Intelligent Adaptive Authentication April Release – 25.R1

As of version 24.R2, the input in the fingerprintRaw and fingerprintHash input data fields is optional. This applies to the following endpoints:

• POST /events

• POST /users/{userID@domain}/events/validate

• POST /transactions

• POST /users/{userID@domain}/transactions/validate

• POST /users/{userID@domain}/login

• POST /users/register

• POST /users/{userID@domain}/unregister

Orchestration error handling with the POST /orchestration-commands endpoint is deprecated and will be removed on 31 March 2026.

Intelligent Adaptive Authentication now supports single sign-on to the Web Administration interface of the Authentication component for your users with administrative permissions.

This feature is currently in beta testing. If you would like to use single sign-on in your implementation, please contact OneSpan.

The way in which Intelligent Adaptive Authentication has been executing administrative commands from the Authentication Component sometimes caused performance and latency issues, occasionally even resulting in outages.

We have improved this now by introducing a new type of internal user account, the service user. This type of user account is a specific set of users which are used for administrative operations within services. This removes the need for handling and caching of administrative sessions in the Intelligent Adaptive Authentication services.

The user management for users with administrative privileges has been extended. The output of relevant endpoints now includes information about the specific administrative privileges granted to the account. This allows you to retrieve detailed information about the administrative accounts without having to contact OneSpan Support.

The endpoints to querying, viewing, and updating a user account have been extended:

• GET /users

• GET /users/{userID@domain}

• PATCH /users/{userID@domain}

For information about the format of the output and further details, refer to the Interactive API Reference (Platform API Sandbox).

A user account can be suspended (become inactive) if it has not been used for a given amount of time. If this happens, the account can be reactivated by resetting the date and time the user last authenticated.

• Reset last authentication time. A new endpoint has been added to reset a user’s last authentication date and time: POST /users/{userID@domain}/reset-last-authentication-time.

  The following responses are included:

  • 204: Last authentication time reset.

  • 400: The input is invalid.

  • 403: The command is prohibited for the tenant admin account.

  • 404: User account not found.

  • 500: Internal error, sub-service failure, server crash.

For more information, see Reactivate suspended user accounts.

Intelligent Adaptive Authentication now enables you to reset the application(s) of one or more authenticators.

• Reset authenticator application. A new endpoint has been added to reset an authenticator application:

  POST /authenticators/{serialNumber}/applications/{applName}/reset-application.

  This new endpoint sends the path parameters serialNumber and applName.

  The following responses are included:

  • 204: Application reset.

  • 400: The input is invalid.

  • 404: Authenticator or application not found.

  • 409: Application could not be reset.

  • 500: Internal error, sub-service failure, server crash.

Intelligent Adaptive Authentication now enables you to customize the activation password. You can make the following changes:

• Select the format of the activation password (the password can now be numeric or alphanumeric)

• Set the length of the activation password

• Set a maximum number of allowed provisioning attempts

• Set the length of the registration identifier

When a user has one authenticator assigned, and a second one is added with the DsappSRPRegister command, the registration fails with the following error message: Multiple assigned digipass [2] found for user where only one expected. The cause is that the DsappSRPRegister command does not allow selecting a specific serial number to be used.

Status: This issue has been fixed. The DsappSRPRegister command has been enhanced to allow specifying an authenticator serial number.

Due to recent changes in legal requirements for the format of text messages in some countries, messaging carriers have applied stricter regulations. As a result, some users who received text messages before, did not receive messages with their one-time passwords anymore, and their payments failed.

To address this issue and meet the stricter text message format requirements, we have implemented a routing table configuration. Intelligent Adaptive Authentication now offers text message templates whose content can be customized according to the country of the message recipient.

In this context, vulnerabilities in service dependencies were also fixed.

If you would like to use this feature, please contact OneSpan Support.

This version of Intelligent Adaptive Authentication contains fixes for the following vulnerabilities:

• CVE-2023-22102 (Oracle MySQL vulnerability)

• CVE-2023-42364 (BusyBox vulnerability)

• CVE-2023-42365 (BusyBox vulnerability)

• CVE-2024-4741 (OpenSSL vulnerability)

• CVE-2024-5535 (OpenSSL vulnerability)

• CVE-2024-6119 (OpenSSL vulnerability)

• CVE-2024-8096 (cURL vulnerability)

• CVE-2024-9143 (OpenSSL vulnerability)

• CVE-2024-21131 (Oracle vulnerability)

• CVE-2024-21138 (Oracle vulnerability)

• CVE-2024-21145 (Oracle vulnerability)

When trying to log in with FIDO2 to an Android application, the registration of the FIDO2 authenticator failed. The reason for this was an incorrectly configured origin field in the relying party object. The main issue, however, was that Intelligent Adaptive Authentication did not provide a clear error message.

Status: This issue has been fixed. Origin mismatch errors are now logged with information about the log level, thus providing a more descriptive error message.

The Certification Authority (CA) for Apple Push Notification service (APNs) has changed and APNs has updated the server certificates. We have verified the validity of the Intelligent Adaptive Authentication Trust Store and ensured it includes the new server certificates.

The POST /users/{userID@domain}/transactions/validate endpoint returns an incorrect error message if the transaction amount field is provided from the data type number, and if the transaction amount is large. In this case, the endpoint should return the error message "Invalid value type", because the transaction amount field was provided as a number and not as a String. Instead, it returns the incorrect error message "Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,".

Solution: The transaction amount fields in the request body of the transactions/validate endpoint need to be provided as a String. Ensure that the value in the JSON request body is wrapped in double quotes.