Integration of Secure Channel-based transaction data signing

Secure ChannelClosed The Secure Channel feature encrypts the communication between device and server. It uses payload keys to protect the confidentiality and authenticity of the message's payload.-based transaction data signing (TDS) is a type of transaction data signing that supports the secure exchange of signing data. Secure Channel-based TDS is typically used in combination with Cronto images or QR codes to exchange the Secure Channel messages. This type of transaction data signing requires the use of authenticator licenses that are activated in the multi-device licensing (MDL)Closed OneSpan licensing model with a one-to-one relationship between a user account and an authenticator serial number license. With this licensing model, a user account can be optionally bound to several authenticator instances. Multi-Device Activation, which is an activation process in two steps, guarantess that only the intended user can perform the device activation. mode.

With this feature, you enable your users to sign a transaction, represented by a number of signature data fields, on their mobile device. This operation happens via a Secure Channel, in combination with a CrontoClosed Specific colorful cryptogram, similar to a QR code that is used for visual transaction signing. image or QR code.

Sequence of a Secure Channel-based transaction data signing operation

  1. The user initiates the operation from their browser and the client application sends a generate-signing request to the OneSpan Trusted Identity platform APIClosed Provides the endpoints that are required for the successful completion of the operations. by calling the POST /users/{userID@domain}/generate-signing-request.

    The default timeout value for Secure Channel-based transaction data signing is set to 180 seconds. Contact OneSpan if you need to change this timeout configuration.
  2. The OneSpan Trusted Identity platform API creates a Secure Channel challenge in the form of a Cronto message.
  3. The client application uses the Visual Codes service to generate the Cronto image.
  4. The user captures the Cronto image with their authenticator which generates a signature.
  5. The signature is inserted into a new transaction request which is then forwarded to the OneSpan Trusted Identity platform API for validation. The transactions/validate service uses the request identifier provided in the generate-signing-request response.
  6. The signature is validated successfully.

To integrate Secure Channel-based transaction data signing

  1. Issue a generate signing request with the POST /users/{userid@domain}/generate-signing-request endpoint:
  2. Issue a generate Cronto image request with the POST /visualcodes/render endpoint:
  3. Issue a transaction request with the POST /users/{userid@domain}/transactions/validate endpoint:

    • Payload:

      • objectType: “TransactionValidationInput”
      • data.secureChannel.requestID

        Request ID from the signing request generation.

      • data.secureChannel.signature