Integration of User Login and Event Validation with one-time password (OTP)
  • 21 Oct 2024


Intelligent Adaptive Authentication enables users to log in to your web application and validate events by generating a one-time password (OTP). An authenticator (hardware or software) that supports the generation of Response-Only or 1-step Challenge/Response OTPs is provisioned for the user.

During the allocation of the authenticator, hardware authenticators can be defined to use Response-Only, Challenge/Response, or time-based OTPs, and this can be modified on an as-needed basis. Whether the ChallengeDevice2FA challenge (value 5) is raised depends on the Risk Management component rules.

Response-Only-based adaptive authentication can use either the synchronous or the asynchronous login mode. Event validation refers to the POST /users/{userID@domain}/events/validate endpoint. The endpoint should specify the event type as LoginAttempt.

For 1-step Challenge/Response authentications, the client application generates a custom challenge. This challenge is displayed to the user on the login page. The user types it into their authenticator and enters the resulting response (an OTP) on the login page.

Synchronous login mode Response-Only OTP

Figure: Login flow, synchronous mode Response-Only OTP

The login sequence checks the browsing context and analyzes the risk of the user login operation. Depending on the rules set in the Risk Management component, the Login service challenges the user. If the user signs the authentication request using the Intelligent Adaptive Authentication Response-Only (RO) OTP (ChallengeDevice2FA), the second login request is successfully accepted.

For a 1-step Challenge/Response authentication, the client application generates a custom challenge. This challenge is displayed to the user on the login page. The user types it into their authenticator and enters the resulting response (an OTP) on the login page.

Sequence of a login operation in synchronous login mode

Before starting the operation, ensure the correct state of the user account by validating the output of the GET /users/{userID@domain} endpoint.

  1. The user initiates the adaptive authentication login operation which triggers the client application to send a login and event validation request. This request includes the following parameters:

    • authenticator user

    • authenticator domain

    • Response-Only OTP (for authentication with Response-Only OTP)

    • challenge (for authentication with 1-step Challenge/Response OTP)

    • Challenge/Response OTP (for authentication with 1-step Challenge/Response OTP)

    • CDDC data

    • session identifier.

      The user's credentials (static password) must not be included in the request input!

  2. The web service triggers a Risk Management component-event request for the login and event validation.

  3. The Risk Management component responds with an OTP challenge (ChallengeDevice2FA).

    1. The web service returns the OTP challenge (ChallengeDevice2FA) to the client application.

    2. The client application collects the OTP.

  4. The client application sends a second login request to the application server (with the OTP provided by the authenticator owned by the user).

  5. The client application sends the OTP to the web service.

  6. The web service validates the OTP.

    1. Intelligent Adaptive Authentication returns the validation result of the OTP.

    2. The Login service forwards the validation result to the web service.

    3. The web service returns an HTTP 200 status code to the client application, indicating that authentication has been successful.

  7. The client application checks the status of the login request with the web service.

  8. The web service returns to the client application that the authentication has been successful.

Asynchronous login mode Response-Only OTP

Figure: Login flow, asynchronous mode Response-Only OTP

The login sequence checks the browsing context and analyzes the risk of the user login operation. Depending on the rules set in the Risk Management component, the Login service challenges the user by setting the riskResponseCode field to the challenge value 5 (ChallengeDevice2FA). If the user signs the authentication request with a Response-Only OTP, the second login request is accepted.

For a 1-step Challenge/Response authentication, the client application generates a custom challenge. This challenge is displayed to the user on the login page. The user types it into their authenticator and enters the resulting response (an OTP) on the login page.

Sequence of a login operation in asynchronous login mode with OTP

Before starting the operation, ensure the correct state of the user account by validating the output of the GET /users/{userID@domain} endpoint.

  1. The user initiates the adaptive authentication login, which triggers the client application to send a login and event validation request. This request includes the following parameters:

    • authenticator user

    • authenticator domain

    • Response-Only OTP (for authentication with Response-Only OTP)

    • challenge (for authentication with 1-step Challenge/Response OTP)

    • Challenge/Response OTP (for authentication with 1-step Challenge/Response OTP)

    • CDDC data

    • session identifier.

      The user's credentials (static password) must not be included in the request input!

  2. The Login service triggers a Risk Management component-event request for the login.

  3. The Risk Management component responds with a Response-Only OTP challenge (value 5).

    1. The Login service returns an HTTP 200 status code with the riskResponseCode field set to the two-factor challenge value (ChallengeDevice2FA).

    2. The client application sends a check-session request (concurrently with the HTTP response step above). For more information, see GET /sessions/{requestID}.

    3. The web service returns an HTTP 200 status code to the client application.

  4. The client application collects the OTP (using the hardware or software authenticator).

  5. The client application sends a new login request to the Login service. This request includes the following parameters:

    • authenticator user

    • authenticator domain

    • CDDC data

    • same session identifier

    • request identifier

    • Response-Only OTP (for authentication with Response-Only OTP)

    • challenge (for authentication with 1-step Challenge/Response OTP)

    • Challenge/Response OTP (for authentication with 1-step Challenge/Response OTP)

  6. The web service validates the OTP.

    1. Intelligent Adaptive Authentication validates the OTP.

    2. The Login service returns an HTTP 200 OK status code to the web service.

    3. The web service returns an HTTP 200 status code to the client application, indicating that authentication has been successful.

  7. The client application sends a check-session request, and the asynchronous session is closed successfully. For more information, see GET /sessions/{requestID}.

    1. The session status is returned to the web service.

OneSpan Intelligent Adaptive Authentication follows these steps for the asynchronous login mode:

  • The Intelligent Adaptive Authentication Login service is called with the timeout set to 0. The login and event validation process is started, challenges the user (same process step as in the synchronous login mode), and immediately returns the current state of the session. In the Static Password use case, the check session state will always return Accepted.

  • The Check Session Status service returns the current session and notification states of the login request immediately, without waiting for the notification process to complete.
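As an added example covering both the synchronous and the asynchronous procedures above (this is not OneSpan's code), the following client driver runs the two-request flow against a constructed stand-in for the Login service that enforces the rules the page states: no static password in the input, the second request reusing the session identifier and carrying the request identifier, and the session state readable at any time. The riskResponseCode field and the value 5 are from the page; all other field names, the statuses and the OTP value are assumptions.

```python
# Added example, not OneSpan's code: a client driver for the asynchronous
# Response-Only OTP flow above, run against a constructed stand-in for the
# Login service. "riskResponseCode" and the value 5 come from the page; all
# other field names, the OTP value and the statuses are assumptions.
CHALLENGE_DEVICE_2FA = 5  # riskResponseCode value meaning "challenge the user"


class FakeLoginService:
    """Constructed stand-in that enforces the rules the page states."""

    def __init__(self, valid_otp):
        self._valid_otp = valid_otp
        self._sessions = {}  # requestID -> {"sessionID": ..., "status": ...}

    def login(self, req):
        # Rule from the page: the static password must never be in the input.
        if "password" in req:
            raise ValueError("static password must not be included")
        for key in ("user", "domain", "cddc", "sessionID"):
            if key not in req:
                raise ValueError(f"missing {key}")
        if "otp" not in req:
            # First call (timeout 0): the risk engine asks for a second factor
            # and returns at once with the session still pending.
            request_id = f"req-{len(self._sessions) + 1}"
            self._sessions[request_id] = {"sessionID": req["sessionID"], "status": "Pending"}
            return {"status": 200, "riskResponseCode": CHALLENGE_DEVICE_2FA, "requestID": request_id}
        # Second call: must reuse the session identifier and carry the request identifier.
        state = self._sessions.get(req.get("requestID"))
        if state is None or state["sessionID"] != req["sessionID"] or state["status"] != "Pending":
            raise ValueError("unknown request or session identifier mismatch")
        state["status"] = "Accepted" if req["otp"] == self._valid_otp else "Refused"
        return {"status": 200 if state["status"] == "Accepted" else 401}

    def check_session(self, request_id):
        # Stand-in for GET /sessions/{requestID}: current state, no waiting.
        return self._sessions[request_id]["status"]


def adaptive_login(service, user, domain, cddc, session_id, get_otp):
    """Drive the two-request flow; return the final session status."""
    base = {"user": user, "domain": domain, "cddc": cddc, "sessionID": session_id}
    first = service.login(dict(base))
    if first["riskResponseCode"] != CHALLENGE_DEVICE_2FA:
        return service.check_session(first["requestID"])  # no OTP demanded
    # While the user reads the OTP off the authenticator, the session stays Pending.
    assert service.check_session(first["requestID"]) == "Pending"
    service.login(dict(base, requestID=first["requestID"], otp=get_otp()))
    return service.check_session(first["requestID"])
```

A second request that does not match the pending session, or that replays an already closed one, is rejected by the stand-in, which is the property a real integration should verify against the Login service as well.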

Next Steps

The next step for a full integration of an adaptive authentication solution is to integrate the Orchestration SDK into your mobile application.

