Integration of adaptive message-based transaction data signing
Adaptive message-based transaction data signing is a type of transaction data signing that supports virtual signatures that are sent via email, SMS, or voice delivery to a mobile device. A virtual signature consists of a one-time password (OTP) and signature data fields that are unique to the pending transaction.
This type of transaction requires a virtual authenticator that supports VDP Sign.
Prerequisites
To ensure successful
- The user exists in OneSpan Cloud Authentication.
- A virtual authenticator that supports VDP Sign must be assigned to the user in Intelligent Adaptive Authentication.
- The user must provide a valid phone number and/or email address.
- The rules that generate the corresponding response code (ChallengeSMS, ChallengeEmail, or ChallengeVoice) have been configured in OneSpan Risk Analytics. Rules are used to define sets of criteria to verify if an event (transaction and non-monetary event) matches any fraudulent behavior. If an event matches a previously defined rule, an alert can be raised.
The transaction data signing flow will vary depending on the result of the risk evaluation performed by the Risk Management component. This component performs a real-time analysis of vast amounts of user, device, and historical data to calculate the risk that is involved. The result is returned as a risk response code (riskResponseCode).
If the transaction validation request is regarded as risky, the Risk Management component will challenge the user with an additional transaction validation step. In case of transaction data signing with message-based transaction validation, the Risk Management component will return one of the following challenges:
- SMS: riskResponseCode of 3 (ChallengeSMS).
- Email: riskResponseCode of 8 (ChallengeEmail).
- Voice: riskResponseCode of 13 (ChallengeVoice).
For more information about the challenge scenario, see Adaptive message-based transaction data signing secured with virtual signature validation.
If the Risk Management component accepts the transaction validation request without an additional challenge, it will return a riskResponseCode of 0. In this scenario, no additional validation steps are required. For more information about this scenario, see Adaptive message-based transaction data signing — low risk validation request.
Adaptive message-based transaction data signing secured with virtual signature validation
Adaptive message-based transaction data signing — overview
Sequence of an adaptive message-based transaction data signing operation secured with virtual signature validation
- The user starts the transaction data signing operation. The app collects CDDC data and sends the request with the collected data to the web server. The web server forwards the request to the OneSpan Trusted Identity platform API with a call to the POST /transactions endpoint.
- The OneSpan Trusted Identity platform API forwards the request to Risk Analytics, which returns a riskResponseCode of 3 (ChallengeSMS), 8 (ChallengeEmail), or 13 (ChallengeVoice) to the client application.
- The user enters their credentials, which triggers the client application to initiate the signature generation request to the OneSpan Trusted Identity platform API with a call to the POST /users/{userID@domain}/generate-virtual-signature endpoint.
- The Authentication component verifies the user credentials.
- The Authentication component generates the signature and contacts the Message Delivery component.
- The Message Delivery component forwards the message via the specified delivery method (SMS, email, or voice call) to the user's mobile device. The message consists of an OTP and signature data fields.
- The user verifies the signature data fields and enters the OTP into their client application.
- The client application sends the transaction validation request to the OneSpan Trusted Identity platform API with a call to the POST /users/{userID@domain}/transactions/validate endpoint. The request contains the OTP and the signature data fields.
  When you send the signature for the POST /users/{userID@domain}/transactions/validate endpoint, ensure that you also add the authType field and set it to strong in the payload.
- The Authentication component validates the signature.
- The Authentication component sends all the gathered data with the result of the transaction validation response to the Risk Management component. This component assesses all factors involved and sends the response back to the client application to confirm the transaction.
To integrate message-based transaction data signing via virtual signature
- Issue a transactions request with a call to the POST /transactions endpoint and provide the following information:
  - Payload:
    - accountRef
    - amount
    - currency
    - relationshipRef
    - sessionID
    - transactionType
    - userRef: (Optional) This field can be configured in the Risk Management component to query user-specific information.
  - Response body:
    - riskResponseCode: 3 (ChallengeSMS) for SMS delivery, 8 (ChallengeEmail) for email delivery, and 13 (ChallengeVoice) for voice delivery
    - transactionID
- Issue a generate virtual signature request with a call to the POST /users/{userID@domain}/generate-virtual-signature endpoint and provide the following information:
  - Payload:
    - dataFields
    - credentials
    - deliveryMethod
- Issue a transaction validation request with a call to the POST /users/{userID@domain}/transactions/validate endpoint and provide the following information:
  - Payload:
    - objectType: “AdaptiveTransactionValidationInput”
    - accountRef
    - amount
    - cddc
    - currency
    - authentType: strong
    - data.standard
      - dataFields
      - signature
    - relationshipRef
    - transactionType
    - userRef: (Optional) This field can be configured in the Risk Management component to query user-specific information.
  - Response body:
    - riskResponseCode: 0
    - sessionStatus: accepted
Adaptive message-based transaction data signing — low risk validation request
If the transaction signing validation request is regarded as low risk, the Risk Management component will accept the request and return a riskResponseCode of 0 (accepted). In this case, no additional authentication steps are required.
Adaptive message-based transaction data signing — overview
Sequence of an adaptive transaction data signing operation
- The user starts the transaction data signing operation. The app collects CDDC data and sends the request with the collected data to the web server. The web server forwards the request to the OneSpan Trusted Identity platform API with a call to the POST /transactions endpoint.
- The OneSpan Trusted Identity platform API sends a transaction request to the Risk Management component. This component accepts the transaction request.
- The OneSpan Trusted Identity platform API receives the accepted transaction request and sends it to the web server.
- The web server forwards the accepted transaction request to the app.
To integrate message-based transaction data signing
- Issue a transactions request with a call to the POST /transactions endpoint and provide the following information:
  - Payload:
    - accountRef
    - amount
    - currency
    - relationshipRef
    - sessionID
    - transactionType
    - userRef: (Optional) This field can be configured in the Risk Management component to query user-specific information.
  - Response body:
    - riskResponseCode: 0 (accepted)
    - transactionID
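The two integration procedures above, written as server-side decision logic; this is an added example, not OneSpan code. It fails closed on any riskResponseCode other than 0, 3, 8, or 13, builds the generate and validate payloads from the same server-held transaction, and confirms only on riskResponseCode 0 together with sessionStatus accepted. The function names, the choice of signature data fields, the nesting of data.standard, sending the OTP as signature, and the sample values are assumptions; credentials and deliveryMethod are passed through unchanged because the page does not list their values.

```python
CHALLENGES = {3: "ChallengeSMS", 8: "ChallengeEmail", 13: "ChallengeVoice"}
# The payload list spells this field authentType; the step text calls it authType.
STRONG_AUTH_FIELD = "authentType"
TX_FIELDS = ("accountRef", "amount", "currency", "relationshipRef", "transactionType")

def risk_code(response):
    """Return riskResponseCode only if it is a real int (False == 0 in Python)."""
    code = response.get("riskResponseCode")
    return code if type(code) is int else None

def next_step(tx_response):
    """Map the POST /transactions response to an action, failing closed."""
    code = risk_code(tx_response)
    if code == 0:
        return "accept"
    return CHALLENGES.get(code, "reject")  # unknown or missing code: reject

def signature_fields(tx):
    """Assumption: account, amount and currency are what the user is shown."""
    return [str(tx["accountRef"]), str(tx["amount"]), str(tx["currency"])]

def generate_request(user_id, tx, credentials, delivery_method):
    """Build the generate-virtual-signature call as (path, payload)."""
    payload = {"dataFields": signature_fields(tx), "credentials": credentials,
               "deliveryMethod": delivery_method}
    return f"/users/{user_id}/generate-virtual-signature", payload

def validate_request(user_id, tx, cddc, otp):
    """Build the transactions/validate call from the server-held transaction."""
    payload = {name: tx[name] for name in TX_FIELDS}
    payload.update({
        "objectType": "AdaptiveTransactionValidationInput",
        "cddc": cddc,
        STRONG_AUTH_FIELD: "strong",
        # Assumed nesting of data.standard; the OTP the user typed is the signature.
        "data": {"standard": {"dataFields": signature_fields(tx), "signature": otp}},
    })
    if "userRef" in tx:  # optional field
        payload["userRef"] = tx["userRef"]
    return f"/users/{user_id}/transactions/validate", payload

def is_confirmed(validate_response):
    """Treat the transaction as signed only when both indicators agree."""
    return (risk_code(validate_response) == 0
            and validate_response.get("sessionStatus") == "accepted")

# Constructed sample transaction (placeholder values, not real data).
SAMPLE_TX = {"accountRef": "ACC-001", "amount": 250, "currency": "EUR",
             "relationshipRef": "REL-001", "sessionID": "sess-constructed",
             "transactionType": "<transactionType>"}
```

Because both payloads take their dataFields from the stored transaction, the values the user checks in the delivered message are the same ones submitted for validation.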