- 21 Oct 2024
Integrating User Login with Secure Channel
- Updated on 21 Oct 2024
Secure Channel-based authentication is a type of authentication which supports the secure exchange of authentication data. It is used in combination with Cronto images or QR codes to exchange the Secure Channel messages. This type of authentication requires the use of authenticator licenses that are activated in the multi-device licensing (MDL) mode.
Sequence of a login operation with Secure Channel
Before starting the operation, ensure the correct state of the user account by validating the output of the GET /users/{userID@domain} endpoint.
1. The user initiates the adaptive authentication operation and triggers the client application to send a login request to the OneSpan Trusted Identity platform API by calling the https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userID@domain}/login endpoint.
   The default timeout value for Secure Channel-based authentication is set to 180 seconds. Contact OneSpan if you need to change this timeout configuration.
2. The web service triggers a Risk Management component-event request for the login.
3. The Risk Management component responds with a Cronto challenge (value = 11).
4. The web service triggers a secure challenge to the Authentication component to generate a secure message.
5. The web service returns the Risk Management component challenge together with the secure message to the client application.
6. The client application uses the Visual Codes service to generate the Cronto image.
7. The user captures the Cronto image with their authenticator, which generates an OTP.
8. The OTP is inserted in a new login request that is forwarded to the OneSpan Trusted Identity platform API for validation.
9. Intelligent Adaptive Authentication returns the validation result of the OTP.
To integrate user login with Secure Channel
1. Issue a login request with the https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userid@domain}/login endpoint:
   Method: POST
2. Issue a generate Cronto image request with the https://{tenant}.{environment}.tid.onespan.cloud/v1/visualcodes/render endpoint:
   Method: POST
3. Issue a login request with the https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userid@domain}/login endpoint:
   Method: POST
   Payload:
   - objectType: "AdaptiveLoginInput"
   - credentials.authenticator.OTP
   - requestID: Request ID from the first login request.
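An added example (not OneSpan code) of client-side state handling for the sequence above: it checks for challenge value 11, carries the requestID from the first login call into the second, and refuses an OTP once the 180-second default timeout has passed. The `post` transport, the response keys `challenge`, `secureMessage` and `requestID`, the render keys `message`, `format` and `size`, and the nested shape of `credentials.authenticator.OTP` are assumptions; the page gives only the endpoint paths and the payload field names.

```python
import time
from urllib.parse import quote

CRONTO_CHALLENGE = 11     # challenge value the page gives for Secure Channel
CHANNEL_TIMEOUT_S = 180   # default Secure Channel timeout stated on the page


class SecureChannelLogin:
    """Client-side state for one login: challenge, image, OTP submission."""

    def __init__(self, base_url, user_id, post, clock=time.monotonic):
        # Percent-encode the user ID so it cannot alter the request path.
        user = quote(user_id, safe="@")
        self.login_url = f"{base_url}/v1/users/{user}/login"
        self.render_url = f"{base_url}/v1/visualcodes/render"
        self.post = post          # assumed transport: post(url, dict) -> dict
        self.clock = clock
        self.request_id = None
        self.started = None

    def start(self, first_payload, image_format, image_size):
        """First login call, then render the returned secure message."""
        resp = self.post(self.login_url, first_payload)
        # Response key names below are assumptions, not taken from the page.
        if resp.get("challenge") != CRONTO_CHALLENGE:
            raise ValueError("expected Cronto challenge (value 11)")
        message = resp["secureMessage"]
        bytes.fromhex(message)    # render takes a hex message; reject others
        self.request_id = resp["requestID"]
        self.started = self.clock()
        # Render parameter key names are assumptions as well.
        return self.post(self.render_url, {"message": message,
                                           "format": image_format,
                                           "size": image_size})

    def complete(self, otp):
        """Second login call: OTP plus the requestID of the first call."""
        if self.request_id is None:
            raise RuntimeError("no pending Secure Channel challenge")
        if self.clock() - self.started > CHANNEL_TIMEOUT_S:
            self.request_id = None
            raise TimeoutError("challenge expired, restart the login")
        if not otp:
            raise ValueError("empty OTP")
        payload = {"objectType": "AdaptiveLoginInput",
                   "credentials": {"authenticator": {"OTP": otp}},
                   "requestID": self.request_id}
        self.request_id = None    # one submission per challenge
        return self.post(self.login_url, payload)
```
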
Use the Visual Codes service to generate Cronto images or QR codes
With Intelligent Adaptive Authentication you can integrate the Visual Codes service in your client applications. The application can then generate and embed a clear-text or encoded message into a Cronto image or a QR code. The visualcodes interface allows clients to render a visual code and get raw access to the image URL if the following parameters have been specified:
- Message. A hexadecimal encoded message that is to be embedded in the image.
- Format. The output format of the returned image (Cronto image or QR code).
- Image size. The image size of the returned image.
Use Cronto authenticator to generate Cronto images or QR codes
With Intelligent Adaptive Authentication you can implement the functionality to support the use of a Cronto authenticator for user authentication and transaction signature validation. The Cronto authenticator scans a Cronto image or QR code and generates a signature for authentication purposes. Intelligent Adaptive Authentication supports the following use cases:
- User registration and Cronto authenticator activation. If a valid authenticator license is available, a user can register a Cronto authenticator through the User Registration service and activate the authenticator.
- Login. If the user has successfully registered and activated a Cronto authenticator associated with them, the user can log in. They will get challenged by Intelligent Adaptive Authentication (ChallengeSCTransaction code 11) to obtain the signature code generated by their Cronto authenticator.
- Signature validation. If the user has successfully registered and activated a Cronto authenticator associated with them, the user can perform a transaction validation and get challenged by Intelligent Adaptive Authentication (ChallengeSCTransaction code 11) to obtain the signature code generated by their Cronto authenticator.