Intelligent Adaptive Authentication December Release – 22.R4
  • 25 Oct 2024


New features and enhancements—supported use cases

FIDO2 Automatic Onboarding feature for Sandbox environment

With the FIDO2 Automatic Onboarding feature, you can use FIDO2-based functionalities with Intelligent Adaptive Authentication for the Sandbox environment without any manual configuration. To be able to use this feature, you have to create a new tenant in the Community Portal, and FIDO2 will be automatically configured to work with the FIDO2 Sample Relying Party Web App.

For more information on the FIDO2 Automatic Onboarding feature for the Sandbox environment, see FIDO2 in the Sandbox environment.

FIDO2 Self-Service Onboarding feature for Sandbox and Production environments

With the FIDO2 Self-Service Onboarding feature, you can configure FIDO2 by using the OneSpan Trusted Identity platform REST API endpoints for managing Relying Party Resources. In addition, you can enable the FIDO2-based functionalities with Intelligent Adaptive Authentication for the Sandbox and Production environments.

  • Create a new FIDO2 Relying Party endpoint. A new FIDO2 Relying Party Resource can be created by calling the following endpoint:

    POST /fido2-relying-parties

    with the following mandatory request body:

    • origins. Set of valid origins matching the Relying Party ID, e.g. ["https://www.yourwebapp.example-tenant.com"].

    • publicKeyCredentialRpEntity

      • id. This is the Relying Party ID, e.g. "yourwebapp.example-tenant.com".

      • name. This is the name of the Relying Party.

      • icon. This is the Relying Party logo.

    The following responses are included:

    • 201: FIDO2 Relying Party created.

      The Relying Party UUID (the identifier for this newly created resource) will be returned.

    • 400: Input data errors.

    • 500: Internal error, sub-service failure, server crash.

  • Delete a FIDO2 Relying Party endpoint. A new endpoint has been added for this operation:

    DELETE /fido2-relying-parties/{uuid}

    The following responses are included:

    • 204: Delete operation successful.

    • 400: Input data errors.

    • 404: FIDO2 Relying Party not found.

    • 500: Internal error, sub-service failure, server crash.

  • Query all FIDO2 Relying Parties endpoint. A new endpoint has been added for this operation:

    GET /fido2-relying-parties

    The following responses are included:

    • 200: FIDO2 Relying Parties retrieved successfully.

    • 400: Input data errors.

    • 500: Internal error, sub-service failure, server crash.

  • Retrieve a specific FIDO2 Relying Party by ID endpoint. A new endpoint has been added for this operation:

    GET ​/fido2-relying-parties/{uuid}

    The following responses are included:

    • 200: FIDO2 Relying Parties retrieved successfully.

    • 400: Input data errors.

    • 404: FIDO2 Relying Party not found.

    • 500: Internal error, sub-service failure, server crash.

  • Set a FIDO2 Relying Party as default endpoint. A new endpoint has been added for this operation:

    POST /fido2-relying-parties/{uuid}/make-default

    The following responses are included:

    • 204: Make default operation successful.

    • 400: Input data errors.

    • 404: FIDO2 Relying Party not found.

    • 500: Internal error, sub-service failure, server crash.

  • Update a FIDO2 Relying Party endpoint. A new endpoint has been added for this operation:

    PATCH /fido2-relying-parties/{uuid}

    The following responses are included:

    • 200: FIDO2 Relying Party update successful.

    • 400: Input data errors.

    • 404: FIDO2 Relying Party not found.

    • 500: Internal error, sub-service failure, server crash.

For more information on the FIDO2 Self-Service Onboarding feature for the Sandbox environment, see FIDO2 in the Sandbox environment.

For more information on the FIDO2 Self-Service Onboarding feature for the Production environment, see FIDO2 in the Production environment.
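The following example, added here and not OneSpan's own code, builds the request body for POST /fido2-relying-parties and checks each origin against the Relying Party ID before the request is sent. The origin rule applied is the general WebAuthn one (an https origin whose host is the RP ID or a subdomain of it), which goes slightly beyond the single example value in the text; the icon URL, web app name and origins are constructed sample values.

```python
"""Build and sanity-check a FIDO2 Relying Party creation body.

Example code added to these release notes; not OneSpan's own code.
Assumed: the documented body shape (origins, publicKeyCredentialRpEntity
with id/name/icon) and the WebAuthn origin rule (https origin whose host
equals the RP ID or is a subdomain of it). Sample values are constructed.
"""
from __future__ import annotations

import json
from urllib.parse import urlsplit


def origin_matches_rp_id(origin: str, rp_id: str) -> bool:
    """True if `origin` is an https origin whose host is rp_id or a
    subdomain of it. A FIDO2 server only accepts assertions from such
    origins, so anything else in `origins` is a misconfiguration."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.hostname:
        return False
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False  # an origin carries no path, query or fragment
    host = parts.hostname.lower()
    rp = rp_id.lower()
    # "evil-yourwebapp.example-tenant.com" must not pass: require a dot boundary.
    return host == rp or host.endswith("." + rp)


def build_relying_party_body(rp_id: str, name: str, icon: str, origins: list) -> dict:
    """Return the JSON body for POST /fido2-relying-parties, rejecting
    origins that do not belong to the RP ID so the server's 400 is not
    the first place the mistake shows up."""
    if not origins:
        raise ValueError("at least one origin is required")
    bad = [o for o in origins if not origin_matches_rp_id(o, rp_id)]
    if bad:
        raise ValueError(f"origins not valid for RP ID {rp_id!r}: {bad}")
    return {
        "origins": list(origins),
        "publicKeyCredentialRpEntity": {"id": rp_id, "name": name, "icon": icon},
    }


if __name__ == "__main__":
    # Constructed sample values for a hypothetical tenant web app.
    body = build_relying_party_body(
        "yourwebapp.example-tenant.com",
        "Your Web App",
        "https://www.yourwebapp.example-tenant.com/logo.png",
        ["https://www.yourwebapp.example-tenant.com"],
    )
    print(json.dumps(body, indent=2))
```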

Unlock hardware authenticator via API call

When a user enters too many incorrect PINs into a hardware authenticator, the authenticator is locked. With the new feature, Intelligent Adaptive Authentication now supports unlocking the authenticator via the OneSpan Trusted Identity platform API. To unlock the authenticator, you must send the unlock challenge that the authenticator generates when it is next turned on after being locked.

  • Unlock device endpoint. A new endpoint has been added for this unlock operation:

    POST /authenticators/{serialNumber}/applications/{applName}/unlock

    This endpoint accepts an UnlockChallengeInput payload and returns an UnlockCodeOutput.

    The following responses are included:

    • 200: Unlock completed successfully, unlock code generated and returned in response.

    • 400: The input is invalid.

    • 404: Authenticator or application not found.

    • 409: The authenticator unlock challenge is invalid.

    • 500: Internal error, sub-service failure, server crash.

Validity period of Activation Message 1 is configurable

The validity period of Activation Message 1 can now be shortened for Intelligent Adaptive Authentication. The default value of the activation message validity parameter can be lowered for the following policies:

  • Identikey Administration Logon

  • TID Provisioning for Multi-Device Licensing

Contact OneSpan Support to change this configuration.

For more information about this policy parameter and its default value, see Identikey Administration Logon (Policy) and TID Provisioning for Multi-Device Licensing (Policy).

Fixes and other changes

Issue OAS-10844 (Support Case CS0067585): Incorrect title parameter shown for generate-secure-challenge endpoint

The POST /users/{userID@domain}/generate-secure-challenge endpoint displays an incorrect message for the title parameter.

Status: This issue has been fixed.

Issue OAS-12509: Performance bottleneck in Intelligent Adaptive Authentication web services

Further fixes have been implemented to remove the performance bottleneck in the Intelligent Adaptive Authentication SOAP client library for the common Java web services. This allows handling a higher number of simultaneous requests without performance impairments.

Status: The new SOAP client library has now also been implemented for the services governing the following scenarios:

  • Authenticator management

  • Authenticator provisioning and activation

  • Authenticator and authenticator application administration

  • Workflows involving secure challenge requests for authentication and signature operations

  • Transaction validation requests

  • User account management

Issue OAS-14514: Orchestration SDK clients not receiving server error messages

If a mobile application is using the Orchestration SDK integrated with the OneSpan Trusted Identity platform, the onOrchestrationServerError() callback method is in many cases not invoked. This may lead to server error messages not being conveyed to the client app.

Status: This issue has been fixed. The onOrchestrationServerError() callback method is now fully supported by the OneSpan Trusted Identity platform. In case of a server-side error, the callback method will be invoked by the Orchestration SDK, and the server error message will be available to the client app via the field readableMessage.

Issues OAS-14647–OAS-14651: Fixed vulnerabilities

This version of Intelligent Adaptive Authentication contains fixes for the following vulnerabilities:

  • CVE-2021-45046 (Log4shell vulnerability)

  • CVE-2021-44228 (Log4shell vulnerability)

  • CVE-2021-31805 (Apache Struts vulnerability)

  • CVE-2021-27568 (exception that is thrown from a function is not caught)

  • CVE-2019-20445 (HttpObjectDecoder.java in Netty)

  • CVE-2019-20444 (HttpObjectDecoder.java in Netty)

  • CVE-2019-17495 (CSS injection vulnerability)

Issue OAS-15107: Incorrect serial number returned by the userregister (v1) and (v2) microservices

The userregister (v1) and (v2) microservices may return a serial number of a different authenticator type during authenticator registration and activation. This issue occurs if the following applies:

  • a serial number is not specified in the payload, and

  • an authenticator type is specified for offline multi-device licensing (MDL)

Status: This issue has been fixed.

Orchestration SDK—supported versions

Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:

  • 5.5.1

  • 5.4.4

  • 5.4.2

  • 5.4.0

  • 5.3.1

  • 5.3.0

  • 5.2.0

  • 5.0.2

  • 4.24.4

  • 4.24.2

  • 4.23.0

  • 4.21.1

  • 4.20.2

  • 4.19.3

