Push Notification-based authentication

Push notifications Message that is pushed from a server to a user and is displayed on an end-user device, e.g. a mobile device. Push notifications are received by a particular app. This must be registered on the corresponding server to receive notifications. Notifications can be sent at any time, the users do not have to be actively using the app at that time. can be used as an out-of-band (OOB) two-step authentication method. The push mode enables client applications on mobile devices to authenticate a user. During the authentication process, the user receives a notification prompt on the mobile device and completes the authentication process by tapping on the device (push and login).Push Notification-based authentication is a Secure Channel operation.

Supported integrations:

• With OneSpan Mobile Authenticator Studio 4.18 and later.

  In the push mode, a new OneSpan Mobile Authenticator Studio app is enabled on a mobile device to authenticate the user. The user receives a notification prompt on their mobile device during the authentication process and completes this process by tapping the mobile device.

• With the OneSpan Orchestration SDK..

  Remote authentication is performed by a trusted device where the appropriate protection is selected according to the passkey selection. The following protection options are available:

  • Device-based
  • PIN-based
  • Fingerprint-based

Prerequisites

To ensure a successful Push Notification-based authentication, the following prerequisites must be met:

• A Mobile Authenticator Studio/ Mobile Security Suite Orchestration SDK mobile application has been successfully activated and customized.

  For a short overview, see Offline activation of a OneSpan Mobile Authenticator Studio mobile application. For more detailed information about the customization and instructions on the necessary steps for two-step offline activation, refer to the OneSpan Mobile Authenticator Studio Customization Guide.

  For more information about the integration of the Orchestration SDK, see the Orchestration SDK Integration Guide at Documentation > Mobile Security Suite > Integration Guides.

• The user has shared their static password with the back-end system of the TID platform.
• Configure Push Notification for use with OneSpan Cloud Authentication.

To configure Push Notification

1. After configuring your mobile app, you provide the configuration data to OneSpan. This data includes:

   • Android: the API keys and/(or certificates for Firebase Cloud Messaging (FCM)
   • iOS: the certificates and the Bundle ID

   You need to generate all the required certificates and provide them to OneSpan. For information how to generate these certificates, refer to the Apple and Android developer documentation.

2. OneSpan Cloud Authentication uses this data and creates the configuration in the OneSpan Cloud Authentication database. The data is stored under a key referred to as app ID.
3. The app ID must be set as the name of the mobile app (Mobile Application Name) in your Authentication component domain.

4. Send a Push Notification. When sending, OneSpan Cloud Authentication uses the app ID that was configured in the domain to retrieve the necessary configuration data. This data is used to contact Google Firebase Cloud Messaging (Android) and APNs (iOS).

   For Android, the pairing to the ID of the Android application happens exclusively inside the PNS configuration of your Firebase Cloud Messaging account to which you provided the credentials.

   iOS: the Bundle ID must be provided to Apple for each request. If the iOS Bundle ID is missing in the mobile app configuration, the app ID configured in the Authentication component is used as Bundle ID.

   Once the Push Notification is sent to Google FCM/iOS APNs, the notification delivery to the mobile device (the user) is handled by these services, i.e., the notification is not controlled by OneSpan Cloud Authentication.

Authentication via Push Notification

Sequence of a user authentication operation via Push Notification

1. The user authenticates with their credentials:

   Mobile Authenticator Studio: the user enters the Push Notification keyword push and their static password.

   Mobile Security Suite: the user enters the Push Notification keyword that you configured for the Orchestration SDK and their PIN. The keyword specifies which authentication method will be used to unlock the mobile app.

   The following keywords can be configured to trigger a push notification:

   • NoPIN
   • PIN
   • Fingerprint
2. OneSpan Cloud Authentication generates a secure challenge.
3. The user receives a Push Notification message on their mobile device.
4. The mobile app downloads the secure challenge as part of the Push Notification payload.
5. The user approves the request to log in.
6. The authenticator of the mobile app generates a Secure Channel response, i.e., a signature of the challenge, encrypts it, and returns it to OneSpan Cloud Authentication.
7. OneSpan Cloud Authentication validates the Secure Channel response to determine the result of the Push Notification-based authentication

For information how to integrate this, see Integration of Push Notification-based authentication.

Reject a Push Notification-based authentication request