Secure Channel-based transaction data signing

Secure Channel-based transaction data signing (TDS) is a type of transaction data signing that supports the secure exchange of signing data. Secure Channel-based TDS is typically used in combination with Cronto images or QR codes to exchange the Secure Channel messages. This type of transaction data signing requires the use of authenticator licenses that are activated in the multi-device licensing (MDL)Closed OneSpan licensing model with a one-to-one relationship between a user account and an authenticator serial number license. With this licensing model, a user account can be optionally bound to several authenticator instances. Multi-Device Activation, which is an activation process in two steps, guarantess that only the intended user can perform the device activation. mode.

With this feature, you enable your users to sign a transaction, represented by a number of signature data fields, on their mobile device. This operation happens via a Secure Channel, in combination with a CrontoClosed Specific colorful cryptogram, similar to a QR code that is used for visual transaction signing. image or QR code.

Supported devices:

  • Hardware authenticators with Cronto image support (e.g. the Digipass 7xx-series)
  • OneSpan Mobile Authenticator Studio 4.18 and later
  • Mobile Security Suite Orchestration SDK


To ensure a successful Secure Channel-based transaction data signing, the following prerequisites must be met:

Sign transaction data via Secure Channel

Push Notification-based transaction data signing — overview

Sequence of a Secure Channel-based transaction data signing operation

  1. The user initiates the operation from their browser, and the client application requests a secure challenge.
  2. OneSpan Trusted Identity platform generates a secure challenge.
  3. The authenticator generates a signing field request message.
  4. The data to be signed is included in a Secure Channel message and sent to the client application.
  5. The client issues a request to generate a Cronto image from the returned Secure Channel message.
  6. OneSpan Trusted Identity platform generates a Cronto image and displays it to the user. The user scans the Cronto image with their Cronto device.
  7. With the scanned image, the Cronto device generates the signature.
  8. The user enters the signature in the client application.
  9. The client application sends the signature to OneSpan Trusted Identity platform for validation.
  10. The transaction data is successfully signed, or the operation is rejected.