October 2021
  • 29 Oct 2024
  • 2 Minutes à lire
  • Sombre
    Lumière

October 2021

  • Sombre
    Lumière

The content is currently unavailable in French. You are viewing the default English version.
Résumé de l’article

New features and enhancements—supported use cases

FIDO metadata

Intelligent Adaptive Authentication now supports FIDO Metadata Service 3.0.

For more information about FIDO metadata, refer to the FIDO Alliance documentation.

User-initiated authenticator time synchronization

If a user's hardware authenticator is out of sync, they can now initiate time synchronization for their authenticator. All OneSpan authenticators that can be out of sync, both time- and event-based, support this new feature.

  • Authenticator endpoint. A new endpoint has been added to allow the user-controlled time synchronization:

    POST /users/{userID@domain}/sync-authenticator

    This endpoint accepts SyncAuthenticatorInput as payload.

    The following failure responses are included:

    • 400: The input is invalid.

    • 403: The command is prohibited for the tenant admin account.

    • 404: The user was not found.

    • 409: Conflict error.

    • 500: Unexpected server error.

For more information about this feature and integration instructions, see Intelligent Adaptive Authentication Integration Guide.

Customize delivery method of virtual OTP

It is now possible to customize how the virtual one-time password (OTP) is delivered to the user (e.g. use your own gateway or another special, customized communication channel). A new channel is available which makes it possible to receive the OTP in the request response session. To ensure the generated virtual OTP is never returned directly to the user, it is stored inside a session that is to be queried separately.

Mild security risk

When you use this feature, the OTP is returned in the same session in which it has been requested. Because this forms a mild security risk, be advised to treat the virtual OTP as sensitive data. Make sure the data is transmitted via a different secure channel than the one in which it was requested (e.g. an SMS sent to a different device than the one from which the request was sent).

Enabling this feature does not deactivate the original delivery method for virtual OTPs! The custom delivery has to be requested in the request payload on a per-request basis.

The following endpoints have been extended:

  • POST /authenticators/{serialNumber}/applications/{applName}/generate-votp

    Accepted payload: GenerateVOTPOutput.

  • POST /users/{userID@domain}/login

    The delivery of the virtual OTP is triggered upon user request and when the keyword session is sent via the votpDeliveryOverride field of the AdaptiveLoginInput payload (without providing the credentials fields).

    The response will be 200 OK. The following payloads are accepted:

    • AdaptiveLoginInput

    • LoginOutput, with the following fields and values:

      • sessionStatus, with the value pending

      • riskResponseCode, with an integer value

      • requestID, with with a generated value, e.g. 47543e06-1c11-49b8-94ed-d9501f7fd3f2

  • POST /users/{userID@domain}/events/validate

    Accepted payloads:

    • AdaptiveEventValidationInput

    • eventType, with the value LoginAttempt

For more detailed information on how to integrate this feature, see Integrating user login and event validation via notification.

Use of this feature is optional, it is not provided by default. Contact OneSpan Support for the activation of this feature. Once enabled, the virtual OTP will be delivered with the same method for all tenants that are grouped in the same authentication service deployment as the one where this feature has been enabled.

Fixes and other changes

Issue OAS-9793 (Support Case CS0042742): Cronto image rendering fails for orchestration command

The orchestration command that is returned by the POST /users/{userID@domain}/login endpoint cannot be rendered by the POST /visualcodes/render endpoint.

Status: This issue has been fixed.

Issue OAS-9932: FIDO timeout configuration

The Fido2RequestTimeout (FIDO2) and JwtTokenTimeout (FIDO UAF) timeout parameters now have a default value set to 10 seconds in the respective FIDO tenant configuration.

For more information, see Standard FIDO Settings for the Sandbox Environment.

Contact OneSpan Support if you need to change this configuration.

Orchestration SDK—supported versions

Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:

  • 5.4.2

  • 5.4.1

  • 5.4.0

  • 5.3.1

  • 5.3.0

  • 5.2.0

  • 5.0.2

  • 4.24.4

  • 4.24.2

  • 4.23.0

  • 4.21.1

  • 4.20.2

  • 4.19.3


Cet article vous a-t-il été utile ?

What's Next
Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, facilitant la découverte de connaissances grâce à l’intelligence conversationnelle