December Release – 22.R4

With the FIDO2 Automatic Onboarding feature, you can use FIDO2-based functionalities with OneSpan Cloud Authentication for the Sandbox environment without any manual configuration. To be able to use this feature, you have to create a new tenant in the Community Portal, and FIDO2 will be automatically configured to work with the FIDO2 Sample Relying Party Web App.

For more information on the FIDO2 Automatic Onboarding feature for the Sandbox environment, see FIDO2 in the Sandbox environment.

With the FIDO2 Self-Service Onboarding feature, you can configure FIDO2 by using the OneSpan Trusted Identity platform REST API endpoints for managing Relying Party Resources. In addition, you can enable the FIDO2-based functionalities with OneSpan Cloud Authentication for the Sandbox and Production environments.

• Create a new FIDO2 Relying Party endpoint. A new FIDO2 Relying Party Resource can be created by calling the following endpoint:

  POST ​/fido2-relying-parties

  with the following mandatory request body:

  • origins. Set of valid origins matching the Relying Party ID, e.g. ["https://www.yourwebapp.example-tenant.com"].

  • publicKeyCredentialRpEntity

    • id. This is the Relying Party ID, e.g. "yourwebapp.example-tenant.com".

    • name. This is the name of the Relying Party.

    • icon. This is the Relying Party logo.

  The following responses are included:

  • 201: FIDO2 Relying Party created.

    The Relying Party UUID (the identifier for this newly created resource) will be returned.

  • 400: Input data errors.

  • 500: Internal error, sub-service failure, server crash.

• Delete a FIDO2 Relying Party endpoint. A new endpoint has been added for this operation:

  DELETE ​/fido2-relying-parties​/{uuid}

  The following responses are included:

  • 204: Delete operation successful.

  • 400: Input data errors.

  • 404: FIDO2 Relying Party not found.

  • 500: Internal error, sub-service failure, server crash.

• Query all FIDO2 Relying Parties endpoint. A new endpoint has been added for this operation:

  GET ​/fido2-relying-parties

  The following responses are included:

  • 200: FIDO2 Relying Parties retrieved successfully.

  • 400: Input data errors.

  • 500: Internal error, sub-service failure, server crash.

• Retrieving a specific FIDO2 Relying Party by ID endpoint. A new endpoint has been added for this operation:

  GET ​/fido2-relying-parties/{uuid}

  The following responses are included:

  • 200: FIDO2 Relying Parties retrieved successfully.

  • 400: Input data errors.

  • 404: FIDO2 Relying Party not found.

  • 500: Internal error, sub-service failure, server crash.

• Set a FIDO2 Relying Party as default endpoint. A new endpoint has been added for this operation:

  POST /fido2-relying-parties/{uuid}/make-default

  The following responses are included:

  • 204: Make default operation successful.

  • 400: Input data errors.

  • 404: FIDO2 Relying Party not found.

  • 500: Internal error, sub-service failure, server crash.

• Updating a FIDO2 Relying Party endpoint. A new endpoint has been added for this operation:

  PATCH ​/fido2-relying-parties​/{uuid}

  The following responses are included:

  • 200: FIDO2 Relying Party update successful.

  • 400: Input data errors.

  • 404: FIDO2 Relying Party not found.

  • 500: Internal error, sub-service failure, server crash.

For more information on the FIDO2 Self-Service Onboarding feature for the Sandbox environment, see FIDO2 in the Sandbox environment.

For more information on the FIDO2 Self-Service Onboarding feature for the Production environment, see FIDO2 in the Production environment.

When a user enters too many incorrect PINs into a hardware authenticator, the authenticator is locked. With the new feature, OneSpan Cloud Authentication now supports unlocking the authenticator via the OneSpan Trusted Identity platform API. To unlock the authenticator, it is necessary to send an unlocking challenge that will be generated when the authenticator is next turned on after it has been locked.

• Unlock device endpoint. A new endpoint has been added for this unlock operation:

  POST /authenticators/{serialNumber}/applications/{applName}/unlock

  This endpoint accepts UnlockChallengeInput as payload.

  This endpoint creates UnlockCodeOutput as output.

  The following responses are included:

  • 200: Unlock completed successfully, unlock code generated and returned in response.

  • 400: The input is invalid.

  • 404: Authenticator or application not found.

  • 409: The authenticator unlock challenge is invalid.

  • 500: Internal error, sub-service failure, server crash.

The validity period of Activation Message 1 can now be shortened for OneSpan Cloud Authentication. The default value of the activation message validity parameter can be lowered for the following policies:

• Identikey Administration Logon

• TID Provisioning for Multi-Device Licensing

Contact OneSpan Support to change this configuration.

For more information about this policy parameter and its default value, see Identikey Administration Logon (Policy) and TID Provisioning for Multi-Device Licensing (Policy).

The POST /users/{userID@domain}/generate-secure-challenge endpoint displays an incorrect message for the title parameter.

Status: This issue has been fixed.

Further fixes have been implemented to remove the performance bottleneck in the OneSpan Cloud Authentication SOAP client library for the common Java web services. This allows handling a higher number of simultaneous requests without performance impairments.

Status: The new SOAP client library has now also been implemented for the services governing the following scenarios:

• Authenticator management

• Authenticator provisioning and activation

• Authenticator and authenticator application administration

• Workflows involving secure challenge requests for authentication and signature operations

• Transaction validation requests

• User account management

If a mobile application is using the Orchestration SDK integrated with the OneSpan Trusted Identity platform, the onOrchestrationServerError() callback method is in many cases not invoked. This may lead to server error messages not being conveyed to the client app.

Status: This issue has been fixed. The onOrchestrationServerError() callback method is now fully supported by the OneSpan Trusted Identity platform. In case of a server-side error, the callback method will be invoked by the Orchestration SDK, and the server error message will be available to the client app via the field readableMessage.

This version of OneSpan Cloud Authentication contains fixes for the following vulnerabilities:

• CVE-2021-45046 (Log4shell vulnerability)

• CVE-2021-44228 (Log4shell vulnerability)

• CVE-2021-31805 (Apache Struts vulnerability)

• CVE-2021-27568 (exception that is thrown from a function is not caught)

• CVE-2019-20445 (HttpObjectDecoder.java in Netty)

• CVE-2019-20444 (HttpObjectDecoder.java in Netty)

• CVE-2019-17495 (CSS injection vulnerability)

The userregister (v1) and (v2) microservices may return a serial number of a different authenticator type during authenticator registration and activation. This issue occurs if the following applies:

• a serial number is not specified in the payload, and

• an authenticator type is specified for offline multi-device licensing (MDL)

Status: This issue has been fixed.