August Release – 22.R3
  • 22 Oct 2024

New features and enhancements—supported use cases

FIDO UAF onboarding for Sandbox and Production environments

The FIDO UAF onboarding process is now available on the OneSpan Community Portal for OneSpan Cloud Authentication.

For more information on FIDO UAF onboarding, see FIDO UAF onboarding in the Sandbox and Production environments.

Deletion of a OneSpan Trusted Identity platform user

When a OneSpan Trusted Identity platform user is deleted, all FIDO-relevant user data associated with this account is also deleted. This prevents old user data from being reused if the user is reactivated in a future instance.

Data fields for FIDO UAF channel binding now supported by the OneSpan Trusted Identity platform API

The OneSpan Trusted Identity platform API now supports the following data fields for FIDO UAF channel binding:

  • cidPublicKey

  • tlsUnique

The following FIDO-based endpoints are impacted by this enhancement:

Data fields for FIDO2 token binding now supported by the OneSpan Trusted Identity platform API

The OneSpan Trusted Identity platform API now supports the tokenBinding data field for FIDO2 token binding.

The following FIDO-based endpoints are impacted by this enhancement:

Decrypt information message

OneSpan Cloud Authentication now supports decrypting the body of a Secure Channel information message via the REST API. With the Decrypt Information Message feature, you can decrypt the body of a Secure Channel information message that is encrypted with the payload key of an instance of a multi-device licensing (MDL) authenticator.

  • Decrypt information message endpoint. A new endpoint has been added for this decrypting operation:

    POST /authenticators/{serialNumber}/decrypt-information-message

    This endpoint accepts informationMessage as payload.

    The following responses are included:

    • 200: Decrypted information message.

    • 400: The input is invalid.

    • 404: Authenticator not found.

    • 409: Failed to decode information message.

    • 500: Unexpected server error.

For more information, refer to Decrypt an Information Message Body.

Authenticator activation reset

With the new Reset Activation feature, OneSpan Cloud Authentication now supports resetting the activation information of an authenticator via the OneSpan Trusted Identity platform API.

For authenticators that are compliant with standard activation, i.e. single-device licensing (SDL), the following parameters are reset:

  • Activation count

  • Activation locations

  • Last activation date/time

For authenticators compliant with multi-device licensing (MDL) activation, the following parameters are reset:

  • Provisioning activation count

  • Activation challenge

  • Last activation date/time

For MDL-compliant authenticators, this reset operation does not decrease the activation count (i.e. the number of activated instances), but resets the number of activations.

  • Reset activation endpoint. A new endpoint has been added for this reset operation:

    POST /authenticators/{serialNumber}/reset-activation

    The following responses are included:

    • 200: Reset activation completed successfully.

    • 400: The input is invalid.

    • 404: Authenticator not found.

    • 409: Failed to reset the activation.

    • 500: Unexpected server error.

For more information, refer to Reset Authenticator Activation Information.

New options to query and/or update user information

OneSpan Cloud Authentication now offers new options to query and/or update user information. The following fields have been adapted and can now be used to query user information:

  • hasAuthenticatorAssigned

  • expired

  • disabled

  • lastAuthentication

  • lastAuthenticationRequest

  • maxDaysBetweenAuthentications

    You can use this field to query and update user information based on the user's interval between authentications.

hasAdminPrivileges field now supported in OneSpan Cloud Authentication

OneSpan Cloud Authentication now supports the hasAdminPrivileges field for the following OneSpan Trusted Identity platform API endpoints:

You can now query a user based on the hasAdminPrivileges field in OneSpan Cloud Authentication.

Fixes and other changes

Issue OAS-12509: Performance bottleneck in OneSpan Cloud Authentication web services

In OneSpan Cloud Authentication, the SOAP client library for the common Java web services exhibits a bottleneck. This results in poor performance when many users are simultaneously trying to call the same service. To improve performance for users during high-traffic spikes, a new library is used.

Status: With the new library already in place, a higher number of simultaneous requests can now be handled without performance impairments for the following scenarios:

  • User authentication and login

  • Transaction validation

  • Time synchronization between OneSpan Trusted Identity platform (i.e. host) and authenticator

  • Orchestration SDK processing

  • General improvement on internal processing operations (e.g. administration sessions)

Issue OAS-12661: Incorrect behavior when deregistering the FIDO UAF authenticator via AAID

When deregistering a FIDO UAF authenticator only via the Authenticator Attestation ID (AAID), the response received from the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint contains the list of all deregistered key IDs. Because the KeyID in the response should be empty, the certification tool reports a problem with the KeyID validation.

Status: This issue has been fixed. In addition, the behavior of the deregistration endpoint has been updated to also include the option to deregister the FIDO UAF authenticator using the AAID and KeyID.

Issue OAS-12798: FIDO2 Sample Relying Party Web App not behaving correctly when authenticating with Android phone

The FIDO2 Sample Relying Party Web App does not behave correctly during authentication with an Android phone as the assigned FIDO2 authenticator.

Status: This issue has been fixed. The FIDO2 Server did not correctly handle the case when the userHandle property was null, which caused the authentication attempt to fail.
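
The null userHandle case described above, as an added example (not OneSpan's code): a relying-party ownership check that follows the WebAuthn rule that userHandle is mandatory only when the user was not identified before the ceremony. The function name, the credential store and all sample values are hypothetical.

```javascript
// Added example: owner resolution for a WebAuthn assertion whose userHandle may be null.
// The credential store and every identifier below are constructed for illustration.

// credentialId -> user handle of the owning account (constructed sample data)
const credentialOwners = new Map([
  ["cred-android-01", "uh-alice"],
  ["cred-key-02", "uh-bob"],
]);

/**
 * Returns the user handle of the account that owns the asserted credential,
 * or throws if ownership cannot be established.
 *
 * assertion:      { credentialId, userHandle }, userHandle may be null or undefined
 * identifiedUser: user handle known before the ceremony (username-first flow), or null
 */
function resolveAssertionUser(assertion, identifiedUser, owners = credentialOwners) {
  const owner = owners.get(assertion.credentialId);
  if (owner === undefined) {
    throw new Error("unknown credential");
  }
  const handle = assertion.userHandle ?? null; // treat undefined and null alike
  const expected = identifiedUser ?? null;

  if (expected !== null) {
    // User was identified up front: the credential must belong to that account.
    if (owner !== expected) {
      throw new Error("credential not owned by user");
    }
    // A null userHandle is valid here; only a present one has to match.
    if (handle !== null && handle !== expected) {
      throw new Error("userHandle mismatch");
    }
    return owner;
  }

  // No prior identification (discoverable-credential flow): userHandle is required.
  if (handle === null) {
    throw new Error("userHandle required");
  }
  if (handle !== owner) {
    throw new Error("userHandle mismatch");
  }
  return owner;
}
```
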

Issue OAS-13223 (Support Case INC0010680): User registration error without optional static password

An error occurs when calling the POST /users/register endpoint. Attempts to register an additional authenticator without including a static password result in the following error: User registration failed: Initial static password not set.

Status: This issue has been fixed. It is now possible to use this endpoint multiple times to start the registration of a new authenticator.

Once a registration call has been made with a password, that password will then be required for all subsequent registration calls (as long as the password has not been reset).

Orchestration SDK—supported versions

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

  • 5.5.1

  • 5.4.4

  • 5.4.2

  • 5.4.0

  • 5.3.1

  • 5.3.0

  • 5.2.0

  • 5.0.2

  • 4.24.4

  • 4.24.2

  • 4.23.0

  • 4.21.1

  • 4.20.2

  • 4.19.3

