Push Notification-based transaction data signing

Push Notification-based transaction data signing (TDS) is a method to validate transactions. It uses a push mode to enable any activated OneSpan Mobile Authenticator Studio or Mobile Security Suite Orchestration SDK application on a mobile device. This serves to generate a signature for data that is displayed on the mobile device.

A push notification is a message that is pushed from a server to a user and displayed on an end-user device, e.g. a mobile device. Push notifications are received by a particular app, which must be registered on the corresponding server to receive notifications. Notifications can be sent at any time; users do not have to be actively using the app at that time.

For the validation request, a default timeout value of 60 seconds is defined per tenant. To extend the validation period for Push Notification-based TDS within OneSpan Cloud Authentication, this timeout value can be increased.

Contact OneSpan Support to extend the timeout configuration for your tenant(s).

Supported devices:

  • OneSpan Mobile Authenticator Studio 4.18 and later
  • Mobile Security Suite Orchestration SDK

Prerequisites

To ensure successful Push Notification-based transaction data signing, the following prerequisites must be met:

To configure Push Notification

  1. After configuring your mobile app, you provide the configuration data to OneSpan. This data includes:

    • Android: the API keys and/or certificates for Firebase Cloud Messaging (FCM)
    • iOS: the certificates and the Bundle ID

    You need to generate all the required certificates and provide them to OneSpan. For information on how to generate these certificates, refer to the Apple and Android developer documentation.

  2. OneSpan Cloud Authentication uses this data and creates the configuration in the OneSpan Cloud Authentication database. The data is stored under a key referred to as app ID.
  3. The app ID must be set as the name of the mobile app (Mobile Application Name) in your Authentication component domain.
  4. Send a Push Notification. When sending, OneSpan Cloud Authentication uses the app ID that was configured in the domain to retrieve the necessary configuration data. This data is used to contact Google Firebase Cloud Messaging (Android) and APNs (iOS).

    For Android, the pairing with the Android application ID happens exclusively inside the PNS configuration of the Firebase Cloud Messaging account for which you provided the credentials.

    iOS: the Bundle ID must be provided to Apple for each request. If the iOS Bundle ID is missing in the mobile app configuration, the app ID configured in the Authentication component is used as Bundle ID.

    Once the Push Notification is sent to Google FCM/iOS APNs, the notification delivery to the mobile device (the user) is handled by these services, i.e., the notification is not controlled by OneSpan Cloud Authentication.

Sign transaction data via Push Notification

Push Notification-based transaction data signing via Mobile Authenticator Studio - overview

Push Notification-based transaction data signing via Mobile Security Suite Orchestration SDK - overview

Sequence of a transaction data signing operation via Push Notification

  1. The user initiates the operation from their browser.
  2. OneSpan Cloud Authentication generates a secure signing request.
  3. The user receives a Push Notification message with details of the transaction on their mobile device during the transaction validation process.
  4. The mobile app downloads the secure signing request as part of the Push Notification payload.
  5. The user opens the notification message which displays the data to be signed.
  6. The user either approves or rejects the signature of these data fields.
  7. The mobile app generates a Secure Channel response, i.e., a signature of the challenge, encrypts it, and returns it to OneSpan Cloud Authentication.
  8. OneSpan Cloud Authentication validates the Secure Channel response to determine the result of the Push Notification-based authentication.

For more information, see Integration of Push Notification-based transaction data signing.
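The following is an added, self-contained simulation of the signing sequence above (server-side request, on-device approval or rejection, server-side validation within the 60-second window). It is not OneSpan code and does not implement the Secure Channel format, which this page does not specify: HMAC-SHA256 over a constructed JSON request stands in for the real signature, the encryption of the response in step 7 is omitted, and all keys, field names and timestamps are constructed.

```python
import hashlib
import hmac
import json
import secrets

TIMEOUT_SECONDS = 60  # default per-tenant validation timeout stated on this page


def create_signing_request(tx_fields: dict, now: float) -> dict:
    """Server side (step 2): build the secure signing request that is pushed to the device.
    Constructed format: a fresh random challenge plus the fields the user will see."""
    return {"challenge": secrets.token_hex(16), "fields": tx_fields, "issued_at": now}


def _canonical(request: dict) -> bytes:
    # Both sides sign exactly what was displayed: the challenge bound to the transaction fields.
    return json.dumps({"challenge": request["challenge"], "fields": request["fields"]},
                      sort_keys=True).encode()


def sign_on_device(request: dict, device_key: bytes, approved: bool) -> dict:
    """Mobile app side (steps 5-7): the user approves or rejects the displayed fields.
    HMAC-SHA256 with a constructed per-device key stands in for the real signature."""
    if not approved:
        return {"challenge": request["challenge"], "status": "rejected"}
    sig = hmac.new(device_key, _canonical(request), hashlib.sha256).hexdigest()
    return {"challenge": request["challenge"], "status": "approved", "signature": sig}


def validate_response(request: dict, response: dict, device_key: bytes, now: float) -> str:
    """Server side (step 8): decide the outcome of the signing request.
    Checks the timeout first, then challenge binding, then the signature over the stored fields."""
    if now - request["issued_at"] > TIMEOUT_SECONDS:
        return "timeout"
    if not hmac.compare_digest(response.get("challenge", ""), request["challenge"]):
        return "challenge_mismatch"
    if response.get("status") == "rejected":
        return "rejected"
    expected = hmac.new(device_key, _canonical(request), hashlib.sha256).hexdigest()
    if hmac.compare_digest(expected, response.get("signature", "")):
        return "accepted"
    # Fields held by the server differ from those the user signed, or the key is wrong.
    return "invalid_signature"


if __name__ == "__main__":
    key = b"constructed-device-key"
    req = create_signing_request({"amount": "100.00 EUR", "beneficiary": "ACCOUNT-PLACEHOLDER"}, now=1000.0)
    resp = sign_on_device(req, key, approved=True)
    print(validate_response(req, resp, key, now=1010.0))  # accepted
```

The last branch is the property transaction data signing exists for: if the transaction fields the server holds no longer match what the user saw and approved, the signature does not verify.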

Reject Push Notification-based transaction data signing request

The user rejects the Push Notification-based transaction data signing request on their mobile device.

Reject Push Notification-based transaction data signing for Mobile Authenticator Studio - overview

Reject Push Notification-based transaction data signing for Mobile Security Suite Orchestration SDK - overview