Integration of Push Notification-Based Authentication

OneSpan Cloud Authentication allows you to integrate Push Notification-based authentication in your solution. You can integrate this functionality for the OneSpan Orchestration SDK or for OneSpan Mobile Authenticator Studio.

In an integration with the OneSpan Orchestration SDK, remote authentication is performed by a trusted device. For more information, see Push Notification-based authentication for the Orchestration SDK.
In an integration with OneSpan Mobile Authenticator Studio, a new Mobile Authenticator Studio application is enabled on a mobile device to authenticate the user. For more information, see Push Notification-based authentication for OneSpan Mobile Authenticator Studio.

Configuration of Push Notification

To configure Push Notification

After configuring your mobile app, you provide the configuration data to OneSpan. This data includes:
- Android: the API keys and / or certificates for Firebase Cloud Messaging (FCM)
- iOS: the certificates and the Bundle ID
You need to generate all the required certificates and provide them to OneSpan. For information how to generate these certificates, refer to the Apple and Android developer documentation.
OneSpan Cloud Authentication uses this data and creates the configuration in the OneSpan Cloud Authentication database. The data is stored under a key referred to as app ID.
The app ID must be set as the name of the mobile app (Mobile Application Name) in your Authentication component domain.
Send a Push Notification. When sending, OneSpan Cloud Authentication uses the app ID that was configured in the domain to retrieve the necessary configuration data. This data is used to contact Google Firebase Cloud Messaging (Android) and APNs (iOS).
Android: the pairing to the ID of the Android application happens exclusively inside the PNS configuration of your Firebase Cloud Messaging account to which you provided the credentials.
iOS: the Bundle ID must be provided to Apple for each request. If the iOS Bundle ID is missing in the mobile app configuration, the app ID configured in the Authentication component is used as Bundle ID.
Once the Push Notification is sent to Google FCM/iOS APNs, the notification delivery to the mobile device (the user) is handled by these services, i.e., the notification is not controlled by OneSpan Cloud Authentication.

Push Notification-based authentication for the Orchestration SDK

Remote authentication is performed by a trusted device where the appropriate protection is selected according to the passkey selection. The following protection options are available:

Device-based
PIN-based
Fingerprint-based

Cloud authentication is done via the Login service and the Trusted Device Command service.

To configure Mobile Security Suite Orchestration SDK for OneSpan Cloud Authentication, the existing passkey field must support one of the following values:
orchestration authentication types: NoPIN, PIN, Fingerprint
The orchestrationDelivery field may support the following values:
pushNotification: the orchestration command must be delivered to the trusted device through Push Notification
requestMessage: the orchestration command must be returned as a request message to the caller
(Optional) The LoginMessage object. This message will overwrite the default message displayed on the trusted device (e.g. Challenge).

For more information about the Orchestration SDK, see the following documents:

Mobile Security Suite Product Guide
Orchestration SDK Integration Guide

OneSpan Cloud Authentication offers two modes to integrate the user login flow, the synchronous and the asynchronous login mode.

Synchronous login mode

The synchronous login mode is the quickest method to integrate the user login flow. The server-side integration of this mode processes several steps.

Diagram illustrating synchronous login flow with push notification.

Sequence of a login operation in synchronous login mode

The back end initiates the login operation by providing the user’s domain, user ID, and the configured keyword to Onespan Cloud Authentication with one of the following values for the Mobile Security Suite Orchestration SDK:
- PIN
- NoPIN
- Fingerprint
The Login service generates a remote authentication request in the form of a secure orchestration message. This message is embedded into a push notification message which is temporarily stored in the queue of pending notifications.
The secure orchestration message with the remote authentication request and an authentication challenge is sent via notification to the trusted device associated with that user.
The client side with the Orchestration SDK sends a response with an authentication signature to the Login service.
The authentication signature is verified and returns the authentication status, including the serial number of the used authenticator.
If the user performs the notification request successfully and signs the authentication request with the appropriate authentication method, the login request is accepted. User login can fail if the notification has not completed successfully.

Integration of the synchronous login mode

The Login service handles the JSON posts to provide login for the users of your web server application. For more information about login input and output data, see POST /users/{userID@domain}/login. To integrate the synchronous login mode, you must specify a timeout value for the login request. This timeout value must be between 1 and 60 seconds.

The Trusted Device Command service handles the command response from the mobile device. On the client side (i.e. the mobile application) the Orchestration SDK generates the trusted device response. For more detailed information, see the Integration Guide in Orchestration SDK.

Asynchronous login mode

In the asynchronous login mode, OneSpan Cloud Authentication provides an additional API to check the session status of the user with the Check Session Status service.

Diagram illustrating asynchronous login flow with push notification.

Sequence of a login operation in asynchronous login mode

The back end initiates the login operation by providing the user’s domain, user ID, and the configured keyword to Onespan Cloud Authentication with one of the following values for the Mobile Security Suite Orchestration SDK:
- PIN
- NoPIN
- Fingerprint
The Login service generates a remote authentication request in the form of a secure orchestration message. This message is embedded into a push notification message which is temporarily stored in the queue of pending notifications.
TID returns a request ID to the Client Web Server
The secure orchestration message with the remote authentication request and an authentication challenge is sent via notification to the trusted device associated with that user.
(Optional) To track the status of the authentication (or login) session, you can now start polling the GET /sessions/{requestID} endpoint. Possible states are:
- Accept
- Decline
- Pending
- Timeout
- Failed
Polling should continue until the session reaches a final state (other than Pending).
At this point you can also verify the status of the push notification delivery in the endpoint output.
The client side with the Orchestration SDK sends a response with an authentication signature to the Login service.
The authentication session is updated with the authentication status, including the serial number of the used authenticator.
The updated status can be queried via the GET /sessions/{requestID} endpoint, or, if you opted to start polling in step 5, will be polled automatically at this point.

Integration of the asynchronous login mode

OneSpan Cloud Authentication processes two steps for the asynchronous login mode:

The OneSpan Cloud Authentication Login service, called with timeout = 0, starts the login process, challenges the user (same process step as in the synchronous login mode), and immediately returns the current state of the session.
The Check Session Status service returns the current session and notification states of the pending login request immediately, without waiting for the notification process to complete.

The default timeout value for asynchronous authentication with push notification is set to 180 seconds. Contact OneSpan if you need to change this timeout configuration.

Fallback mechanism with Cronto image

The user might not always receive the Push Notification message, either because the message delivery failed or because the user rejected the request but would like to proceed with the authentication. For the asynchronous login mode, OneSpan Cloud Authentication offers a fallback mechanism for such a case, and the user can authenticate by scanning a Cronto image instead of confirming the Push Notification message.

OCA Push notification-based authentication with orchestration: Fallback mechanism with Cronto

Sequence of authentication via Cronto image as fallback when user does not receive or rejects Push Notification message

The browser requests a Cronto image from the app’s web server.
The server generates the Cronto image based on the request ID, and displays it.
The user scans the image with the mobile app.
The app requests requestMessage for the relevant request ID from the web server.
The server queries the OneSpan Cloud Authentication web services for the requestMessage for the relevant request ID.
Based on the request ID, the OneSpan Cloud Authentication web services retrieve the RemoteAuthentication orchestration command request message.
OneSpan Cloud Authentication returns this and the session status to the web server.
The web server forwards the RemoteAuthentication orchestration command request message to the mobile app.

After this, the login operation continues with the regular authentication via orchestration command.

To integrate the fallback mechanism via Cronto image, you must specify requestMessageInSession as input value for the orchestrationDelivery method.

Push Notification-based authentication for OneSpan Mobile Authenticator Studio

In the push mode, a new OneSpan Mobile Authenticator Studio app is enabled on a mobile device to authenticate the user. The user receives a notification prompt on their mobile device during the authentication process and completes this process by tapping the mobile device.

Sequence of a Push Notification-based authentication operation

The back end initiates the login operation by providing the user’s domain, user ID, the keyword push, and the user’s static password for OneSpan Mobile Authenticator.
OneSpan Cloud Authentication verifies the user.
The Push Notification service generates a Push Notification message and sends it to the user's mobile device, where the Mobile Authenticator Studio application is installed.
The user receives the Push Notification message on their mobile device.
The user approves the request to log in.
The user's approval is returned to the Push Notification service.
The Push Notification service notifies OneSpan Cloud Authentication of the user's approval.
The user has successfully logged in.
OneSpan Cloud Authentication returns the result of the authentication, including the serial number of the used authenticator.

You integrate Push Notification-based authentication with a login request.

To integrate Push Notification-based authentication

Issue a login request with the POST /users/{userid@domain}/login endpoint.
- Payload:
  - objectType: “LoginInput”
  - credentials.passKey: "push{password}"