You can provide signature validation where users are presented with a Cronto image, scan that image, and complete signature validation on their mobile device. This process is called scan and sign. It requires Mobile Authenticator Studio 5.
Workflow
The user initiates a transaction data signing process in the business application, e.g. a banking website.
The business application calls genRequest and receives a request key (SIGNFLD_REQUEST_KEY).
The request needs to trigger the scan and sign workflow by setting the SIGNFLD_AUTH_TYPE attribute to SCAN.
The business application generates a Cronto image based on SIGNFLD_REQUEST_KEY using the Image Generator SDK.
The business application calls authSignatureRequest with at least the following input:
componentType
requestKey (as returned by genRequest)
userID
OneSpan Authentication Server blocks and waits until the end user either approves or cancels the request, or until the signature validation timeout configured in the policy settings expires, whichever comes first.
On the mobile device, the user scans the Cronto image.
On the mobile device, the Mobile Authenticator Studio app retrieves the prepared signature request (by invoking getPreparedSignatureRequest via DIGIPASS Gateway) and displays it for the user to verify.
On the mobile device, the user either confirms the transaction or cancels it. The Mobile Authenticator Studio app calls authSignature or cancelAuthSignatureRequest with SIGNFLD_REQUEST_KEY, respectively (via DIGIPASS Gateway).
OneSpan Authentication Server resumes the initial authSignatureRequest thread and returns the result to the business application.
Scan and sign requests
This is an example of the first genRequest request sent by the business application.
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <sig:genRequest xmlns:sig="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Signature"
                    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <attributeSet>
        <attributes>
          <value xsi:type="xsd:string">user</value>
          <attributeID>SIGNFLD_USERID</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">Client</value>
          <attributeID>SIGNFLD_COMPONENT_TYPE</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">Transaction</value>
          <attributeID>SIGNFLD_TRANSACTION_TITLE</attributeID>
        </attributes>
        <attributes>
          <value xsi:type="xsd:string">SCAN</value>
          <attributeID>SIGNFLD_AUTH_TYPE</attributeID>
        </attributes>
      </attributeSet>
      <dataFieldList>
        <dataField>
          <key>A</key>
          <value>valueA</value>
        </dataField>
        <dataField>
          <key>B</key>
          <value>valueB</value>
        </dataField>
        ...
      </dataFieldList>
    </sig:genRequest>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
This is an example of the first blocking authSignatureRequest request sent by the business application.
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Header/>
  <SOAP-ENV:Body>
    <sig:authSignatureRequest xmlns:sig="http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Signature">
      <componentType>Client</componentType>
      <user>
        <userID>user</userID>
      </user>
      <requestKey>1234567890</requestKey>
    </sig:authSignatureRequest>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
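The following is an added example, not code from the OneSpan documentation or SDK. It shows one way a business application could build the two envelopes above with the Python standard library, so that transaction data fields are escaped by the XML serializer instead of being concatenated into the request, and what the user signs matches what the application submitted. The function names and sample values are assumptions; element names, namespaces and attribute IDs are taken from the examples above.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SIG_NS = "http://www.vasco.com/IdentikeyServer/IdentikeyTypes/Signature"
XSD_NS = "http://www.w3.org/2001/XMLSchema"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
for prefix, uri in (("SOAP-ENV", SOAP_NS), ("sig", SIG_NS), ("xsi", XSI_NS)):
    ET.register_namespace(prefix, uri)

def _envelope(command):
    """Return (envelope, command element) for a sig:<command> call."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    return env, ET.SubElement(body, f"{{{SIG_NS}}}{command}")

def build_gen_request(user_id, component_type, title, data_fields):
    """Build the genRequest envelope; data_fields is a list of (key, value)."""
    env, cmd = _envelope("genRequest")
    # "xsd" occurs only inside attribute values, so it is declared by hand.
    cmd.set("xmlns:xsd", XSD_NS)
    attribute_set = ET.SubElement(cmd, "attributeSet")
    for attr_id, text in (
        ("SIGNFLD_USERID", user_id),
        ("SIGNFLD_COMPONENT_TYPE", component_type),
        ("SIGNFLD_TRANSACTION_TITLE", title),
        ("SIGNFLD_AUTH_TYPE", "SCAN"),  # triggers the scan and sign workflow
    ):
        attrs = ET.SubElement(attribute_set, "attributes")
        ET.SubElement(attrs, "value", {f"{{{XSI_NS}}}type": "xsd:string"}).text = text
        ET.SubElement(attrs, "attributeID").text = attr_id
    field_list = ET.SubElement(cmd, "dataFieldList")
    for key, val in data_fields:
        field = ET.SubElement(field_list, "dataField")
        ET.SubElement(field, "key").text = key
        ET.SubElement(field, "value").text = val  # serializer escapes & < >
    return ET.tostring(env, encoding="unicode")

def build_auth_signature_request(user_id, component_type, request_key):
    """Build the blocking authSignatureRequest envelope."""
    env, cmd = _envelope("authSignatureRequest")
    ET.SubElement(cmd, "componentType").text = component_type
    ET.SubElement(ET.SubElement(cmd, "user"), "userID").text = user_id
    ET.SubElement(cmd, "requestKey").text = request_key
    return ET.tostring(env, encoding="unicode")

def data_fields_of(envelope_xml):
    """Parse an envelope back and return its (key, value) data fields."""
    root = ET.fromstring(envelope_xml)
    return [(f.findtext("key"), f.findtext("value")) for f in root.iter("dataField")]
```

Because authSignatureRequest blocks until the user responds or the signature validation timeout expires, the HTTP client that sends the second envelope needs a read timeout longer than that policy setting.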
For more information about scan and sign on the mobile side, refer to the Mobile Authenticator Studio product documentation.
For more information about the specific OneSpan Authentication Server SOAP commands, refer to the OneSpan Authentication Server SDK SOAP Reference.