November Release – 23.R2

As of December 31, 2023, OneSpan will end support for the SOAP interface in OneSpan Cloud Authentication.

We recommend customers who are using OneSpan Cloud Authentication with SOAP to switch to the standard REST interface.

For information on third-party dependencies associated with OneSpan Cloud Authentication, see Third-party licenses and Third-party notices.

A new policy has been added, TID Activation for Multi-Device Licensing to facilitate activating an authenticator instance in multi-device licensing (MDL) mode. This policy provides settings to allow the activation of all types of authenticators and/or authenticator instance types. It completes the authenticator provisioning by validating a signature that is generated by the newly activated authenticator instance.

For more information, see TID Activation for Multi-Device Licensing (Policy).

Also, a new field has been added to the TID Provisioning for Multi-Device Licensing policy, dp_types. With this new field you can indicate which authenticator types are permitted. For more information, see TID Provisioning for Multi-Device Licensing (Policy).

The FIDO2 Bank Demo Web App is a stand-alone component hosted in the Sandbox environment that allows you to test and simulate basic capabilities of the FIDO2 ceremonies.

Once FIDO2 has been enabled, you can access the FIDO2 Bank Demo Web App via https://yourtenant.sdb.tid.onespan.cloud/v1/mybank-fido.

For more information about the FIDO2 Bank Demo Web App, see FIDO2 Bank Demo Web App.

For more information on the FIDO2 Bank Demo Web App interaction with the web browser and the OneSpan Trusted Identity platform API, see Test User Registration with the FIDO2 Bank Demo Web App and Test User Authentication with the FIDO2 Bank Demo Web App. The code samples demonstrate how to use the WebAuthn API for the registration and authentication flows.

For more information on FIDO2 onboarding for the Sandbox environment, see FIDO2 onboarding in the Sandbox environment.

OneSpan Cloud Authentication now supports the option to check if a user account exists in OneSpan Trusted Identity platform. This basic check enables you to verify the existence of an account without the need to fetch any additional details about this user.

Check if a user account exists endpoint. A new endpoint has been added for this operation:

HEAD /users/{userId@domain}

The responses include:

• 204: User account exists.

• 400: The input is invalid.

• 403: The command is prohibited for the tenant admin account.

• 404: User account not found.

• 500: Internal error, sub service failure, server crash.

This version of OneSpan Cloud Authentication contains fixes for the following vulnerabilities:

• CVE-2023-29491 (ncurses vulnerability)

• CVE-2023-23914 (Curl vulnerability)

• CVE-2023-20873 (Spring Boot vulnerability)

• CVE-2023-20862 (Spring Security vulnerability)

• CVE-2023-20860 (Spring Framework vulnerability)

• CVE-2023-1436 (Jettison vulnerability)

• CVE-2023-1370 (JSON vulnerability)

• CVE-2023-0464 (OpenSSL vulnerability)

• CVE-2023-0286 (OpenSSL vulnerability)

• CVE-2023-0215 (OpenSSL vulnerability)

• CVE-2022-41853 (HyperSQL vulnerability)

• CVE-2022-31692 (Spring Security vulnerability)

• CVE-2022-31197 (PostgreSQL vulnerability)

• CVE-2022-25647 (Gson vulnerability)

• CVE-2022-23221 (H2 vulnerability)

• CVE-2022-22978 (Spring Security vulnerability)

• CVE-2022-22971 (Spring framework vulnerability)

• CVE-2022-22970 (Spring framework vulnerability)

• CVE-2022-22968 (Spring framework vulnerability)

• CVE-2022-4450 (OpenSSL vulnerability)

• CVE-2022-1471 (SnakeYaml vulnerability)

• CVE-2021-46848 (GNU Libtasn1 vulnerability)

• CVE-2021-42392 (H2 vulnerability)

• CVE-2021-36159 (libfetch vulnerability)

• CVE-2020-11612 (zlib vulnerability)

• CVE-2018-1000873 (Fasterxml Jackson vulnerability)

• CVE-2016-1000344 (Bouncy Castle vulnerability)

When no authenticator attachment is provided in OneSpan Trusted Identity platform for the FIDO2 Sample Relying Party Web App, the client app automatically selects platform as the default option.

Status: This issue has been fixed. The authenticatorAttachment field for the POST /users/{userID@domain}/generate-fido-registration-request endpoint no longer has a default value. If this field is not provided, the client app will then select all platform and cross-platform authenticators that are allowed.

When integrating orchestration with OneSpan Cloud Authentication, it was difficult to correctly handle error messages that originated from the cloud web services. The error messages that were provided were unclear.

Status: This issue has been fixed. A list of relevant error messages for orchestration has been added to the OneSpan Cloud Authentication Integration Guide. See Error Handling in Orchestration for this list.

The method used to update a data store entry causes the library to delete the entry before recreating it. This results in short periods where the relevant record is not available and leads to unexpected errors for certain flows. Instead of a valid entry, the users receive a 404 Element_NOT_FOUND error.

Status: This issue has been fixed. The data store is now updated with a different method.

When the POST /registrations/{registrationID}/add-device is called with an HTTP OPTIONS request method, a CORS (Cross-Origin Resource Scripting) error 403 occurs, thus preventing the user to send requests to this API endpoint.

Status: This issue has been fixed. The endpoint has been adapted to include access control in the response header.

In previous versions, the grace period of an authenticator (instance) only expired automatically after a successful authentication with a one-time password (OTP) but not after a multi-device licensing (MDL) activation.

Status: This issue has been fixed. Now, the grace period automatically expires after the user authenticates with an OTP, or activates an authenticator in MDL mode using either an OTP or a signature validation, since all of these indicate that the authenticator has been correctly activated and is working properly.

The openAPI definition of the TID GET /users endpoint contains the following incorrect information:

• The UserOutput object incorrectly specifies that the lastPasswordUpdate and mdcProfile fields are required.

• The response of the GET /users endpoint was incorrectly wrapped in an array.

Status: This issue has been fixed.

The default timeout for the Secure Channel-based authentication and transaction data signing operations in OneSpan Cloud Authentication is incorrectly set to 60 seconds.

Status: This issue has been fixed. The default timeout for the Secure Channel-based authentication and transaction data signing operations is now set to 180 seconds.

Contact OneSpan Support if you need to change this configuration.

The manual changes for the policy values regarding the minimum lock duration, lock duration multiplier, and the maximum unlock tries are not updated or reset to default values after OneSpan Cloud Authentication is redeployed.

Status: This issue has been fixed. Additional fields for these policy values have been added to the relevant OneSpan Cloud Authentication microservice. With this, after OneSpan Cloud Authentication is redeployed, these fields are updated to the values configured for the customer, or reset to their default values.

OneSpan Cloud Authentication incorrectly retrieved a virtual one-time password (OTP) that was provided with a custom delivery when the authentication session failed.

Status: This issue has been fixed. OneSpan Cloud Authentication now correctly retrieves the OTP only for successful authentication sessions.

The POST /users/{userID@domain}/transactions/validate endpoint returns an incorrect error message if the transaction amount field is provided from the data type number, and if the transaction amount is large. In this case, the endpoint should return the error message "Invalid value type", because the transaction amount field was provided as a number and not as a String. Instead, it returns the incorrect error message "Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,".

Solution: The transaction amount fields in the request body of the transactions/validate endpoint need to be provided as a String. Ensure that the value in the JSON request body is wrapped in double quotes.

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

• 5.7.0

• 5.5.1

• 5.4.4

• 5.4.2

• 5.4.0

• 5.3.1

• 5.3.0

• 5.2.0

• 5.0.2

• 4.24.4

• 4.24.2

• 4.23.0

• 4.21.1