Digipass FIDO Touch User Guide
Version: 1.04

Disclaimer

Disclaimer of Warranties and Limitations of Liabilities

Copyright Notices
Copyright 2019 OneSpan North America Inc. All rights reserved.

Trademarks
OneSpan, DIGIPASS and CRONTO are registered or unregistered trademarks of OneSpan North America Inc., OneSpan NV and/or OneSpan International GmbH (collectively OneSpan) in the U.S. and other countries. OneSpan reserves all rights to the trademarks, service marks and logos of OneSpan and its subsidiaries. All other trademarks or trade names are the property of their respective owners.

Intellectual Property
OneSpan Software, documents and related materials (Materials) contain proprietary and confidential information. All title, rights and interest in OneSpan Software and Materials, updates and upgrades thereof, including software rights, copyrights, patent rights, industrial design rights, trade secret rights, sui generis database rights, and all other intellectual and industrial property rights, vest exclusively in OneSpan or its licensors. No OneSpan Software or Materials may be downloaded, copied, transferred, disclosed, reproduced, redistributed, or transmitted in any form or by any means, electronic, mechanical or otherwise, for any commercial or production purpose, except as otherwise marked or when expressly permitted by OneSpan in writing.

Disclaimer
OneSpan accepts no liability for the accuracy, completeness, or timeliness of content, or for the reliability of links to and content of external or third-party websites. OneSpan shall have no liability under any circumstances for any loss, damage, or expense incurred by you, your company, or any third party arising from the use or inability to use OneSpan Software or Materials, or any third-party material made available or downloadable. OneSpan will not be liable in relation to any loss/damage caused by modification of these Legal Notices or content.

Reservation
OneSpan reserves the right to modify these Notices and the content at any time. OneSpan likewise reserves the right to withdraw or revoke consent or otherwise prohibit use of the OneSpan Software or Materials if such use does not conform to the terms of any written agreement between OneSpan and you, or other applicable terms that OneSpan publishes from time to time.

Contact us
Visit our website: https://www.onespan.com
Resource center: https://www.onespan.com/resource-center
Technical support and knowledge base: https://www.onespan.com/support
If there is no solution in the knowledge base, contact the company that supplied you with the OneSpan product.

Date: 2019-09-13

Table of Contents

Introduction
  1.1 Who Should Read This Guide?
  1.2 Comments and Feedback
  1.3 Terminology
Description and Configuration
  2.1 Presentation
  2.2 System requirements
  2.3 Power on/off
  2.4 USB connection
  2.5 Digipass FIDO Touch settings
    Settings menu
    Pairing process
    Set the language of your Digipass FIDO Touch
    Reset Digipass FIDO Touch
    Set a PIN
FIDO2 usage
  3.1 Overview
  3.2 Introduction of the scenario
  3.3 Registration
  3.4 Authentication
  3.5 Transactions
  3.6 Windows 10 & FIDO2
Appendix A: FCC statements
Appendix B: Battery recommendation

Illustration Index

Figure 1: Digipass FIDO Touch
Figure 2: Start screen icons
Figure 3: Digipass FIDO Touch splash screen
Figure 4: Start screen when previously paired with your device
Figure 5: Settings screen
Figure 6: Bluetooth options screen
Figure 7: Searching for Bluetooth connection
Figure 8: PIN for Bluetooth pairing on Windows 10 device
Figure 9: Select host to be deleted
Figure 10: Settings screen
Figure 11: Digipass FIDO Touch specifications

Index of Tables

Table 1: Glossary of technical terms
Table 2: Digipass FIDO Touch system requirements
Table 3: FIDO2 CTAP features supported by Digipass FIDO Touch

Procedure Index

Procedure 1: Pairing Digipass FIDO Touch
Procedure 2: Removing Bluetooth pairing
Procedure 3: Setting the language
Procedure 4: Resetting Digipass FIDO Touch
Procedure 5: Setting the PIN
Procedure 6: Registering Digipass FIDO Touch
Procedure 7: Using Digipass FIDO Touch for authentication
Procedure 8: Using Digipass FIDO Touch for transactions

Introduction

FIDO2 is a set of standards that enables easy and secure logins to websites and applications via biometrics, mobile devices and/or FIDO Security Keys. FIDO2's simpler login experiences are backed by strong cryptographic security that is far superior to passwords, protecting users from phishing, all forms of password theft and replay attacks [1]. Learn more about FIDO2 at https://fidoalliance.org/fido2/.

Digipass FIDO Touch is a FIDO security key that supports the FIDO2 protocol. Digipass FIDO Touch is FIDO2 certified Level 1 by the FIDO Alliance, and Bluetooth certified.

Digipass FIDO Touch establishes a communication with the computer. As a result, Digipass FIDO Touch delivers the most secure and lightning-fast user connectivity to protect even the most sensitive mobile or computer transactions.

1.1 Who Should Read This Guide?

This document is intended for users who are installing or configuring Digipass FIDO Touch in different environments and languages. The audience must also be familiar with Bluetooth pairing on Android, iOS, or Windows 10 devices and Windows 10 configuration and settings.

1.2 Comments and Feedback

If you encounter errors while attempting to perform the steps described in this guide, or have suggestions to improve this guide, send them by email to: documentation2@onespan.com.

1.3 Terminology

Table 1 describes the technical terms used in this document. For a list of general technical terms used throughout all documents, see the FIDO Authentication Solution Guide.

Table 1: Glossary of technical terms

Term                   Description
Digipass FIDO Touch    Authenticator supporting the FIDO2 protocol
Server                 FIDO Universal Server
App                    Mobile application

[1] Source of definition: https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/

Description and Configuration

2.1 Presentation

Figure 1: Digipass FIDO Touch

Figure 2: Start screen icons

NOTE
The Bluetooth icon has three states:
  - Bluetooth OFF or no device paired
  - Bluetooth ON and one device paired
  - Bluetooth connected

2.2 System requirements

Table 2: Digipass FIDO Touch system requirements

Requirement                                 Digipass FIDO Touch
Operating systems / Bluetooth connection    Bluetooth 4.0 LE
                                            iOS 7 or higher
                                            Android 6.0 or higher
                                            Windows 10
Operating system / USB connection           Windows 7; Windows 10
                                            MacOS X 10.13 or higher
Browser                                     All browsers supporting the FIDO2 WebAuthn API
Platform                                    FIDO CTAP2 API

2.3 Power on/off

To switch on Digipass FIDO Touch, click the Power button. The splash screen is displayed:

Figure 3: Digipass FIDO Touch splash screen

After a moment, a new screen is displayed. This will be one of the following two, depending on the Bluetooth pairing status.

1. If you have already paired your Digipass FIDO Touch with a tablet, phone, or computer, the following screen will be displayed:

   Figure 4: Start screen when previously paired with your device

2. If you have never paired your Digipass FIDO Touch and used it in Bluetooth mode, you are invited to pair your device with Digipass FIDO Touch. The screen will inform you that Bluetooth is enabled but there is no paired device and invite you to add the device in the Bluetooth menu. For more information on the pairing process, refer to 2.6 Pairing Process.
   a) Press OK on the touch screen to continue.

To switch off Digipass FIDO Touch, press the Power button.

2.4 USB connection

Included in the product package is a USB cable; plug the Micro USB Type B connector into Digipass FIDO Touch and the USB Type A connector into your computer. When you plug in the USB cable, the USB icon is displayed on the Digipass FIDO Touch display. After a few seconds Digipass FIDO Touch will enter Charge mode.

If the battery is empty, the screen displays an empty battery icon. In that case, you can plug in the cable and perform an operation after a few seconds. The battery will take 90 minutes to fully recharge.

2.5 Digipass FIDO Touch settings

Settings menu

The Settings menu offers you the following actions/information:
  - Add Bluetooth pairing platform
  - Set the language of your Digipass FIDO Touch
  - Reset Digipass FIDO Touch
  - Software version information

Pairing process

To use your Digipass FIDO Touch on a new platform, you need to turn on Bluetooth on your platform and follow the platform-specific steps for pairing a new Bluetooth device. On Digipass FIDO Touch, follow these steps:

Procedure 1: Pairing Digipass FIDO Touch

1. Switch on your Digipass FIDO Touch.
2. Click on the Settings icon. Digipass FIDO Touch displays the following screen:

   Figure 5: Settings screen

3. Click on the Bluetooth icon. Digipass FIDO Touch now displays this screen:

   Figure 6: Bluetooth options screen

4. Enable Bluetooth by pressing [icon]. By default, this option is enabled.
5. Add a new platform by pressing [icon]. While searching for the Bluetooth connection with your platform, Digipass FIDO Touch displays the following screen:

   Figure 7: Searching for Bluetooth connection

   The platform should display a message with a PIN to enter for pairing. Figure 8 shows an example on a Windows 10 device.

   Figure 8: PIN for Bluetooth pairing on Windows 10 device

6. Enter the PIN on Digipass FIDO Touch.
7. If pairing was successful, Digipass FIDO Touch displays a success message.

NOTE
For Android devices, the pairing process can be done via the system menu or directly in the App. For iOS devices, the pairing process must be done with an app. The system menu does not allow you to pair BLE devices.

To remove the pairing of Digipass FIDO Touch and a device, follow these steps.

Procedure 2: Removing Bluetooth pairing

1. Press the Remove Bluetooth pairing icon [icon].
2. You can delete the Bluetooth pairing for all hosts or select hosts individually.

   Figure 9: Select host to be deleted

3. Select the host for which you wish to remove the Bluetooth pairing.

Set the language of your Digipass FIDO Touch

You can set the language of your Digipass FIDO Touch. The following languages are supported:
  - English
  - French
  - Dutch
  - Japanese
  - Spanish
  - German

Procedure 3: Setting the language

1. On the main screen, click the settings icon.
2. In the next screen, click the language selection icon.
3. Select your language.
4. To finish, Digipass FIDO Touch displays a confirmation message. Confirm this by clicking OK.

Reset Digipass FIDO Touch

To reset Digipass FIDO Touch, follow these steps.

Procedure 4: Resetting Digipass FIDO Touch

1. On the main screen, click on the Settings icon.
2. The following screen is displayed:

   Figure 10: Settings screen

3. Click the reset icon [icon].
4. Confirm or cancel the action.

CAUTION
When you reset your device, the PIN will be reset, and all registrations will be lost.

Set a PIN

FIDO2 supports using a PIN to protect the credentials. Because Digipass FIDO Touch provides a touch screen, the PIN that protects the credentials is entered on the device's touch screen, not via the client PIN API (i.e. not with a web browser, app, or platform PIN entry). The credential protection extension is set by default.

Procedure 5: Setting the PIN

1. In the main screen, press the Set Pin icon [icon].
2. Enter your PIN.
3. The policy for PIN strength prescribes a length of 6 digits (before validation).
4. Confirm the PIN entry.
5. When the PIN is set, Digipass FIDO Touch will display the message PIN configured. Press OK to leave this screen.

NOTE
Digipass FIDO Touch refuses weak PINs. The difference between two consecutive digits must not be a constant. For example, simple PINs like 111111, 123456, or 987654 are refused. Also, the new PIN must be different from the current PIN.

FIDO2 usage

3.1 Overview

Before using your Digipass FIDO Touch, you need to register it. FIDO supports the following operations:
  - Registration
  - Authentication
  - Transaction verification

Windows 10 (version May 2019 update) includes support for passwordless FIDO Authentication via Windows Hello or FIDO Security Key on Microsoft Edge and the most recent versions of Mozilla Firefox and Chrome.

3.2 Introduction of the scenario

The general workflow between a platform and Digipass FIDO Touch is:
1. The platform establishes the connection with Digipass FIDO Touch.
2. The platform retrieves information about Digipass FIDO Touch using a command to determine the capabilities of Digipass FIDO Touch.
3. The platform sends a command for an operation if Digipass FIDO Touch supports the operation.
4. Digipass FIDO Touch replies with response data or an error message.

3.3 Registration

Before using your Digipass FIDO Touch to replace your credentials (user name and/or password), you must register your Digipass FIDO Touch.

Procedure 6: Registering Digipass FIDO Touch

1. Switch on and connect your Digipass FIDO Touch with USB or Bluetooth.
2. When the Server sends the request, Digipass FIDO Touch asks you if you want to register.
3. After you press Yes, Digipass FIDO Touch displays the details of the registration, including the name of the relying party, the account, and the display and user names.

NOTE
In case the Server requests a PIN verification, or Digipass FIDO Touch is PIN-protected, the PIN verification screen is displayed. Enter the Digipass FIDO Touch PIN.

To delete the credentials, press the FIDO credential icon [icon] on the main menu.

3.4 Authentication

After registering your Digipass FIDO Touch, the device is ready for authentication and transactions.

Procedure 7: Using Digipass FIDO Touch for authentication

1. Switch on and connect your Digipass FIDO Touch with USB or Bluetooth.
2. When the Server sends the request, Digipass FIDO Touch asks you if you want to authenticate.
3. After you press Yes, Digipass FIDO Touch displays the details of the login, including the name of the relying party, the account selection, and the display and user names.

NOTE
In case Digipass FIDO Touch is PIN-protected, the PIN verification screen is displayed. Enter the Digipass FIDO Touch PIN.

3.5 Transactions

Transactions are initiated in the same way as an authentication, but Digipass FIDO Touch uses transaction data instead of the authentication data.

Procedure 8: Using Digipass FIDO Touch for transactions

1. Switch on and connect your Digipass FIDO Touch with USB or Bluetooth.
2. When the Server sends the request, Digipass FIDO Touch asks you if you want to carry out a transaction.
3. After you press Yes, you can verify the transaction details:
   - With a mobile app, Digipass FIDO Touch displays the details of the transaction for you to approve.
   - With a web browser application, you can display the transaction details on Digipass FIDO Touch if the browser supports the FIDO2 transaction extension.

NOTE
In case Digipass FIDO Touch is PIN-protected, the PIN verification screen is displayed. Enter the Digipass FIDO Touch PIN.

3.6 Windows 10 & FIDO2

The FIDO2 CTAP specification contains a few optional features and extensions which are crucial to provide a seamless and secure experience. Table 3 lists the features and extensions from the FIDO2 CTAP protocol supported by Digipass FIDO Touch.

Table 3: FIDO2 CTAP features supported by Digipass FIDO Touch

#   Feature / Extension         Why is this required?
1   Resident key                This feature enables the security key to be portable, where
                                your credential is stored on the security key.
3   hmac-secret                 This extension ensures you can sign in to your device when
                                it's off-line or in airplane mode.
4   Multiple accounts per RP    This feature ensures you can use the same security key across
                                multiple services like Microsoft Account (MSA) and Azure
                                Active Directory (AAD).

NOTE
You must set up the PIN before registering your Digipass FIDO Touch for Windows 10/Hello. With its user interface, Digipass FIDO Touch manages the PIN directly.

You can now set up Digipass FIDO Touch as a security key from the cloud panel with your online account page.

For more information on the Windows 10 FIDO configuration and credential issuance (HMAC-secret), please refer to the Microsoft documentation: https://support.microsoft.com/en-us/help/4463210/windows-10-sign-in-microsoft-account-windows-hello-security-key.

Appendix A: FCC statements

This device complies with part 15 of the FCC Rules. Operation is subject to the following two conditions:
(1) This device may not cause harmful interference, and
(2) this device must accept any interference received, including interference that may cause undesired operation.

CAUTION
IMPORTANT: No changes shall be made to the equipment without the manufacturer's permission as this may void the user's authority to operate the equipment.

This device complies with FCC requirements for RF exposure in accordance with FCC rule part 2.1093 and KDB 447498 D01 for portable use conditions.

Figure 11: Digipass FIDO Touch specifications

Appendix B: Battery recommendation

This product contains a battery, and a printed circuit board (PCB) that may require special handling at end-of-life. Long term storage for devices with rechargeable batteries should be limited to 1 year after production date. After each year, the battery of the unit must be fully recharged before it can be stored for another year.

CAUTION
Do not penetrate the battery with a nail or other sharp object!
Do not charge the battery at high temperature over 45 degrees Celsius!
Do not immerse the battery in liquid such as water, beverages, or other fluids!
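
The weak-PIN rule from the NOTE under "Set a PIN", written out as an added example (not OneSpan firmware code). It assumes the PIN is exactly 6 digits and shows two possible readings of "constant difference", because the guide does not say whether differences wrap around from 9 to 0; all function names are hypothetical.

```python
# Added example: one reading of the guide's PIN rules, not OneSpan firmware code.
from __future__ import annotations

from itertools import product

PIN_LENGTH = 6  # assumption: "a length of 6 digits" means exactly six


def constant_step(pin: str, modular: bool = False) -> bool:
    """True when every pair of consecutive digits differs by the same amount.

    modular=False compares plain differences (9 -> 0 counts as -9).
    modular=True compares differences mod 10 (9 -> 0 counts as +1).
    Which of the two the device applies is not stated in the guide.
    """
    digits = [int(c) for c in pin]
    steps = {(b - a) % 10 if modular else b - a
             for a, b in zip(digits, digits[1:])}
    return len(steps) == 1


def check_pin(new_pin: str, current_pin: str | None = None,
              modular: bool = False) -> list[str]:
    """Return the policy violations for new_pin; an empty list means accepted."""
    if not (new_pin.isascii() and new_pin.isdigit()) or len(new_pin) != PIN_LENGTH:
        return [f"PIN must be exactly {PIN_LENGTH} digits"]
    problems = []
    if constant_step(new_pin, modular):
        problems.append("constant difference between consecutive digits")
    if current_pin is not None and new_pin == current_pin:
        problems.append("same as current PIN")
    return problems


def rejected_count(modular: bool = False) -> int:
    """Count how many of the 10**6 candidate PINs the step rule refuses."""
    return sum(constant_step("".join(p), modular)
               for p in product("0123456789", repeat=PIN_LENGTH))


if __name__ == "__main__":
    # The first three PINs are the guide's own examples; the rest are constructed.
    for pin in ("111111", "123456", "987654", "890123", "482913"):
        print(pin, check_pin(pin, current_pin="482913") or "accepted")
    print("refused, plain differences:", rejected_count())
    print("refused, mod-10 differences:", rejected_count(modular=True))
```

Under the plain reading the rule refuses 20 of the 1,000,000 possible PINs, under the wrap-around reading 100, so it removes the most obvious sequences without noticeably changing the size of the PIN space.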
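
The capability check in steps 2 and 3 of the workflow in section 3.2, applied to the features in Table 3, as an added example that is not OneSpan or Microsoft code. In CTAP2 the capability query is the authenticatorGetInfo command; the response bytes below are constructed for illustration, not captured from a Digipass FIDO Touch, and the function names are hypothetical.

```python
# Added example (not OneSpan code). SAMPLE_GETINFO is constructed, not captured
# from a device: one status byte followed by the CBOR map of the reply.
SAMPLE_GETINFO = b"".join([
    b"\x00",                             # CTAP2 status: success
    b"\xa4",                             # map with 4 entries
    b"\x01\x81\x68FIDO_2_0",             # 0x01 versions: ["FIDO_2_0"]
    b"\x02\x81\x6bhmac-secret",          # 0x02 extensions: ["hmac-secret"]
    b"\x03\x50" + bytes(16),             # 0x03 aaguid: placeholder, all zeros
    b"\x04\xa2\x62rk\xf5\x62up\xf5",     # 0x04 options: {"rk": true, "up": true}
])

def decode(buf: bytes, pos: int = 0):
    """Decode one definite-length CBOR item; return (value, next_position)."""
    if pos >= len(buf):
        raise ValueError("truncated CBOR")
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if major == 7:                       # only the booleans are needed here
        if info in (20, 21):
            return info == 21, pos
        raise ValueError("unsupported simple value")
    if info < 24:
        arg = info
    elif info <= 27:                     # 1, 2, 4 or 8 byte argument follows
        size = 1 << (info - 24)
        if pos + size > len(buf):
            raise ValueError("truncated CBOR")
        arg, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("reserved or indefinite length")
    if major == 0:                       # unsigned integer
        return arg, pos
    if major in (2, 3):                  # byte string / text string
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR")
        raw = buf[pos:pos + arg]
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major in (4, 5):                  # array / map (a map holds arg pairs)
        items = []
        for _ in range(arg * (major - 3)):
            item, pos = decode(buf, pos)
            items.append(item)
        return (items if major == 4 else dict(zip(items[0::2], items[1::2]))), pos
    raise ValueError(f"unsupported CBOR major type {major}")

def missing_features(response: bytes) -> list:
    """Names of Table 3 features that the GetInfo reply does not advertise."""
    if not response or response[0] != 0x00:
        raise ValueError("authenticator returned an error status")
    info, end = decode(response, 1)
    if end != len(response) or not isinstance(info, dict):
        raise ValueError("malformed GetInfo response")
    # "Multiple accounts per RP" has no GetInfo field, so it cannot be checked
    # here; the other two Table 3 rows map to an option and an extension.
    missing = []
    if not info.get(0x04, {}).get("rk", False):      # "rk" defaults to false
        missing.append("Resident key")
    if "hmac-secret" not in info.get(0x02, []):
        missing.append("hmac-secret")
    return missing
```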