- 16 Oct 2024
Integration of User Login with Secure Channel
- Updated on 16 Oct 2024
Secure Channel-based authentication is a type of authentication which supports the secure exchange of authentication data. It is used in combination with Cronto images or QR codes to exchange the Secure Channel messages. This type of authentication requires the use of authenticator licenses that are activated in the multi-device licensing (MDL) mode.
Sequence of a login operation with Secure Channel
1. The user initiates the operation from their browser, and the client application requests a Secure Channel challenge from the OneSpan Trusted Identity platform API by calling the POST /users/{userID@domain}/generate-secure-challenge endpoint.
   The default timeout value for Secure Channel-based authentication is set to 180 seconds. Contact OneSpan if you need to change this timeout configuration.
2. The OneSpan Trusted Identity platform API creates a Secure Channel challenge in the form of a Cronto message.
3. The client application uses the Visual Codes service to generate the Cronto image.
4. The user captures the Cronto image with their authenticator, and the authenticator generates an OTP.
5. The OTP is inserted in a login request forwarded to the OneSpan Trusted Identity platform API for validation.
   The login uses the request identifier provided in the response to the generate-secure-challenge request.
6. The OTP is validated successfully.
To integrate user login with Secure Channel
1. Issue a generate Secure Channel message request with the POST /users/{userID@domain}/generate-secure-challenge endpoint.
   You can select which cryptographic application to use for response validation by setting one of the following two optional fields:
   - cryptoAppIndex: Index of the authenticator application to be used for response validation.
   - cryptoAppName: Name of the authenticator application to be used for response validation.
2. Issue a generate Cronto image for Secure Channel message request with the POST /visualcodes/render endpoint.
3. Issue a login request with the POST /users/{userid@domain}/login endpoint:
   Payload:
   - objecttype: "LoginInput"
   - credentials.authenticator.OTP
   - requestID: Request ID received in the output of the Secure Channel message generation request.
Use the Visual Codes service to generate Cronto images or QR codes
With OneSpan Cloud Authentication you can integrate the Visual Codes service in your client applications. The application can then generate a Cronto image or a QR code with a cleartext or encoded message embedded in it. The visualcodes interface allows clients to render a visual code and get raw access to the image URL if the following parameters have been specified:
- Message. A hexadecimal encoded message that is to be embedded in the image.
- Format. The output format of the returned image (Cronto image or QR code).
- Image size. The image size of the returned image.
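The login sequence and the Visual Codes parameters described above, sketched as client-side orchestration. This is an added example, not OneSpan code: the `send` transport, the response keys `requestMessage` and `requestID`, the render field names `message`, `format` and `imageSize`, and the sample format and size values are assumptions to be replaced with the names from the API reference.

```python
import time

CHALLENGE_TTL = 180  # default Secure Channel timeout from the page, in seconds


class ChallengeExpired(Exception):
    pass


class SecureChannelLogin:
    """One login attempt. `send(method, path, body)` is a caller-supplied
    transport returning the decoded JSON response (hypothetical helper)."""

    def __init__(self, send, user, clock=time.monotonic):
        self.send, self.user, self.clock = send, user, clock
        self.request_id = self.issued_at = None

    def start(self, crypto_app_name=None, image_format="CRONTO", image_size=6):
        # cryptoAppName is optional; format and size defaults are constructed values.
        body = {} if crypto_app_name is None else {"cryptoAppName": crypto_app_name}
        resp = self.send("POST", f"/users/{self.user}/generate-secure-challenge", body)
        message = resp["requestMessage"]     # assumed response field name
        bytes.fromhex(message)               # render needs a hex-encoded message
        self.request_id = resp["requestID"]  # assumed response field name
        self.issued_at = self.clock()
        # Assumed field names for the Message, Format and Image size parameters.
        return self.send("POST", "/visualcodes/render",
                         {"message": message, "format": image_format,
                          "imageSize": image_size})

    def login(self, otp):
        if self.request_id is None:
            raise RuntimeError("no pending Secure Channel challenge")
        # Client-side choice in this example: one login attempt per challenge.
        request_id, self.request_id = self.request_id, None
        if self.clock() - self.issued_at > CHALLENGE_TTL:
            raise ChallengeExpired("challenge older than 180 s; request a new one")
        payload = {"objecttype": "LoginInput",  # payload fields as listed on the page
                   "credentials": {"authenticator": {"OTP": otp}},
                   "requestID": request_id}
        return self.send("POST", f"/users/{self.user}/login", payload)
```

The platform enforces the timeout itself; the local check only avoids submitting an OTP for a challenge that is already known to be stale.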
Use Cronto authenticator to generate Cronto images or QR codes
With OneSpan Cloud Authentication you can implement the functionality to support the use of a Cronto authenticator for user authentication and transaction signature validation. The Cronto authenticator scans a Cronto image or QR code and generates a signature for authentication purposes. OneSpan Cloud Authentication supports the following use cases:
- User registration and Cronto authenticator activation. If a valid authenticator license is available, a user can register a Cronto authenticator through the User Registration service and activate the authenticator.
- Login. If the user has successfully registered and activated a Cronto authenticator associated with them, the user can log in with an OTP generated by their Cronto authenticator.
- Signature validation. If the user has successfully registered and activated a Cronto authenticator associated with them, the user can perform a transaction validation with the signature code generated by their Cronto authenticator.