- 21 Oct 2024
- 4 minutes to read
Integration of User Login and Event Validation with one-time password (OTP)
Intelligent Adaptive Authentication enables users to log in to your web application and validate events by generating a one-time password (OTP). An authenticator (hardware or software) that supports the generation of Response-Only or 1-step Challenge/Response OTPs is provisioned for the user.
During the allocation of the authenticator, hardware authenticators can be configured to use Response-Only, Challenge/Response, or time-based OTPs, and this can be modified on an as-needed basis.
Whether the ChallengeDevice2FA challenge (value 5) is raised depends on the Risk Management component rules.
Response-Only-based adaptive authentication can use either the synchronous or the asynchronous login mode. Event validation refers to the POST /users/{userID@domain}/events/validate endpoint. The endpoint should specify the event type as LoginAttempt.
For 1-step Challenge/Response authentications, the client application generates a custom challenge. This challenge is displayed to the user on the login page. The user enters it into their authenticator and enters the response, e.g. an OTP, on the login page.
Synchronous login mode Response-Only OTP
Login flow—synchronous mode Response-Only OTP
The login sequence checks the browsing context and analyzes the risk of the user login operation. Depending on the rules set in the Risk Management component, the Login service challenges the user (ChallengeDevice2FA). If the user signs the authentication request with the Intelligent Adaptive Authentication Response-Only (RO) OTP, the second login request is accepted.
For a 1-step Challenge/Response authentication, the client application generates a custom challenge. This challenge is displayed to the user on the login page. The user enters it into their authenticator and enters the response, e.g. an OTP, on the login page.
Sequence of a login operation in synchronous login mode
Before starting the operation, ensure the correct state of the user account by validating the output of the GET /users/{userID@domain} endpoint.
1. The user initiates the adaptive authentication login operation, which triggers the client application to send a login and event validation request. This request includes the following parameters:
   - authenticator user
   - authenticator domain
   - Response-Only OTP (for authentication with Response-Only OTP)
   - challenge (for authentication with 1-step Challenge/Response OTP)
   - Challenge/Response OTP (for authentication with 1-step Challenge/Response OTP)
   - CDDC data
   - session identifier
   The user's credentials (static password) must not be included in the request input!
2. The web service triggers a Risk Management component event request for the login and event validation.
3. The Risk Management component responds with an OTP challenge (ChallengeDevice2FA).
4. The web service returns the OTP challenge (ChallengeDevice2FA) to the client application.
5. The client application collects the OTP.
6. The client application sends a second login request to the application server, containing the OTP generated by the authenticator owned by the user.
7. The client application sends the OTP to the web service.
8. The web service validates the OTP.
9. Intelligent Adaptive Authentication returns the validation result of the OTP.
10. The Login service forwards the validation result to the web service.
11. The web service returns an HTTP 200 status code to the client application, indicating that authentication has been successful.
12. The client application checks the status of the login request with the web service.
13. The web service returns to the client application that the authentication has been successful.
Asynchronous login mode Response-Only OTP
Login flow—asynchronous mode Response-Only OTP
The login sequence checks the browsing context and analyzes the risk of the user login operation. Depending on the rules set in the Risk Management component, the Login service challenges the user by setting the riskResponseCode field to the challenge value 5 (ChallengeDevice2FA). If the user signs the authentication request with a Response-Only OTP, the second login request is accepted.
For a 1-step Challenge/Response authentication, the client application generates a custom challenge. This challenge is displayed to the user on the login page. The user enters it into their authenticator and enters the response, e.g. an OTP, on the login page.
Sequence of a login operation in asynchronous login mode with OTP
Before starting the operation, ensure the correct state of the user account by validating the output of the GET /users/{userID@domain} endpoint.
1. The user initiates the adaptive authentication login, which triggers the client application to send a login and event validation request. This request includes the following parameters:
   - authenticator user
   - authenticator domain
   - Response-Only OTP (for authentication with Response-Only OTP)
   - challenge (for authentication with 1-step Challenge/Response OTP)
   - Challenge/Response OTP (for authentication with 1-step Challenge/Response OTP)
   - CDDC data
   - session identifier
   The user's credentials (static password) must not be included in the request input!
2. The Login service triggers a Risk Management component event request for the login.
3. The Risk Management component responds with a Response-Only OTP challenge (value 5).
4. The Login service returns an HTTP 200 status code with the riskResponseCode field set to the two-factor challenge value (ChallengeDevice2FA).
5. The client application sends a check-session request (concurrently with the HTTP response step above). For more information, see GET /sessions/{requestID}.
6. The web service returns an HTTP 200 status code to the client application.
7. The client application collects the OTP (using the hardware or software authenticator).
8. The client application sends a new login request to the Login service. This request includes the following parameters:
   - authenticator user
   - authenticator domain
   - CDDC data
   - same session identifier
   - request identifier
   - Response-Only OTP (for authentication with Response-Only OTP)
   - challenge (for authentication with 1-step Challenge/Response OTP)
   - Challenge/Response OTP (for authentication with 1-step Challenge/Response OTP)
9. The web service validates the OTP.
10. Intelligent Adaptive Authentication validates the OTP.
11. The Login service returns an HTTP 200 OK status code to the web service.
12. The web service returns an HTTP 200 status code to the client application, indicating that authentication has been successful.
13. The client application sends a check-session request, and the asynchronous session is closed successfully. For more information, see GET /sessions/{requestID}.
14. The session status is returned to the web service.
OneSpan Intelligent Adaptive Authentication follows these steps for the asynchronous login mode:
- The Intelligent Adaptive Authentication Login service is called with the timeout set to 0. The login and event validation process starts, challenges the user (the same process step as in the synchronous login mode), and immediately returns the current state of the session. In the Static Password use case, the check session state will always return Accepted.
- The Check Session Status service returns the current session and notification states of the login request immediately, without waiting for the notification process to complete.
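The following is an added example (not OneSpan's own code) of the client-side logic for both sequences above: a first login request sent without the static password, a branch on riskResponseCode, a second request carrying the OTP together with the same session and request identifiers, and a check-session call in asynchronous mode. Only riskResponseCode, the ChallengeDevice2FA value 5 and the endpoint roles come from the page; the JSON field names, the stub backend and the session status strings are assumptions made for the example.

```python
"""Added example: client handling of the two-step adaptive login described above.
Assumed (not from the page): body field names other than riskResponseCode, the
session status strings, and the offline StubIaaBackend standing in for the
Login service and GET /sessions/{requestID}."""
import secrets

CHALLENGE_DEVICE_2FA = 5  # riskResponseCode value named on the page


class StubIaaBackend:
    """Constructed offline stand-in for the Login and Check Session services."""

    def __init__(self, expected_otp):
        self.expected_otp = expected_otp
        self.sessions = {}  # requestID -> session status (assumed strings)

    def login(self, user_at_domain, body):
        # Documented rule: the static password must never be part of the input.
        if "staticPassword" in body:
            raise ValueError("static password must not be sent in login input")
        req_id = body.get("requestID") or secrets.token_hex(8)
        if "otp" not in body:  # first request: risk engine raises the challenge
            self.sessions[req_id] = "pending"
            return {"riskResponseCode": CHALLENGE_DEVICE_2FA, "requestID": req_id,
                    "sessionStatus": "pending"}
        accepted = secrets.compare_digest(body["otp"], self.expected_otp)
        self.sessions[req_id] = "accepted" if accepted else "refused"
        return {"requestID": req_id, "sessionStatus": self.sessions[req_id]}

    def check_session(self, req_id):  # role of GET /sessions/{requestID}
        return {"sessionStatus": self.sessions.get(req_id, "unknown")}


def adaptive_login(backend, user, domain, cddc, get_otp, asynchronous=False):
    """Run the documented sequence and return the final session status."""
    session_id = secrets.token_hex(16)
    body = {"sessionID": session_id, "cddc": cddc}  # no static password here
    if asynchronous:
        body["timeout"] = 0  # Login service returns the session state at once
    first = backend.login(f"{user}@{domain}", body)
    req_id = first["requestID"]
    if asynchronous:  # check-session request alongside the first response
        backend.check_session(req_id)
    if first.get("riskResponseCode") != CHALLENGE_DEVICE_2FA:
        return first["sessionStatus"]  # no OTP step required by the rules
    # Challenged: collect the OTP from the user's authenticator and resend it
    # with the SAME session identifier and the request identifier.
    backend.login(f"{user}@{domain}",
                  {**body, "requestID": req_id, "otp": get_otp()})
    return backend.check_session(req_id)["sessionStatus"]
```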
Next Steps
The next step for a full integration of an adaptive authentication solution is to integrate the Orchestration SDK into your mobile application.