Device Management

The Device Management section is grouped with OOB Management, Decoupled Authenticator Management and Risk Management in the Authentication Management section.

This section is used for finding devices, updating device status, uploading hardware token device initialization seed files, and configuring default device parameters.

System Management > Authentication Management > Device Management displays

• A list of recently uploaded device seed files for hardware tokens. By default the system displays the seed files uploaded in the last 10 days.

• Edit Default Device Parameters

• Upload File to schedule a new job

• Find Device to view or edit the details of each device.

Use the following fields to limit the upload files displayed:

• Issuer

• Device Type

• From and To Date

• Refresh button to display the new list.

The following fields and links are displayed:

• Job number link to the Job Details page to view job details including any error message or warnings.

• Issuer name (owner of the devices)

• File Name

• Device type

• When the upload was Started and Finished

• Number of Attempts before the upload was finished

• Status of the job: get the current status by pressing the refresh button

Job Details¶

This page displays details of the seed file upload, including any error messages or warnings, for the job selected on the Upload File page.

System Management > Authentication Management > Device Management > Job Details displays

• Issuer name

• Job number

• Uploaded - date and time when the file was first uploaded

• Device type

• File Name

• Start and Finish date and time the job

• Attempts before the upload was finished

• Status

• Error message, if any.

• Error details

• Warnings

Edit Default Device Parameters¶

System Management > Authentication Management > Device Management > Edit Default Device Parameters

Each device has its own set of device parameters. In the case of hardware tokens, these are manufacturer-defined parameters, such as VASCO, supported by adding additional libraries and installing vendor specific drivers. Other devices, such as SMS and Email are virtual devices natively supported by ActiveAccess.

Device parameters can be customised per issuer. By default this customisation is disabled, such that all issuers use the default device parameters.

Use the following fields to edit default device parameters:

• Device type

  The options are:

  • Backup Device

  • Email

  • OOB (Out of Band)

  • SMS

  • VASCO

SMS¶

System Management > Authentication Management > Device Management > Edit Default Device Parameters - SMS

SMS is a virtual device natively supported by ActiveAccess. This is in contrast to some third party devices such as VASCO which are supported by adding additional libraries and installation of vendor specific drivers.

The SMS device can be used as a backup device.

The SMS device parameters page is where the administrator can setup the system for sending SMS messages. ActiveAccess supports SMPP-API-0.3.9.1 (Short Message Peer to Peer) protocol for sending SMS messages to an SMS gateway, also known as an SMSC (Short Message Service Centre). The SMS gateway is normally provided by the business section of your preferred telecommunications company.

The connection to the SMSC must be over TCP/IP. The details of connection to the SMSC will be provided by your telecommunications company.

Use the following fields to edit SMS Device Parameters:

• Device type - SMS

• SMS token type - ActiveAccess can generate two types of SMS tokens:

  • Instant - the system generates one SMS token per authentication. The token is generated and sent to the cardholder's mobile phone, after the verify enrolment request is received by ActiveAccess.

  • Batch - the cardholder receives a batch of SMS tokens beforehand. The batch SMS message contains a batch reference number and a list of generated tokens, each identified by a letter of the alphabet. The cardholder is then asked to enter a token that corresponds with a specific letter of the alphabet as shown on the authentication page. With batch SMS, up to 15 tokens can be sent in a single SMS message and hence reduce the cost of sending SMS tokens. The system generates another set of tokens and sends them to the cardholder when the last token for the current batch is used.

• Batch SMS lifetime - determines the validity period of batch SMS tokens in days (acceptable range is 0 to 365). Batch tokens will be valid for the period specified by this option. The default is 30 days.

• Instant SMS lifetime - determines the validity period of instant SMS tokens in minutes (acceptable range is 0 to 60). Following Instant tokens will be valid for the period specified by this option. The default is 15 minutes. You should consider the mobile network delay for sending SMS messages and provide sufficient time for the cardholder to enter the token.

• SMS token length - determines the number of digits in the token generated (acceptable range is 6 to 10). The default is 6 digits.

• Number of tokens in each batch - determines the number of tokens included in a batch. The default is 10.

  An SMS message on a GSM network may contain up to 160 characters, while the limit for a CDMA network is between 120 to 153 characters. The system limits the maximum number of tokens based on the CDMA's lower limit of 120 characters.

• Maximum unsuccessful attempts to send an SMS - (acceptable range is 0 to 9) if sending an SMS message fails due to network or application errors, such as connection problems to the SMSC or receiving an invalid response from the SMS, the system attempts to resend the SMS message up to the number of times specified by this option. The default value is 5. If all attempts for delivering fail, an error is reported back to the administration user.

• Maximum number of SMSs sent per authentication session - (acceptable range is 0 to 99) determines the number of times that a new SMS OTP can be requested by the cardholder during each authentication session. The default value is 3. If the limit is reached, the authentication fails.

• Accept mobile numbers of - Select the country name that you would like to accept as SMS mobile number. Select 'All' if you would like to accept all international mobile numbers.

• Restrict mobile number - Turn this option on if you want to specify a mobile number format. Enter the required format, eg. ###########, 61#########, 0061#########. Allowed characters are 0-9, '#', '(', ')', '-' and space. Please note that the mobile number, excluding country calling code and trunk code, is checked against the specified patterns. Mobile number patterns should be no longer than 20 characters, including the Country Code.

• Use as backup device - Turn this option on if you would like SMS to be used as a backup device. A backup device can be activated once a cardholder reports a device lost or damaged, or requests the helpdesk to disable the device temporarily.

• OTP and Password - Select this option when an authentication requires the cardholder to enter both a static password and one-time password.

• SMS Centres - Click on the link to view a list of currently configured SMS gateways. You can click on the SMSC name to edit or view the details or you can add or remove an SMSC entry by selecting the corresponding link.

• SMS Templates - Click on the link to Edit Default Templates for Activation During Shopping (ADS), Authentication, Activation via Authentication or Activation/Registration via MIA.

• Apply button to save changes.

SMS Centre¶

System Management > Authentication Management > Device Management > Edit Default Device Parameters - SMS > SMS Centres

This section is used to manage and add new SMS Centres. You can select any SMS centre to edit or delete.

• To delete an SMS Centre

  • Choose one or more SMS Centres by clicking the Select checkbox adjacent to the ID
  • Click the Delete button.

  A confirmation message will be displayed.

• To edit an SMS Centre

  • Click the Name hyperlink for the SMS Centre you wish to view or edit details.

  The Edit SMS Centre page is displayed.

• To add a new SMS Centre

  • Click the *New SMS Centre

  The New SMS Centre page is displayed.

Edit SMS Centre¶

System Management > Authentication Management > Device Management > Edit Default Device Parameters - SMS > SMS Centres > Edit SMS Centre displays the following fields:

• Device ID is displayed and cannot be changed.

• Name of Service provider (mandatory).

• Domain/IP and Port - If changes are made to Domain name or IP address and Port number, they must correspond to the SMSC provider for connection to SMSC over TCP/IP.

• System ID, System type and Password - if changes are made, they must be specific to the parameters that are required for authentication of the client application (in this case ActiveAccess) to the SMS centre and this generally will be provided by the SMSC provider.

• Sender's mobile number - maximum length of 20 characters, including the Country Code. Allowed characters are A-Z, a-z, 0-9, '(', ')', '-' and space.

• Plus (+) prefix - Dropdown has the two options: Enabled and Disabled. Enable to add trunk code to mobile number.

• Apply button to save changes.

New SMS Centre¶

System Management > Authentication Management > Device Management > Edit Default Device Parameters - SMS > SMS Centres > New SMS Centre

Use the following fields to create a new SMS Centre:

• Name - Choose a descriptive and unique name.

  If the SMS Centre is actually an MQ Server that consumes SMPP messages, the Name should be a unique name which will become the prefix of the required parameters in AA_HOME/sms-jms-config.properties for the corresponding SMSviaJMS Client. It is possible to configure as many different SMSviaJMS clients as required for ActiveAccess. For more information regarding the SMSviaJMS configuration parameters, please refer to SMS via JMS.

• Domain/IP and Port - Enter the Domain name or IP address and Port number provided by the SMSC provider for connection to SMSC over TCP/IP.

  ActiveAccess currently supports the following types of the SMPP gateways as SMSC and one as SMSviaSMTP:

  • Real SMPP Compatible SMSC - This is a real world receiver of the SMPP messages. The IP and Port of the designated SMSC need to be specified for this type. SMS maximum length is 160 ASCII characters (70 Unicode characters).

  • SMSviaJMS Module - This acts as an SMSC and receives SMPP messages but relays only the submit_sm messages to the MQ Server, which exclusively consumes submit_sm messages. SMS maximum length is 160 ASCII characters (70 Unicode characters).

  • SMSviaJMS Library - This has been embedded into ActiveAccess itself and acts as a real SMPP client but only submits the submit_sm messages to the MQ Server, which exclusively consumes submit_sm messages. Port can be set to any number as it does not have any usage here. SMS maximum length is 64k ASCII characters (32k Unicode characters).

  • SMSviaSMTP Library - This has been embedded into ActiveAccess itself and acts as an SMTP client, which builds SMS but sends them to the email addresses with a specified template in the Domain/IP field. Port can be set to any number as it does not have any usage for this type. No limitation is applied for the size of the SMS via SMTP.

Some clients have their own SMS switch, which provides all necessary information regarding SMS delivering and billing. These SMS gateways support only SMTP protocol for the incoming messages. As the ACS provides the ability to send OTP over SMTP, a template has been defined for this purpose, in the form of mailto:$DEVICE_SERIAL_NUMBER\@smtp.com.

The SMS sender module replaces the $DEVICE_SERIAL_NUMBER in the Domain/IP field with the registered mobile number of the cardholder and sends the OTP to a generated email account through the SMS switch.

You can also define an email URL instead of an IP address for testing purposes. The email URL must start with mailto:, followed by the destination email address (such as mailto:myemail@mycompany.com). If you specify an email instead of an IP address, ActiveAccess will send the content of the SMS message to the specified email address. You must also ensure that the mail server settings are properly configured in the _System Management > Settings_ page.

Alternatively, SMPPSim, an open source and free SMPP simulator from http://www.seleniumsoftware.com/, can be used for testing.

Before testing with SMS, make sure that SMS has been selected as the authentication device for the issuer and that the SMS custom pages have been loaded for the issuer.

• System ID, System type and Password - These are SMSC specific parameters that are required for authentication of the client application (in this case ActiveAccess) to the SMS centre and should be provided by the SMSC provider. If the SMSC does not require client authentication, leave these fields blank.

• Sender's mobile number - Enter the number to be used as the sender's default mobile number, for all messages sent through the selected SMSC. Maximum length is 20 characters, including the Country Code. Allowed characters are A-Z, a-z, 0-9, '(', ')', '-' and space.

• Plus (+) prefix - Dropdown has the two options: Enabled and Disabled. Enable to add trunk code to mobile number.

• Apply button to create the new SMS Centre.

SMS Template¶

Use this section to edit the default SMS templates for:

• Activation During Shopping (ADS)

• Authentication

• Activation via Authentication

• Activation/Registration via MIA.

System Management > Device Management > Edit Default Device Parameters - SMS > SMS Templates > Edit Default Templates 

Use the following fields to edit an SMS Template:

• SMS

• Template name - the options are:

  • Activation During Shopping (ADS)

  • Authentication

  • Activation via Authentication

  • Activation/Registration via MIA

• Template - Enter the default system message. This message is sent to the cardholder when an SMS authentication is requested.

SMS Template Parameters	Length (char)
$BatchNumber - serial number of the batch SMS sent when using device authentication of 3-D Secure	max 5
$CardExpiryDate - expiry date of the credit card	5
$CardHolderName - cardholder name as specified in the system	max 64
$CardProvider - card scheme name for the credit card	max 21
$CurrencySymbol - the currency symbol for the purchase when using device authentication over 3-D Secure	max 3
$IssuerName - Issuer's name as defined in the system	max 256 *
$MerchantCountry - 3 character country code for the Merchant's country	3
$MerchantName - Merchant's name for purchase using device authentication over	max 25 *
3-D Secure
$MerchantURL - URL of the Merchant's website	max 2048 *
$Pan - credit card number used for device authentication over 3-D Secure	max 19
$LastFourDigitsOfPAN - last 4 digits of credit card number used for device authentication over 3-D Secure	max 4
$PurchaseCurrency - 3 character currency code for the currency of the purchase	max 3
$PurchaseDateTime - date and time of the purchase in the system	22
$PurchaseDescription - description of the purchase when using device authentication over 3-D Secure	max 125 *
$PurchaseDisplayAmount - purchase amount displayed for purchase when using device authentication over 3-D Secure	max 20
$PurchaseXID - merchant's purchase ID when using device authentication over 3-D Secure	28
$RecurringEndDate - end date for a recurring payment	10
$RecurringFrequency - recurring frequency for the purchase in days	max 4
$TokenA - the one time password. Subsequent tokens for the batch SMS can be displayed as $TokenB, $TokenC, $TokenD,...	max 8
$PurchaseRealAmount - indicate the transaction amount	max 20
$tokenlifetime - lifetime of the token	max 5

• The parameter can contain Unicode characters, but presenting Unicode characters will reduce the maximum size allowed from 160 to 70 characters.

Email¶

System Management > Authentication Management > Device Management > Edit Default Device Parameters - Email

Email is a virtual device natively supported by ActiveAccess to provide email OTP authentication.

The Email device can be used as a backup device.

The Email device parameters page is where the administrator can setup the system for sending OTP via email.

Use the following fields to edit email Parameters:

• Device type - Email

• Token lifetime - determines the validity period of email tokens in minutes (acceptable range is 0 to 10). Following the sending of an email, the token will be valid for the period specified by this option. The default lifetime of email tokens is 10 minutes. You should consider the network delay for sending email messages and give enough time for the cardholder to enter the token.

• Token length - determines the number of digits in the generated token (acceptable range is 6 to 10). The default size is 6 digits.

• Maximum unsuccessful attempts to send an email - (acceptable range is 0 to 9) if sending an OTP by email fails due to network or application errors such as connection problems to the mail server or receiving a delivery error, the system attempts to resend the email message up to the number of times specified by this option. The default value is 5. If all attempts for delivering an OTP by email fail, an error is reported back to the administration user.

• Mail server address, Mail server port, Mail server username, Mail server password, Mail server protocol and Mail sender - Enter the address of an outgoing SMTP mail server with a valid username and password

  Note

  The sender of the notification messages will be the main administrator user (administrator). Make sure that you have specified a correct email address for this user (use Edit Profile link, while logged in as the administrator).

• Minimum wait before the updated email address can be used (acceptable range is 0 to 9999). 0 to disable this option.

• Use as backup device - Turn this option on if you would like Email to be used as a backup device. A backup device can be activated once a cardholder reports a device lost or damaged, or requests the helpdesk to disable the device temporarily.

• OTP and Password - Select this option when an authentication requires the cardholder to enter both a static password and one-time password.

• Email Templates - Click on the link to Edit Default Templates for Activation During Shopping (ADS), Authentication, Activation via Authentication or Activation/Registration via MIA.

• Send Test Email - Click on the link to send a test email.

  Note

  The sender of the test emails will be the main administrator user (administrator). Make sure that you have specified a correct email address for this user (use Edit Profile link, while logged in as the administrator).

• Apply button to save changes.

Email Template¶

System Management > Authentication Management > Device Management > Edit Default Device Parameters - Email > Email Templates > Edit Default Templates

Use this section to edit the default email templates for:

• Activation During Shopping (ADS)

• Authentication

• Activation via Authentication

• Activation/Registration via MIA

• Subject of Activation During Shopping (ADS)

• Subject of Authentication

• Subject of Activation via Authentication

• Subject of Activation/Registration via MIA.

Use the following fields to edit an Email Template:

• Type - Email (this cannot be changed)

• Template name , the options are:

  • Activation During Shopping (ADS)

  • Authentication

  • Activation via Authentication

  • Activation/Registration via MIA

  • Subject of Activation During Shopping (ADS)

  • Subject of Authentication

  • Subject of Activation via Authentication

  • Subject of Activation/Registration via MIA.

• Content type - Plain or HTML !!! note This field is only available for templates of the email body.

• Template - Enter the default content for the email to be sent to the cardholder when email OTP authentication is requested.

* The parameter can contain Unicode characters.

OOB¶

System Management > Authentication Management > Device Management > Edit Default Device Parameters - OOB

OOB (Out of Band) is an API developed by the issuer to authenticate cardholders using devices that are not supported by ActiveAccess.

Use the following fields to edit OOB Device Parameters:

• OTP and Password - Select this option when an authentication requires the cardholder to enter a static password and complete the OOB authentication.

Backup Device¶

System Management > Authentication Management > Device Management > Edit Default Device Parameters - Backup Device

The backup device is a standalone backup token, which is software generated. It can be used multiple times, as configured in the Backup Device Parameters.

Use the following fields to edit Backup Device Parameters:

• Device type - Backup Device

• Backup device lifetime (acceptable range is 0 to 365 days)

  A value of 0 disables the device.

• Max usage limit - the maximum number of times the backup device can be used as (acceptable range is 0 to 9).

  A value of 0 disables the device.

• OTP and Password - Select this option when an authentication requires the cardholder to enter both a static password and a one-time password.

• Apply button to save changes.

VASCO¶

System Management > Authentication Management > Device Management > Edit Default Device Parameters - VASCO

VASCO Parameters:

• Device type - VASCO

The following manufacturer fields are available for configuration by default

• CHECKCHALLENGE, CHKINACTDAYS, DERIVEVECTOR, DIAGLEVEL, EVENTWINDOW, GMTADJUST, HSMSLOTID, ITHRESHOLD, ITIMEWINDOW, ONLINESG, STHRESHOLD, STIMEWINDOW, STORAGEDERIVEKEY1, STORAGEDERIVEKEY2, STORAGEDERIVEKEY3, STORAGEDERIVEKEY4, STORAGEKEYID, SYNCWINDOW, TRANSPORTKEYID and MODE (Response only or Challenge response) (acceptable range for field values is displayed in field hints, where appropriate).

• OTP and Password - Select this option when an authentication requires the cardholder to enter both a static password and one-time password.

• Apply button to save changes.

Upload File¶

System Management > Authentication Management > Device Management > Upload File

This page is used to enter the details of the device seed file you wish to upload and to schedule the upload date and time.

The seed file is provided by the device manufacturer.

Use the following fields to upload a file:

• Issuer

• Device type

• Click the Choose File / Browse… button, adjacent to File name, to locate and select a device seed file to upload.

  The No file chosen message will then be replaced by the File name of the file to be uploaded.

• Key value - The device manufacturer may provide a key for decrypting the seed file. Enter the key as provided by the device manufacturer.

• Schedule Date and Time when you want the uploaded data to be processed.

  Uploaded files scheduled to run in the past are set to run immediately.

  You may also leave these fields blank if you wish to process the uploaded data as soon as possible.

  Note

  The data upload may take a long time to complete depending on the file size and line speed.

• Apply button to create the upload job file.

Find Device¶

System Management > Authentication Management > Device Management > Find Device

Find Device can be used to search for an authentication device based on a number of criteria such as serial number, range of serial numbers, creation data and type of device.

Use the following to find a device:

• Issuer

• Creation date and time (dd/mm/yyyy HH:MM) or specify a date and time range for the search result by entering dates and times in the From and To fields. The date and time format is dd/mm/yyyy HH:MM. Leave the time field empty if you do not wish to limit your search for a particular time of day.

• Device type

• Device Serial number or specify a range of numbers to search within:

  • VASCO - device serial number, e.g. 123456789000

  • SMS - phone number including country code, e.g. +61123456789

  • Email - email address, e.g. jo.citizen@domain.com

• Click Search to display device details.

Device Search Result¶

System Management > Authentication Management > Device Management > Find Device > Search Result

This page displays

• A list of Devices

• Device ID link to the Device Details page

• Delete, Mark as lost, Mark as damaged, Mark as disabled and Back buttons

The following fields and links are displayed for each device

• Select - checkbox for selecting the device to use in conjunction with the Delete, Mark as lost, Mark as damaged and Mark as disabled buttons.

• Device ID link to the Device Details page

• Serial number - The unique device / authentication method identifier

• Issuer - The issuer name to which this device belongs

• Device type - The type/make of the device such as VASCO, Email, SMS, etc

• Status - Active/Lost/Damaged/Disabled. Only an active device can be used in device authentication. If a device is reported lost, stolen, damaged or disabled, it must be flagged accordingly. A lost or damaged device can no longer be used for authentication and the cardholder must be issued with a new device.

To Delete, Mark as lost, damaged or disabled, devices in the Search Results

• Click the checkbox adjacent to the appropriate device or the checkbox in the Select column heading, to select all devices.

• Click the appropriate Delete, Mark as lost, Mark as damaged or Mark as disabled button.

Device Details¶

System Management > Authentication Management > Device Management > Find Device > Device Details

This page is used to view details for the device selected on the Find Device page and to change device status if the device has been reported as lost, damaged or temporarily disabled.

The following fields and links are displayed

• Device ID - unique device ID

• Issuer - The issuer name to which this device belongs

• Serial number - The unique device / authentication method identifier

• Device type - The type / make of the device, e.g. VASCO, Email, SMS.

• Status - Active/Lost/Damaged. Only an active device can be used for authentication. If a device is reported lost, stolen or damaged, it must be flagged accordingly. A lost or damaged device can no longer be used for device authentication and the cardholder must be issued with a new device.

• Creation date - The date on which the device was created.

• Reported lost/damaged on - displays the last time a token was reported lost or damaged.

• Device Specific Parameters - a number of device specific parameters may be displayed for each device. These parameters are determined by the device manufacturer / authentication method and are displayed for completeness.

• Assigned Cards - link to a list of cards assigned to this device.

• Activate Device - the link appears for devices marked as lost or damaged. This allows the administrator to re-activate the device for example when the cardholder reports that the device has been found, to save the cardholder from the trouble of having to use a back up device or wait for the replacement to arrive. To activate the device, the administrator needs to enter a valid token generated by the device to confirm that the device is actually in the possession of the cardholder again.

• Reset device - this option is currently supported for time-synchronous VASCO tokens. Such devices use an internal clock for generating the tokens which may gradually go out of sync with the authentication server time due to the internal clock's drift. Time synchronous devices automatically adjust this error with each authentication, as long as the time drift is within a reasonable range. The time drift on a device that has not been used for a long period of time may go outside the accepted window for automatic adjustment. In such a case, resetting the device will re-initialise the associated record and allows for a much larger window of synchronization. Before performing this action, the administrator should make sure that the cardholder's account status is enabled and should confirm that the cardholder is entering the token from a linked device by checking the device's serial number against the cardholder account. If this does not resolve the problem, the administrator should reset the token and advice the cardholder to perform another authentication. If resetting the device does not solve the problem, the device should be marked as damaged and a replacement ordered for the cardholder.