August Release – 22.R3
Updated 13 Dec 2024
New features and enhancements—supported use cases
FIDO UAF onboarding for Sandbox and Production environments
The FIDO UAF onboarding process is now available on the OneSpan Community Portal for OneSpan Cloud Authentication.
For more information on FIDO UAF onboarding, see FIDO UAF onboarding in the Sandbox and Production environments.
Deletion of a OneSpan Trusted Identity platform user
When a OneSpan Trusted Identity platform user is deleted, all FIDO-relevant user data that is associated with this account is also deleted. This prevents reusing old user data, if the user is reactivated in a future instance.
Data fields for FIDO UAF channel binding now supported by the OneSpan Trusted Identity platform API
The OneSpan Trusted Identity platform API now supports the following data fields for FIDO UAF channel binding:
cidPublicKey
tlsUnique
The following FIDO-based endpoints are impacted by this enhancement:
Data fields for FIDO2 token binding now supported by the OneSpan Trusted Identity platform API
The OneSpan Trusted Identity platform API now supports the tokenBinding data field for FIDO2 token binding.
The following FIDO-based endpoints are impacted by this enhancement:
Decrypt information message
OneSpan Cloud Authentication now supports decrypting the body of a Secure Channel information message via the REST API. With the Decrypt Information Message feature, you can decrypt the body of a Secure Channel information message that is encrypted with the payload key of an instance of a multi-device licensing (MDL) authenticator.
Decrypt information message endpoint. A new endpoint has been added for this decrypting operation:
POST /authenticators/{serialNumber}/decrypt-information-message
This endpoint accepts informationMessage as payload.
The following responses are included:
200: Decrypted information message.
400: The input is invalid.
404: Authenticator not found.
409: Failed to decode information message.
500: Unexpected server error.
For more information, refer to Decrypt an Information Message Body.
Authenticator activation reset
With the new Reset Activation feature, OneSpan Cloud Authentication now supports resetting the activation information of an authenticator via the OneSpan Trusted Identity platform API.
For authenticators that use standard activation, i.e. single-device licensing (SDL), the following parameters are reset:
Activation count
Activation locations
Last activation date/time
For authenticators compliant with multi-device licensing (MDL) activation, the following parameters are reset:
Provisioning activation count
Activation challenge
Last activation date/time
For MDL-compliant authenticators, this reset operation does not decrease the activation count (i.e. the number of already activated instances); it resets the provisioning activation count, so that new activations are possible again.
Reset activation endpoint. A new endpoint has been added for this reset operation:
POST /authenticators/{serialNumber}/reset-activation
The following responses are included:
200: Reset activation completed successfully.
400: The input is invalid.
404: Authenticator not found.
409: Failed to reset the activation.
500: Unexpected server error.
For more information, refer to Reset Authenticator Activation Information.
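Both new endpoints above (decrypt-information-message and reset-activation) take the authenticator serial number as a path segment and signal failures only through the listed HTTP status codes, so a caller has to map those codes to outcomes itself. The following Python client is an added example written for these notes; it is not OneSpan's code or SDK. It assumes a tenant base URL, a Bearer token in the Authorization header, and a name for the decrypted field in the 200 response body (the notes only say "Decrypted information message"); all three are assumptions. The transport is injectable, so the constructed fake_transport at the end stands in for the server and lets the example run offline.

```python
"""Added example: client for the two new authenticator endpoints from this release.
Paths and status codes come from the release notes; base URL, auth header and
response field names are assumptions."""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Assumption: base URL of the tenant's OneSpan Trusted Identity platform API.
BASE_URL = "https://tenant.example.com/api"

# Error codes listed in the release notes for each endpoint.
DECRYPT_ERRORS = {400: "The input is invalid.", 404: "Authenticator not found.",
                  409: "Failed to decode information message.", 500: "Unexpected server error."}
RESET_ERRORS = {400: "The input is invalid.", 404: "Authenticator not found.",
                409: "Failed to reset the activation.", 500: "Unexpected server error."}

# A transport takes (method, url, body, headers) and returns (status, body).
Transport = Callable[[str, str, bytes, Dict[str, str]], Tuple[int, bytes]]


class ApiError(Exception):
    """Raised for any non-200 response; .status carries the HTTP status code."""
    def __init__(self, status: int, message: str):
        super().__init__(f"HTTP {status}: {message}")
        self.status = status


def urllib_transport(method: str, url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Real transport over urllib; HTTPError is turned into a (status, body) pair."""
    req = urllib.request.Request(url, data=body or None, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def _authenticator_url(serial_number: str, action: str) -> str:
    # The serial number is a path segment: refuse anything that could escape it,
    # then percent-encode what is left so it cannot be read as extra path.
    if not serial_number or "/" in serial_number or ".." in serial_number:
        raise ValueError("invalid serial number")
    return f"{BASE_URL}/authenticators/{urllib.parse.quote(serial_number, safe='')}/{action}"


def _post(transport: Transport, url: str, payload: Optional[dict],
          errors: Dict[int, str], api_key: str) -> dict:
    headers = {"Content-Type": "application/json", "Accept": "application/json",
               "Authorization": f"Bearer {api_key}"}  # assumption: bearer-token auth
    body = json.dumps(payload).encode() if payload is not None else b""
    status, raw = transport("POST", url, body, headers)
    if status == 200:
        return json.loads(raw) if raw else {}
    raise ApiError(status, errors.get(status, "Unexpected response"))


def decrypt_information_message(serial_number: str, information_message: str,
                                api_key: str, transport: Transport = urllib_transport) -> dict:
    """POST /authenticators/{serialNumber}/decrypt-information-message"""
    url = _authenticator_url(serial_number, "decrypt-information-message")
    return _post(transport, url, {"informationMessage": information_message}, DECRYPT_ERRORS, api_key)


def reset_activation(serial_number: str, api_key: str,
                     transport: Transport = urllib_transport) -> dict:
    """POST /authenticators/{serialNumber}/reset-activation"""
    url = _authenticator_url(serial_number, "reset-activation")
    return _post(transport, url, None, RESET_ERRORS, api_key)


def fake_transport(method: str, url: str, body: bytes, headers: Dict[str, str]) -> Tuple[int, bytes]:
    """Constructed stand-in for the server that answers with the codes the notes list.
    Only serial VDS1000000 exists; a message must start with 'ENC:' to be decodable."""
    parts = urllib.parse.urlparse(url).path.split("/")
    serial, action = urllib.parse.unquote(parts[-2]), parts[-1]
    if serial != "VDS1000000":
        return 404, b'{"message":"Authenticator not found."}'
    if action == "decrypt-information-message":
        msg = json.loads(body).get("informationMessage")
        if not msg:
            return 400, b""
        if not msg.startswith("ENC:"):
            return 409, b""
        # Assumption: field name of the decrypted body in the 200 response.
        return 200, json.dumps({"decryptedInformationMessage": msg[4:]}).encode()
    if action == "reset-activation":
        return 200, b'{"result":"Reset activation completed successfully."}'
    return 500, b""


if __name__ == "__main__":
    print(decrypt_information_message("VDS1000000", "ENC:hello", "key", transport=fake_transport))
    print(reset_activation("VDS1000000", "key", transport=fake_transport))
```

Calling with the default transport sends the real request; passing fake_transport exercises the same code path against the constructed server. The 409 branch is the one worth handling explicitly in production: for decrypt-information-message it means the message did not decode under that authenticator instance's payload key, which is a data problem, not a transport problem, and should not be retried.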
New options to query and/or update user information
OneSpan Cloud Authentication now offers new options to query and/or update user information. The following fields have been adapted and can now be used to query user information:
hasAuthenticatorAssigned
expired
disabled
lastAuthentication
lastAuthenticationRequest
maxDaysBetweenAuthentications
The maxDaysBetweenAuthentications field can be used both to query and to update user information based on the maximum interval allowed between a user's authentications.
hasAdminPrivileges field now supported in OneSpan Cloud Authentication
OneSpan Cloud Authentication now supports the hasAdminPrivileges field for the following OneSpan Trusted Identity platform API endpoints:
You can now query a user based on the hasAdminPrivileges field in OneSpan Cloud Authentication.
Fixes and other changes
Issue OAS-12509: Performance bottleneck in OneSpan Cloud Authentication web services
In OneSpan Cloud Authentication, the SOAP client library used for the common Java web services exhibited a bottleneck. This resulted in poor performance when many users simultaneously called the same service. To improve performance during high-traffic spikes, the library has been replaced.
Status: With the new library already in place, a higher number of simultaneous requests can now be handled without performance impairments for the following scenarios:
User authentication and login
Transaction validation
Time synchronization between OneSpan Trusted Identity platform (i.e. host) and authenticator
Orchestration SDK processing
General improvement on internal processing operations (e.g. administration sessions)
Issue OAS-12661: Incorrect behavior when deregistering the FIDO UAF authenticator via AAID
When deregistering a FIDO UAF authenticator only via the Authenticator Attestation ID (AAID), the response received from the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint contains the list of all deregistered key IDs. Because the KeyID in the response should be empty, the certification tool reports a problem with the KeyID validation.
Status: This issue has been fixed. In addition, the behavior of the deregistration endpoint has been updated to also include the option to deregister the FIDO UAF authenticator using the AAID and KeyID.
Issue OAS-12798: FIDO2 Sample Relying Party Web App not behaving correctly when authenticating with Android phone
The FIDO2 Sample Relying Party Web App does not behave correctly during authentication with an Android phone as the assigned FIDO2 authenticator.
Status: This issue has been fixed. The FIDO2 Server did not correctly handle the case when the userHandle property was null, which caused the authentication attempt to fail.
Issue OAS-13223 (Support Case INC0010680): User registration error without optional static password
An error occurs when calling the POST /users/register endpoint. Attempts to register an additional authenticator without including a static password result in the following error: User registration failed: Initial static password not set.
Status: This issue has been fixed. It is now possible to use this endpoint multiple times to start the registration of a new authenticator.
Once a registration call has been made with a password, that password will then be required for all subsequent registration calls (as long as the password has not been reset).
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
5.5.1
5.4.4
5.4.2
5.4.0
5.3.1
5.3.0
5.2.0
5.0.2
4.24.4
4.24.2
4.23.0
4.21.1
4.20.2
4.19.3