Replace app with custom system?
Wednesday, October 14, 2020 at 03:04pmHi,
Many banks use the CrontoSign Swiss app or something similar (e.g. comdirect photoTAN) for the 2FA. The app is available for iOS and Android, but not everyone has such a device. Is the used protocol open? Is it possible to integrate the core functionality of the app (registration; Cronto image => confirmation code) with other UIs? I.e. is there a programming library or API that can be called to process the challenges (presumably based on some stored private key?) and obtain the numeric codes that the bank wants?
Thank you!
Reply to: Replace app with custom system?
Thursday, October 15, 2020 at 11:53amHi,
Some of the aspects that you mentioned in your question like registration are simply provided through an HTTP REST protocol, you could check this blog to learn more about the registration service and onespan.com/blog for the other endpoints.
Also, the rendering of the CRONTO image data is provided through a RESTful service, meaning once you get an activation string sequence, you could render it through "/visualcodes/render" endpoint, check the "Visual Codes" section in the Sandbox API. So the answer to whether you could integrate those functionalities with different UIs is Yes. For example you could embed it in your web application to show-up on a web browser. Though, since the CRONTO code is only a mean to transmit encrypted data, and used for different purposes - e.g it could be data coming from an authentication server- the CRONTO must be scanned with a security app to interpret this data and take a specific action (if that what you mean by core functionality), an example could be an authentication step up. So in our case, you must use OneSpan Mobile Authenticator Studio (MAS) to scan the rendered CRONTO to interpret the data, then generate a challenge (e.g OTP for 2FA), sign a transaction, or whatever required in the message.
MAS is part of OneSpan Mobile Security Suite, and it is available to integrate it for both Android or iOS.
I hope that helps,
Hakim
Reply to: Replace app with custom system?
Thursday, October 15, 2020 at 02:06pmHi,
thanks for your response.
I don't think these REST endpoints are applicable to the CrontoSign swiss app. The bank sends a snail mail letter with a visual activation code. When the app scans that code -- even when it's in flight mode! -- it detects that it's a special kind of code and starts the registration flow. That essentially consists of a registration code that the app displayed and that needs to be entered in the bank's web UI. Then, to confirm that the pairing worked, the bank generates a regular login challenge code, the app scans it and generates a response that is again manually entered in the bank's web UI. All of this works while the phone is entirely offline. To me, it looks more like the app has a private key (similar to Google Authenticator) and it just responds to whatever challenges it receives.
My question is essentially: Can I build that app from scratch? And I guess if I can re-build it for Android or iOS, then I could also build it for other operating systems.
Reply to: Replace app with custom system?
Friday, October 16, 2020 at 08:23pmHi,
Depending on the way you prefer to activate the user device used for authentication that's offline or online, you must integrate the required OneSpan Mobile Security Suite SDKs. The MSS SDKs are only available for Android and iOS. Also, the CRONTO code could be presented to the end-user through the web, to scan it by his/her device from the web browser.
You could consult this blog post for an example, also part 2 of the blog.
Please let me know if you have any further questions.
Hakim
Reply to: Replace app with custom system?
Monday, November 28, 2022 at 03:07amThis could also benefit mobile developers that in addition to integrating with OneSpan Sign Mobile SDKs, now developers can take advantage of this feature and directly load the signing URL to a WebView.