Intelligent Adaptive Authentication November Release – 23.R2
  • 21 Oct 2024


Deprecated or removed components and services

SOAP interface: end of support

As of December 31, 2023, OneSpan will end support for the SOAP interface in Intelligent Adaptive Authentication.

We recommend customers who are using Intelligent Adaptive Authentication with SOAP to switch to the standard REST interface.

Removal of services

In August Release – 22.R3 (see August Release – 22.R3) and November Release – 23.R2 (see November Release – 23.R2), we announced the deprecation and removal of a number of services, including the endpoints they provide.

The services and endpoints listed below have now been removed from the OneSpan Trusted Identity platform API. For a full list of removed services, see Deprecated or removed components and services.

For every removed service, a replacement is already available in the OneSpan Trusted Identity platform API.

Removal of services

In August Release – 22.R3 (see August Release – 22.R3) we announced the deprecation of a number of services, including the endpoints they provide.

The services and endpoints listed below will be removed from Intelligent Adaptive Authentication with the next version. We recommend that customers who use any of these services and endpoints migrate to the OneSpan Trusted Identity platform API before December 31, 2023!

For every removed service, a replacement is already available in the OneSpan Trusted Identity platform API.

In the Adaptive Authentication API Reference service API, the following services will be removed:

  • userregister (v1)

  • login (v2)

  • checksessionstatus (v2)

  • transaction (v2)

  • eventvalidation (v2)

  • checkactivationstatus (v1)

  • userunregister (v1)

  • user-management (v1)

  • authenticator-management (v1)

  • authenticator-provisioning (v1)

  • visualcode (v1)

In the Risk Analytics API Reference service API, the following services will be removed:

  • eventvalidation (v2)

  • transaction (v2)

  • bulkfile-upload (v1)

The following standalone services which are not part of a service API will also be removed:

  • eventvalidation (v1)

  • login (v1)

  • transaction (v1)

  • checksessionstatus (v1)

  • fido-metadata

New features and enhancements—supported use cases

Third-party licenses

For information on third-party dependencies associated with Intelligent Adaptive Authentication, see Third-party licenses and Third-party notices.

New policy: TID Activation for Multi-Device Licensing

A new policy, TID Activation for Multi-Device Licensing, has been added to facilitate activating an authenticator instance in multi-device licensing (MDL) mode. This policy provides settings that allow the activation of all types of authenticators and/or authenticator instance types. It completes the authenticator provisioning by validating a signature generated by the newly activated authenticator instance.

For more information, see TID Activation for Multi-Device Licensing (Policy).

Also, a new field, dp_types, has been added to the TID Provisioning for Multi-Device Licensing policy. With this field you can indicate which authenticator types are permitted. For more information, see TID Provisioning for Multi-Device Licensing (Policy).

FIDO2 Bank Demo Web App

The FIDO2 Bank Demo Web App is a stand-alone component hosted in the Sandbox environment that allows you to test and simulate basic capabilities of the FIDO2 ceremonies.

Once FIDO2 has been enabled, you can access the FIDO2 Bank Demo Web App via https://yourtenant.sdb.tid.onespan.cloud/v1/mybank-fido.

For more information about the FIDO2 Bank Demo Web App, see FIDO2 Bank Demo Web App.

For more information on the FIDO2 Bank Demo Web App interaction with the web browser and the OneSpan Trusted Identity platform API, see Test User Registration with the FIDO2 Bank Demo Web App and Test User Authentication with the FIDO2 Bank Demo Web App. The code samples demonstrate how to use the WebAuthn API for the registration and authentication flows.

For more information on FIDO2 onboarding for the Sandbox environment, see FIDO2 onboarding in the Sandbox environment.

Check user account existence

Intelligent Adaptive Authentication now supports the option to check if a user account exists in OneSpan Trusted Identity platform. This basic check enables you to verify the existence of an account without the need to fetch any additional details about this user.

A new endpoint has been added for this operation:

HEAD /users/{userId@domain}

The responses include:

  • 204: User account exists.

  • 400: The input is invalid.

  • 403: The command is prohibited for the tenant admin account.

  • 404: User account not found.

  • 500: Internal error (sub-service failure or server crash).
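A small client for the existence check described above, added here as an example and not part of the OneSpan documentation or API. It assumes the Sandbox host pattern shown later on this page, a bearer-token Authorization header (an assumption about tenant authentication), and an injectable connection so the status-code handling can be exercised offline; since a HEAD response has no body, the status code is the entire answer.

```python
import http.client
import urllib.parse

# Assumed tenant host; constructed placeholder, not a real tenant.
TENANT_HOST = "yourtenant.sdb.tid.onespan.cloud"


class UserLookupError(Exception):
    """Raised for any status other than 204/404 on the existence check."""


def user_exists_path(user_id, domain):
    """Build the path for HEAD /users/{userId@domain}, percent-encoding
    everything except the '@' separator the endpoint expects."""
    return "/users/" + urllib.parse.quote(f"{user_id}@{domain}", safe="@")


def interpret_status(status):
    """Map the documented HEAD responses to a boolean or an error."""
    if status == 204:
        return True          # user account exists
    if status == 404:
        return False         # user account not found
    reasons = {
        400: "invalid input",
        403: "prohibited for the tenant admin account",
        500: "internal error / sub-service failure",
    }
    raise UserLookupError(f"HTTP {status}: {reasons.get(status, 'unexpected status')}")


def user_exists(user_id, domain, conn=None, token=None):
    """Perform the check. `conn` is injectable (any object with request()
    and getresponse()) so the logic can be tested without network access.
    The bearer-token header is an assumption, not documented on this page."""
    conn = conn or http.client.HTTPSConnection(TENANT_HOST)
    headers = {"Authorization": f"Bearer {token}"} if token else {}
    conn.request("HEAD", user_exists_path(user_id, domain), headers=headers)
    resp = conn.getresponse()
    resp.read()  # drain the (empty) body so the connection can be reused
    return interpret_status(resp.status)
```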

Improved communication between Intelligent Adaptive Authentication web services

The internal communication between the Intelligent Adaptive Authentication web services has been improved, resulting in reduced communication and response times.

Fixes and other changes

Issues OAS-16263, OAS-16443, OAS-16822—OAS-16826, OAS-17246, OAS-17375, OAS-18015, and OAS-18195: Fixed vulnerabilities

This version of Intelligent Adaptive Authentication contains fixes for the following vulnerabilities:

  • CVE-2023-29491 (ncurses vulnerability)

  • CVE-2023-23914 (Curl vulnerability)

  • CVE-2023-20873 (Spring Boot vulnerability)

  • CVE-2023-20862 (Spring Security vulnerability)

  • CVE-2023-20860 (Spring Framework vulnerability)

  • CVE-2023-1436 (Jettison vulnerability)

  • CVE-2023-1370 (JSON vulnerability)

  • CVE-2023-0464 (OpenSSL vulnerability)

  • CVE-2023-0286 (OpenSSL vulnerability)

  • CVE-2023-0215 (OpenSSL vulnerability)

  • CVE-2022-41853 (HyperSQL vulnerability)

  • CVE-2022-31692 (Spring Security vulnerability)

  • CVE-2022-31197 (PostgreSQL vulnerability)

  • CVE-2022-25647 (Gson vulnerability)

  • CVE-2022-23221 (H2 vulnerability)

  • CVE-2022-22978 (Spring Security vulnerability)

  • CVE-2022-22971 (Spring framework vulnerability)

  • CVE-2022-22970 (Spring framework vulnerability)

  • CVE-2022-22968 (Spring framework vulnerability)

  • CVE-2022-4450 (OpenSSL vulnerability)

  • CVE-2022-1471 (SnakeYaml vulnerability)

  • CVE-2021-46848 (GNU Libtasn1 vulnerability)

  • CVE-2021-42392 (H2 vulnerability)

  • CVE-2021-36159 (libfetch vulnerability)

  • CVE-2020-11612 (zlib vulnerability)

  • CVE-2018-1000873 (Fasterxml Jackson vulnerability)

  • CVE-2016-1000344 (Bouncy Castle vulnerability)

Issue OAS-16295: authenticatorAttachment field no longer has default value

When no authenticator attachment is provided in OneSpan Trusted Identity platform for the FIDO2 Sample Relying Party Web App, the client app automatically selects platform as the default option.

Status: This issue has been fixed. The authenticatorAttachment field for the POST /users/{userID@domain}/generate-fido-registration-request endpoint no longer has a default value. If this field is not provided, the client app will then select all platform and cross-platform authenticators that are allowed.

Issue OAS-16395 (Support Case INC0011585): Data validation in the Checkevent service

The Checkevent service does not validate application data.

Status: This issue has been fixed. The Checkevent service has been enhanced to check if application data is present on the check mobile event input.

Issue OAS-16704: Orchestration error messages (Documentation)

When integrating orchestration with Intelligent Adaptive Authentication, it was difficult to correctly handle error messages that originated from the cloud web services. The error messages that were provided were unclear.

Status: This issue has been fixed. A list of relevant error messages for orchestration has been added to the Intelligent Adaptive Authentication Integration Guide. See Error Handling in Orchestration for this list.

Issue OAS-17129: Data store entries deleted during update

The method used to update a data store entry causes the library to delete the entry before recreating it. This results in short periods where the relevant record is not available and leads to unexpected errors for certain flows. Instead of a valid entry, the users receive a 404 Element_NOT_FOUND error.

Status: This issue has been fixed. The data store is now updated with a different method.

Issue OAS-17217 (Support Case CS0121382): CORS issue for authenticator provisioning in the Sandbox environment

When the POST /registrations/{registrationID}/add-device endpoint is called with an HTTP OPTIONS request method, a CORS (Cross-Origin Resource Sharing) error 403 occurs, preventing the user from sending requests to this API endpoint.

Status: This issue has been fixed. The endpoint has been adapted to include the access control headers in its response.

Issue OAS-17335: Grace period does not expire after MDL activation

In previous versions, the grace period of an authenticator (instance) only expired automatically after a successful authentication with a one-time password (OTP) but not after a multi-device licensing (MDL) activation.

Status: This issue has been fixed. Now, the grace period automatically expires after the user authenticates with an OTP, or activates an authenticator in MDL mode using either an OTP or a signature validation, since all of these indicate that the authenticator has been correctly activated and is working properly.

Issue OAS-17340 (Support Case INC0011794): Incorrect information in the TID OpenAPI definition

The OpenAPI definition of the TID GET /users endpoint contains the following incorrect information:

  • The UserOutput object incorrectly specifies that the lastPasswordUpdate and mdcProfile fields are required.

  • The response of the GET /users endpoint was incorrectly wrapped in an array.

Status: This issue has been fixed.

Issue OAS-17501 (Support Case INC0011984): Incorrect default timeout for Secure Channel-based authentication and transaction data signing operations

The default timeout for the Secure Channel-based authentication and transaction data signing operations in Intelligent Adaptive Authentication is incorrectly set to 60 seconds.

Status: This issue has been fixed. The default timeout for the Secure Channel-based authentication and transaction data signing operations is now set to 180 seconds.

Contact OneSpan Support if you need to change this configuration.

Issue OAS-17617 (Support Case CHG0032270): Manual changes to policy parameters not updated after redeploying Intelligent Adaptive Authentication

The manual changes for the policy values regarding the minimum lock duration, lock duration multiplier, and the maximum unlock tries are not updated or reset to default values after Intelligent Adaptive Authentication is redeployed.

Status: This issue has been fixed. Additional fields for these policy values have been added to the relevant Intelligent Adaptive Authentication microservice. With this, after Intelligent Adaptive Authentication is redeployed, these fields are updated to the values configured for the customer, or reset to their default values.

Known issues

Issue OAS-15853: Incorrect error message when transaction amount fields are provided as data type number

The POST /users/{userID@domain}/transactions/validate endpoint returns an incorrect error message if the transaction amount field is provided as the data type number and the transaction amount is large. In this case, the endpoint should return the error message "Invalid value type", because the transaction amount field was provided as a number and not as a String. Instead, it returns the incorrect error message "Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,".

Solution: The transaction amount fields in the request body of the transactions/validate endpoint need to be provided as a String. Ensure that the value in the JSON request body is wrapped in double quotes.
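The following is an added example (not OneSpan code) of building a request body for the transactions/validate endpoint so that the amount is always sent as a JSON string that matches the pattern quoted in the error message above. It rejects floats, because large float values serialise in exponent notation and would trip the misleading error; the non-amount field names are assumptions for illustration only.

```python
import json
import re
from decimal import Decimal, InvalidOperation

# Pattern quoted in the error message above (its stray leading "-" dropped).
AMOUNT_PATTERN = re.compile(r"^-?[0-9]{1,20}(\.[0-9]{1,3})?$")


class AmountFormatError(ValueError):
    """Raised when an amount cannot be rendered in the form the endpoint accepts."""


def format_amount(value):
    """Render a transaction amount as the String the endpoint expects.
    Accepts Decimal, int or str. Floats are refused: a large float such as
    1e21 serialises as '1e+21', which does not match the pattern."""
    if isinstance(value, float):
        raise AmountFormatError("pass amounts as Decimal, int or str, not float")
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        raise AmountFormatError(f"not a number: {value!r}")
    text = format(amount, "f")  # plain notation, never exponent form
    if not AMOUNT_PATTERN.match(text):
        raise AmountFormatError(f"amount {text} does not match {AMOUNT_PATTERN.pattern}")
    return text


def build_validate_body(amount, currency, account_ref):
    """JSON request body for POST /users/{userID@domain}/transactions/validate.
    The 'currency' and 'accountRef' keys are illustrative assumptions."""
    return json.dumps({
        "amount": format_amount(amount),  # a JSON string, never a number
        "currency": currency,
        "accountRef": account_ref,
    })
```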

Orchestration SDK—supported versions

Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:

  • 5.7.0

  • 5.5.1

  • 5.4.4

  • 5.4.2

  • 5.4.0

  • 5.3.1

  • 5.3.0

  • 5.2.0

  • 5.0.2

  • 4.24.4

  • 4.24.2

  • 4.23.0

  • 4.21.1

