Intelligent Adaptive Authentication August Release – 22.R3

A number of services, including the provided endpoints therein, will be deprecated for Intelligent Adaptive Authentication in the fourth quarter of 2023.

For every service that will be deprecated, a replacement is already available in the OneSpan Trusted Identity platform API.

In the Adaptive Authentication API Reference service API, the following services will be deprecated:

• userregister (v1)

• login (v2)

• checksessionstatus (v2)

• transaction (v2)

• eventvalidation (v2)

• checkactivationstatus (v1)

• userunregister (v1)

• user-management (v1)

• authenticator-management (v1)

• authenticator-provisioning (v1)

• visualcode (v1)

In the Risk Analytics API Reference service API, the following services will be deprecated:

• eventvalidation (v2)

• transaction (v2)

• bulfile-upload (v1)

The following standalone services which are not part of a service API will also be deprecated:

• eventvalidation (v1)

• login (v1)

• transaction (v1)

• checksessionstatus (v1)

• fido-metadata

The FIDO UAF onboarding process is now available on the OneSpan Community Portal for Intelligent Adaptive Authentication.

For more information on FIDO UAF onboarding, see FIDO UAF onboarding in the Sandbox and Production environments.

When a OneSpan Trusted Identity platform user is deleted, all FIDO-relevant user data that is associated with this account is also deleted. This prevents reusing old user data, if the user is reactivated in a future instance.

The OneSpan Trusted Identity platform API now supports the following data fields for FIDO UAF channel binding:

• cidPublicKey

• tlsUnique

The following FIDO-based endpoints are impacted by this enhancement:

• POST /users/{userID@domain}/register-fido-device

• POST /users/{userID@domain}/login

• POST /users/{userID@domain}/transactions/validate

• POST /users/{userID@domain}/events/validate

The OneSpan Trusted Identity platform API now supports the tokenBinding data field for FIDO2 token binding.

The following FIDO-based endpoints are impacted by this enhancement:

• POST /users/{userID@domain}/register-fido-device

• POST /users/{userID@domain}/login

• POST /users/{userID@domain}/events/validate

Intelligent Adaptive Authentication now supports decrypting the body of a Secure Channel information message via the REST API. With the Decrypt Information Message feature, you can decrypt the body of a Secure Channel information message that is encrypted with the payload key of an instance of a multi-device licensing (MDL) authenticator.

• Decrypt information message endpoint. A new endpoint has been added for this decrypting operation:

  POST /authenticators/{serialNumber}/decrypt-information-message

  This endpoint accepts informationMessage as payload.

  The following responses are included:

  • 200: Decrypted information message.

  • 400: The input is invalid.

  • 404: Authenticator not found.

  • 409: Failed to decode information message.

  • 500: Unexpected server error.

For more information, refer to Decrypt an Information Message Body.

With the new Reset Activation feature, Intelligent Adaptive Authentication now supports resetting the activation information of an authenticator via the OneSpan Trusted Identity platform API.

For authenticators that are compliant with standard, i.e. single-device licensing (SDL), activation, the following parameters are reset:

• Activation count

• Activation locations

• Last activation date/time

For authenticators compliant with multi-device licensing (MDL) activation, the following parameters are reset:

• Provisioning activation count

• Activation challenge

• Last activation date/time

For MDL-compliant authenticators, this reset operation does not decrease the activation count (i.e. the number of activated instances), but resets the number of activations.

• Reset activation endpoint. A new endpoint has been added for this reset operation:

  POST /authenticators/{serialNumber}/reset-activation

  The following responses are included:

  • 200: Reset activation completed successfully.

  • 400: The input is invalid.

  • 404: Authenticator not found.

  • 409: Failed to reset the activation.

  • 500: Unexpected server error.

For more information, refer to Reset Authenticator Activation Information.

Intelligent Adaptive Authentication now offers new options to query and/or update user information. The following fields have been adapted and can now be used to query user information:

• hasAuthenticatorAssigned

• expired

• disabled

• lastAuthentication

• lastAuthenticationRequest

• maxDaysBetweenAuthentications

  You can use this field to query and update user information based on the user's interval between authentications.

Intelligent Adaptive Authentication now supports the hasAdminPrivileges field for the following OneSpan Trusted Identity platform API endpoints:

• GET /users

You can now query a user based on the hasAdminPrivileges field in Intelligent Adaptive Authentication.

In Intelligent Adaptive Authentication, the SOAP client library for the common Java web services exhibits a bottleneck. This results in poor performance when many users are simultaneously trying to call the same service. To improve performance for users during high-traffic spikes, a new library is used.

Status: With the new library already in place, a higher number of simultaneous requests can now be handled without performance impairments for the following scenarios:

• User authentication and login

• Transaction validation

• Event validation

• Time synchronization between OneSpan Trusted Identity platform (i.e. host) and authenticator

• Orchestration SDK processing

• General improvement on internal processing operations (e.g. administration sessions)

When deregistering a FIDO UAF authenticator only via the Authenticator Attestation ID (AAID), the response received from the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint contains the list of all deregistered key IDs. Because the KeyID in the response should be empty, the certification tool reports a problem with the KeyID validation.

Status: This issue has been fixed. In addition, the behavior of the deregistration endpoint has been updated to also include the option to deregister the FIDO UAF authenticator using the AAID and KeyID.

The FIDO2 Sample Relying Party Web App does not behave correctly during authentication with an Android phone as the assigned FIDO2 authenticator.

Status: This issue has been fixed. The FIDO2 Server did not correctly handle the case when the userHandle property was null, which caused the authentication attempt to fail.

An error occurs when calling the POST /users/register endpoint. Attempts to register an additional authenticator without including a static password result in the following error: User registration failed: Initial static password not set.

Status: This issue has been fixed. It is now possible to use this endpoint multiple times to start the registration of a new authenticator.

Once a registration call has been made with a password, that password will then be required for all subsequent registration calls (as long as the password has not been reset).