Integration of transaction data signing with FIDO-based transaction validation

Intelligent Adaptive Authentication supports the FIDO UAF protocol for adaptive transaction data signing secured with FIDO-based transaction validation.

Prerequisites for securing adaptive transaction data signing with FIDO-based transaction validation

To ensure successful transaction data signing with FIDO-based transaction validation, the following prerequisites must be met:

Adaptive transaction data signing secured with FIDO-based transaction validation

If the transaction validation request is regarded as risky, the Risk Management component will challenge the user with an additional transaction signing validation step. In case of adaptive transaction data signing with FIDO-based authentication, the Risk Management component will return a riskResponseCode of 14 (ChallengeFIDO). After the transaction has been validated using a FIDO-based authenticator, the Risk Management component will re-evaluate the request and accept or decline the transaction.

Adaptive transaction data signing secured with FIDO-based transaction validation - overview

Sequence of an adaptive transaction data signing operation secured with FIDO-based transaction validation

  1. The user starts the transaction data signing operation. The app collects CDDC data and sends the validation request with the CDDC data and the FIDO transaction data to the web server. The web server forwards the request to the OneSpan Trusted Identity platform API by calling https://{tenant}.{environment}.tid.onespan.cloud/v1/users{userID@domain}/transactions/validate.
  2. The OneSpan Trusted Identity platform API forwards the request to the Risk Management component, which returns a riskResponseCode of 14 (ChallengeFIDO).
  3. The OneSpan Trusted Identity platform API initializes the transaction validation by sending a request to the FIDO Server.
  4. The FIDO Server generates a transaction signing request that is sent to the OneSpan Trusted Identity platform API.
  5. The OneSpan Trusted Identity platform API forwards the transaction signing request to the web server.
  6. The web server forwards the transaction validation request to the app.
  7. The app communicates with the FIDO authenticator to generate a transaction validation response.

    If a FIDO UAF authenticator is used with a built-in display, it will show the transaction validation message on this screen when asking the user for confirmation.

  8. The app collects CDDC data and sends it with the FIDO transaction validation response to the web server, which forwards the request to the OneSpan Trusted Identity platform API by calling https://{tenant}.{environment}.tid.onespan.cloud/v1/users{userID@domain}/transactions/validate.
  9. The OneSpan Trusted Identity platform API finalizes the transaction validation with the FIDO Server.
  10. The FIDO Server verifies the transaction validation response and returns a success response.
  11. The OneSpan Trusted Identity platform API sends all the gathered data with the result of the transaction validation response to the Risk Management component. This component assesses all factors involved and sends the response back to the OneSpan Trusted Identity platform API.
  12. The OneSpan Trusted Identity platform API receives the success response and sends it to the web server.
  13. The web server finalizes the transaction signing operation by sending this response to the app.

To integrate adaptive transaction data signing secured with FIDO-based transaction validation

  1. Issue a transaction validation request with https://{tenant}.{environment}.tid.onespan.cloud/v1/users{userID@domain}/transactions/validate.
    • Method: POST
    • Payload:
      • objectType: "AdaptiveTransactionValidationInput"
      • accountRef
      • amount
      • cddc
      • currency
      • relationshipRef
      • transactionType
      • data
        • fidoTransactionMessage
          • fidoProtocol: UAF11
          • authenticationMessage
            Contains the transaction data that are displayed to the user when signing.
      • sessionID
    • Response body:
      • riskResponseCode: 14 (ChallengeFido)
      • requestID
      • sessionStatus: pending
      • fidoAuthenticationRequest
  2. After confirming the transaction data with the FIDO authenticator, issue a second transaction validation request with https://{tenant}.{environment}.tid.onespan.cloud/v1/users{userID@domain}/transactions/validate.
    • Method: POST
    • Payload:
      • objectType: "AdaptiveTransactionValidationInput"
      • accountRef
      • amount
      • cddc
      • currency
      • relationshipRef
      • transactionType
      • data
        • fido
          • authenticationResponse
          • requestID
      • sessionID
    • Response body:
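As an added example, not taken from the OneSpan documentation or product code: a Python sketch of the two-request flow above, built from the payload fields listed in this section, with a constructed stand-in for the platform API so it runs offline. It also covers the low-risk outcome (riskResponseCode 0) described further down this page. Function names, the stub responses and the sample values are assumptions, not platform behaviour.

```python
ACCEPTED = 0         # riskResponseCode for a low-risk request: accepted, no further step
CHALLENGE_FIDO = 14  # riskResponseCode ChallengeFIDO: confirm the transaction on a FIDO UAF authenticator
TXN_FIELDS = ("accountRef", "amount", "currency", "relationshipRef", "transactionType")

def build_initial_request(txn, cddc, session_id, message):
    # First POST body: transaction fields plus the UAF11 message the authenticator displays.
    body = {"objectType": "AdaptiveTransactionValidationInput", "cddc": cddc, "sessionID": session_id}
    body.update({k: txn[k] for k in TXN_FIELDS})
    body["data"] = {"fidoTransactionMessage": {"fidoProtocol": "UAF11",
                                               "authenticationMessage": message}}
    return body

def build_completion_request(first, request_id, auth_response):
    # Second POST body: same transaction fields and sessionID, now carrying the FIDO response.
    body = {k: v for k, v in first.items() if k != "data"}
    body["data"] = {"fido": {"authenticationResponse": auth_response, "requestID": request_id}}
    return body

def sign_transaction(post, first, authenticator):
    # Run the adaptive flow; only the platform's final riskResponseCode decides the outcome.
    resp = post(first)
    code = resp.get("riskResponseCode")
    if code == ACCEPTED:
        return "accepted"           # low-risk path: finished after one request
    if code != CHALLENGE_FIDO:
        return "declined"
    if resp.get("sessionStatus") != "pending" or "fidoAuthenticationRequest" not in resp:
        raise ValueError("ChallengeFIDO without a pending fidoAuthenticationRequest")
    auth_response = authenticator(resp["fidoAuthenticationRequest"])
    final = post(build_completion_request(first, resp["requestID"], auth_response))
    return "accepted" if final.get("riskResponseCode") == ACCEPTED else "declined"

def fake_platform(risky):
    # Constructed stand-in for the platform API (not OneSpan code) so the flow runs offline.
    issued = {}
    def post(body):
        fido = body["data"].get("fido")
        if fido is None:
            if not risky:
                return {"riskResponseCode": ACCEPTED}
            issued["requestID"] = "req-constructed-1"
            return {"riskResponseCode": CHALLENGE_FIDO, "requestID": issued["requestID"],
                    "sessionStatus": "pending", "fidoAuthenticationRequest": "<constructed UAF request>"}
        ok = fido["requestID"] == issued.get("requestID") and fido["authenticationResponse"].startswith("signed:")
        return {"riskResponseCode": ACCEPTED if ok else -1}   # -1 is a constructed "declined" code
    return post

def fake_authenticator(uaf_request):
    # Constructed authenticator: a real UAF client shows the message to the user and signs the request.
    return "signed:" + uaf_request
```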

Adaptive transaction data signing - low risk validation request

If the transaction signing validation request is regarded as low risk, the Risk Management component will accept the request and return a riskResponseCode of 0 (accepted). In this case, no additional authentication steps are required.

Adaptive transaction data signing - overview

Sequence of an adaptive transaction data signing operation

  1. The user starts the transaction data signing operation. The app collects CDDC data and sends the validation request with the CDDC data and the FIDO transaction data to the web server. The web server forwards the request to the OneSpan Trusted Identity platform API by calling https://{tenant}.{environment}.tid.onespan.cloud/v1/users{userID@domain}/transactions/validate.
  2. The OneSpan Trusted Identity platform API sends a transaction validation request to the Risk Management component. This component accepts the transaction validation request.
  3. The OneSpan Trusted Identity platform API receives the accepted transaction validation request and sends it to the web server.
  4. The web server forwards the accepted transaction validation request to the app.

To integrate adaptive transaction data signing