September 2021
  • 21 Oct 2024

New features and enhancements—supported use cases

New FIDO UAF status code field in response body

A new field (uafStatusCode) has been added to the response body of the following FIDO-related endpoints:

For a full list of UAF status codes, refer to the FIDO alliance documentation.

FIDO-based authentication

Intelligent Adaptive Authentication now supports end-user login with FIDO-based authentication. FIDO (Fast IDentity Online) offers frameworks that enable passwordless authentication.

Intelligent Adaptive Authentication supports the latest FIDO Alliance protocols.

This feature is not functional in the sandbox environment.

Login endpoint. The login endpoint has been extended to support FIDO-based authentication requests:

POST /users/{uuid}/login

In the first call, this endpoint now accepts fidoAuthentication as payload, with the following parameters:

  • fidoProtocol

  • userVerification (FIDO2 only)

  • authenticationMessage (FIDO UAF only)

In the second call, this endpoint now accepts credentials as payload, with the following parameter:

  • fidoAuthenticator

The failure responses include:

  • 400: The input is invalid.

  • 403: The command is prohibited for the tenant admin account.

  • 404: The user account was not found.

  • 409: Failed to login user.

  • 500: Unexpected server error.

For more information about this feature and integration instructions, see Intelligent Adaptive Authentication Integration Guide.
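The two-call login flow described above, as an added example (not OneSpan's own code): it builds the first-call fidoAuthentication payload with only the field that is valid for the chosen protocol, the second-call credentials payload, and rejects both the listed HTTP failure codes and a non-OK uafStatusCode. The fidoProtocol literals "FIDO2" and "UAF", the shape of the server's replies and the fake transport are assumptions; the same payload shape is what the events validation endpoint accepts.

```python
from typing import Callable, Dict, Optional, Tuple

# HTTP failure responses listed for POST /users/{uuid}/login.
LOGIN_FAILURES = {
    400: "The input is invalid.",
    403: "The command is prohibited for the tenant admin account.",
    404: "The user account was not found.",
    409: "Failed to login user.",
    500: "Unexpected server error.",
}
UAF_OK = 1200  # FIDO UAF status code meaning "OK" (FIDO Alliance UAF spec)

class FidoLoginError(Exception): pass

def first_call_payload(protocol: str, user_verification: Optional[str] = None,
                       authentication_message: Optional[str] = None) -> Dict:
    """Call 1 payload; the literals "FIDO2"/"UAF" are assumptions, not values from the notes."""
    fido = {"fidoProtocol": protocol}
    if protocol == "FIDO2" and user_verification is not None:
        fido["userVerification"] = user_verification            # FIDO2 only
    if protocol == "UAF" and authentication_message is not None:
        fido["authenticationMessage"] = authentication_message  # FIDO UAF only
    return {"fidoAuthentication": fido}

def second_call_payload(fido_authenticator: Dict) -> Dict:
    """Call 2 payload: the authenticator's signed answer to the challenge from call 1."""
    return {"credentials": {"fidoAuthenticator": fido_authenticator}}

def check_response(status: int, body: Dict) -> Dict:
    """Turn HTTP failures into exceptions; when uafStatusCode is present, require 1200."""
    if status != 200:
        raise FidoLoginError(f"HTTP {status}: {LOGIN_FAILURES.get(status, 'unexpected status')}")
    uaf = body.get("uafStatusCode")
    if uaf is not None and uaf != UAF_OK:
        raise FidoLoginError(f"FIDO UAF status {uaf}; see the FIDO Alliance status code list")
    return body

def fido_login(post: Callable[[str, Dict], Tuple[int, Dict]], uuid: str, protocol: str,
               sign_challenge: Callable[[Dict], Dict], **first_call_fields) -> Dict:
    """Run both calls; `post` is the HTTP transport, `sign_challenge` the client-side authenticator."""
    path = f"/users/{uuid}/login"
    challenge = check_response(*post(path, first_call_payload(protocol, **first_call_fields)))
    return check_response(*post(path, second_call_payload(sign_challenge(challenge))))

def fake_post(path: str, body: Dict) -> Tuple[int, Dict]:
    """Constructed stand-in for the server; the reply shape is an assumption for the demo."""
    if "fidoAuthentication" in body:
        return 200, {"uafStatusCode": UAF_OK, "challenge": "constructed-challenge"}
    signed = body.get("credentials", {}).get("fidoAuthenticator", {}).get("signed")
    if signed == "constructed-challenge":
        return 200, {"uafStatusCode": UAF_OK, "sessionStatus": "accepted"}
    return 409, {}
```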

Transactions validation endpoint. The transactions validation endpoint has been updated to support FIDO-based transaction data signing requests for the UAF protocol:

POST /users/{uuid}/transactions/validate

In the first call, this endpoint now accepts data as payload, with the following parameter:

  • fidoTransactionMessage

In the second call, this endpoint now accepts data as payload, with the following parameter:

  • fido

The failure responses include:

  • 400: The input is invalid.

  • 403: The command is prohibited for the tenant admin account.

  • 404: The user account was not found.

  • 409: Failed to validate transaction.

  • 500: Unexpected server error.

For more information about this feature and integration instructions, see Intelligent Adaptive Authentication Integration Guide.

Events validation endpoint. The events validation endpoint has been updated to support FIDO-based event signing requests for the FIDO UAF and FIDO2 protocols:

POST /users/{uuid}/events/validate

In the first call, this endpoint now accepts fidoAuthentication as payload, with the following parameters:

  • fidoProtocol

  • userVerification (FIDO2 only)

  • authenticationMessage (FIDO UAF only)

In the second call, this endpoint now accepts credentials as payload, with the following parameter:

  • fidoAuthenticator

The failure responses include:

  • 400: The input is invalid.

  • 403: The command is prohibited for the tenant admin account.

  • 404: The user account was not found.

  • 409: Failed to validate event.

  • 500: Unexpected server error.

For more information about this feature and integration instructions, see Intelligent Adaptive Authentication Integration Guide.

New restriction on number of assigned authenticators, but limit on derived authenticator instances removed

To avoid replay attacks, you can restrict the maximum number of authenticators assigned to a user for specific authenticator types. This applies to single-device licensing (SDL) and multi-device licensing (MDL) authenticators, and authenticator instances (MDL only).

The following restrictions apply:

  • Authenticator type TYP03 (iOS): 10 instances per user

  • Authenticator type TYP07 (Android): 10 instances per user

  • Authenticator type DAL10: 1 per user

  • Authenticator type VIR10: 1 per user

If a user account has 10 or more active instances of TYP00, TYP03, or TYP07, it will not be possible to activate more until enough instances have been deleted to be at or under the 10-instance limit.

For information about the authenticator types and affected endpoints, refer to Restrict the Number of Authenticators Assigned Per User.

With the new restriction for the number of authenticators that are assigned to a user, the limit of a maximum of 30 authenticator instances that are derived from a single license has become obsolete. This activation count limit has now been removed.

Extend timeout configuration per tenant

It is now possible to extend the default timeout value (currently 60 seconds) per tenant. This lets you increase the validation period for Push Notification-based authentication within Intelligent Adaptive Authentication.

Contact OneSpan Support to extend the timeout configuration for your tenant(s).

Fixes and other changes

Issue OAS-9593 (Support Case CS0064818): Authenticator instance number not returned on registration

For the offline activation of multi-device licensing (MDL) authenticators, some of the Intelligent Adaptive Authentication endpoints return the serial number of the license instead of the serial number of the added or activated instance. This is incorrect since the endpoints have the capability of returning an instance number as serialNumber.

The affected endpoints are:

Status: This issue has been fixed.

Issue OAS-8610: trusteddevicecmd web service throws exception after audit call

Every time the trusteddevicecmd web service audits a served call, it throws an exception because the connection to the central database fails: no connection parameters are available or configured.

Status: This issue has been fixed.

Orchestration SDK—supported versions

Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:

  • 5.4.1

  • 5.4.0

  • 5.3.1

  • 5.3.0

  • 5.2.0

  • 5.0.2

  • 4.24.4

  • 4.24.2

  • 4.23.0

  • 4.21.1

  • 4.20.2

  • 4.19.3
