Scan and login is an authentication process in which users are presented with a Cronto image, scan that image, and complete authentication on their mobile device, either with Mobile Authenticator Studio 5 or with a proprietary mobile application that integrates OneSpan Mobile Security Suite.
The typical scan and login authentication process is as follows:
- The user initiates a user logon process in the business application, e.g. a banking website, providing at least a user ID.
- The web application sends a respective request to the connected OneSpan Authentication Server instance via SOAP (getSecureChallenge).
- The business application generates a Cronto image based on the challenge key using the Image Generator SDK.
- The business application calls authUser via SOAP. OneSpan Authentication Server blocks and waits until the request is either approved or canceled by the end user, but at most until the authentication timeout configured in the policy settings expires.
- On the mobile device, the user scans the Cronto image.
- On the mobile device, the Mobile Authenticator Studio app retrieves the secure challenge (by invoking getPreparedSecureChallenge via DIGIPASS Gateway) and displays it for the user to verify.
- On the mobile device, the user either confirms the logon attempt or cancels it. The Mobile Authenticator Studio app calls authUser or cancelAuthUser, respectively (via DIGIPASS Gateway).
- OneSpan Authentication Server resumes the initial authUser thread and returns the result to the business application.
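The following simulation is added here as an illustration of the flow above; it is not OneSpan's code and does not call the real SOAP API. It models the server-side state that makes the flow work: one pending logon per challenge key, a blocking authUser call from the business application that resumes only when the mobile side approves, cancels, or the policy timeout expires, and a challenge that can only be answered once and only for the user it was issued to. The class and method names (AuthServerModel, run_logon, timeout_s) are assumptions of the model.

```python
import secrets
import threading
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Pending:
    user_id: str
    decision: Optional[str] = None                 # "approved" / "canceled" once the mobile app answers
    event: threading.Event = field(default_factory=threading.Event)


class AuthServerModel:
    """Toy model (not OneSpan's implementation) of the server-side scan-and-login state."""

    def __init__(self, timeout_s: float):
        self.timeout_s = timeout_s                 # stands in for the policy's authentication timeout
        self.pending: Dict[str, Pending] = {}
        self.lock = threading.Lock()

    def get_secure_challenge(self, user_id: str) -> str:
        key = secrets.token_hex(16)                # unguessable key, later encoded into the Cronto image
        with self.lock:
            self.pending[key] = Pending(user_id)
        return key

    def auth_user(self, key: str) -> str:
        """Business-application side: blocks until the mobile app answers or the timeout expires."""
        with self.lock:
            p = self.pending.get(key)
        if p is None:
            return "unknown_challenge"
        finished = p.event.wait(self.timeout_s)
        with self.lock:
            self.pending.pop(key, None)            # one-shot: the key is consumed whatever the outcome
        return p.decision if finished else "timeout"

    def _resolve(self, key: str, user_id: str, decision: str) -> bool:
        with self.lock:
            p = self.pending.get(key)
            if p is None or p.user_id != user_id or p.decision is not None:
                return False                       # unknown, expired, already answered, or wrong user
            p.decision = decision
            p.event.set()                          # wakes the waiting auth_user thread
            return True

    def mobile_auth_user(self, key: str, user_id: str) -> bool:
        return self._resolve(key, user_id, "approved")

    def mobile_cancel_auth_user(self, key: str, user_id: str) -> bool:
        return self._resolve(key, user_id, "canceled")


def run_logon(server: AuthServerModel, user_id: str,
              mobile_action: Optional[Callable], delay: float = 0.05) -> str:
    """One round: web app requests a challenge and blocks; the mobile app answers after a delay."""
    key = server.get_secure_challenge(user_id)
    if mobile_action is not None:
        threading.Timer(delay, mobile_action, args=(server, key, user_id)).start()
    return server.auth_user(key)
```

The fourth case in the test shows why the key must be bound to the user who started the logon: an answer for a different user is ignored and the original call simply times out.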