Secure Channel

The Secure Channel feature uses a randomly generated symmetric key to encrypt the communication between the server and the authenticator account. This symmetric key is the payload key. It is provisioned with the authenticator key during the activation process.

The payload key can only be provisioned in the authenticator account if this has been activated following the two-step activation process.

The secure channel is a one-way channel. Mobile Authenticator Studio only receives transaction messages encrypted by Authentication Server Framework.

To use the Secure Channel feature with Mobile Authenticator Studio, at least one secure channel cryptographic application must be selected in the Mobile Authenticator Studio Parameter Sheet.

The transaction message contains the information about the serial number of the authenticator. Mobile Authenticator Studio uses the serial number to select the authenticator account to use and decrypt the transaction message with the payload key to get the transaction message body. If the authenticator's serial number in the message does not match a serial number loaded in Mobile Authenticator Studio, a message indicating that the transaction message is not dedicated to this authenticator is displayed.

The transaction message body contains the following information:

• The index of the authenticator's cryptographic application to sign the message.

• A flag that indicates if the app has to display a warning message to the user.

• A flag that indicates if the app has to sign the message.

• A flag that indicates if the app has to request from the user a formal approval of the transaction message before signing it.

• The transaction information to be displayed, formatted as a free text or a list of key-value pairs with the corresponding title. The display format of the transaction information is chosen during the message generation on the server.

The result of the transaction message signature can either be displayed to the end user or sent to a URL. This can be configured in the secure channel action parameters defined in the Mobile Authenticator Studioconfiguration file. For more information on the secure channel action definition, refer to the Mobile Authenticator Studio Customization Guide

The body of the transaction message is generated by the OneSpan Secure Messaging SDK integrated on the server. For more information on the Secure Messaging SDK integration, refer to the Mobile Authenticator Studio Integration Guide.

To use the secure channel between Authentication Server Framework and Mobile Authenticator Studio, either a Secure Channel action is enabled in the configuration file or the Secure Channel message is sent to Mobile Authenticator Studio by a third-party application.

Secure Channel action

With the Secure Channel action, the user can scan QR codes or Cronto images containing transaction messages. The transaction messages are encrypted by the payload key provisioned during the activation of the authenticator and shared between Mobile Authenticator Studio and the server. The images carrying the transaction messages are generated by the Image Generator SDK integrated on the server. For more information on the Image Generator SDK integration, refer to the Mobile Authenticator Studio Integration Guide.

In addition to transaction messages, the Secure Channel action can be configured to support activation messages as well. In this case, the Secure Channel action can be used to replace an activated authenticator account without having to delete it first.

App-to-app communication

With the app-to-app communication, a third-party application or web page invokes the Mobile Authenticator Studio app with a Secure Channel message. The Mobile Authenticator Studio app then calls back the third-party application or web page with the signature of the Secure Channel message.

Invoke Mobile Authenticator Studio app by third-party application via app-to-app communication

Mobile Authenticator Studio is invoked from a URL that has the following format:

${scheme}://app2app_secure_channel?x-success=thirdpartyapp://...&x-error=thirdpartyapp://...&x-cancel=thirdpartyapp://...&secure_message=0000C3E40F4

• ${scheme} is a string specified in the course of the Mobile Authenticator Studio application customization, according to the iOS and Android scheme policies.

• x-success is the callback URL invoked by Mobile Authenticator Studio in case of success. The signature of the Secure Channel transaction message is concatenated to this URL..

• x-error is the call-back URL invoked by Mobile Authenticator Studio in case of error. The error code is concatenated to this URL.

• x-cancel is the call-back URL invoked by Mobile Authenticator Studio in case of process interruption by the user.

• secure_message is the Secure Channel message string provided by Authentication Server Framework.

To prevent the call-back URL from being compromised, it is checked against a URL white list defined in the Mobile Authenticator Studio configuration file.

For more information about supported actions and parameters, refer to the Mobile Authenticator Studio Integration Guide.