Scan and sign is a signature validation process in which users are presented with a Cronto image, scan that image, and complete signature validation on their mobile device, using either Mobile Authenticator Studio 5 or a proprietary mobile application that integrates OneSpan Mobile Security Suite.
The typical scan and sign authentication process is as follows:
1. The user initiates a transaction data signing process in the business application, e.g. a banking website.
2. The web application sends a corresponding request to the connected OneSpan Authentication Server instance via SOAP (genRequest).
3. The business application uses the Image Generator SDK to generate a Cronto image based on the request key received.
4. The business application calls authSignatureRequest via SOAP.
5. OneSpan Authentication Server blocks and waits until the end user either approves or cancels the request, but at most until the signature validation timeout configured in the policy settings expires.
6. On the mobile device, the user scans the Cronto image.
7. On the mobile device, the Mobile Authenticator Studio app retrieves the prepared signature request (by invoking getPreparedSignatureRequest via DIGIPASS Gateway) and displays it for the user to verify.
8. On the mobile device, the user does one of the following:
   - The user confirms the signature request. The mobile application generates a signature and completes the signature request via DIGIPASS Gateway (using authSignature). The signature request is successfully processed and removed from the signature cache.
   - The user cancels the signature request. The mobile application cancels the signature request via DIGIPASS Gateway (using cancelAuthSignatureRequest). The signature request is removed from the signature cache without being completed.
9. OneSpan Authentication Server resumes the initial authSignatureRequest thread and returns the result to the business application.
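The blocking call and the signature cache described in the steps above, modelled as an added Python example; it is not OneSpan code and does not use the OneSpan SOAP API. The class and method names, the HMAC stand-in for the device signature, the "timeout" and "rejected" results and the handling of an expired request are assumptions, and the key and transaction data are constructed.

```python
import concurrent.futures, hashlib, hmac, secrets, threading

def sign(key, tx):  # stand-in for the device signature (assumption: HMAC-SHA256)
    return hmac.new(key, tx.encode(), hashlib.sha256).hexdigest()

class ToyAuthServer:  # toy model with hypothetical names, not the OneSpan SOAP API
    def __init__(self, device_key, timeout_s):
        self.key, self.timeout_s = device_key, timeout_s
        self.cache, self.done, self.result = {}, {}, {}  # cache: pending requests only

    def gen_request(self, tx):  # models genRequest
        rk = secrets.token_hex(8)  # request key the business app puts in the image
        self.cache[rk], self.done[rk] = tx, threading.Event()
        return rk

    def auth_signature_request(self, rk):  # models authSignatureRequest (blocking)
        if not self.done[rk].wait(self.timeout_s):
            self._finish(rk, "timeout")  # assumption: expired requests leave the cache
        self.done[rk].wait()  # immediate unless a device call is finishing right now
        return self.result[rk]

    def get_prepared_signature_request(self, rk):  # models getPreparedSignatureRequest
        return self.cache.get(rk)

    def _finish(self, rk, result):
        if self.cache.pop(rk, None) is None:  # atomic pop: completes at most once
            return False  # unknown, expired or already completed
        self.result[rk] = result
        self.done[rk].set()
        return True

    def auth_signature(self, rk, signature):  # models authSignature
        tx = self.get_prepared_signature_request(rk)
        ok = tx is not None and hmac.compare_digest(signature, sign(self.key, tx))
        # assumption: a bad signature ends the request as "rejected"
        return self._finish(rk, "approved" if ok else "rejected") and ok

    def cancel_auth_signature_request(self, rk):  # models cancelAuthSignatureRequest
        return self._finish(rk, "canceled")

def run_flow(action, timeout_s=0.3):  # action: "confirm", "cancel" or "idle"
    key, tx = b"constructed-device-key", "constructed: pay 100 EUR to ACME"
    srv = ToyAuthServer(key, timeout_s)
    rk = srv.gen_request(tx)
    with concurrent.futures.ThreadPoolExecutor(1) as pool:
        pending = pool.submit(srv.auth_signature_request, rk)  # business app blocks
        if action == "confirm":
            srv.auth_signature(rk, sign(key, srv.get_prepared_signature_request(rk)))
        elif action == "cancel":
            srv.cancel_auth_signature_request(rk)
    return pending.result(), srv.auth_signature(rk, sign(key, tx))  # second: replay
```

`run_flow` returns the result handed back to the business application and the outcome of replaying a valid authSignature afterwards; the replay is refused in every case because the request has already left the cache.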
Additional references
For more information about handling Secure Channel messages, refer to the Secure Messaging SDK Client Integration Guide.
For more information about creating Cronto images, refer to the Image Generator SDK Integration Guide.
For more information about the OneSpan Authentication Server SOAP commands, refer to the OneSpan Authentication Server SDK SOAP Reference.