Tokens are stored persistently in the application’s private directory, and the stored form is deliberately hardened so that it is difficult to read or reverse engineer. Protector OATH SDK provides everything needed to manage user credentials in persistent storage. Each user’s credentials are identified by a unique label that the application supplies during provisioning, and each label is linked to a “token” inside Protector OATH SDK. At any time the application can list the available tokens, remove a token, or use a token to generate OTPs. A token’s credentials fall into two asset levels:
The token’s secret key, used as input to the OTP calculation. This is the only data whose compromise lets an attacker forge OTPs for that user; protecting it is what protects the credential.
All other data involved in generating an OTP (for example the counter, time step, digit count and algorithm). This data alone does not let an attacker forge OTPs for that user.
Because tokens live in the application’s private storage, no other application can access them, whether or not that other application also uses this SDK.
Tokens and token management
Token is the base class that represents a user’s credentials, state and metadata (for example the secret key, the counter and the identifier, respectively), and
TokenManager is the base class that specifies how to list, remove and retrieve tokens.
Most OTP services build on these base types so that the compiler can enforce static type checking, and optional types add further operations on top of them. A token’s credentials are consumed by a device type (defined by the relevant service) to generate OTPs.
There is no limit imposed on the number of tokens that can be stored.
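As an added example (not Protector OATH SDK code, and not its API), the following Python models the two asset levels and the list/retrieve/remove/generate operations described above. The Token and TokenManager classes here are hypothetical in-memory stand-ins for the SDK’s base types; the OTP computation follows RFC 4226 (HOTP) and RFC 6238 (TOTP), and the sample secret is the RFC 4226 test key, so the outputs can be checked against the RFC’s published vectors. The SDK’s persistent storage format and obfuscation are not reproduced.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Hypothetical model added for illustration; NOT the Protector OATH SDK API.


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC(secret, counter) -> dynamic truncation -> decimal digits."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits, algorithm)


@dataclass
class Token:
    """Credentials, state and metadata for one provisioned user (hypothetical model)."""
    label: str              # metadata: the unique label chosen at provisioning
    secret: bytes           # asset level 1: the only data that lets anyone forge OTPs
    counter: int = 0        # asset level 2 (state): required for HOTP, harmless on its own
    digits: int = 6         # asset level 2 (metadata)
    algorithm: str = "sha1" # asset level 2 (metadata)

    def generate(self) -> str:
        """Event-based OTP: compute for the current counter, then advance it."""
        otp = hotp(self.secret, self.counter, self.digits, self.algorithm)
        self.counter += 1
        return otp

    def public_metadata(self) -> dict:
        """Everything except the secret key: the level-2 data that does not enable forgery."""
        return {"label": self.label, "counter": self.counter,
                "digits": self.digits, "algorithm": self.algorithm}


class TokenManager:
    """Hypothetical in-memory stand-in for the SDK's list/retrieve/remove operations."""

    def __init__(self):
        self._tokens = {}

    def provision(self, label: str, secret: bytes, **metadata) -> Token:
        if label in self._tokens:
            raise ValueError(f"label already provisioned: {label}")
        token = Token(label, secret, **metadata)
        self._tokens[label] = token
        return token

    def list_labels(self) -> list:
        return sorted(self._tokens)

    def retrieve(self, label: str) -> Token:
        return self._tokens[label]

    def remove(self, label: str) -> None:
        del self._tokens[label]


# Constructed sample data: the RFC 4226 Appendix D test secret (ASCII "1234...0").
RFC4226_SECRET = b"12345678901234567890"


def demo() -> list:
    """Provision one token, generate the first three HOTPs, then remove it."""
    manager = TokenManager()
    manager.provision("alice@example.com", RFC4226_SECRET)   # hypothetical label
    token = manager.retrieve("alice@example.com")
    otps = [token.generate() for _ in range(3)]
    manager.remove("alice@example.com")
    return otps


if __name__ == "__main__":
    print(demo())
    print(totp(RFC4226_SECRET, 59, digits=8))
```

The RFC 4226 vectors give 755224, 287082 and 359152 for counters 0 to 2, and the RFC 6238 SHA-1 vector gives 94287082 at time 59, which is what the block reproduces. Note that `public_metadata()` deliberately omits the secret: a dump of that dictionary tells an attacker which algorithm, digit count and counter are in use, but without the level-1 key none of it yields a valid OTP.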
Android storage locations
The data is stored in the following locations within the application’s installation directory:
iOS storage locations
The data is stored in the app’s Documents directory (<APPHOME>/Documents) within the application’s installation directory.
Does the SDK support client certificates for mutual authentication in the provisioning sequence?
No, the SDK does not support client certificates for provisioning. The server’s TLS configuration must therefore not require a client certificate; it must accept connections from clients that present none.