Integration of user login with Secure Channel

Secure Channel-based authentication is a type of authentication that supports the secure exchange of authentication data. The Secure Channel feature encrypts the communication between device and server; it uses payload keys to protect the confidentiality and authenticity of the message payload. It is used in combination with Cronto images (a specific colorful cryptogram, similar to a QR code, used for visual transaction signing) or QR codes to exchange the Secure Channel messages. This type of authentication requires authenticator licenses that are activated in the multi-device licensing (MDL) mode. MDL is the OneSpan licensing model with a one-to-one relationship between a user account and an authenticator serial number license; with this licensing model, a user account can optionally be bound to several authenticator instances. Multi-Device Activation, an activation process in two steps, guarantees that only the intended user can perform the device activation.

Sequence of a login operation with Secure Channel

  1. The user initiates the operation from their browser, and the client application requests a Secure Channel challenge from the OneSpan Trusted Identity platform API (which provides the endpoints required to complete the operations) by calling the POST /users/{userID@domain}/generate-secure-challenge endpoint.

    The default timeout value for Secure Channel-based authentication is set to 180 seconds. Contact OneSpan if you need to change this timeout configuration.

  2. The OneSpan Trusted Identity platform API creates a Secure Channel challenge in the form of a Cronto message.
  3. The client application uses the Visual Codes service to generate the Cronto image.
  4. The user captures the Cronto image with their authenticator, and the authenticator generates an OTP.
  5. The OTP is inserted in a login request forwarded to the OneSpan Trusted Identity platform API for validation.

    The login uses the request identifier returned in the response to the generate-secure-challenge request.

  6. The OTP is validated successfully.

To integrate user login with Secure Channel

  1. Issue a generate Secure Channel message request with the POST /users/{userID@domain}/generate-secure-challenge endpoint.

  2. Issue a generate Cronto image for Secure Channel message request with the POST /visualcodes/render endpoint.

  3. Issue a login request with the POST /users/{userid@domain}/login endpoint:

    • Payload:

      • objecttype: "LoginInput"
      • credentials.authenticator.OTP
      • requestID

        Request ID received in the output of the Secure Channel message generation request.
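The three calls above, carried through end to end as an added example (this is not OneSpan's SDK or sample code). The client wraps the endpoints named on the page and binds the login to the challenge through requestID; a constructed in-memory stand-in for the platform plays the server so the flow runs offline, enforcing the 180-second challenge lifetime and single use of a requestID. The endpoint paths and the objecttype, credentials.authenticator.OTP and requestID fields come from the page; the response field names (challenge, requestID, imageURL, result), the render parameter names (message, format, size), the domain value and the toy HMAC-based OTP derivation are all assumptions made for the example.

```python
"""Secure Channel login flow: client plus a constructed fake platform (example code)."""
import hashlib
import hmac
from typing import Any, Callable, Dict

# Default challenge lifetime stated on the page; change only via OneSpan.
CHALLENGE_TIMEOUT_S = 180

# Transport abstraction: (path, JSON body) -> JSON response. In a real
# integration this would be an authenticated HTTPS POST; here it is injected.
Transport = Callable[[str, Dict[str, Any]], Dict[str, Any]]


class SecureChannelLogin:
    """Client side of the sequence: generate challenge, render image, log in."""

    def __init__(self, post: Transport, domain: str = "master"):  # domain assumed
        self.post = post
        self.domain = domain

    def generate_challenge(self, user_id: str) -> Dict[str, Any]:
        # Step 1: request a Secure Channel challenge (a Cronto message).
        return self.post(f"/users/{user_id}@{self.domain}/generate-secure-challenge", {})

    def render_visual_code(self, message_hex: str, fmt: str = "CRONTO", size: int = 300) -> Dict[str, Any]:
        # Step 2: embed the hex-encoded message in a Cronto image or QR code.
        # Parameter names are assumptions matching the three inputs the page lists.
        return self.post("/visualcodes/render", {"message": message_hex, "format": fmt, "size": size})

    def login(self, user_id: str, otp: str, request_id: str) -> Dict[str, Any]:
        # Step 3: validate the OTP; requestID ties it to the challenge it answers.
        body = {"objecttype": "LoginInput",
                "credentials": {"authenticator": {"OTP": otp}},
                "requestID": request_id}
        return self.post(f"/users/{user_id}@{self.domain}/login", body)


DEMO_DEVICE_KEY = b"constructed-demo-device-key"  # shared by toy authenticator and fake server


def make_authenticator(device_key: bytes) -> Callable[[str], str]:
    """Toy stand-in for the authenticator that scans the Cronto image and derives an OTP."""
    def otp_for(message_hex: str) -> str:
        tag = hmac.new(device_key, bytes.fromhex(message_hex), hashlib.sha256).digest()
        return f"{int.from_bytes(tag[:4], 'big') % 10**6:06d}"
    return otp_for


class FakeTidPlatform:
    """Constructed in-memory stand-in for the platform API (not OneSpan's server)."""

    def __init__(self, clock: Callable[[], float]):
        self.clock = clock
        self.challenges: Dict[str, Any] = {}  # requestID -> (user, message_hex, issued_at)
        self.counter = 0
        self.expected_otp = make_authenticator(DEMO_DEVICE_KEY)

    def post(self, path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        parts = path.split("/")
        if path.endswith("/generate-secure-challenge"):
            self.counter += 1
            rid = f"req-{self.counter}"
            msg = f"{self.counter:08x}"  # constructed Cronto payload, hex-encoded
            self.challenges[rid] = (parts[2], msg, self.clock())
            return {"requestID": rid, "challenge": msg}
        if path == "/visualcodes/render":
            bytes.fromhex(body["message"])  # message must be hexadecimal
            return {"imageURL": f"https://example.invalid/{body['format']}/{body['message']}.png"}
        if path.endswith("/login"):
            entry = self.challenges.pop(body.get("requestID", ""), None)  # single use
            if entry is None:
                return {"result": "FAILED", "reason": "unknown or reused requestID"}
            user, msg, issued = entry
            if self.clock() - issued > CHALLENGE_TIMEOUT_S:
                return {"result": "FAILED", "reason": "challenge expired"}
            otp = body.get("credentials", {}).get("authenticator", {}).get("OTP")
            if user != parts[2] or otp != self.expected_otp(msg):
                return {"result": "FAILED", "reason": "OTP mismatch"}
            return {"result": "SUCCESS"}
        raise KeyError(path)


def run_login(client: SecureChannelLogin, authenticator: Callable[[str], str], user_id: str) -> Dict[str, Any]:
    """Whole sequence: challenge -> image shown to user -> scanned OTP -> login."""
    chal = client.generate_challenge(user_id)
    client.render_visual_code(chal["challenge"])  # image displayed in the browser
    otp = authenticator(chal["challenge"])        # user scans it with the authenticator
    return client.login(user_id, otp, chal["requestID"])


if __name__ == "__main__":
    now = [1000.0]
    platform = FakeTidPlatform(lambda: now[0])
    client = SecureChannelLogin(platform.post)
    print(run_login(client, make_authenticator(DEMO_DEVICE_KEY), "alice"))
```

The fake server shows the two checks a practitioner should expect the real platform to enforce on the login call: the requestID must refer to an outstanding challenge for the same user (so a consumed challenge cannot be replayed), and the challenge must still be inside its 180-second lifetime, so a client that renders the image and waits too long for the scan gets a failure and must start again at step 1.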

Use the Visual Codes service to generate Cronto images or QR codes

With OneSpan Cloud Authentication you can integrate the Visual Codes service in your client applications. With this, the application can generate a clear-text or encoded message and embed it into a Cronto image or a QR code. The visualcodes interface allows clients to render a visual code and get raw access to the image URL if the following parameters have been specified:

  • Message. A hexadecimal encoded message that is to be embedded in the image.
  • Format. The output format of the returned image (Cronto image or QR code).
  • Image size. The image size of the returned image.

Use Cronto authenticator to generate Cronto images or QR codes

With OneSpan Cloud Authentication you can implement the functionality to support the use of a Cronto authenticator for user authentication and transaction signature validation. The Cronto authenticator scans a Cronto image or QR code and generates a signature for authentication purposes. OneSpan Cloud Authentication supports the following use cases:

  • User registration and Cronto authenticator activation. If a valid authenticator license is available, a user can register a Cronto authenticator through the User Registration service and activate the authenticator.
  • Login. If the user has successfully registered and activated a Cronto authenticator associated with their account, the user can log in with an OTP generated by that Cronto authenticator.
  • Signature validation. If the user has successfully registered and activated a Cronto authenticator associated with their account, the user can perform a transaction validation with the signature code generated by that Cronto authenticator.