encryption by OneSpan
Authentication Server or OneSpan Authentication Server Framework (server SDK), and
parse the transaction message body before decryption by the Digipass SDK (client SDK).

Secure Storage SDK
Provides a generic API to securely store data on a mobile device while masking the way the information is stored on the platform.

Sequence number
This is the unique identifier of a Digipass instance from a Digipass license. It consists of
two numeric characters from 01 to 99.

Serial number
See Digipass serial number.

Server activation
The validation of the first Digipass response generated after client activation. The server
activation is part of the post-activation process.

Service set identifier
Identifier or network name for a group of wireless network devices.

SSID
See Service set identifier

Static vector
The Digipass parameter set, i.e. customer-specific binary configuration data. It contains
the Digipass serial number prefix, the customer master key and the parameter settings
of the cryptographic application(s). It can be provided independently in clear text format,
or as part of the FAD. See also Customer master key; FAD.

Time step
Time interval when the time seed is constant.

Token seed
See Digipass key.

User
The end user of a Digipass instance (for instance a bank’s customer).

Volatile storage
Storage that requires power to maintain the stored information.

White-Box Cryptography SDK
With the White-Box Cryptography SDK, secret cryptographic keys are kept hidden in the source code even during runtime. The SDK enables developers to convert key values with the White-Box Table Generator into obfuscated source code which can be integrated into their application, instead of adding hardcoded key values in the source code.

XERC
See Encrypted event reactivation counter.

XFAD
See Encrypted full activation data.

3 Compliance with Federal Information Processing Standards (FIPS)

Mobile Security Suite uses cryptographic libraries that are certified according to NIST
FIPS 140-2.

On iOS, Mobile Security Suite uses the Apple native cryptographic libraries, which are FIPS 140-2-validated. For more information, refer to https://support.apple.com/en-us/HT202739.
On Android, Mobile Security Suite relies on the Android cryptographic libraries, typically based on BoringSSL, which are also FIPS 140-2-validated. For more information, refer to https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/details?product=12750.

4 Digipass SDK
The Digipass SDK contains functions to integrate the following features in your solutions:

• Activate the Digipass license
• Generate one-time passwords and e-signatures (with and without protection against an MITMA; see Man-in-the-middle-attack)
• Establish a secure channel between Digipass and a server
• Enable user-password management

4.1  OneSpan Digipass SDK licensing 21
4.2  One-time password generation 29
4.3  E-signature generation 32
4.4  Secure Channel 34
4.5  Score-based authentication 36
4.6  Digipass protection 38
4.7  Digipass properties 45

4.1  OneSpan Digipass SDK licensing
The Digipass license (which is the Digipass serial number) is available in two models:

• Premium multi-device licensing (MDL) model
• Standard single-device licensing (SDL) model

4.1.1  Premium multi-device licensing (MDL) model

Figure 1: Premium multi-device licensing (overview)

In the multi-device licensing model, a unique serial number of ten characters is generated by OneSpan; this unique serial number can be associated with several Digipass data on the server-side. Each Digipass data is identified by its unique serial number and a sequence number. On the client-side the Digipass license can thus be instantiated several times. This mode fits the deployment of one Digipass per device of the same user. Each Digipass of the user shares the same serial number but has a different sequence number.

Activation process
Before you can work with the OneSpan Digipass SDK you need to activate it. Activating the OneSpan Digipass SDK in the multi-device model consists of providing the activation data to the OneSpan Digipass SDK binary; this data includes the parameter settings, the serial number, the sequence number and the Digipass key of a Digipass authenticator.

CAUTION: Contrary to the activation of Digipass in the single device licensing model, the activation data is provided to the OneSpan Digipass SDK in two steps: first the license is activated, after that the instance is activated. In each step, the OneSpan Digipass SDK on the client side is provided with an activation message generated by OneSpan Authentication Server Framework on the server side. This feature is supported by server solutions using OneSpan Authentication Server Framework as of version 3.13.

Figure 2: Activation Message transfer between OneSpan Digipass SDK and OneSpan Authentication Server Framework

The transfer of the activation message from the server to the device must be operated via a secure channel. We recommend using the DSAPP SDK to establish a secure channel if the transfer is done in a connected mode. For more information, see 5.2  OneSpan Digipass Software Advanced Provisioning Protocol (DSAPP) SDK. If the transfer is done in an unconnected mode, we recommend using different channels to transfer the different activation messages.

License activation
The first step to activate a Digipass authenticator in a multi-device licensing mode is to activate the Digipass license. This step consists of providing the Activation Message 1 generated by OneSpan Authentication Server Framework to the OneSpan Digipass SDK.

The Activation Message 1 contains the following information used by the OneSpan
Digipass SDK:

• The Digipass license serial number
• The Digipass license key
• The Digipass license parameter settings (optional)

For more information about generating the activation messages, refer to the
OneSpan Authentication Server Framework documentation.

If the parameter settings are not provided as part of the activation message they must
be provided by the application that integrates the OneSpan Digipass SDK.

As a result of the license activation, the OneSpan Digipass SDK generates a device
code which contains a device ID. It is a concatenation of information about the device
type and device-unique data, provided to the OneSpan Digipass SDK by the hosting
application. Both are signed with the license key.

The device code must be provided to OneSpan Authentication Server Framework on the server side to generate a Digipass instance for the device for which the license has been activated.

The following device types can be received by OneSpan Authentication Server Framework in the device code:

Table 1: Device types received by OneSpan Authentication Server Framework

Return device type | Value
--- | ---
iOS | 3
Jailbroken iOS | 5
Android | 7
Rooted Android | 9
Windows | 17
Linux | 19
Mac | 21

Instance activation
The second step to activate a Digipass authenticator in a multi-device licensing mode is to activate the Digipass instance. This step consists of providing the Activation Message 2 generated by OneSpan Authentication Server Framework to the OneSpan Digipass SDK.

The Activation Message 2 contains the following information used by the OneSpan Digipass SDK:

• The Digipass license serial number

• The Digipass instance sequence number

• The Digipass key

As a result of the Digipass instance activation, the OneSpan Digipass SDK generates a MAC signature with the Digipass instance key. The MAC signature must be provided to OneSpan Authentication Server Framework on the server side to confirm the correct activation of the Digipass instance.

Optionally, and depending on the Digipass parameter settings, the instance activation process may also require a Digipass password. The password is chosen by the user and protects the Digipass against unauthorized use. It is set during the instance activation process but may be changed in the course of the Digipass lifecycle (see 4.6 Digipass protection).

In the multi-device licensing mode, a Digipass instance cannot be reactivated; OneSpan Authentication Server Framework only generates an Activation Message 2 once. If a Digipass instance cannot be used anymore, it must be replaced with a new one. The number of instances per Digipass serial number is limited to 99.
4.1.2  Standard single-device licensing (SDL) model

Figure 3: Single device licensing model (overview)

In the single device licensing model, a unique serial number of ten characters is generated by OneSpan and associated with the Digipass data on the server side. Digipass can thus be instantiated on a single device to ensure the symmetry.
Activation process
Before you can work with the OneSpan Digipass SDK, you need to activate it. Activating the OneSpan Digipass SDK in the single device licensing model consists of providing the activation data to the OneSpan Digipass SDK binary; this data includes the parameter settings, the serial number, and the Digipass key of a Digipass authenticator.

CAUTION: Contrary to the activation of Digipass in the multi-device licensing model, the activation data is provided in one step to the OneSpan Digipass SDK.

This set of data can be provided using either of the following methods:

• Offline. The data required to activate Digipass is provided independently.

  • The Digipass static vector is provided by OneSpan in a flat file named export.svf. The static vector must be integrated with the OneSpan Digipass SDK.

  • The DIGIPASS serial number is provided by OneSpan in a flat file named ACode.log. The serial number must be delivered to the end user.

    CAUTION: Instead of entering a serial number, the end user can enter a serial number suffix. However, this is not recommended, as the serial number prefix will be retrieved from the static vector and this serial number prefix can differ between the hard-coded static vector in the mobile application and the DigipassBLOBs used by the server.

  • The Digipass activation code is provided by OneSpan with the Digipass serial number in a flat file named ACode.log. This may also be dynamically generated by a OneSpan server solution, i.e. OneSpan Authentication Server Framework, IDENTIKEY, or Digipass as a Service. For more information, refer to the relevant product documentation. The activation code must be delivered to the end user in a secure way.

• Online. The data is not provided independently but as part of the full activation data.

  • The Digipass full activation data is generated by a OneSpan server solution, i.e. OneSpan Authentication Server Framework, IDENTIKEY, or Digipass as a Service. For more information, refer to the relevant product documentation. The full activation data must be dynamically provided to the OneSpan Digipass SDK.

Optionally, and depending on the Digipass parameter settings, the activation process may also require a Digipass password. The password is chosen by the user and protects the Digipass against unauthorized use. It is set during the activation process but may be changed in the course of the Digipass lifecycle (see 4.6 Digipass protection).

Digipass reactivation
During the Digipass lifecycle you may want to re-use the Digipass serial number, for
instance when re-installing Digipass to a new host platform (like a new mobile phone)
or when a Digipass protection password has been lost. During the regular activation
process, the event-based Digipass uses an initial event counter set to 0. If Digipass is
activated and used to validate responses, the counters are incremented on the server-
side. By re-activating the same Digipass on a new platform the Digipass counters are
set to 0, while on the server the counters have a different value. By re-activating the
same Digipass on the same platform, the counters are kept unchanged.

To push the value of the Digipass counters as set on the server side to the OneSpan Digipass SDK, the SDK supports the Digipass event reactivation counter for reactivation. This data contains the current value of each cryptographic Digipass application event counter and is provided by a OneSpan server solution, i.e. OneSpan Authentication Server Framework, IDENTIKEY, or Digipass as a Service. For more information, refer to the relevant product documentation.

Binding Digipass to the host platform

To ensure that a Digipass is used only on the platform where it was activated, the OneSpan Digipass SDK can use data specific to the platform as a diversifier of the Digipass key to generate responses. This data must be provided by the integrating application.

CAUTION: The data used to identify the platform must be unique and not predictable. The OneSpan Device Binding SDK provides this data to identify the platform host of the integrating application.
The data must be exchanged with the OneSpan server solution to enable the symmetric feature on the server side. It is transferred to the server within the derivation code, which contains a hash of the platform-specific data authenticated with a Digipass OTP. Once the derivation code is validated on the server side, the platform-specific data hash is stored in the Digipass server data. All future OTP validations will be done against both Digipass and the platform data. If the same Digipass is installed on another platform, the generated OTP will be rejected.

NOTE: When a platform is replaced, the binding process must be repeated to bind
Digipass to the new platform. On the server-side, the binding can only be cleared by
re-importing the Digipass data from the DPX file.

For more information, refer to your server solution documentation. This feature is supported by server solutions using OneSpan Authentication Server Framework 3.11.2 or later.
4.2  One-time password generation
Once Digipass is activated, the SDK can generate one-time passwords compliant with
any OneSpan OTP verification component:

• OneSpan Authentication Server Framework

• IDENTIKEY

• Digipass as a Service

Each Digipass instance using a static vector version 8 supports up to eight cryptographic applications that can be used to generate OTPs. OTPs can be generated based on the following methods:

• Response-Only (RO): No user or server input is necessary to generate the OTP.

• Challenge/Response (CR): A challenge generated by the server is used to generate the OTP.

NOTE: With static vectors prior to version 8, only two cryptographic applications
were supported.

Table 2: Supported signature application settings

Operating mode | Seeding | Cryptographic algorithm | Response length | Response format | Check digit | Return host code
--- | --- | --- | --- | --- | --- | ---
RO | Time | 3DES | 6 to 16 | DECIMAL / HEXADECIMAL | Y/N | 0 to 10
RO | Time | AES | 6 to 16 | DECIMAL / HEXADECIMAL | Y/N | 0 to 10
RO | Time | SM3 | 6 to 10 | DECIMAL | Y/N | NA
RO | Event | 3DES | 6 to 16 | DECIMAL / HEXADECIMAL | Y/N | 0 to 10
RO | Event | AES | 6 to 16 | DECIMAL / HEXADECIMAL | Y/N | 0 to 10
RO | Event | SM3 | 6 to 10 | DECIMAL | Y/N | NA
RO | Time + event | 3DES | 6 to 16 | DECIMAL | Y/N | 0 to 10
RO | Time + event | AES | 6 to 16 | DECIMAL | Y/N | 0 to 10
RO | Time + event | SM3 | 6 to 10 | DECIMAL | Y/N | NA
CR | Time | 3DES | 6 to 16 | DECIMAL / HEXADECIMAL | Y/N | 0 to 10
CR | Time | AES | 6 to 16 | DECIMAL / HEXADECIMAL | Y/N | 0 to 10
CR | Time | SM3 | 6 to 10 | DECIMAL | Y/N | NA
CR | Event | 3DES | 6 to 16 | DECIMAL / HEXADECIMAL | Y/N | 0 to 10
CR | Event | AES | 6 to 16 | DECIMAL / HEXADECIMAL | Y/N | 0 to 10
CR | Event | SM3 | 6 to 10 | DECIMAL | Y/N | NA
CR | Time + event | 3DES | 6 to 16 | DECIMAL | Y/N | 0 to 10
CR | Time + event | AES | 6 to 16 | DECIMAL | Y/N | 0 to 10
CR | Time + event | SM3 | 6 to 10 | DECIMAL | Y/N | NA
RO | Time | OATH TOTP | 6 to 10 | DECIMAL | Y/N | NA
RO | Event | OATH TOTP | 6 to 10 | DECIMAL | Y/N | NA
CR | No seeding | OCRA Numeric input | 6 to 10 | DECIMAL | Y/N | NA
CR | No seeding | OCRA Alphanumeric input | 6 to 10 | DECIMAL | Y/N | NA
CR | Event | OATH OCRA Numeric input | 4 to 10 | DECIMAL | Y/N | NA
CR | Event | OATH OCRA Alphanumeric | 4 to 10 | DECIMAL | Y/N | NA
CR | Time | OATH OCRA Numeric input | 4 to 10 | DECIMAL | Y/N | NA
CR | Time | OATH OCRA Alphanumeric input | 4 to 10 | DECIMAL | Y/N | NA
CR | Time + event | OATH OCRA Numeric input | 4 to 10 | DECIMAL | Y/N | NA
CR | Time + event | OATH OCRA Alphanumeric input | 4 to 10 | DECIMAL | Y/N | NA

4.3  E-signature generation
Once the Digipass is activated, the SDK can generate e-signatures compliant with any
OneSpan e-signature verification component:

• OneSpan Authentication Server Framework

• IDENTIKEY

Each Digipass instance using a static vector version 8 supports up to eight cryptographic applications that can be used to generate e-signatures. Each cryptographic application can sign up to 8 data fields of up to 16 hexadecimal characters, or up to 8 data fields of up to 8 alphanumeric characters. The number and size of the data fields supported by an application are defined in the Digipass static vector.

NOTE: Lowercase characters are automatically converted into uppercase before the
signature is processed.

ABcdEF, abcdef, and ABCDEF will produce the same response if used as a data field.

Table 3: Supported signature application settings

Operating mode | Seeding | Cryptographic algorithm | Response length | Response format | Check digit | Return host code
--- | --- | --- | --- | --- | --- | ---
SG | Time | 3DES | 6 to 16 | DECIMAL / HEXADECIMAL | Y/N | 0 to 10
SG | Time | AES | 6 to 16 | DECIMAL / HEXADECIMAL | Y/N | 0 to 10
SG | Time | SM3 | 6 to 10 | DECIMAL | Y/N | NA
SG | Event | 3DES | 6 to 16 | DECIMAL / HEXADECIMAL | Y/N | 0 to 10
SG | Event | AES | 6 to 16 | DECIMAL / HEXADECIMAL | Y/N | 0 to 10
SG | Event | SM3 | 6 to 10 | DECIMAL | Y/N | NA
SG | Time + event | 3DES | 6 to 16 | DECIMAL | Y/N | 0 to 10
SG | Time + event | AES | 6 to 16 | DECIMAL | Y/N | 0 to 10
SG | Time + event | SM3 | 6 to 10 | DECIMAL | Y/N | NA

4.4  Secure Channel

4.4.1  Description
The Secure Channel ensures the confidentiality, integrity, and non-repudiation of data exchanged between a client and a server. The data is encrypted and signed with a key exchanged during the activation process. The protected data is embedded in a secure channel message for transport.

The Secure Channel feature of the OneSpan Digipass SDK is only available if Digipass
has been activated in the premium multi-device licensing activation model.

In the multi-device licensing activation model, Digipass can be activated with a symmetric key for secure channel in addition to the keys dedicated to the generation of Digipass responses. The key dedicated to the secure channel is the payload key. It is generated on the server side and is sent during the activation process to the OneSpan Digipass SDK in the Activation Message 2.

Figure 4: Payload key provisioning between OneSpan Digipass SDK and OneSpan
Authentication Server Framework

When a Digipass instance has been activated with a payload key, it can decrypt the
secure transaction message sent by the server and encrypt the information message
sent to the server. For more information about the secure messaging process, see 10
OneSpan Secure Messaging SDK.

NOTE: The OneSpan Digipass SDK is agnostic of the channel used to transfer the
message, or of the content of the message.

The OneSpan Secure Messaging SDKs provide functionalities to convert hexadecimal
raw data into a body message that can be used in the context of the Secure Channel
feature with the OneSpan Digipass SDK (see 10 OneSpan Secure Messaging SDK).

The Image Generator SDK and the Image Scanner SDK provide functionalities to transfer the message into an image format from the server to the integrating application (see 9 Image Scanner SDK and Image Generator SDK).
4.5  Score-based authentication
In addition to the OTP, the Digipass response based on a challenge or the e-signature
generation, the OneSpan Digipass SDK can generate a Digipass response which
includes scoring information from the hosting platform.

The principle of a score-based response is to send information about the status of the hosting platform or the context of the OneSpan Digipass SDK usage to the authentication server through a Digipass response.

Figure 5: Score-based response through a Digipass response

For more information about the OneSpan Authentication Server Framework score-based response validation service, refer to the OneSpan Authentication Server Framework Programmer's Guide.
Table 4: Supported score-based application settings

Operating mode | Seeding | Cryptographic algorithm | Response length | Response format | Check digit | Return host code
--- | --- | --- | --- | --- | --- | ---
Score-based RO | Time | AES | [7;16] | DECIMAL / HEXADECIMAL | Y/N | [4;10]
Score-based RO | Event | AES | [7;16] | DECIMAL / HEXADECIMAL | Y/N | [4;10]
Score-based RO | Time+event | AES | [7;16] | DECIMAL | Y/N | [4;10]
Score-based CR | Time | AES | [7;16] | DECIMAL / HEXADECIMAL | Y/N | [4;10]
Score-based CR | Event | AES | [7;16] | DECIMAL / HEXADECIMAL | Y/N | [4;10]
Score-based CR | Time+event | AES | [7;16] | DECIMAL | Y/N | [4;10]
Score-based SG | Time | AES | [7;16] | DECIMAL / HEXADECIMAL | Y/N | [4;10]
Score-based SG | Event | AES | [7;16] | DECIMAL / HEXADECIMAL | Y/N | [4;10]
Score-based SG | Time+event | AES | [7;16] | DECIMAL | Y/N | [4;10]
Score-based Activation | | AES | [7;16] | DECIMAL | N | 0
Score-based Message Signature | | AES | [7;16] | DECIMAL | N | 0

4.6  Digipass protection
The Digipass dynamic vector contains Digipass secrets that must be protected
against attackers. The SDK provides two methods to protect the sensitive Digipass
data:

• delegated protection with an external dynamic vector-encrypting key

• Digipass password protection

If the Digipass configuration does not include password protection and you do not use a dynamic vector-encrypting key when integrating the Digipass SDK, a default password based on the static vector master key is used internally to protect the secret. In that case, if a password is provided to any Digipass SDK entry point, an error is produced.

Protection starts after the activation process, once the secret has been extracted from
the activation code and stored in the dynamic vector.

Neither the encrypting key nor the Digipass password is stored by the Digipass SDK in
the dynamic vector.

4.6.1  Delegated protection
The 3DES key used to protect the Digipass secret in the dynamic vector is provided by the application that integrates the Digipass SDK. The management of this key is delegated to you when integrating the Digipass SDK.

Figure 6: Activation with delegated protection (overview)

In Figure 6, the application integrating the SDK manages its own dynamic vector-
encrypting key. This key must be provided during the activation process and after-
ward for each call to the SDK. Without this key, the dynamic vector cannot be used,
and the Digipass needs to be reactivated.

The dynamic vector-encrypting key is not controlled by the Digipass SDK. Thus, an invalid encrypting key will lead to an incorrect decryption of the Digipass secret and, consequently, to an invalid response. The Digipass SDK does not manage a lock mechanism if it is integrated with delegated protection.

This dynamic vector-encrypting key ensures that only the application owning the key
is able to use the Digipass authenticator.

All API entry points supporting a third-party encrypting key are suffixed with WithKey.

Example of routines for delegated protection:

• C/C++/Objective C: DPSDK_GenerateSignatureWithKey

• Swift: generateSignature

• Java: generateSignatureWithKey

4.6.2  Password protection
With Digipass password protection, the usage of the application is protected via a password; it is required for every OTP and signature generation, as well as for changing the password. The password is chosen by the user in the course of the activation process and it is part of the dynamic vector encryption key calculation. This key is derived from the password provided by the user, and from the Digipass serial number according to the following algorithm:

Key = PBKDF2 (PRF, PIN||Serial Number||Device Data, salt, c, sekLen)

The PBKDF2 parameters must be:

• PRF: SHA-256

• PIN||Serial number||Device data: concatenation of the user's PIN, the Digipass serial number and the device-specific data

• salt: fixed data

• c: configurable number of iterations

• sekLen: key length, 32 bytes

Figure 7: Activation with password protection (overview)

In Figure 7, the dynamic vector is protected by a password provided by the Digipass owner. The control of the password fully relies on the Digipass SDK. Only the owner of the password will be able to use the Digipass authenticator.

Once a user password protects the secret in the dynamic vector, any operation involving the secret will require the validation of the user password. This password validation is done by the Digipass SDK according to the password security level defined in the static vector.

The user password can be entered as a string or as a byte array. When entered as a
byte array, the password can be reset to avoid security issues.

Weak password control

NOTE: Weak PIN rules have been updated in Mobile Security Suite 4.21.2

If weak password control is configured for the Digipass authenticator, the detection
rules for weak passwords are:

• The difference between consecutive digits of the password must vary.

  Example: 12345 is a weak password because the difference between the consecutive digits is always +1.

• A row of 0s (N-1 0s for a PIN of N digits) followed by a number (e.g. 00003) or a number followed by a row of 0s (e.g. 2000) are not valid. (This is the ATM mimic.)

• When the password is changed, the new password must be different from the old password.

Weak password control is used during the activation process and on password
change.

Table 5: Weak password control with numeric passwords

Password | Step sequence | Control result
--- | --- | ---
123456 | 1 1 1 1 1 | FAIL
111111 | 0 0 0 0 0 | FAIL
678901 | 1 1 1 -9 1 | SUCCESS
02468 | 2 2 2 2 | FAIL
876543 | -1 -1 -1 -1 -1 | FAIL
123467 | 1 1 1 2 1 | SUCCESS
415263 | -3 4 -3 4 -3 | SUCCESS

Table 6: Weak password control with alphanumeric passwords

Password | Decimal value | Step sequence | Control result
--- | --- | --- | ---
ABCDEF | 65, 66, 67, 68, 69, 70 | 1 1 1 1 1 | FAIL
tsrqpo | 116, 115, 114, 113, 112, 111 | -1 -1 -1 -1 -1 | FAIL

Table 7: Weak password control with ATM rule

Password | Control result
--- | ---
000005 | FAIL
200000 | FAIL
007000 | SUCCESS
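The three weak password rules above, implemented as an added example that is not OneSpan SDK code (the SDK's own implementation is not shown in this guide). It works on character code points so that the same step rule covers the alphanumeric cases of Table 6, and it is checked against the results of Tables 5 to 7.

```python
from typing import List, Optional

# Added example modelled on the weak password rules of this guide; not OneSpan SDK code.


def step_sequence(password: str) -> List[int]:
    """Differences between consecutive characters, taken on their code points
    (so ABCDEF -> 1 1 1 1 1 and tsrqpo -> -1 -1 -1 -1 -1, as in Table 6)."""
    codes = [ord(c) for c in password]
    return [b - a for a, b in zip(codes, codes[1:])]


def is_constant_step(password: str) -> bool:
    """Rule 1: the difference between consecutive characters must vary.
    123456 (1 1 1 1 1) and 111111 (0 0 0 0 0) are weak; 678901 (1 1 1 -9 1)
    is not, because the step sequence is not constant."""
    steps = step_sequence(password)
    return len(steps) > 0 and all(s == steps[0] for s in steps)


def is_atm_mimic(password: str) -> bool:
    """Rule 2 (ATM mimic): N-1 zeros followed by one character (00003), or one
    character followed by N-1 zeros (2000). 007000 matches neither pattern."""
    n = len(password)
    if n < 2:
        return False
    zeros = "0" * (n - 1)
    return password[:-1] == zeros or password[1:] == zeros


def check_password(password: str, old_password: Optional[str] = None) -> str:
    """Return "SUCCESS" or "FAIL", like the 'Control result' column of Tables 5 to 7.
    old_password is only relevant on password change (rule 3)."""
    if old_password is not None and password == old_password:
        return "FAIL"
    if is_constant_step(password):
        return "FAIL"
    if is_atm_mimic(password):
        return "FAIL"
    return "SUCCESS"


# Constructed check data: the password -> control result pairs of Tables 5, 6 and 7.
TABLE_5 = {"123456": "FAIL", "111111": "FAIL", "678901": "SUCCESS", "02468": "FAIL",
           "876543": "FAIL", "123467": "SUCCESS", "415263": "SUCCESS"}
TABLE_6 = {"ABCDEF": "FAIL", "tsrqpo": "FAIL"}
TABLE_7 = {"000005": "FAIL", "200000": "FAIL", "007000": "SUCCESS"}


def verify_tables() -> bool:
    """True if check_password reproduces every row of Tables 5 to 7."""
    expected = {**TABLE_5, **TABLE_6, **TABLE_7}
    return all(check_password(p) == r for p, r in expected.items())


if __name__ == "__main__":
    for pwd in ("123456", "678901", "415263", "007000", "tsrqpo"):
        print(pwd, step_sequence(pwd), check_password(pwd))
    print("tables reproduced:", verify_tables())
```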

Password security level

The password security level determines how the Digipass SDK validates the password. The Digipass SDK supports the following security levels for password validation:

• No password check. Each password is used as-is to decrypt the Digipass secret. Only the password provided during the Digipass activation to encrypt the Digipass secret will generate a correct OTP or signature. Other passwords will generate invalid responses. This method fully relies on the server lock functionality, which can be activated in the settings of the OneSpan server solution. For more information, refer to the OneSpan server solution documentation.

• Checksum. During the activation process, a checksum of the password is stored on 1 byte in the dynamic vector. In the course of the Digipass lifecycle, passwords will be tested against that checksum so that only those matching it will be used to decrypt the secret.

  The checksum allows wrong password collision. Wrong passwords with a valid checksum will be used to decrypt the secret but will generate invalid responses. Compared to the no-password-check level, more passwords are rejected but a large number still generates wrong responses.

  NOTE: In case of a password change, a wrong old password with a correct checksum will collide with the current password. The decryption of the Digipass secret will not be correct and the incorrect secret will be encrypted with the new password. The result is a definitive Digipass secret corruption. The Digipass authenticator must be re-activated or replaced.

• Hash. During activation, a hash of the password is stored on 4 bytes in the dynamic vector. In the course of the Digipass lifecycle, passwords will be tested against this hash so that only those matching it will be used to decrypt the secret. As the hash is on 4 bytes, fewer passwords are matching than with the 1-byte checksum. Compared to the checksum feature, a lot of passwords are rejected and only a few generate wrong responses.

  NOTE: To avoid brute-force attacks, OneSpan strongly recommends using the checksum level. With checksum validation, a wrong password may be accepted, which leads to an incorrect decryption of the Digipass keys.
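The PBKDF2 derivation of the dynamic vector-encrypting key from 4.6.2, together with the checksum-level password change hazard described in the NOTE above, as an added example that is not OneSpan SDK code. Everything not stated on the page is constructed: the fixed salt value, the iteration count, the serial number and device data, the 1-byte checksum of the PIN, and an HMAC-SHA256 keystream standing in for the SDK's real dynamic vector cipher.

```python
import hashlib
import hmac
from typing import Tuple

# Added example modelling the password protection described in this guide; not OneSpan SDK code.
FIXED_SALT = b"constructed-fixed-salt"   # "salt: fixed data" (value constructed)
ITERATIONS = 10_000                      # "c: configurable number of iterations" (value constructed)
KEY_LEN = 32                             # "sekLen: 32 bytes"

# Constructed sample values used by the demo and the checks below.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
SERIAL = "VDS1000001"                    # constructed ten-character serial number
DEVICE_DATA = b"constructed-device-fingerprint"


def derive_dv_key(pin: str, serial: str, device_data: bytes, iterations: int = ITERATIONS) -> bytes:
    """Key = PBKDF2(SHA-256, PIN || Serial Number || Device Data, salt, c, 32)."""
    secret_input = pin.encode() + serial.encode() + device_data
    return hashlib.pbkdf2_hmac("sha256", secret_input, FIXED_SALT, iterations, dklen=KEY_LEN)


def _keystream(key: bytes, length: int) -> bytes:
    """Constructed stand-in cipher: HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; unprotecting is the same call. A wrong key does not
    raise, it silently yields a wrong secret, which is what the guide describes."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def checksum1(pin: str) -> int:
    """Constructed 1-byte checksum for the 'Checksum' security level (the SDK's
    real algorithm is not documented here). Note that 1234 and 4321 collide."""
    return sum(pin.encode()) % 256


def activate(secret: bytes, pin: str, serial: str, device_data: bytes) -> Tuple[bytes, int]:
    """Dynamic vector content after activation: protected secret plus PIN checksum.
    Neither the PIN nor the derived key is stored, as the guide states."""
    return protect(secret, derive_dv_key(pin, serial, device_data)), checksum1(pin)


def password_change_outcome(secret: bytes, pin_at_activation: str, old_pin_entered: str,
                            new_pin: str, serial: str, device_data: bytes) -> str:
    """Checksum-level password change. Returns "rejected" when the old PIN fails the
    checksum, "intact" when the secret survives, "corrupted" when a wrong old PIN
    with a matching checksum was accepted and the wrong secret got re-encrypted."""
    protected, stored_checksum = activate(secret, pin_at_activation, serial, device_data)
    if checksum1(old_pin_entered) != stored_checksum:
        return "rejected"
    # Only the checksum gates the old PIN; decryption itself is not verified.
    decrypted = protect(protected, derive_dv_key(old_pin_entered, serial, device_data))
    new_protected, _ = activate(decrypted, new_pin, serial, device_data)
    recovered = protect(new_protected, derive_dv_key(new_pin, serial, device_data))
    return "intact" if recovered == secret else "corrupted"


if __name__ == "__main__":
    print("key:", derive_dv_key("1234", SERIAL, DEVICE_DATA).hex())
    for old in ("1234", "4321", "1235"):
        print("old PIN", old, "->", password_change_outcome(SECRET, "1234", old, "5678", SERIAL, DEVICE_DATA))
```

With this model the correct old PIN keeps the secret intact, 1235 is rejected by the checksum, and 4321 (same checksum as 1234) is accepted and leaves a permanently corrupted secret, which is the failure mode the NOTE warns about.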

4.6.3  Password penalty
The password fatal counter is decremented every time a wrong password is entered, and reset on correct password submission. When the counter is consumed, the Digipass SDK applies a penalty.

NOTE: If the password security level is set to checksum or hash, wrong passwords
matching the security level will also reset the counter. Setting the fatal counter value
to 3 triggers the penalty when the user attempts a fourth time to enter the wrong
password.

Reset key penalty

The reset-key penalty consists in resetting the Digipass secret in the dynamic vector. The secret is deleted and the Digipass instance needs to be reactivated. The event counters are not reset. The Digipass status is set to locked.

Generate invalid OTP penalty

The generate-invalid-OTP penalty consists in generating an OTP regardless of whether the entered password is correct. Only the right password, that is, the one used during the activation, will generate a correct OTP.

With this penalty, if the submitted password matches the password security level but
is not the correct password, the following will happen:

• On OTP/signature generation, the dynamic vector-encrypting key calculated from the wrong password will be incorrect, and therefore the decrypted Digipass key will be incorrect as well. As a result, the generated OTP/signature will be invalid. Even if the dynamic vector-encrypting key is incorrect, the original Digipass key is not changed as it is not re-encrypted. If a valid password is entered, the Digipass SDK resets the password fatal counter in the dynamic vector to its initial value (set in the static vector). The application status is reset from generate invalid OTP to activated.

• On password change, the dynamic vector-encrypting key calculated from the wrong password will be incorrect, and the decrypted Digipass key will be incorrect as well. The dynamic vector-encrypting key calculated from the new password will then encrypt that wrong Digipass key, which compromises the key.

CAUTION: In this case, the Digipass key is lost and the application needs to be
re-activated.
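The password fatal counter and the two penalties of 4.6.3, modelled as an added example (not OneSpan SDK code) using the status names of Table 8. The matches_level flag is an assumption standing for a wrong password that passes the checksum or hash check, which the guide says also resets the counter.

```python
from typing import Optional

# Added example modelling the password penalty behaviour described in this guide; not OneSpan SDK code.
RESET_KEY = "reset key"
GENERATE_INVALID_OTP = "generate invalid OTP"


class DigipassPasswordState:
    """Tracks the fatal counter, the penalty outcome and the Digipass status."""

    def __init__(self, fatal_counter_initial: int, penalty: str,
                 secret: Optional[bytes], event_counter: int = 0) -> None:
        self.initial = fatal_counter_initial    # initial value from the static vector
        self.counter = fatal_counter_initial    # remaining wrong entries before the penalty
        self.penalty = penalty
        self.secret = secret                    # Digipass secret kept in the dynamic vector
        self.event_counter = event_counter      # not touched by either penalty
        self.status = "Activated"

    def _apply_penalty(self) -> None:
        if self.penalty == RESET_KEY:
            self.secret = None                  # secret deleted, reactivation required
            self.status = "Locked"
        else:
            self.status = "Generate invalid OTP"  # OTPs are still produced, but only the right password gives a valid one

    def submit_password(self, correct: bool, matches_level: bool = False) -> str:
        """Apply one password submission and return the resulting status."""
        if self.status == "Locked":
            return self.status
        if correct or matches_level:
            # Correct password, or a wrong one accepted by the checksum/hash level: counter reset.
            self.counter = self.initial
            if correct and self.status == "Generate invalid OTP":
                self.status = "Activated"       # status goes back to activated on a valid password
            return self.status
        if self.counter > 0:
            self.counter -= 1                   # counter consumed one step at a time
            return self.status
        self._apply_penalty()                   # counter already at 0: this attempt triggers the penalty
        return self.status


def penalty_attempt_index(initial: int, penalty: str = RESET_KEY) -> int:
    """Number of consecutive wrong passwords needed to trigger the penalty.
    For an initial value of 3 this is 4, matching the NOTE in this section."""
    state = DigipassPasswordState(initial, penalty, secret=b"constructed-secret")
    attempts = 0
    while state.status == "Activated":
        state.submit_password(correct=False)
        attempts += 1
    return attempts


if __name__ == "__main__":
    print("initial value 3 -> penalty on attempt", penalty_attempt_index(3))
    s = DigipassPasswordState(3, RESET_KEY, secret=b"constructed-secret", event_counter=42)
    for i in range(4):
        print("wrong attempt", i + 1, "->", s.submit_password(correct=False), "counter", s.counter)
    print("secret kept:", s.secret is not None, "event counter:", s.event_counter)
```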

4.7  Digipass properties
For easier Digipass management, the Digipass properties are described in Table 8 and
Table 9.

Table 8: Digipass properties

Property | Description
--- | ---
Version | This is the version of the static vector used to configure the Digipass authenticator.
Status | The Digipass status can be one of the following: Not activated (the Digipass authenticator has not been activated); Activated (the Digipass authenticator is activated and generates valid OTPs); Locked (the reset penalty has been applied and the Digipass authenticator must be re-activated); Generate invalid OTP (the generate-invalid-OTP penalty has been applied).
Serial number | Serial number of the Digipass instance.
Sequence number | Sequence number of the Digipass instance activated in multi-device mode.
Password minimum length | Minimum length of the password to use for password protection.
Password maximum length | Maximum length of the password to use for password protection.
Weak password control | Indicates if weak passwords are rejected.
Password check level | Validation level applied to Digipass passwords: no check, checksum, or hash.
Password penalty | Penalty applied once the password penalty counter is reached: reset secret or generate invalid OTP.
Password penalty initial value | Initial value of the penalty counter.
Password penalty counter | Number of remaining wrong password entries before the password penalty is applied.
Token derivation supported | Indicates if the Digipass authenticator supports the token derivation feature.
High security | Indicates if the Digipass authenticator uses a single-length or double-length activation code.
Activation code format | Indicates if the activation code uses a decimal or hexadecimal character set.
Activation code checksum | Indicates if the activation code uses a checksum.
Number of cryptographic applications | Indicates the number of cryptographic applications supported by the Digipass authenticator.
Digipass UTC time | Indicates the UTC time as retrieved by the Digipass authenticator from the host.
Password Mandatory | Indicates if the Digipass authenticator must be protected by a user's password.
Password Protected | Indicates if the Digipass authenticator is protected by a user's password.
Secure Channel enabled | Indicates if the Digipass authenticator has been activated with a payload key.
Device Type | Indicates the type of the platform used to activate the Digipass authenticator.
Device ID Bits number | Indicates the number of bits from the platform fingerprint used in the device code.

Table 9: Application properties

Property | Description
--- | ---
Index | Index of the applications from 1 to 8.
Name | Name of the application as defined in the Digipass configuration.
Status | Indicates if the application is enabled or disabled. Only enabled applications of an activated Digipass instance can generate responses.
Response length | Length of the response generated by the cryptographic application.
Response check digit | Indicates if the response uses a check digit.
Return host code length | Length of the host code generated by the cryptographic application.
Number of data fields supported | Number of data fields used by the application.
Data field minimum length | Minimum length of each data field.
Data field maximum length | Maximum length of each data field.
Event value | Event counter value of the last generated response.
Last time used | Time value of the last generated response.
Digipass time-based | Indicates if the Digipass authenticator uses time-based applications.
Digipass event-based | Indicates if the Digipass authenticator uses event-based applications.

5  Activation data transfer protection
The Digipass Software Advanced Provisioning Protocol (DSAPP) is used to securely transfer the server-side generated Digipass software activation data to the Digipass software client.

5.1  Secret transfer security with shared secret

5.2  OneSpan Digipass Software Advanced Provisioning Protocol (DSAPP) SDK

5.1  Secret transfer security with shared secret
Regardless of the activation method, the Digipass activation code containing the Digipass key must be securely transferred. To secure the Digipass key communication between the client and the server, it is recommended to use shared data, that is, the Digipass activation password.

Figure 8: Securely communicating the Digipass key between client and server

The Digipass activation password encrypts (server-side) and decrypts (client-side) the
activation code. Decrypting the Digipass key from the activation code ensures that
only the owner of the Digipass activation password is able to obtain the Digipass key.

5.1.1  Integrate the activation password based protection

When an activation password is used, this password must be shared between the server and the user prior to the activation process. This means the activation data is user-dependent. The full activation data or the activation code encrypted by the user's activation password can only be used by the application run by this specific user.

Figure 9: Online activation with an activation password (overview)

CAUTION: The activation password is the encryption key of the full activation data or the activation code. It must be transferred to the user via a different secure channel than the one used to exchange the activation data (for instance a sealed letter or a text message).

It is advised to use the same activation password only once, but if it must be reused for any reason, it is advised to use a nonce (alea) to diversify the XFAD encryption. The nonce is generated by the device and sent in the first request. OneSpan Authentication Server Framework will use the alea in combination with the activation password to encrypt the FAD into the XFAD.

Even if a nonce is used, the strength of the XFAD encryption is the strength of the
activation password. Digipass Software Advanced Provisioning Protocol has been
designed to improve the strength of the XFAD encryption.

5.2  OneSpan Digipass Software Advanced Provisioning Protocol (DSAPP) SDK
The Digipass Software Advanced Provisioning Protocol (DSAPP) is used to securely
transfer the server-side generated Digipass software activation data to the Digipass
software client.

The DSAPP SDK, i.e. the implementation of the protocol, consists of a server component and a client component: the server component encrypts the activation data before transferring it to the client application. The client component decrypts the activation data.

DSAPP relies on the encryption of the activation data with a 256-bit AES session key negotiated between the DSAPP SDK client component and the DSAPP SDK server component. This session key negotiation uses the Secure Remote Password (SRP) protocol. With this protocol, the secret shared between the server and the client – the user password – is not transmitted through the network.

The user password must be generated by using the DSAPP SDK server component
and bound to a unique identifier, i.e. the user identity. The user password must be
securely transmitted to the user via a separate channel outside the network. The user
will then enter their user password in the mobile client application.

Figure 10: User password transmission with DSAPP (overview)

By using the shared user password and exchanging the dynamically generated public keys, the client and the server negotiate a session key that is used to encrypt the activation data.
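The SRP-based negotiation described above, as an added example that is not the DSAPP SDK's own code: both sides' messages, a server that stores only a password verifier, and the 256-bit key each side derives. The group parameters, identifier and password values are constructed for illustration; the AES-256 encryption of the activation data with the agreed key is the step that follows and is not shown.

```python
"""Added example, not OneSpan's DSAPP SDK code: a minimal SRP-6a exchange in which a
client and a server that share only the user password agree on a 256-bit session key
without the password crossing the network. The group (modulus 2^127 - 1) is a
constructed toy, far too small for real use; deployments use a large safe-prime group."""
from __future__ import annotations
import hashlib
import secrets

N = (1 << 127) - 1   # constructed toy prime modulus, NOT a production SRP group
g = 2

def H(*parts: bytes) -> int:
    """SHA-256 over the concatenated parts, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

def to_bytes(n: int) -> bytes:
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")

k = H(to_bytes(N), to_bytes(g))   # SRP-6a multiplier parameter

def private_x(salt: bytes, identity: str, password: str) -> int:
    """x = H(salt || H(identity:password)); computed only at enrollment and in the client."""
    return H(salt, hashlib.sha256(f"{identity}:{password}".encode()).digest())

def enroll(identity: str, password: str) -> dict:
    """Server-side enrollment: store salt and verifier v = g^x, never the password itself."""
    salt = secrets.token_bytes(16)
    return {"identity": identity, "salt": salt,
            "verifier": pow(g, private_x(salt, identity, password), N)}

class Client:
    def __init__(self, identity: str, password: str):
        self.identity, self.password = identity, password

    def start(self) -> tuple[str, int]:
        """Message 1 (client -> server): identity and ephemeral public value A = g^a."""
        self.a = secrets.randbelow(N - 2) + 1
        self.A = pow(g, self.a, N)
        return self.identity, self.A

    def finish(self, salt: bytes, B: int) -> tuple[bytes, bytes]:
        """Derive session key K from message 2 and the proof M1 = H(A || B || K)."""
        if B % N == 0:
            raise ValueError("illegal server value B")
        u = H(to_bytes(self.A), to_bytes(B))
        x = private_x(salt, self.identity, self.password)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        K = hashlib.sha256(to_bytes(S)).digest()   # 32 bytes = the 256-bit AES session key
        return K, hashlib.sha256(to_bytes(self.A) + to_bytes(B) + K).digest()

class Server:
    def __init__(self, record: dict):
        self.salt, self.v = record["salt"], record["verifier"]

    def respond(self, A: int) -> tuple[bytes, int]:
        """Message 2 (server -> client): salt and B = k*v + g^b."""
        if A % N == 0:
            raise ValueError("illegal client value A")
        self.A, self.b = A, secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        return self.salt, self.B

    def session_key(self, M1: bytes) -> bytes | None:
        """Derive K from the verifier; release it only if the client's proof M1 matches."""
        u = H(to_bytes(self.A), to_bytes(self.B))
        S = pow(self.A * pow(self.v, u, N) % N, self.b, N)
        K = hashlib.sha256(to_bytes(S)).digest()
        expected = hashlib.sha256(to_bytes(self.A) + to_bytes(self.B) + K).digest()
        return K if secrets.compare_digest(expected, M1) else None

def negotiate(record: dict, password: str) -> tuple[bytes, bytes | None, list]:
    """One negotiation; returns (client key, server key or None, everything sent on the wire)."""
    client, server = Client(record["identity"], password), Server(record)
    identity, A = client.start()
    salt, B = server.respond(A)
    K_client, M1 = client.finish(salt, B)
    return K_client, server.session_key(M1), [identity, A, salt, B, M1]

if __name__ == "__main__":
    rec = enroll("user-0001", "constructed-user-password")   # constructed sample values
    kc, ks, wire = negotiate(rec, "constructed-user-password")
    print("session keys match:", kc == ks)
```

A wrong password on the client side yields a mismatched proof, so the server never releases a key and the activation data is never encrypted for that client.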

Figure 11: Activation data transfer protection with DSAPP (overview)

For more detailed information about the DSAPP SDK and integration instructions,
refer to the Digipass Software Advanced Provisioning Protocol Integration Guide.

6  OneSpan Secure Storage SDK
The OneSpan Secure Storage SDK provides a generic API to securely store data on a mobile device and mask how information is stored on the platform. It provides storage facilities to read, write, or delete storage and to add, get, or remove data.

The SDK can create one or more independent storages, identified by their names. Data read from or written to the storage is handled through unique identifiers. For more information about obtaining platform-unique data, see 7 OneSpan Device Binding SDK.

NOTE: You can protect the storage with secure hardware to set up very strong binding between the storage and the mobile device. Supported secure hardware processors or processor areas are for example Trusted Execution Environment (TEE) or Secure Element (SE) on Android, and Secure Enclave on iOS.

For more detailed information about the SDK and integration instructions, refer to the
Secure Storage SDK Integration Guide.

7  OneSpan Device Binding SDK
With the OneSpan Device Binding SDK a unique identifier for a given mobile device can be generated. This unique identifier, called Device fingerprint[1] in the API, is a hexadecimal string of 64 characters. It is a securely computed SHA-256 hash of the device-specific data and hardcoded salts.

As an integrator, you must provide a salt which will be used to diversify the generation of the device fingerprint.

The OneSpan Device Binding SDK supports the following platforms:

• iOS 12.0 and later

• Android 5.0 and later

For more detailed information about the SDK and integration instructions, refer to the Device Binding SDK Integration Guide.

[1] A unique identifier; it is a hexadecimal string of 64 characters. It is a securely computed SHA-256 hash of the device-specific data and hardcoded salts.

8  OneSpan Root Detection SDK
The OneSpan Root Detection SDK detects if an application runs on a rooted Android device or on a jailbroken iOS device based on residual traces of the rooting method. The traces to detect are listed in an encrypted and signed signature file which is delivered with the SDK package. The OneSpan Root Detection SDK is limited to trace detection. It does not provide active responses to a detection; the integrating application decides how to react.

As input, the SDK uses a file that contains a list of evidence of the rooting process. This file is signed and encrypted. The file is updated with each release of the OneSpan Mobile Security Suite package if new evidence or new rooting methods have been identified.

The Root Detection SDK can be used on a variety of devices and supports the following platforms:

• iOS 12.0 and later, CPU with support for arm64

• Android 5.0 and later

For more detailed information about the SDK and integration instructions, refer to the Root Detection SDK Integration Guide.

9  Image Scanner SDK and Image Generator SDK
The OneSpan Image Scanner SDK provides a native component for a mobile application to integrate QR code and Cronto[1] image capture.

Figure 12: Cronto image

The Cronto image contains up to 1070 hexadecimal characters.

NOTE: If the Cronto image is supposed to be scanned with a OneSpan device (e.g. Digipass 760, Digipass 780), the data must be limited to 200 hexadecimal characters. Specific APIs must be called to generate compatible Cronto images. For more information, refer to the Image Generator SDK Integration Guide.

[1] Colorful cryptogram, similar to a QR code; used for visual transaction signing.

Figure 13: QR code image

The QR Code image contains up to 4296 characters.

The Image Scanner SDK can be used on a variety of devices and supports the following platforms:

• Android 5.0 and later

• iOS 12.0 and later

The Image Generator SDK can be used on a variety of devices and supports the following platforms:

• Image Generator SDK Java edition: Java-enabled platforms (JDK 1.6 and later)

• Image Generator SDK .NET edition: .NET Framework 2.0 and later

For more detailed information about each SDK and integration instructions, refer to
the Image Generator SDK Integration Guide and the Image Scanner SDK Integration
Guide.

10  OneSpan Secure Messaging SDK
The OneSpan Secure Messaging SDK facilitates Secure Channel integration. It is divided into a server SDK and a client SDK.

The Secure Messaging SDK Server generates messages and converts raw data into a Secure Channel[1] message request body, before the data is encrypted by OneSpan Authentication Server Framework[2] or OneSpan Authentication Server[3]. (OneSpan Authentication Server Framework uses the AAL2GenMessageRequest function of the OneSpan Authentication Server Framework software version; OneSpan Authentication Server uses the SOAP signature interface command genRequest, where the request body is used as the SIGNFLD_REQUEST_BODY parameter of the command.)

The OneSpan Secure Messaging SDK Server can also generate messages for OneSpan Mobile Security Suite or for hardware devices such as Digipass 760 (Cronto image scanner) or Digipass GO 215 (Bluetooth device).

The Secure Messaging SDK Client decrypts message requests that are generated on the server-side by the OneSpan Digipass SDK. The OneSpan Secure Messaging SDK Client parses a secure message body, which is decrypted by the OneSpan Digipass SDK, and extracts the raw data sent by the server. The information messages the client sends to the server are created and encrypted directly by the OneSpan Digipass SDK; the OneSpan Secure Messaging SDK is not used. For more information about information message management with the OneSpan Digipass SDK, refer to the Digipass SDK Integration Guide.

[1] Ensures the confidentiality, integrity, and non-repudiation of data exchanged between a client and a server. The data are encrypted and signed with a key changed during the activation process. The protected data are embedded in a Secure Channel message for the transport process.
[2] API-based authentication platform that serves as back-end for Digipass strong authentication and e-signatures.
[3] OneSpan Authentication Server is a centralized authentication solution that offers strong authentication and validation of transaction signatures. It verifies authentication requests from individuals trying to access the corporate network or business applications.

Figure 14: Transaction message transfer with the OneSpan Secure Messaging SDK

NOTE: The secure messaging feature is independent of the media used to transfer
the message from the server to the client.

The Secure Messaging SDK Client and Secure Messaging SDK Server can be used on a variety of devices and support the following platforms:

• Secure Messaging SDK Client Java: Android 5 and later, Java Development Kit (JDK) 6 and later

• Secure Messaging SDK Client C++: iOS 12.0 and later

• Secure Messaging SDK Server Java edition: Java-enabled platforms (Java Development Kit (JDK) 6 and later)

• Secure Messaging SDK Server .NET: .NET Framework 2.0 and later

For more detailed information about the SDK and integration instructions, refer to the
Secure Messaging SDK Client Integration Guide and the Secure Messaging SDK
Server Integration Guide.

11  OneSpan Biometric Sensor SDK
The OneSpan Biometric Sensor SDK provides facilities to use biometric authentication for secure user identification. This increases user convenience during the identification process, yet maintains solution security. The SDK also provides methods to test whether biometric authentication is supported by the platform and if the user enabled it on the device before the actual biometric verification. This means that the device should have registered at least one fingerprint, face, or iris before the authentication.

The OneSpan Biometric Sensor SDK can be used on devices with biometric sensors. It supports the following platforms:

• Android devices: 6.0 and later

• iOS devices: 12.0 and later

For more detailed information about the SDK and integration instructions, refer to the
Biometric Sensor SDK Integration Guide.

12  OneSpan Notification SDK
The OneSpan Notification SDK provides facilities to send push notifications to mobile applications via Apple, Google, and Microsoft cloud notification services.

NOTE: To activate the notification service, integrators need to configure their developer accounts as described in the Notification SDK Integration Guide before integrating the OneSpan Notification SDK.

Figure 15: Data transfer from server to mobile device (Push Notification)

CAUTION: Cloud notification service providers do not give a warranty for successful
delivery of notifications to mobile devices.

The OneSpan Notification SDK comprises the following components:

• Notification SDK Client: to receive the notifications and obtain the unique identifier the server requires to send the notification to the intended application on the correct mobile device.

• Notification SDK Server: used to send raw-data messages to the Notification SDK Client based on a previously received unique identifier.

On the client-side, the registration process is platform-dependent. On the server-side, you can send notifications with a simple function, independent of the target platform.

The Notification SDK Client can be used on a variety of devices and supports the following platforms:

• iOS 12.0 and later

• Android 5.0 and later

The OneSpan Notification SDK is agnostic of the sent data. The size of the data is limited; these limitations are platform-specific:

• Android: max. 2048 bytes

• iOS: max. 3072 bytes

For more detailed information about the SDK and integration instructions, refer to the
Notification SDK Integration Guide.

13  OneSpan Client Device Data Collector (CDDC) SDK
The OneSpan Client Device Data Collector (CDDC) SDK provides facilities to aggregate information from various mobile sources for risk evaluation of mobile transactions by OneSpan Risk Analytics[1]. To mitigate the risks associated with mobile transactions, the CDDC SDK retrieves contextual information, such as the device model and the current position from the client device, and uses it to create end user behavior profiles.

The CDDC SDK provides an API to aggregate the relevant client device information in RA-readable messages. Risk Analytics[2] uses these CDDC messages to evaluate the risk of mobile transactions.

[1] Provides a generic API to securely store data on a mobile device and masks the way the information is stored on the platform.
[2] Fraud detection and management system. It identifies risk at critical steps, predicts risk levels, and takes action when suspicious activities are identified. It is a product for monitoring online banking applications and payment processing which helps to protect against online banking fraud.

Figure 16: Collect client device data with the CDDC SDK

The OneSpan Mobile Security Suite Secure Channel[1] feature can be used to securely transfer the collected data from the client to the server to ensure the confidentiality, integrity, and non-repudiation of the data. For more information about the Secure Channel feature, see 4.4  Secure Channel or refer to the Digipass SDK Integration Guide.

[1] Ensures the confidentiality, integrity, and non-repudiation of data exchanged between a client and a server. The data are encrypted and signed with a key changed during the activation process. The protected data are embedded in a Secure Channel message for the transport process.

Figure 17: CDDC SDK (Overview)

The CDDC SDK can be used on a variety of devices and supports the following platforms:

• Android 5.0 and later

• iOS 12.0 or later

For more detailed information about the SDK and integration instructions, refer to the
Client Device Data Collector SDK Integration Guide.

14  OneSpan White-Box Cryptography (WBC) SDK
The purpose of the White-Box Cryptography SDK (WBC SDK) is to keep secret cryptographic keys hidden in the source code, even during runtime. To achieve this, application developers can convert key values into obfuscated source code. This source code is ready to be integrated into the application, instead of hardcoding the key values into the source code. The key values are converted into source code by the White-Box Table Generator.

Figure 18: Conversion of clear-text key into obfuscated source code

During runtime, the White-Box Cryptography SDK uses the source code that represents the key for encryption and/or decryption; the key is based on an AES[1] 128-bit block cipher that runs in counter (CTR[2]) mode.

[1] Symmetric key encryption algorithm. A block cipher with a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits.
[2] Operation mode of block ciphers. CTR uses the AES block cipher to create a stream cipher. Data is encrypted and decrypted by XORing with the key stream produced by AES encrypting sequential counter block values.

If white-box cryptography is not used, cryptographic keys can be extracted from the
source code as clear-text assets. Figure 19 and Figure 20 illustrate the difference
between an application that does not use white-box cryptography and one that does.

Figure 19: Application without White-Box Cryptography SDK

Figure 20: Application with White-Box Cryptography SDK

The WBC SDK can be used on a variety of devices and supports the following platforms:

• White-Box Cryptography SDK Java: Android 2.3 and later; Java Development Kit (JDK) 6 and later

• White-Box Cryptography SDK C++: iOS 12.0 and later

For more detailed information about the SDK and integration instructions, refer to the
White-Box Cryptography SDK Integration Guide.

15  Orchestration SDK
The OneSpan Orchestration SDK enables mobile developers to integrate the main features provided by OneSpan Mobile Security Suite in their mobile application with a minimum effort:

• Two-factor authentication

• Transaction signing

• Secure provisioning

• Secure Channel

• Secure storage

• Password protection

• Biometric recognition

• Multi-device management

Very few calls are required to leverage major security features in a mobile application.

In addition, the Orchestration SDK provides facilities to orchestrate the mobile application and authenticate users smartly and securely after a risk evaluation is performed on the server-side.

Figure 21 illustrates an example of orchestration. It provides an overview of the Remote Authentication feature. If there is a risk for a given login request (e.g. an unknown computer), a step-up authentication can be dynamically requested on the mobile application, using an authentication method (e.g. biometric recognition) that has been previously defined for that type of risk.

Figure 21: Orchestration example - remote authentication overview

For more information about OneSpan Orchestration SDK features and functionalities, refer to the OneSpan Orchestration SDK Standalone Integration Guide.

All data exchanged between the mobile application and the application server is encapsulated into orchestration commands, to hide the complexity.

The orchestration commands are encoded as hexadecimal strings and are protected by the Secure Channel feature to ensure the confidentiality, integrity, and non-repudiation of the exchanged data. For more information about Secure Channel, see 4.4  Secure Channel.

NOTE: OneSpan Orchestration SDK does not handle the communication layers
required to exchange the orchestration commands with the server (e.g. network,
push notification messages, or image scanning). This part must be handled by the
mobile application integrating the Orchestration SDK.

15.1  Supported platforms and requirements
For more detailed information about OneSpan Orchestration SDK features and functionalities, refer to the OneSpan Orchestration SDK Standalone Integration Guide.

16  FIDO Authentication Solution
The OneSpan FIDO Authentication Solution allows your application to take advantage of the security capabilities of modern devices, such as fingerprint biometrics, face recognition and others. The suite provides a unified infrastructure that allows you to integrate these capabilities in a simple manner to enable strong authentication that is both more user-friendly and more secure than passwords. It leverages FIDO protocols to strengthen modern authentication, supporting both primary and second-factor authentication using biometrics and hardware tokens.

For more detailed information about the SDK and integration instructions, refer to the
FIDO Authentication Solution Guide.

Index

.
.NET
  supported versions, Image Generator SDK 57

A
activation data transfer
  with DSAPP SDK 51
  with shared secret 49
Android
  rooted device, Root Detection SDK 55
  supported versions, Biometric Sensor SDK 60
  supported versions, CDDC SDK 66
  supported versions, Device Binding SDK 54
  supported versions, Image Scanner SDK 57
  supported versions, Notification SDK Client 63
  supported versions, Root Detection SDK 55
  supported versions, Secure Messaging SDK 59
  supported versions, White-Box Cryptography SDK 69
application properties 46
  list 46

B
biometric authentication 60
Biometric Sensor SDK
  supported platforms 60
biometric sensors 60

C
C++
  supported platforms, Secure Messaging SDK 59
  supported platforms, White-Box Cryptography SDK 69
CDDC SDK
  client device information, aggregation 64
  mobile transactions, risk evaluation 64
  supported platforms 66
Cronto image capture 56

D
data transfer, secure 65
delegated Digipass protection 38
Device binding 54
Device Binding SDK
  cryptographic algorithms, see SHA-256 54
  supported platforms 54
  unique device identifier, see device fingerprint 54
device fingerprint
  computation, Device Binding SDK 54
DIGIPASS activation
  offline 26
  online 26
DIGIPASS binding 27
  derivation code 28
Digipass integration utilities
  Biometric Sensor SDK 60
  Client Device Data Collector (CDDC) SDK 64
  Device Binding SDK 54
  Image Scanner SDK and Image Generator SDK 56
  Notification SDK 61
  Root Detection SDK 55
  Secure Messaging SDK 58
  Secure Storage SDK 53
  White-Box Cryptography SDK 67
Digipass properties 45
  list 45
Digipass protection 38
  delegated protection, workflow 38
  functions, C/C++ 39
  functions, Java 39
  functions, Swift 39
  password protection, workflow 39
DIGIPASS reactivation 27
Digipass SDK
  introduction 20
DIGIPASS Software Advanced Provisioning Protocol SDK 48, 51

E
e-signature
  generation 32
evaluating risks, CDDC SDK 64

F
features
  OneSpan Mobile Security Suite 70
Fingerprint recognition 60
functions
  Digipass protection, C/C++ 39
  Digipass protection, Java 39
  Digipass protection, Swift 39

G
generate invalid OTP penalty 43
  caution note 44

I
image capture via QR code and Cronto image 56
Image generating 56
Image Generator SDK
  supported platforms 57
Image Scanner SDK
  supported platforms 57
Image scanning 56
iOS
  jailbroken device, Root Detection SDK 55
  supported versions, Biometric Sensor SDK 60
  supported versions, CDDC SDK 66
  supported versions, Device Binding SDK 54
  supported versions, Image Scanner SDK 57
  supported versions, Notification SDK Client 63
  supported versions, Root Detection SDK 55
  supported versions, Secure Messaging SDK 59
  supported versions, White-Box Cryptography SDK 69

J
Java
  supported platforms, Secure Messaging SDK 59
  supported platforms, White-Box Cryptography SDK 69
  supported versions, Image Generator SDK 57

M
message request decryption, Secure Messaging SDK Client 58

N
notification delivery, caution notice 62
Notification SDK
  push notifications 61
  push notifications, size limitations 63
Notification SDK Client
  supported platforms 63
Notification SDK Client, SDK component 62
Notification SDK Server, SDK component 62

O
offline activation 26
  activation code 26
  serial number suffix 26
  static vector 26
one-time password (OTP) 29
  Challenge/Response 29
  Response-Only 29
OneSpan Mobile Security Suite
  features 70
online activation 26
  activation password 49
  DIGIPASS password 27
  full activation data 27
orchestration
  example 70
orchestration command 71
Orchestration SDK
  overview 70

P
password penalty 43
  generate invalid OTP 43
  reset key 43
password protection 39
  password penalty 43
  password security level 42
  weak password control 41
password security level 42
  checksum 42
  hash 43
  no password check 42
Push Notification, sending notifications to app 61

Q
QR code image capture 56

R
remote authentication
  overview 70
reset key penalty 43
Risk evaluation and information aggregation 64
Root detection 55
Root Detection SDK
  supported platforms 55

S
secret transmission
  DIGIPASS activation password 49
Secure Channel 71
  integration, Secure Messaging SDK 58
Secure Channel feature 65
secure hardware 53
Secure messaging 58
Secure Messaging SDK
  supported platforms 59
Secure Storage SDK
  API 53
  information masking 53
  mobile device, storing data securely 53
  storage facilities 53
  storing data securely, mobile device 53
SHA-256, device fingerprint computation, Device Binding SDK 54
storage facilities 53
supported platforms
  Biometric Sensor SDK 60
  CDDC SDK 66
  Device Binding SDK 54
  Image Generator SDK 57
  Image Scanner SDK 57
  Notification SDK Client 63
  Root Detection SDK 55
  Secure Messaging SDK 59
  White-Box Cryptography SDK 69

U
unique identifier, Notification SDK Client 62
unique identifier, Notification SDK Server 62
user behavior profiles, CDDC SDK 64

W
weak password control 41
  detection rules 41
  examples 41
White-box cryptography 67
White-Box Cryptography SDK
  supported platforms 69
workflows
  Digipass protection, delegated protection 38
  Digipass protection, password protection 39
