Persistent storage

Tokens are persistently stored in an application’s private directory and great lengths have been taken to make it hard to read and reverse engineered. Protector OATH SDK contains all the resources to manage the user credentials in the persistent memory. The credentials of each user are identified by a unique label the application provided during provisioning. Each label is linked to a “token” inside Protector OATH SDK. At any time, the application can retrieve the list of available tokens, remove a token, or use a token to generate OTPs. A token’s credentials can be decomposed into the following asset levels:

  • Primary Asset

    The token’s secret key used as part of an OTP calculation. This is the only data that completely prevents an attacker from forging an attack against a user’s credentials.

  • Secondary Asset

    All data involved in generating an OTP. This data does not allow an attacker to forge an attack against a user’s credentials.

Therefore, the tokens cannot be accessed by any other applications regardless if this SDK is used.

Tokens and token management

Token is the base class that represents a user’s credentials, state and metadata examples of each are the secret key, counter, and identifier respectively) and TokenManager is the base class that specifies how to list, remove and retrieve the tokens.

Most OTP services are built on these base types to enhance static type checking. And there are optional types which provide additional operations that you can add on to. A token’s credentials are used by a device type (defined by the relevant service) to generate OTPs.


There is no limitation imposed on the number of tokens that can be stored

  • Android Storage Locations

    The data is stored in the following locations within the application’s installation directory:

    • The databases directory
    • The files directory.
  • iOS storage locations

    The data is stored in the app’s Documents directory in (<APPHOME>/Documents) within the application’s installation directory.


Does the SDK support client certificates for mutual authentication in the provisioning sequence?

No, the SDK does not support this feature for provisioning. Therefore, the server’s TLS software must be configured to accept clients without certificates.

What steps needed to upgrade from PPv3 to PPv5?

  1. Use new API as specified on: EPS Configuration and make sure EPS Url is correct
  2. Use new API as specified on: createToken