PowerAuth protocol 3 defines a new version of the activation code, in which OTP is no longer applied. The format of the code is the same (four groups, each composed of five Base32 characters), but the code is no longer split into
SHORT_ID parts. The new code has the following features:
- The whole code is now a short activation identifier, and we call it simply
ACTIVATION_CODE. This principally means that the code is no longer used in the cryptographic calculations.
- The code uses
CRC-16/ARC to detect typing errors. This is useful for scenarios where the user needs to re-type the code manually.
- 96 out of possible 100 bits are used (80 random bits + 16 bits for CRC).
The code is generated as follows:
- Generate 10 random bytes.
- Calculate CRC-16/ARC from those 10 bytes. You can check a reference implementation in Java.
- Append the CRC-16 in big-endian order to the end of the random bytes.
- Generate the Base32 representation of those 12 bytes, without padding characters.
- Split the Base32 string into four groups, each containing five characters. Use "-" as a separator.
The validation process is quite simple:
- Test whether the length of the activation code is equal to 23. If not, then the code is not valid.
- Remove dashes from the code.
- Test whether the string contains only characters allowed in Base32 encoding.
- Decode the Base32 string into a sequence of bytes.
- The length of the decoded sequence must be 12.
- Calculate CRC-16/ARC from the first 10 bytes.
- Compare the calculated value to the last two bytes (in big-endian order). If the values do not match, then the code contains some mistyped characters.
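The construction and validation steps above, as an added Python example (it is not the project's Java reference implementation). The function names are assumptions made for this sketch, and the grouped-format check is slightly stricter than the listed steps.

```python
import base64
import re
import secrets

def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC: polynomial 0x8005 (reflected 0xA001), init 0x0000, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def encode_activation_code(random_bytes: bytes) -> str:
    """Build the dashed code from 10 bytes: append CRC, Base32-encode, group by five."""
    if len(random_bytes) != 10:
        raise ValueError("expected exactly 10 random bytes")
    # 10 random bytes + 2 CRC bytes in big-endian order = 12 bytes (96 bits)
    payload = random_bytes + crc16_arc(random_bytes).to_bytes(2, "big")
    # 12 bytes encode to 20 Base32 characters plus "====" padding, which is dropped
    text = base64.b32encode(payload).decode("ascii").rstrip("=")
    return "-".join(text[i:i + 5] for i in range(0, 20, 5))

def generate_activation_code() -> str:
    """Generate a fresh code from 10 bytes of OS-provided randomness."""
    return encode_activation_code(secrets.token_bytes(10))

# Four groups of five upper-case Base32 characters separated by dashes
GROUPED = re.compile(r"[A-Z2-7]{5}(-[A-Z2-7]{5}){3}")

def validate_activation_code(code: str) -> bool:
    """Return True only if the code is well-formed and its CRC matches."""
    if len(code) != 23:
        return False
    # Stricter than the listed steps: dashes must sit at the group boundaries
    if not GROUPED.fullmatch(code):
        return False
    # Restore the padding that was stripped during construction before decoding
    raw = base64.b32decode(code.replace("-", "") + "====")
    if len(raw) != 12:
        return False
    return crc16_arc(raw[:10]) == int.from_bytes(raw[10:], "big")
```

Python's `b32decode` ignores the four unused low bits of the last character, so codes that differ only in those bits decode to the same 12 bytes and pass this check.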
You can use the following simple values to test your application's validation logic: