Digipass OTP device activation (protected self-service)

Digipass OTP devices are physical OTP devices from OneSpan. Airlock IAM supports the activation and reactivation of inactive Digipass OTP devices by the end-user in a protected self-service. Since protected self-services are only accessible after successful authentication by the end-user, this process can help minimize the risk of potential misuse.

This article describes how a corresponding flow in the Loginapp REST API.

  • As a result:
  • Administrators can ship deactivated Digipass OTP devices to the end-user.
  • Tampering with an inactive Digipass OTP device, e.g. during shipping, is impossible. The end-user first needs to log in to activate the new device via a protected self-service.


  • The following requirements must be met to activate a Digipass OTP device:
  • A corresponding Loginapp REST API authentication flow must be configured to allow the required end-user authentication for the protected self-service.
  • One or more inactive Digipass OTP devices must be assigned to the end-user's account in the Adminapp user management.
  • The end-user must be in possession of the assigned inactive Digipass OTP device or devices.

Configuration of the protected self-service

The following configuration instruction is generic and simplified – all requirements must be preconfigured.

  1. Go to:
    Loginapp >> Protected Self-Services >> Protected Self-Service Flows
  2. In property Flows, create and edit a new Custom Protected Self-Service Flow.
  3. In property Flow ID, create and edit a unique Flow ID.
  4. In property Access Condition, set Vasco Activation Possible. This will allow a device activation when one or more inactive Digipass OTP devices are available.
  5. In property Authorization Condition, choose a setting according to your needs (e.g. restrict access to users with a certain role).
  6. In property Steps, create a Vasco OTP Device Activation plugin and open it.
  7. In property Token Data Provider, choose the same token data provider as configured for Loginapp authentication and Adminapp management, e.g., the Default Token Data Provider.
  8. In property Vasco Handler, choose the same Vasco handler as configured in the Loginapp and Adminapp (typically the Native Vasco Handler).
  9. With this configuration, Digipass OTP devices can be activated by the authenticated end-user over REST. See Loginapp REST API Reference for further information on the REST endpoints.

Adding the device activation page to the Loginapp UI

With only the Loginapp REST API being configured with the protected self-service, Digipass OTP devices can only be activated via REST calls. To allow device activation via Loginapp UI, a new device activation page must be configured as follows.

  1. Go to:
    Loginapp >> UI Settings >> Protected Self-Service UIs
  2. In property Flow UIs, create and edit a new Protected Self-Service UI
  3. In the property Flow ID, reference the flow ID that we created earlier in the Loginapp REST API configuration.
  4. Finish the configuration by choosing the corresponding actions:
    1. In property On Flow Completion, e.g. choose Target Application Redirect to the authentication page.
    2. In property On Flow Cancellation, you may choose the same Target Application Redirect as on completion.
  5. With these settings and inactivated Digipass OTP devices:
    • A logged-in end-user can select a device from the device list. Only inactive Digipass OTP devices will be listed.
    • After entering a valid OTP, the end-user can activate the new device with the Activate button or use the Cancel button to stop the process. In both cases, the end-user will be redirected to the configured target application page.
    • OneSpan Vasco OTP activation
      Figure: Example Loginapp UI screen for Digipass OTP device activation