- 29 Oct 2024
October 2021
- Updated on 29 Oct 2024
New features and enhancements—supported use cases
FIDO metadata
Intelligent Adaptive Authentication now supports FIDO Metadata Service 3.0.
For more information about FIDO metadata, refer to the FIDO Alliance documentation.
User-initiated authenticator time synchronization
If a user's hardware authenticator is out of sync, they can now initiate time synchronization for their authenticator. All OneSpan authenticators that can be out of sync, both time- and event-based, support this new feature.
Authenticator endpoint. A new endpoint has been added to allow user-controlled time synchronization:
POST /users/{userID@domain}/sync-authenticator
This endpoint accepts SyncAuthenticatorInput as payload.
The following failure responses are included:
400: The input is invalid.
403: The command is prohibited for the tenant admin account.
404: The user was not found.
409: Conflict error.
500: Unexpected server error.
For more information about this feature and integration instructions, see Intelligent Adaptive Authentication Integration Guide.
Customize delivery method of virtual OTP
It is now possible to customize how the virtual one-time password (OTP) is delivered to the user (e.g. use your own gateway or another special, customized communication channel). A new channel is available which makes it possible to receive the OTP in the request response session. To ensure the generated virtual OTP is never returned directly to the user, it is stored inside a session that is to be queried separately.
Mild security risk
When you use this feature, the OTP is returned in the same session in which it was requested. Because this poses a mild security risk, treat the virtual OTP as sensitive data. Make sure the data is transmitted via a different secure channel than the one in which it was requested (e.g. an SMS sent to a different device than the one from which the request was sent).
Enabling this feature does not deactivate the original delivery method for virtual OTPs! The custom delivery has to be requested in the request payload on a per-request basis.
The following endpoints have been extended:
POST /authenticators/{serialNumber}/applications/{applName}/generate-votp
Accepted payload: GenerateVOTPOutput.
POST /users/{userID@domain}/login
The delivery of the virtual OTP is triggered upon user request and when the keyword session is sent via the votpDeliveryOverride field of the AdaptiveLoginInput payload (without providing the credentials fields).
The response will be 200 OK. The following payloads are accepted:
AdaptiveLoginInput
LoginOutput, with the following fields and values:
sessionStatus, with the value pending
riskResponseCode, with an integer value
requestID, with a generated value, e.g. 47543e06-1c11-49b8-94ed-d9501f7fd3f2
POST /users/{userID@domain}/events/validate
Accepted payloads:
AdaptiveEventValidationInput
eventType, with the value LoginAttempt
For more detailed information on how to integrate this feature, see Integrating user login and event validation via notification.
Use of this feature is optional; it is not provided by default. Contact OneSpan Support to activate this feature. Once enabled, the virtual OTP will be delivered with the same method for all tenants that are grouped in the same authentication service deployment as the one where this feature has been enabled.
Fixes and other changes
Issue OAS-9793 (Support Case CS0042742): Cronto image rendering fails for orchestration command
The orchestration command that is returned by the POST /users/{userID@domain}/login endpoint cannot be rendered by the POST /visualcodes/render endpoint.
Status: This issue has been fixed.
Issue OAS-9932: FIDO timeout configuration
The Fido2RequestTimeout (FIDO2) and JwtTokenTimeout (FIDO UAF) timeout parameters now have a default value set to 10 seconds in the respective FIDO tenant configuration.
For more information, see Standard FIDO Settings for the Sandbox Environment.
Contact OneSpan Support if you need to change this configuration.
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
5.4.2
5.4.1
5.4.0
5.3.1
5.3.0
5.2.0
5.0.2
4.24.4
4.24.2
4.23.0
4.21.1
4.20.2
4.19.3