Intelligent Adaptive Authentication November Release – 24.R2
  • 13 Dec 2024


Deprecated or removed components and services

Orchestration error handling with orchestration-commands endpoint

Orchestration error handling with the POST /orchestration-commands endpoint is deprecated and will be removed in 2025.

New features and enhancements—supported use cases

Improved failover behavior in microservices

To improve the failover behavior in Intelligent Adaptive Authentication, all microservices that were still running on the standard MySQL driver have been migrated to the Amazon Web Services (AWS) Advanced JDBC Wrapper. As a result, Intelligent Adaptive Authentication now detects the unavailability of a database management system faster and switches to the failover instance sooner.

Updated security HTTP headers

The security HTTP headers returned by Intelligent Adaptive Authentication API calls have been updated to harden the responses. If any of these headers breaks an existing customer integration, contact OneSpan Support.

Improved error handling in orchestration with new microservice and endpoint

Previously, Orchestration in Intelligent Adaptive Authentication returned very generic error responses. To provide unambiguous, well-defined error messages, a new Trusted Device microservice has been created that returns more specific responses. This microservice is exposed via the new POST /orchestration-commands-v2 endpoint.

Orchestration error handling with POST /orchestration-commands is deprecated and will be removed in 2025.

The error responses generated by this endpoint include the following:

Orchestration command error response payload

  • readableMessage

  • customPayload

  • errorType

  • flowType

  • previousCommandType

  • commandSessioId

Client error callback payload

  • readableMessage

  • customPayload

These payloads and their fields already existed before this feature; what is new is that POST /orchestration-commands-v2 populates them with more specific values.

To process the error messages with the new service and endpoint, you must use Orchestration SDK client version 4.24.0 or later.

See also the following:

Authenticator management for FIDO

With a new API to query FIDO authenticators, Intelligent Adaptive Authentication now offers consolidated management of FIDO authenticator registrations for both FIDO2 and FIDO UAF: update and deletion operations are unified for authenticators registered with either protocol.

To implement this feature, the registration of FIDO UAF- and FIDO2-based authenticators has been extended. During registration, users can provide a customized registration name (registration alias). If none is provided, Intelligent Adaptive Authentication derives the alias from the description in the relevant authenticator metadata. Intelligent Adaptive Authentication also generates a unique ID for each registration, which can be used in queries that list FIDO-based authenticators.

With the implementation of this new feature, FIDO-based authenticators can now be listed by the following parameters:

  • registration ID

  • registration name (alias)

  • registration type

    This can be FIDO2 or UAF11, as applicable.

  • registration time

  • KeyID

  • AAID

  • userID@domain

With this, administrators can query Intelligent Adaptive Authentication for a specific user or for all users, list their authenticators by registration type, and update, deregister, or delete specific authenticator registrations. End users can also list their own authenticators to see which ones they have registered.

The existing functionality to delete FIDO UAF-only registrations has not been changed and will continue to be available.

The new FIDO authenticator management has also been integrated into the FIDO2 Bank Demo Web App:

  • A new page, Manage Registrations, has been added.

    This page displays a list of existing registrations and offers the options to register authenticators, update, and delete registrations. It also provides an additional field with the option to add an alias.

  • In the login screen, the Add additional Authenticator button has been replaced with the Manage Registrations button, leading to the new Manage Registrations page.

For more information on this feature in the demo web app, see FIDO2 Bank Demo Web App; for more information on how to integrate the new functionality, see Management of FIDO authenticators.

  • Query Intelligent Adaptive Authentication for FIDO registrations. To find FIDO authenticator registrations for a specific user or for all users, optionally restricted to one registration type, call the following endpoint:

    GET /fido-registrations

    This endpoint accepts userName and registrationType as query parameters.

    • The responses for this endpoint include the following:

      • 200: Registrations returned.

      • 400: The input is invalid.

      • 500: Internal error, sub service failure, server crash.

  • Update a FIDO registration. To change the customized registration name, call the following endpoint:

    PATCH /fido-registrations/{registrationID}

    This endpoint accepts registrationID as path parameter and registrationName (the alias) in the request body.

    • The responses for this endpoint include the following:

      • 200: FIDO registration update successful.

      • 400: The input is invalid.

      • 404: FIDO registration not found.

      • 500: Internal error, sub service failure, server crash.

  • Delete registrations. To deregister and/or delete registrations, call the following endpoint:

    DELETE /fido-registrations/{registrationID}

    This endpoint accepts registrationID as path parameter.

    • The responses for this endpoint include the following:

      • 204: Delete operation successful.

      • 400: The input is invalid.

      • 404: FIDO registration not found.

      • 500: Internal error, sub service failure, server crash.
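The three endpoints above, exercised end to end. This is an added example, not OneSpan code: the paths, query parameters, path parameter, PATCH field and status codes are the ones listed in these release notes, while the host, the bearer-token header, the response shape (a JSON list of registration objects) and the sample registrations are assumptions. An in-memory transport stands in for the API so the block runs offline; to talk to a real tenant, replace it with a function that performs the HTTP call and returns (status, decoded JSON).

```python
# Added example (not OneSpan code): a small client for the 24.R2 FIDO
# registration-management endpoints, with an in-memory stand-in for the API
# so it runs offline. Host, bearer token, the response shape (a JSON list of
# registration objects) and the sample registrations are assumptions.
from copy import deepcopy
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit

VALID_REGISTRATION_TYPES = {"FIDO2", "UAF11"}  # registrationType values named on the page
# (method, url, headers, json_body) -> (http_status, decoded_json_or_None)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, object]]


class FidoRegistrationError(Exception):
    """Any status the endpoints document as an error (400, 404, 500)."""

    def __init__(self, status: int, body: object):
        super().__init__(f"HTTP {status}: {body}")
        self.status, self.body = status, body


@dataclass
class FidoRegistrationClient:
    base_url: str
    token: str
    transport: Transport

    def _call(self, method: str, path: str, body: Optional[dict] = None, ok=(200,)):
        headers = {"Authorization": f"Bearer {self.token}", "Accept": "application/json"}
        status, resp = self.transport(method, self.base_url + path, headers, body)
        if status not in ok:
            raise FidoRegistrationError(status, resp)
        return resp

    def list_registrations(self, user_name: Optional[str] = None,
                           registration_type: Optional[str] = None) -> List[dict]:
        """GET /fido-registrations filtered by userName and/or registrationType."""
        if registration_type is not None and registration_type not in VALID_REGISTRATION_TYPES:
            raise ValueError(f"registrationType must be one of {sorted(VALID_REGISTRATION_TYPES)}")
        params = {k: v for k, v in (("userName", user_name), ("registrationType", registration_type)) if v}
        return self._call("GET", "/fido-registrations" + ("?" + urlencode(params) if params else ""))

    def rename_registration(self, registration_id: str, alias: str) -> dict:
        """PATCH /fido-registrations/{registrationID} with the new registrationName (alias)."""
        if not alias.strip():
            raise ValueError("alias must not be blank")
        return self._call("PATCH", "/fido-registrations/" + quote(registration_id, safe=""),
                          {"registrationName": alias})

    def delete_registration(self, registration_id: str) -> bool:
        """DELETE /fido-registrations/{registrationID}: 204 on success, 404 if unknown."""
        self._call("DELETE", "/fido-registrations/" + quote(registration_id, safe=""), ok=(204,))
        return True


# Constructed sample registrations carrying the fields listed on the page.
SAMPLE_REGISTRATIONS = {
    "reg-001": {"registrationID": "reg-001", "registrationName": "Work laptop", "registrationType": "FIDO2",
                "registrationTime": "2024-11-02T09:14:00Z", "keyID": "k-1", "aaid": None, "userID@domain": "alice@corp"},
    "reg-002": {"registrationID": "reg-002", "registrationName": "Mobile app", "registrationType": "UAF11",
                "registrationTime": "2024-11-05T16:40:00Z", "keyID": "k-2", "aaid": "0012#0034", "userID@domain": "alice@corp"},
    "reg-003": {"registrationID": "reg-003", "registrationName": "Desk key", "registrationType": "FIDO2",
                "registrationTime": "2024-11-07T08:02:00Z", "keyID": "k-3", "aaid": None, "userID@domain": "bob@corp"},
}


def make_fake_transport(store: Dict[str, dict]) -> Transport:
    """Offline stand-in for the API that returns the status codes the release notes document."""
    def transport(method, url, headers, body):
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"message": "missing credentials"}
        parts = urlsplit(url)
        segs = parts.path.strip("/").split("/")
        if segs[0] != "fido-registrations" or len(segs) > 2:
            return 404, {"message": "not found"}
        if len(segs) == 1:  # collection: GET /fido-registrations
            if method != "GET":
                return 405, {"message": "method not allowed"}
            q = dict(parse_qsl(parts.query))
            rtype = q.get("registrationType")
            if rtype is not None and rtype not in VALID_REGISTRATION_TYPES:
                return 400, {"message": "The input is invalid."}
            return 200, [r for r in store.values()
                         if (not q.get("userName") or r["userID@domain"] == q["userName"])
                         and (rtype is None or r["registrationType"] == rtype)]
        reg_id = unquote(segs[1])  # item: PATCH/DELETE /fido-registrations/{registrationID}
        reg = store.get(reg_id)
        if reg is None:
            return 404, {"message": "FIDO registration not found."}
        if method == "PATCH":
            if not isinstance(body, dict) or not str(body.get("registrationName", "")).strip():
                return 400, {"message": "The input is invalid."}
            reg["registrationName"] = body["registrationName"]
            return 200, reg
        if method == "DELETE":
            del store[reg_id]
            return 204, None
        return 405, {"message": "method not allowed"}
    return transport


def build_demo_client() -> Tuple[FidoRegistrationClient, Dict[str, dict]]:
    """Client bound to a fresh copy of the sample store (host and token are hypothetical)."""
    store = deepcopy(SAMPLE_REGISTRATIONS)
    return FidoRegistrationClient("https://iaa.example.test", "demo-token", make_fake_transport(store)), store
```

The client validates registrationType before sending, so a typo is caught locally instead of as a 400 round trip, and it URL-encodes the registration ID in the path so an ID containing reserved characters cannot alter the route. A 404 on DELETE is surfaced as an exception rather than swallowed; callers that want idempotent cleanup should catch FidoRegistrationError and check status == 404.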

1-step Challenge/Response authentications with custom challenge

Intelligent Adaptive Authentication now supports custom challenges for signing transactions. For 1-step Challenge/Response authentications, the client application generates a custom challenge, which is displayed to the user on the login page. The user enters it into their authenticator and then enters the response, e.g., an OTP, on the login page.

The POST /users/{userID@domain}/login and POST /users/{userID@domain}/events/validate endpoints have been extended with a new field, challenge, that carries the custom challenge. The challenge must be a string of numeric or hexadecimal characters with a maximum length of 17 characters.
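Because the client application generates the challenge itself, two things matter beyond the format rule: the challenge must be unpredictable, and the response must only be accepted against the challenge that was actually issued for that login session, once. The block below is an added example, not OneSpan code. The 17-character limit and the numeric-or-hexadecimal alphabet are taken from the release notes; the default length of 8, case-insensitive hex, the single-use store with a time-to-live, and the credentials.passKey placeholder in the request body are assumptions for this example.

```python
# Added example (not OneSpan code): generating, storing and validating a
# custom challenge for 1-step Challenge/Response. Only the 'challenge' field
# and its format (1..17 numeric or hex characters) come from the release
# notes; length 8, case-insensitive hex, the TTL store and 'credentials.passKey'
# are assumptions.
import re
import secrets
import time
from typing import Callable, Dict, Tuple

CHALLENGE_MAX_LEN = 17
_CHALLENGE_RE = re.compile(r"[0-9A-Fa-f]{1,17}")  # numeric challenges are a subset of hex
_ALPHABETS = {True: "0123456789", False: "0123456789ABCDEF"}


def is_valid_challenge(challenge: object) -> bool:
    """True if the value may be sent in the new 'challenge' field."""
    return isinstance(challenge, str) and _CHALLENGE_RE.fullmatch(challenge) is not None


def new_challenge(length: int = 8, numeric_only: bool = True) -> str:
    """Unpredictable challenge; numeric_only suits authenticators with a digit keypad."""
    if not 1 <= length <= CHALLENGE_MAX_LEN:
        raise ValueError(f"length must be between 1 and {CHALLENGE_MAX_LEN}")
    alphabet = _ALPHABETS[numeric_only]
    return "".join(secrets.choice(alphabet) for _ in range(length))


class ChallengeStore:
    """Binds each challenge to one login session: single use, with a time-to-live.

    Without this, a caller could submit a response for a challenge the client
    application never issued for that session, or replay an old one.
    """

    def __init__(self, ttl_seconds: float = 120.0, now: Callable[[], float] = time.monotonic):
        self._issued: Dict[str, Tuple[str, float]] = {}
        self._ttl = ttl_seconds
        self._now = now  # injectable clock, so expiry can be tested deterministically

    def issue(self, session_id: str, numeric_only: bool = True) -> str:
        challenge = new_challenge(numeric_only=numeric_only)
        self._issued[session_id] = (challenge, self._now() + self._ttl)
        return challenge

    def consume(self, session_id: str, challenge: str) -> bool:
        """Accept once, then forget; rejects expired, reused or never-issued values."""
        entry = self._issued.pop(session_id, None)
        if entry is None:
            return False
        issued, expires_at = entry
        return self._now() <= expires_at and secrets.compare_digest(issued, challenge)


def build_login_body(store: ChallengeStore, session_id: str, challenge: str,
                     otp_response: str) -> dict:
    """Body for POST /users/{userID@domain}/login carrying the custom challenge.

    'challenge' is the field named in the release notes; 'credentials.passKey'
    is an assumed placeholder for the response the user typed back.
    """
    if not is_valid_challenge(challenge):
        raise ValueError("challenge must be 1 to 17 numeric or hexadecimal characters")
    if not store.consume(session_id, challenge):
        raise PermissionError("challenge was not issued for this session, or has expired or been used")
    return {"challenge": challenge, "credentials": {"passKey": otp_response}}
```

The format check is deliberately applied to the value you are about to send, not only to the value you generated: if the challenge passes through a form field on its way back, trimming and validating it here is what keeps a malformed value from reaching the endpoint as a 400.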

Fixes and other changes

Issue OAS-9099 (Support case CS0061534): Signature validation uses incorrect authenticator application and succeeds

In environments where more than one signature authenticator application is in use, the signature validation operation could process the request with the wrong authenticator application and still report the signature as valid.

Consider an authenticator with two signature applications: SG1, which accepts exactly one data field, and SG2, which accepts two. Now assume that a user attempts a transaction signature validation for a business application that requires two data fields, but mistakenly selects the application that accepts only one. The validation could still succeed, because SG1 was used to process the request and the second data field was silently ignored.

Status: This issue has been fixed. Data field handling for performing a signature validation has been improved. Now, any authenticator application that cannot process as many data fields as required by the request will be ignored.

Issue OAS-11826 (Support Cases CS0041100, CS0029614): Concurrent authenticator updates can corrupt authenticator BLOB data

Unassigning an authenticator, or moving a user account with assigned authenticators, while certain other operations are in progress can corrupt the authenticator BLOB data. The issue is rare: it requires another operation that changes the BLOB data, e.g. generating a virtual signature, to run almost concurrently with the unassign or move operation.

Status: This issue has been fixed. The update query has been improved. The unassign or move operation now fails with the error message "Database update failed attempting to update a digipass application record", but the BLOB data remains intact.

Issue OAS-20433 (Support Cases CS0141131/INC0012611): Signature validation fails

When more than one cryptographic application is available, signature validation could fail. By default, the Authentication component always uses the first appropriate application for validation; if a different application had been used to produce the signature, validation returned an error.

To enable the selection of which application to use for response validation, the following optional parameters have been added to the POST /users/{userID@domain}/generate-secure-challenge and POST /users/{userID@domain}/generate-signing-request endpoints:

  • cryptoAppIndex

    Index of the authenticator application to be used for response validation.

  • cryptoAppName

    Name of the authenticator application to be used for response validation.

These two parameters are mutually exclusive!
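The OAS-9099 and OAS-20433 fixes above describe two rules a client should also respect: an application that cannot process as many data fields as the request carries must not be used, and exactly one of cryptoAppIndex or cryptoAppName may be sent. The block below is an added example, not OneSpan code. The applications SG1 and SG2 and their field capacities are constructed from the OAS-9099 scenario, and dataFields as the body key is an assumption; cryptoAppIndex, cryptoAppName and their mutual exclusion are as documented here.

```python
# Added example (not OneSpan code): selecting the authenticator application
# for a signing request. SG1/SG2 and max_data_fields are constructed from the
# OAS-9099 scenario; 'dataFields' is an assumed body key. cryptoAppIndex /
# cryptoAppName and their mutual exclusion are as documented for 24.R2.
from dataclasses import dataclass
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class CryptoApp:
    index: int
    name: str
    max_data_fields: int  # how many data fields the application can sign over


def eligible_apps(apps: Sequence[CryptoApp], required_fields: int) -> List[CryptoApp]:
    """Applications able to process every data field the request carries.

    This is the rule the OAS-9099 fix applies server-side: an application that
    accepts fewer fields than supplied is ignored rather than silently used.
    """
    return [a for a in apps if a.max_data_fields >= required_fields]


def build_signing_request(data_fields: Sequence[str], *, crypto_app_index: Optional[int] = None,
                          crypto_app_name: Optional[str] = None) -> dict:
    """Body for POST /users/{userID@domain}/generate-signing-request."""
    if crypto_app_index is not None and crypto_app_name is not None:
        raise ValueError("cryptoAppIndex and cryptoAppName are mutually exclusive")
    if not data_fields:
        raise ValueError("at least one data field is required")
    body: dict = {"dataFields": list(data_fields)}
    if crypto_app_index is not None:
        body["cryptoAppIndex"] = crypto_app_index
    if crypto_app_name is not None:
        body["cryptoAppName"] = crypto_app_name
    return body


def signing_request_for(apps: Sequence[CryptoApp], data_fields: Sequence[str]) -> dict:
    """Pin the application that can handle all fields, so validation uses the same one.

    Relying on the server default (first appropriate application) is what OAS-20433
    describes as failing when the signature was made with a different application.
    """
    candidates = eligible_apps(apps, len(data_fields))
    if not candidates:
        raise ValueError(f"no application accepts {len(data_fields)} data fields")
    return build_signing_request(data_fields, crypto_app_name=candidates[0].name)


# Constructed authenticator with the two applications from the OAS-9099 scenario.
DEMO_APPS = (CryptoApp(1, "SG1", 1), CryptoApp(2, "SG2", 2))
```

With one data field both SG1 and SG2 are eligible and the first one wins, which is the pre-fix default; with two fields only SG2 qualifies, and pinning it by name removes the ambiguity on the validation side.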

Issue OAS-20464: Fixed vulnerabilities

This version of Intelligent Adaptive Authentication contains fixes for the following vulnerabilities:

  • CVE-2023-42363 (BusyBox vulnerability)

  • CVE-2023-42366 (BusyBox vulnerability)

  • CVE-2024-2511 (OpenSSL vulnerability)

  • CVE-2024-4603 (OpenSSL vulnerability)

  • CVE-2024-25062 (libxml2 vulnerability)

  • CVE-2024-28757 (Expat vulnerability)

  • CVE-2024-34459 (libxml2 vulnerability)

Issue OAS-20681 (Support Case INC0012894): Push Notification on iOS not working properly

On iOS deployments, push notifications did not work properly. The Apple Push Notification service (APNs) API host name was being resolved to an IPv6 address, which the Intelligent Adaptive Authentication infrastructure does not support.

Status: This issue has been fixed. The Push Notification service now prioritizes IPv4 host name resolution.

Issue OAS-20893 (Support Case INC0012943): Input in CDDC data fields optional

The input validation for some CDDC data fields has been changed.

As of version 24.R2, the fingerprintRaw and fingerprintHash CDDC input data fields are optional. This applies to the following endpoints:

Issue OAS-20971 (Support Case INC0012977): Incorrect session timeout error message

For a session timeout, Intelligent Adaptive Authentication provided an incorrect error message. This was caused by a misalignment of session timeouts between Intelligent Adaptive Authentication and the Authentication component.

Status: This issue has been fixed. The value of the Intelligent Adaptive Authentication session timeout has been changed to be larger than the session timeout value of the Authentication component.

Issue OAS-21060: Misleading error response when unlocking an authenticator

Intelligent Adaptive Authentication returned the same error response for two different errors. The POST /authenticators/{serialNumber}/applications/{applName}/unlock endpoint returned 409 - Invalid unlock challenge both when the challenge was incorrect and when the authenticator did not support the unlock function.

Status: This issue has been fixed. When the authenticator does not support the unlock function, Intelligent Adaptive Authentication now returns the error message 409 - Unlock Function Not Supported.

Issue OAS-21967 (Support Case INC0013056): Database failover error

An incorrectly handled failover caused a general restart with the result that Intelligent Adaptive Authentication was not operative for a few minutes.

Status: This issue has been fixed. Failovers are now handled faster and correctly.

Issue OAS-21770: Audit logs occasionally absent for Push Notification

Audit logger entries were occasionally absent for certain instances of the Push Notification flow. When a connection timeout occurred between the push and audit services, Intelligent Adaptive Authentication did not display the corresponding error message.

Status: This issue has been fixed. Now, in the event of a timeout, the correct error message from the audit logger is displayed for the Push Notification flow.

Issue OAS-22660 (Support Case INC0013360): Timeout causes push notifications to fail

When the Message Delivery Component (MDC) contacts the Push Notification service and encounters a timeout, it aborts the current request call and blocks further calls for 10 seconds, regardless of the validity of any of these calls. In addition, the timeout value for the Apple Push Notification service (APNs) cannot be configured at all.

Status: This issue has been fixed. The push notification flow handled via the APNs has been adapted, and OneSpan can now configure this timeout value to prevent notification failures on all platforms.

Issue OAS-22862: Duplicated/missing users caused by blank spaces in user name

When a user name includes either a leading or trailing blank space, this leads to duplicated or missing entries for that user in the database.

Status: This issue has been fixed. User name validation has been implemented in the following Intelligent Adaptive Authentication endpoints:

In addition, Intelligent Adaptive Authentication now returns error message [400 The input is invalid.] if the user name includes leading or trailing blank spaces.

Issue OAS-22923: FIDO2 login fails on Apple Mac

When a user logs in to the MyBank Demo app from an Apple Mac computer with Touch ID, registration with Touch ID succeeds but login fails with an internal server error, even though the registration is configured for none attestation. The cause is that Apple Mac computers return a valid aaguid value even when none attestation has been requested, while Intelligent Adaptive Authentication skips policy validation for none-attestation registrations.

Status: This issue has been fixed. The implementation of the FIDO2 registration has been adjusted to always store a zero-value in the registration record when none attestation is used.

Issue OAS-24633 (Support Case INC0013915): Failed requests due to long response times

Different requests failed and services were not available due to disconnected clients. The reason for this was that the Check Event service of OneSpan Cloud Authentication waited too long for a response from the Risk Management component which caused the web server environment to run out of available threads for processing new requests. This ultimately led to outages of tenants and OneSpan Cloud Authentication was no longer able to process any requests.

Status: This issue has been fixed. The timeout period between the Check Event service and the Risk Management component has been reduced.

Known issues

Issue OAS-15853: Incorrect error message when transaction amount fields are provided as data type number

The POST /users/{userID@domain}/transactions/validate endpoint returns an incorrect error message if the transaction amount field is provided as data type number and the amount is large. In this case, the endpoint should return the error message "Invalid value type", because the transaction amount field was provided as a number and not as a String. Instead, it returns the incorrect error message "Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,".

Solution: The transaction amount fields in the request body of the transactions/validate endpoint need to be provided as a String. Ensure that the value in the JSON request body is wrapped in double quotes.
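The safe way to honour this is to never let an amount reach the JSON encoder as a number. The block below is an added example, not OneSpan code: it renders amounts as the String the endpoint expects, refuses floats outright (they cannot carry money exactly), and includes a small lint that finds amount fields already sent as JSON numbers in an existing integration. The amount pattern is the one quoted in the error message above; treating every key that ends in "amount" as an amount field is an assumption for this example.

```python
# Added example (not OneSpan code): serialising transaction amounts for
# POST /users/{userID@domain}/transactions/validate as Strings. AMOUNT_RE is
# the pattern quoted in the known-issue error message; the "key ends in
# 'amount'" convention is an assumption for this example.
import json
import re
from decimal import Decimal, InvalidOperation
from typing import List, Union

AMOUNT_RE = re.compile(r"-?[0-9]{1,20}(\.[0-9]{1,3})?")


def amount_to_string(value: Union[str, int, Decimal]) -> str:
    """Return the amount as the String the endpoint expects, or raise."""
    if isinstance(value, (float, bool)):
        # binary floats cannot represent most decimal amounts; refuse rather than round
        raise TypeError("pass amounts as str, int or Decimal, never float")
    try:
        amount = Decimal(value)
    except InvalidOperation as exc:
        raise ValueError(f"not a decimal amount: {value!r}") from exc
    text = format(amount.normalize(), "f")  # plain notation, no exponent, no trailing zeros
    if AMOUNT_RE.fullmatch(text) is None:
        raise ValueError(f"amount {text!r} exceeds 20 integer digits or 3 fraction digits")
    return text


def _is_amount_key(key: str) -> bool:
    return key.lower().endswith("amount")


def build_validate_body(fields: dict) -> str:
    """JSON request body with every amount field rendered as a String."""
    encoded = {k: amount_to_string(v) if _is_amount_key(k) else v for k, v in fields.items()}
    return json.dumps(encoded)


def numeric_amount_fields(raw_json: str) -> List[str]:
    """Lint an existing body: amount fields sent as JSON numbers (the mistake described above)."""
    doc = json.loads(raw_json)
    return sorted(k for k, v in doc.items()
                  if _is_amount_key(k) and isinstance(v, (int, float)) and not isinstance(v, bool))
```

Decimal.normalize() strips trailing zeros and format(..., "f") keeps the result in plain notation, so "1234.500" becomes "1234.5" and never "1.2345E+3"; anything with more than three fraction digits or more than twenty integer digits is rejected client-side with a clear message instead of the misleading server response.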

Orchestration SDK—supported versions

Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:

  • 5.9.0

  • 5.8.1

  • 5.8.0

  • 5.7.0

  • 5.6.4

