Topology example: Cloud and on-premises

These topology scenarios use OneSpan cloud services to relay push notifications (OneSpan Notification Gateway).

The mobile authenticator app is either customized (Mobile Authenticator Studio) or a customer-made application implementing OneSpan Mobile Security Suite. It therefore does not need OneSpan DIGIPASS Gateway (cloud) to route its communication back to the customer network; instead, it can connect to the customer network directly to retrieve the actual request data from OneSpan Authentication Server.

Scenario: Push and login (Cloud and on-prem)

Push and login consists of an out-of-band authentication initiated on a website or other application. The authentication request is transmitted via push notifications to a mobile app. The user can inspect and confirm the authentication request with the mobile app.

About this scenario

It supports the following mobile authenticator apps:

  • Mobile Authenticator Studio
  • OneSpan Mobile Security Suite

Figure: Push and login (Topology, Cloud and on-prem)

Walkthrough: Push and login (cloud and on-prem)

  1. The user initiates a push and login process using the specified request method in the client application, e.g. an application server or Digipass Authentication for Windows Logon.
  2. The client application initiates a push and login process on OneSpan Authentication Server.
  3. After receiving the corresponding request from the client application, OneSpan Authentication Server generates the required push notification message. The push notification message is relayed to the Message Delivery Component (MDC) service.
  4. MDC relays the push notification request to the OneSpan Notification Gateway.
  5. OneSpan Notification Gateway sends the push notification via third-party notification web services for the respective end device.
  6. The mobile authenticator application, e.g. Mobile Authenticator Studio, requests login details from the on-prem DIGIPASS Gateway.
  7. The on-prem DIGIPASS Gateway requests details from OneSpan Authentication Server.
  8. The mobile authenticator app retrieves the push notification details routed back from the on-prem DIGIPASS Gateway. Then it asks the user to confirm the logon to the specified client application.
  9. The user confirms and accepts the push and login request. The mobile authenticator app authenticates against OneSpan Authentication Server via DIGIPASS Gateway.
  10. OneSpan Authentication Server processes this request. If the request succeeds, it returns the authentication to the client application.
  11. The user is informed via the client application that the authentication has succeeded.

Scenario: Push and sign (Cloud and on-prem)

Push and sign allows data signing using a separate and unconnected channel (out-of-band signing).

About this scenario

It supports the following mobile authenticator apps:

  • Mobile Authenticator Studio
  • OneSpan Mobile Security Suite

Figure: Push and sign (Topology, Cloud and on-prem)

Walkthrough: Push and sign (cloud and on-prem)

  1. The user initiates a transaction data signing request towards the application server, e.g. via a banking application site.
  2. The application server initiates a push and sign process on OneSpan Authentication Server.
  3. After receiving the corresponding request from the application server, OneSpan Authentication Server generates the required push notification message. The push notification message is relayed to the Message Delivery Component (MDC) service.
  4. MDC sends the push notification request to the OneSpan Notification Gateway.
  5. OneSpan Notification Gateway sends a push notification to the mobile authenticator app via third-party notification services for the respective end device. If a user has multiple devices assigned and registered, a push notification is sent to all applicable devices (MDL instances).
  6. The mobile authenticator app, e.g. Mobile Authenticator Studio, requests details from the on-prem DIGIPASS Gateway.
  7. The on-prem DIGIPASS Gateway requests details from OneSpan Authentication Server.
  8. The mobile authenticator app, e.g. Mobile Authenticator Studio, retrieves the signature transaction message routed back from the on-prem DIGIPASS Gateway. Then it asks the user to confirm the signing of the transaction data.
  9. When the user confirms, the mobile authenticator app authenticates the user against OneSpan Authentication Server via DIGIPASS Gateway.
  10. OneSpan Authentication Server processes this request and, if applicable, returns success to the application server.
  11. The user is informed via the application server that the transaction data has been signed successfully.
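
Added example, not part of the OneSpan documentation: the hops that both walkthroughs share, modeled as a data-flow list to derive which on-prem component must accept connections from outside and which must be allowed outbound to the cloud. The zone assigned to each component is an assumption inferred from the component names on this page, and the function names are hypothetical.

```python
# Zone placement is an ASSUMPTION for illustration (inferred from the page's
# "cloud" / "on-prem" wording); adjust it to the actual deployment.
ZONE = {
    "client application": "on-prem",
    "OneSpan Authentication Server": "on-prem",
    "MDC": "on-prem",
    "DIGIPASS Gateway": "on-prem",
    "OneSpan Notification Gateway": "cloud",
    "third-party notification service": "cloud",
    "mobile authenticator app": "external",
}

# (walkthrough step, initiator, responder). Step 1 is left out because the
# user's location depends on the client application in use.
HOPS = [
    (2, "client application", "OneSpan Authentication Server"),
    (3, "OneSpan Authentication Server", "MDC"),
    (4, "MDC", "OneSpan Notification Gateway"),
    (5, "OneSpan Notification Gateway", "third-party notification service"),
    (5, "third-party notification service", "mobile authenticator app"),
    (6, "mobile authenticator app", "DIGIPASS Gateway"),
    (7, "DIGIPASS Gateway", "OneSpan Authentication Server"),
    (9, "mobile authenticator app", "DIGIPASS Gateway"),
]

def boundary_crossings(hops=HOPS, zone=ZONE):
    """Return the hops whose two endpoints sit in different zones."""
    return [(s, a, b) for s, a, b in hops if zone[a] != zone[b]]

def onprem_exposure(hops=HOPS, zone=ZONE):
    """Split on-prem boundary crossings into inbound listeners and outbound flows."""
    inbound, outbound = set(), set()
    for _, a, b in boundary_crossings(hops, zone):
        if zone[b] == "on-prem":
            inbound.add(b)          # must accept connections from outside
        elif zone[a] == "on-prem":
            outbound.add((a, b))    # needs an egress rule towards the cloud
    return inbound, outbound

if __name__ == "__main__":
    inbound, outbound = onprem_exposure()
    print("Inbound listeners to harden and monitor:", sorted(inbound))
    print("Outbound flows to allowlist:", sorted(outbound))
```

Under these assumptions, OneSpan Authentication Server is never reached directly from outside the customer network; a firewall review can treat any other inbound or outbound path as unexpected.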