OneSpan Cloud Authentication allows you to integrate Push Notification-based authentication in your solution. You can integrate this functionality for the OneSpan Orchestration SDK or for OneSpan Mobile Authenticator Studio.
In an integration with the OneSpan Orchestration SDK, remote authentication is performed by a trusted device. For more information, see Push Notification-based authentication for the Orchestration SDK.
In an integration with OneSpan Mobile Authenticator Studio, a new Mobile Authenticator Studio application is enabled on a mobile device to authenticate the user. For more information, see Push Notification-based authentication for OneSpan Mobile Authenticator Studio.
Configuration of Push Notification
To configure Push Notification
After configuring your mobile app, you provide the configuration data to OneSpan. This data includes:
Android: the API keys and / or certificates for Firebase Cloud Messaging (FCM)
iOS: the certificates and the Bundle ID
You need to generate all the required certificates and provide them to OneSpan. For information on how to generate these certificates, refer to the Apple and Android developer documentation.
OneSpan Cloud Authentication uses this data and creates the configuration in the OneSpan Cloud Authentication database. The data is stored under a key referred to as app ID.
The app ID must be set as the name of the mobile app (Mobile Application Name) in your Authentication component domain.
Send a Push Notification. When sending, OneSpan Cloud Authentication uses the app ID that was configured in the domain to retrieve the necessary configuration data. This data is used to contact Google Firebase Cloud Messaging (Android) and APNs (iOS).
Android: the pairing with the Android application ID is done exclusively in the push notification service (PNS) configuration of the Firebase Cloud Messaging account whose credentials you provided.
iOS: the Bundle ID must be provided to Apple with each request. If the iOS Bundle ID is missing from the mobile app configuration, the app ID configured in the Authentication component is used as the Bundle ID.
Once the Push Notification is sent to Google FCM/iOS APNs, the notification delivery to the mobile device (the user) is handled by these services, i.e., the notification is not controlled by OneSpan Cloud Authentication.
Push Notification-based authentication for the Orchestration SDK
Remote authentication is performed by a trusted device. The protection that is applied is selected according to the passKey value. The following protection options are available:
Device-based
PIN-based
Fingerprint-based
Cloud authentication is done via the Login service and the Trusted Device Command service.
To configure the Mobile Security Suite Orchestration SDK for OneSpan Cloud Authentication, the existing passKey field must be set to one of the following values:
orchestration authentication types: NoPIN, PIN, Fingerprint
The orchestrationDelivery field takes one of the following values:
pushNotification: the orchestration command is delivered to the trusted device through Push Notification
requestMessage: the orchestration command is returned as a request message to the caller
requestMessageInSession: used for the Cronto image fallback in the asynchronous login mode (see Fallback mechanism with Cronto image)
(Optional) The LoginMessage object. This message overrides the default message displayed on the trusted device (e.g. Challenge).
For more information about the Orchestration SDK, see the following documents:
OneSpan Mobile Security Suite Product Guide at Mobile Security Suite.
Orchestration SDK Integration Guide at Orchestration SDK
OneSpan Cloud Authentication offers two modes to integrate the user login flow, the synchronous and the asynchronous login mode.
Synchronous login mode
The synchronous login mode is the quickest method to integrate the user login flow. The server-side integration of this mode involves several steps.
Login flow in synchronous mode
Sequence of a login operation in synchronous login mode
The user initiates the login operation by providing their credentials and the configured keyword with one of the following values for the Mobile Security Suite Orchestration SDK:
PIN
NoPIN
Fingerprint
The Login service creates a secure orchestration message.
To challenge the user, the Login service generates a remote authentication request.
This notification is temporarily stored in the queue of pending notifications. The login request is sent via notification to the trusted device associated with that user.
The state of the notification is checked.
The Orchestration SDK retrieves the authentication challenge from the received push notification.
The orchestration command sends a response with an authentication signature to the Login service.
The Login service verifies the authentication signature and returns the authentication status, including the serial number of the authenticator that was used.
The pending notification is updated.
If the user completes the notification request and signs the authentication request with the appropriate authentication method, the login request is accepted. The login fails if the notification flow does not complete successfully, for example because the user declines the request or the request times out.
Integration of the synchronous login mode
The Login service handles the JSON posts to provide login for the users of your web server application.
For more information about login input and output data, see POST /users/{userID@domain}/login.
To integrate the synchronous login mode, you must specify a timeout value for the login request; this is the maximum time the Login service waits for the response from the trusted device before the login request is considered timed out. The default timeout value is 60 seconds per tenant. To increase the validation period for Push Notification-based authentication within OneSpan Cloud Authentication, this timeout value can be extended.
Contact OneSpan Support to extend the timeout configuration for your tenant(s).
The Trusted Device Command service handles the command response from the mobile device. On the client side (i.e. the mobile application) the Orchestration SDK generates the trusted device response.
Asynchronous login mode
In the asynchronous login mode, OneSpan Cloud Authentication provides an additional API to check the session status of the user with the Check Session Status service.
Login flow in asynchronous mode
Sequence of a login operation in asynchronous login mode
The user initiates the login operation by providing their credentials, the keyword push and one of the following values for the Mobile Security Suite Orchestration SDK:
PIN
NoPIN
Fingerprint
The Login service creates a secure orchestration message.
To challenge the user, the Login service generates a remote authentication request.
This notification is temporarily stored in the queue of pending notifications. The login request is sent via notification to the trusted device associated with that user.
The state of the notification is checked.
The Orchestration SDK retrieves the authentication challenge that is based on the received push notification.
Your web server application sends the user ID and request ID to OneSpan Cloud Authentication (the Check Session Status service described under Integration of the asynchronous login mode). The service checks the status of the request ID and returns the state of the login request to your web server application. Possible states are:
Accept
Decline
Pending
Timeout
Failed
The orchestration command sends a response with an authentication signature to the Login service.
The Login service verifies the authentication signature and returns the authentication status, including the serial number of the authenticator that was used.
The pending notification is updated.
Integration of the asynchronous login mode
OneSpan Cloud Authentication processes two steps for the asynchronous login mode:
The OneSpan Cloud Authentication Login service, called with timeout = 0, starts the login process, challenges the user (same process step as in the synchronous login mode), and immediately returns the current state of the session.
The Check Session Status service returns the current session and notification states of the pending login request immediately, without waiting for the notification process to complete.
In the asynchronous login mode the Login service is called with timeout = 0, but the pending login request is still subject to the tenant timeout: the default value is 60 seconds per tenant, after which the state of the login request becomes Timeout. To increase the validation period for Push Notification-based authentication within OneSpan Cloud Authentication, this timeout value can be extended.
Contact OneSpan Support to extend the timeout configuration for your tenant(s).
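The server-side integration of both login modes, as an added example that is not OneSpan's code: a minimal Python client that builds the LoginInput body, calls the Login service synchronously (with a timeout) or asynchronously (timeout = 0 followed by polling of the Check Session Status service), and grants the login only on an explicit Accept. The endpoint path, the objectType, the credentials.passKey, orchestrationDelivery and LoginMessage inputs, the timeout parameter and the five session states come from this page. Assumptions to verify against the OCA API reference for your tenant: the JSON field name "timeout", the Check Session Status path, the response fields "sessionStatus", "requestID" and "serialNumber", and passing the authentication type (PIN, NoPIN, Fingerprint) directly as the passKey value. FakeOca is a constructed stand-in so both flows run offline.

```python
"""Web-server side of Push Notification login against OneSpan Cloud
Authentication (OCA) in synchronous and asynchronous mode.

Added example, not OneSpan code.  From the page: POST /users/{userID@domain}/login,
the LoginInput objectType, credentials.passKey, orchestrationDelivery, LoginMessage,
timeout = 0 for asynchronous mode, and the states Accept/Decline/Pending/Timeout/Failed.
ASSUMED (verify against the OCA API reference): the JSON field name "timeout", the
Check Session Status path, and the response fields "sessionStatus", "requestID"
and "serialNumber".
"""
from typing import Any, Callable, Dict, Optional
from urllib.parse import quote

ORCHESTRATION_PASSKEYS = {"PIN", "NoPIN", "Fingerprint"}  # from the page

# transport(method, path, json_body_or_None) -> decoded JSON response; the real
# implementation wraps your HTTP client with the tenant base URL and credentials.
Transport = Callable[[str, str, Optional[dict]], Dict[str, Any]]


def user_path(user_id: str, domain: str) -> str:
    """/users/{userID@domain}, percent-encoding everything except the '@'."""
    return "/users/" + quote(f"{user_id}@{domain}", safe="@")


def login_input(passkey: str, timeout: int, message: Optional[str] = None) -> Dict[str, Any]:
    """Build the LoginInput body; timeout=0 selects the asynchronous mode."""
    if passkey not in ORCHESTRATION_PASSKEYS:
        raise ValueError(f"unsupported orchestration passKey {passkey!r}")
    if timeout < 0:
        raise ValueError("timeout must be >= 0")
    body: Dict[str, Any] = {
        "objectType": "LoginInput",
        "credentials": {"passKey": passkey},
        "orchestrationDelivery": "pushNotification",
        "timeout": timeout,  # ASSUMED field name
    }
    if message is not None:
        body["LoginMessage"] = message  # replaces the default text shown on the trusted device
    return body


def is_accepted(state: str) -> bool:
    """Fail closed: only an explicit Accept grants the login."""
    return state == "Accept"


def login_sync(transport: Transport, user_id: str, domain: str, passkey: str,
               timeout: int = 60, message: Optional[str] = None) -> Dict[str, Any]:
    """Synchronous mode: one POST that returns when the device answers or OCA times out."""
    resp = transport("POST", user_path(user_id, domain) + "/login",
                     login_input(passkey, timeout, message))
    state = resp["sessionStatus"]  # ASSUMED response field
    return {"state": state, "serial": resp.get("serialNumber"), "accepted": is_accepted(state)}


def login_async(transport: Transport, user_id: str, domain: str, passkey: str,
                max_polls: int = 30, poll_interval: float = 2.0,
                message: Optional[str] = None,
                sleep: Callable[[float], None] = lambda _s: None) -> Dict[str, Any]:
    """Asynchronous mode: POST with timeout=0, then poll Check Session Status.

    Stops at the first final state.  If max_polls is exhausted while still Pending the
    login is not accepted; OCA's tenant timeout moves the session to Timeout on its own.
    """
    base = user_path(user_id, domain)
    resp = transport("POST", base + "/login", login_input(passkey, 0, message))
    state, request_id = resp["sessionStatus"], resp["requestID"]  # ASSUMED fields
    polls = 0
    while state == "Pending" and polls < max_polls:
        sleep(poll_interval)
        resp = transport("GET", f"{base}/login/{request_id}", None)  # ASSUMED status path
        state = resp["sessionStatus"]
        polls += 1
    return {"state": state, "requestID": request_id,
            "serial": resp.get("serialNumber"), "accepted": is_accepted(state)}


class FakeOca:
    """Constructed stand-in for OCA so the flows run offline: status checks answer
    Pending `pending_polls` times, then `final_state`."""

    def __init__(self, final_state: str = "Accept", pending_polls: int = 2) -> None:
        self.final_state, self.pending_polls, self.checks = final_state, pending_polls, 0

    def _final(self) -> Dict[str, Any]:
        out: Dict[str, Any] = {"sessionStatus": self.final_state}
        if self.final_state == "Accept":
            out["serialNumber"] = "VDS1234567"  # constructed authenticator serial
        return out

    def __call__(self, method: str, path: str, body: Optional[dict]) -> Dict[str, Any]:
        if method == "POST":
            assert body is not None and body["objectType"] == "LoginInput"
            if body["timeout"] == 0:  # asynchronous: answer at once with the request ID
                return {"sessionStatus": "Pending", "requestID": "req-42"}
            return self._final()
        self.checks += 1  # Check Session Status call
        return {"sessionStatus": "Pending"} if self.checks <= self.pending_polls else self._final()


if __name__ == "__main__":
    print(login_sync(FakeOca(), "alice", "example-tenant", "PIN"))
    print(login_async(FakeOca("Decline"), "alice", "example-tenant", "Fingerprint"))
```

In production, pass time.sleep as sleep and an HTTP wrapper that adds the tenant base URL and API credentials as transport; the no-op sleep default exists only so the flow can be exercised without waiting. Exhausting max_polls while the state is still Pending is treated as a failed login on the web server side, independently of the tenant timeout that OCA applies to the pending request.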
Fallback mechanism with Cronto image
The user might not always receive the Push Notification message, either because the message delivery failed or because the user rejected the request but would like to proceed with the authentication. For the asynchronous login mode, OneSpan Cloud Authentication offers a fallback mechanism for such a case, and the user can authenticate by scanning a Cronto image instead of confirming the Push Notification message.
Sequence of authentication via Cronto image as fallback when the user does not receive or rejects the Push Notification message
The browser requests a Cronto image from the app’s web server.
The server generates the Cronto image based on the request ID, and displays it.
The user scans the image with the mobile app.
The app requests the requestMessage for the relevant request ID from the web server.
The web server queries the OneSpan Cloud Authentication web services for the requestMessage for that request ID.
Based on the request ID, the OneSpan Cloud Authentication web services retrieve the RemoteAuthentication orchestration command request message.
OneSpan Cloud Authentication returns this message and the session status to the web server.
The web server forwards the RemoteAuthentication orchestration command request message to the mobile app.
After this, the login operation continues with the regular authentication via orchestration command.
To integrate the fallback mechanism via Cronto image, you must specify requestMessageInSession as the input value of the orchestrationDelivery field in the login request.
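The fallback flow above from the web server's point of view, as an added example that is not OneSpan's code. The request-ID lookup, the RemoteAuthentication orchestration command request message, the session status in the reply and the requestMessageInSession value of orchestrationDelivery come from the page. The OCA query is abstracted as a callable (query_oca) returning "requestMessage" and "sessionStatus"; the real service name and field names must be checked against the OCA API reference, and the Cronto image encoder itself is not shown. The check that the server only answers for request IDs it issued a Cronto image for is this example's own hardening, not something the page prescribes, and FAKE_SESSIONS is constructed data.

```python
"""Web-server handler for the Cronto image fallback of the asynchronous login mode.
Added example, not OneSpan code.

From the page: the browser gets a Cronto image generated from the request ID, the app
scans it and asks the web server for the requestMessage of that request ID, the server
queries the OneSpan Cloud Authentication (OCA) web services, OCA returns the
RemoteAuthentication orchestration command request message with the session status,
and the server forwards the command to the app.

ASSUMED: the OCA query is a callable `query_oca(request_id)` returning the fields
"requestMessage" and "sessionStatus"; the Cronto image encoder is not shown.  The
"only request IDs this server issued an image for" rule is this example's own check.
"""
from typing import Any, Callable, Dict, Set

# Value of orchestrationDelivery in the login request that enables this fallback (from the page).
FALLBACK_DELIVERY = "requestMessageInSession"

# States in which there is nothing left for the app to sign.  Pending and Decline are let
# through because the page describes the fallback for a push that was not received or
# that the user rejected but then wants to complete.
DEAD_STATES = {"Accept", "Timeout", "Failed"}

OcaQuery = Callable[[str], Dict[str, Any]]


class CrontoFallback:
    def __init__(self, query_oca: OcaQuery) -> None:
        self.query_oca = query_oca
        self.issued: Set[str] = set()  # request IDs this server rendered a Cronto image for

    def cronto_content(self, request_id: str) -> str:
        """Record the request ID and return the string to encode into the Cronto image."""
        self.issued.add(request_id)
        return request_id

    def request_message(self, request_id: str) -> Dict[str, Any]:
        """Answer the app's request for the requestMessage of a scanned request ID."""
        if request_id not in self.issued:
            # Do not act as an open proxy to OCA for request IDs this server never issued.
            return {"error": "unknown request ID"}
        oca = self.query_oca(request_id)
        status = oca.get("sessionStatus")
        if status in DEAD_STATES or not oca.get("requestMessage"):
            return {"error": "login request no longer open", "sessionStatus": status}
        return {"requestMessage": oca["requestMessage"], "sessionStatus": status}


# Constructed OCA responses keyed by request ID, so the handler runs offline.
FAKE_SESSIONS: Dict[str, Dict[str, Any]] = {
    "req-42": {"sessionStatus": "Pending",
               "requestMessage": "<RemoteAuthentication command for req-42 (constructed)>"},
    "req-7": {"sessionStatus": "Timeout"},
}


def fake_query_oca(request_id: str) -> Dict[str, Any]:
    return FAKE_SESSIONS.get(request_id, {"sessionStatus": "Failed"})


if __name__ == "__main__":
    fb = CrontoFallback(fake_query_oca)
    for rid in ("req-42", "req-7"):
        fb.cronto_content(rid)
    print(fb.request_message("req-42"))   # forwards the RemoteAuthentication command
    print(fb.request_message("req-7"))    # timed out: nothing left to sign
    print(fb.request_message("req-999"))  # never issued by this server
```

After the app receives the RemoteAuthentication command it signs it exactly as in the push case, and the web server keeps polling the Check Session Status service for the same request ID, so no separate result path is needed for the fallback.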
Push Notification-based authentication for OneSpan Mobile Authenticator Studio
In push mode, a new OneSpan Mobile Authenticator Studio app is enabled on a mobile device to authenticate the user. The user receives a notification prompt on their mobile device during the authentication process and completes it by tapping the prompt on the mobile device.
Sequence of a Push Notification-based authentication operation
The user initiates the login operation by providing their credentials, the keyword push and their static password for OneSpan Mobile Authenticator.
OneSpan Cloud Authentication verifies the user.
The Push Notification service generates a Push Notification message and sends it to the user's mobile device, where the Mobile Authenticator Studio application is installed.
The user receives the Push Notification message on their mobile device.
The user approves the request to log in.
The user's approval is returned to the Push Notification service.
The Push Notification service notifies OneSpan Cloud Authentication of the user's approval.
The user has successfully logged in.
OneSpan Cloud Authentication returns the result of the authentication, including the serial number of the used authenticator.
You integrate Push Notification-based authentication with a login request.
To integrate Push Notification-based authentication
Issue a login request with the POST /users/{userid@domain}/login endpoint.
Payload:
objectType: "LoginInput"
credentials.passKey: "push{password}"