Integration of FIDO-Based Transaction Data Signing

OneSpan Cloud Authentication supports the FIDO UAF protocol for transaction data signing.

Prerequisites for transaction data signing with a FIDO-based authenticator

The following prerequisites have to be met before the transaction data signing process can be started:

• The user must exist in OneSpan Cloud Authentication.

• The user must have a registered FIDO authenticator for their account.

FIDO-based transaction data signing architecture—overview

Sequence of a FIDO-based transaction data signing operation

1. The app starts the transaction signing process. This triggers the web server to initiate the authentication to the OneSpan Trusted Identity platform API by calling the POST /users/{userID@domain}/generate-fido-authentication-request endpoint.

   The web server adds a transaction validation message, which is transferred to the OneSpan Trusted Identity platform API during the intialization of the authentication.

2. The OneSpan Trusted Identity platform API initializes the authentication with the FIDO Server.

3. The FIDO Server proceeds to generate an authentication request that is sent to the OneSpan Trusted Identity platform API.

   The FIDO Server generates an authentication request with an embedded transaction validation message.

4. The OneSpan Trusted Identity platform API receives the authentication request and sends it to the web server.

5. The web server forwards the request to the app.

6. The app communicates with the FIDO authenticator to generate an authentication response.

   If a FIDO UAF authenticator with a built-in display is used, it will display the transaction validation message when asking the user for confirmation.

7. The app forwards the authentication response together with the transaction data to the web server. The web server forwards this data to the OneSpan Trusted Identity platform API by calling the POST /users{userID@domain}/transactions/validate endpoint.

8. The OneSpan Trusted Identity platform API finalizes the transaction data signing with the FIDO Server.

9. The FIDO Server generates a verification response that is sent to the OneSpan Trusted Identity platform API.

10. The OneSpan Trusted Identity platform API receives the verification response and sends it to the web server.

11. To conclude the transaction data signing process, the web server sends this verification response to the app.

To integrate FIDO-based transaction data signing

1. Issue an authentication request with the POST /users/{userID@domain}/generate-fido-authentication-request endpoint.

   • Payload:

     • fidoProtocol: UAF11

     • authenticationMessage
       Contains a message that will be shown on a built-in display of a FIDO UAF authenticator.

   • Response body:

     • authenticationRequest

     • requestID

     • uafStatusCode

       For a full list of UAF status codes, refer to the FIDO alliance documentation.

2. Issue a transaction validation request with the POST /users{userID@domain}/transactions/validate endpoint.

   • Payload:

     • objectType: "TransactionValidationInput"

     • data.fido

       • authenticationResponse

         This is the authentication response generated by a FIDO-based authenticator.

       • requestID

         Identifier of the request that started the session. This identifier stems from the call made in step 1 of Integration of FIDO-based transaction data signing above.

   • Response body:

     • uafStatusCode

       For a full list of UAF status codes, refer to the FIDO alliance documentation.