Remote Authentication
  • 23 Oct 2024
  • 4 Minutes to read
  • Dark
    Light

Remote Authentication

  • Dark
    Light

Article summary

With the remote authentication feature of the Orchestration SDK, the user can authenticate to the Customer Website using the Customer Mobile Application, via an authentication request initiated on the OneSpan Trusted Identity platform, and based on the corresponding risk evaluation.

The remote authentication process is initiated using the Customer Website and evaluated for risk by OneSpan Trusted Identity platform before continuing with the Customer Mobile Application.

The authentication request is embedded in an orchestration command and can be transmitted via a push notification message initiated by OneSpan Trusted Identity platform or by another communication channel handled by the Customer Website (e.g. image scanning).

The authentication request contains the following parameters:

  • A session identifier created by the Customer Application Server, which uniquely identifies the authentication session.

  • A request identifier created by the Customer Application Server, which uniquely identifies the authentication request.

  • An authentication method, which defines how the user must authenticate to sign the authentication request (see Authentication methods).

  • (OPTIONAL) Data to display on the Customer Mobile Application to provide authentication request information to the user; the user can choose to approve or reject it.

    The data to display is a string defined by the Customer Application Server, which must be interpreted by the Customer Mobile Application.

Remote authentication workflow illustrates the remote authentication workflow with the transmission of the authentication request via a push notification message.

Remote authentication workflow

Remote authentication workflow

  1. The user initializes an authentication request via the Customer Website (e.g. for login purposes), providing their user identifier.

  2. The Customer Website transmits the user identifier and the Client Device Data Collector (CDDC) browser data to the Customer Application Server.

  3. The Customer Application Server calls the https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userID@domain}/login endpoint from the OneSpan Trusted Identity platform API by providing their user identifier, a session identifier (dynamically generated and uniquely identifying the authentication request), the received CDDC browser data, and, optionally, the data to display on the Customer Mobile Application.

  4. The OneSpan Trusted Identity platform evaluates the risk related to the Web browser used for the authentication request (based on multiple parameters provided in the previous step and on existing parameters related to the user, e.g. unknown country) and, in case of risk detection, initiates a step-up authentication request on the Customer Mobile Application with a given authentication method (see Authentication methods).

    Depending on the configuration defined in the OneSpan Trusted Identity platform, multiple scenarios are possible:

    • The authentication request can be transmitted via a push notification message initiated by the OneSpan Trusted Identity platform and sent by the Push Notification Service to the Customer Mobile Application. In this case, a push notification message is sent to all mobile devices of the user where the Customer Mobile Application is installed and activated.

    • The authentication request can be transmitted by the Customer Application  Server via a different channel (e.g. display a Cronto image containing the orchestration command related to the authentication request and scan it with the Customer Mobile Application).

    • The authentication request can be blocking or non-blocking.

    The following steps describe a blocking scenario with the authentication request transmitted via push notification.

  5. The Push Notification Service sends a push notification message containing the orchestration command related to the authentication request to the Customer Mobile Application.

  6. The Customer Mobile Application obtains the orchestration command contained in the push notification message and calls the execute method of the Orchestration SDK to perform the remote authentication.

  7. The Orchestration SDK builds an orchestration command and transmits it to the Customer Mobile Application using the  onRemoteAuthenticationStepComplete method.

  8. The Customer Mobile Application transmits the orchestration command to the Customer Application Server.

  9. The Customer Application Server calls the orchestration-commands Web service of the OneSpan Trusted Identity platform by providing the orchestration command. A new orchestration command is returned as a result.

  10. The Customer Application Server transmits the orchestration command to the Customer Mobile Application as a response to the previous request.

  11. The Customer Mobile Application calls the execute method of the Orchestration SDK to continue the remote authentication process (only if the authentication request is still pending).

  12. The Orchestration SDK calls the onRemoteAuthenticationDisplayData method to transmit the data to display to the Customer Mobile Application (if data has been defined in step 3).

  13. The Customer Mobile Application displays a screen to the user containing the data to display and two buttons to approve or reject the authentication request.

  14. The user must approve or reject the authentication request, according to the displayed data.

  15. Based on the user’s decision in the previous step, the Customer Mobile Application calls the onDataApproved or onDataRejected method of the Orchestration SDK.

  16. In both cases, the Orchestration SDK prompts the user to authenticate by using an authentication method defined by the OneSpan Trusted Identity platform, based on the evaluated risk (see step 4).

  17. The Orchestration SDK signs the authentication request, builds an orchestration command, and transmits it to the Customer Mobile Application using the onRemoteAuthenticationStepComplete method.

  18. Repeat steps 8 to 11.

  19. In case of validation by the OneSpan Trusted Identity platform, the Orchestration SDK calls the onRemoteAuthenticationSuccess method to notify the Customer Mobile Application.

  20. The Customer Mobile Application notifies the user that the authentication request has been successful and that they are about to be logged in to the Customer Website.

  21. The OneSpan Trusted Identity platform provides a response to the call to the login Web service from step 3, indicating the success of the authentication request.

  22. The Customer Application Server transmits the success status to the Customer Website. The user is now logged in to the Customer Website.

For more information about integrating this feature, see Remote authentication.


Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, our interactive help assistant