OneSpan Cloud Authentication April Release – 25.R1
  • 15 Apr 2025

Article summary

As of version 24.R2, input for the fingerprintRaw and fingerprintHash fields is now optional. The orchestration error handling endpoint is deprecated and will be removed by March 31, 2026. New features include beta support for single sign-on for administrative users and performance improvements through a new service user account type, enhancing administrative command execution. User management for administrative accounts has been expanded, allowing retrieval of specific privileges without contacting support. Additionally, accounts can be reactivated by resetting the last authentication time, and authenticator applications can now be reset. Customization options for activation passwords have been introduced. Several vulnerabilities have been fixed, and issues related to FIDO registration and text message delivery have been addressed. The update also includes country-based text message templates to comply with legal requirements. Known issues and supported versions of the Orchestration SDK are also noted.

Important notice

CDDC data field input optional

As of version 24.R2, the input in the fingerprintRaw and fingerprintHash input data fields is optional. This applies to the following endpoints:

Deprecated or removed components and services

Orchestration error handling with orchestration-commands endpoint

Orchestration error handling with the POST /orchestration-commands endpoint is deprecated and will be removed on 31 March 2026.

New features and enhancements—supported use cases

Single sign-on (in beta testing)

OneSpan Cloud Authentication now supports single sign-on to the Web Administration interface of the Authentication component for your users with administrative permissions.

This feature is currently in beta testing. If you would like to use single sign-on in your implementation, please contact OneSpan.

Performance improvement with new type of internal user account: service user

The way in which OneSpan Cloud Authentication has been executing administrative commands from the Authentication Component sometimes caused performance and latency issues, sometimes even resulting in outages.

We have now improved this by introducing a new type of internal user account, the service user. Service users are a specific set of user accounts that are used for administrative operations within services. This removes the need to handle and cache administrative sessions in the OneSpan Cloud Authentication services.

Retrieve information about your administrative user accounts

The user management for users with administrative privileges has been extended. The output of relevant endpoints now includes information about the specific administrative privileges granted to the account. This allows you to retrieve detailed information about the administrative accounts without having to contact OneSpan Support.

The endpoints for querying, viewing, and updating a user account have been extended:

GET /users

GET /users/{userID@domain}

PATCH /users/{userID@domain}

For information about the format of the output and further details, refer to the Interactive API Reference (Platform API Sandbox).

Reactivate suspended user accounts

A user account can be suspended (become inactive) if it has not been used for a given amount of time. If this happens, the account can be reactivated by resetting the date and time the user last authenticated.

  • Reset last authentication time. A new endpoint has been added to reset a user’s last authentication date and time:

    POST /users/{userID@domain}/reset-last-authentication-time

    The following responses are included:

    • 204: Last authentication time reset.

    • 400: The input is invalid.

    • 403: The command is prohibited for the tenant admin account.

    • 404: User account not found.

    • 500: Internal error, sub-service failure, server crash.

For more information, see Reactivate Suspended User Accounts.

Reset authenticator applications

OneSpan Cloud Authentication now enables you to reset the application(s) of one or more authenticators.

  • Reset authenticator application. A new endpoint has been added to reset an authenticator application:

    POST /authenticators/{serialNumber}/applications/{applName}/reset-application

    The following responses are included:

    • 204: Application reset.

    • 400: The input is invalid.

    • 404: Authenticator or application not found.

    • 409: Application could not be reset.

    • 500: Internal error, sub-service failure, server crash.

Customize the activation password

OneSpan Cloud Authentication now enables you to customize the activation password. You can make the following changes:

  • Select the format of the activation password (the password can now be numeric or alphanumeric)

  • Set the length of the activation password

  • Set a maximum number of allowed provisioning attempts

  • Set the length of the registration identifier

Fixes and other changes

Issue OAS-20854 (Support Case INC0012952): Failure to register several authenticators

When a user has one authenticator assigned, and a second one is added with the DsappSRPRegister command, the registration fails with the following error message: Multiple assigned digipass [2] found for user where only one expected. The cause is that the DsappSRPRegister command does not allow selecting a specific serial number to be used.

Status: This issue has been fixed. The DsappSRPRegister command has been enhanced to allow specifying an authenticator serial number.

Issue OAS-22141, OAS-25765: Fixed vulnerabilities

This version of OneSpan Cloud Authentication contains fixes for the following vulnerabilities:

  • CVE-2023-22102 (Oracle MySQL vulnerability)

  • CVE-2023-42364 (BusyBox vulnerability)

  • CVE-2023-42365 (BusyBox vulnerability)

  • CVE-2024-4741 (OpenSSL vulnerability)

  • CVE-2024-5535 (OpenSSL vulnerability)

  • CVE-2024-6119 (OpenSSL vulnerability)

  • CVE-2024-8096 (cURL vulnerability)

  • CVE-2024-9143 (OpenSSL vulnerability)

  • CVE-2024-21131 (Oracle vulnerability)

  • CVE-2024-21138 (Oracle vulnerability)

  • CVE-2024-21145 (Oracle vulnerability)

Issue OAS-25777: FIDO registration failure on Android

When trying to log in with FIDO2 to an Android application, the registration of the FIDO2 authenticator failed. The reason for this was an incorrectly configured origin field in the relying party object. The main issue, however, was that OneSpan Cloud Authentication did not provide a clear error message.

Status: This issue has been fixed. Origin mismatch errors are now logged with information about the log level, thus providing a more descriptive error message.
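The kind of origin check behind this fix, as an added example (generic WebAuthn logic, not OneSpan code): an Android app presents an `android:apk-key-hash:` origin instead of an `https://` one, so a relying party configured only with its web origin rejects the registration. The certificate bytes, host name and function names are constructed for illustration.

```python
import base64
import hashlib
import json


def b64url_decode(data):
    """Decode base64url text that may lack padding."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def android_origin(signing_cert_der):
    """Origin an Android app presents: base64url SHA-256 of its signing cert."""
    digest = hashlib.sha256(signing_cert_der).digest()
    encoded = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return "android:apk-key-hash:" + encoded


def check_origin(client_data_b64, allowed_origins):
    """Return (ok, message); on mismatch the message names both sides."""
    client_data = json.loads(b64url_decode(client_data_b64))
    origin = client_data.get("origin")
    if origin in allowed_origins:
        return True, "origin accepted"
    return False, (
        f"origin mismatch: clientDataJSON origin {origin!r} "
        f"is not in configured origins {sorted(allowed_origins)}"
    )


# Constructed sample: placeholder certificate bytes and a registration payload.
SAMPLE_ORIGIN = android_origin(b"constructed-signing-certificate")
SAMPLE_CLIENT_DATA = base64.urlsafe_b64encode(json.dumps({
    "type": "webauthn.create",
    "challenge": "Y29uc3RydWN0ZWQ",
    "origin": SAMPLE_ORIGIN,
}).encode()).rstrip(b"=").decode()

if __name__ == "__main__":
    web_only = {"https://login.example.com"}
    print(check_origin(SAMPLE_CLIENT_DATA, web_only))
    print(check_origin(SAMPLE_CLIENT_DATA, web_only | {SAMPLE_ORIGIN}))
```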

Issues OAS-25904, OAS-27304: Country-based templates for text messages

Due to recent changes in legal requirements for the format of text messages in some countries, messaging carriers have applied stricter regulations. As a result, some users who previously received text messages no longer received messages with their one-time passwords, and their payments failed.

To address this issue and meet the stricter text message format requirements, we have implemented a routing table configuration. OneSpan Cloud Authentication now offers text message templates whose content can be customized according to the country of the message recipient.

In this context, vulnerabilities in service dependencies were also fixed.

If you would like to use this feature, please contact OneSpan Support.

Issue OAS-26241: Apple Push Notification message delivery

The Certification Authority (CA) for Apple Push Notification service (APNs) has changed and APNs has updated the server certificates. We have verified the validity of the OneSpan Cloud Authentication Trust Store and ensured it includes the new server certificates.

Known issues

Issue OAS-15853: Incorrect error message when transaction amount fields are provided as data type number

The POST /users/{userID@domain}/transactions/validate endpoint returns an incorrect error message if the transaction amount field is provided as the data type number and the transaction amount is large. In this case, the endpoint should return the error message "Invalid value type", because the transaction amount field was provided as a number and not as a String. Instead, it returns the incorrect error message "Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,".

Solution: The transaction amount fields in the request body of the transactions/validate endpoint need to be provided as a String. Ensure that the value in the JSON request body is wrapped in double quotes.
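A client-side guard for this workaround, as an added example (not OneSpan code): it parses a request body without float rounding, converts amount fields to Strings, and checks them against the pattern read from the error message above. The field names `amount` and `currency` and the function names are hypothetical, and treating the leading `-` and trailing `,` of the quoted message as formatting is an assumption.

```python
import json
import re
from decimal import Decimal

# Pattern taken from the error message quoted in the known issue (assumption:
# the leading "-" and trailing "," in that message are not part of it).
AMOUNT_RE = re.compile(r"^-?[0-9]{1,20}(\.[0-9]{1,3})?$")


def amount_to_string(value):
    """Return the amount as a String matching AMOUNT_RE, or raise ValueError."""
    if isinstance(value, bool) or not isinstance(value, (str, int, Decimal)):
        # float is rejected on purpose: its digits may already be rounded
        raise ValueError(f"unsupported amount type: {type(value).__name__}")
    if isinstance(value, Decimal):
        text = format(value, "f")  # plain notation, never an exponent
    else:
        text = str(value)
    if not AMOUNT_RE.fullmatch(text):
        raise ValueError(f"amount {text!r} does not match {AMOUNT_RE.pattern}")
    return text


def prepare_body(raw_json, amount_fields):
    """Re-serialize a flat JSON body with every amount field as a String."""
    # parse_float=Decimal keeps all digits of large or fractional amounts;
    # any other non-integer number in the body needs its own handling.
    body = json.loads(raw_json, parse_float=Decimal)
    for name in amount_fields:
        if name in body:
            body[name] = amount_to_string(body[name])
    return json.dumps(body)


# Constructed sample body with the amount sent as a JSON number.
SAMPLE_BODY = '{"amount": 12345678901234567890.125, "currency": "EUR"}'

if __name__ == "__main__":
    print(prepare_body(SAMPLE_BODY, ["amount"]))
```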

Orchestration SDK—supported versions

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

  • 5.10.1

  • 5.10.0

  • 5.9.0

  • 5.8.1

  • 5.8.0

  • 5.7.0

  • 5.6.4

