Secure Channel-based authentication

Secure Channel-based authentication is a type of authentication that supports the secure exchange of authentication data. It is used in combination with Cronto images (a specific colorful cryptogram, similar to a QR code, used for visual transaction signing) or QR codes to exchange the Secure Channel messages. This type of authentication requires authenticator licenses that are activated in multi-device licensing (MDL) mode. MDL is the OneSpan licensing model with a one-to-one relationship between a user account and an authenticator serial number license; with this model, a user account can optionally be bound to several authenticator instances. Multi-Device Activation, a two-step activation process, guarantees that only the intended user can perform the device activation.

Secure Channel-based authentication is different from adaptive Secure Channel-based authentication.

Supported devices:

  • Hardware authenticators with Cronto image support (e.g. the Digipass 7xx-series)
  • OneSpan Mobile Authenticator Studio 4.18 and later
  • Mobile Security Suite Orchestration SDK

Prerequisites

To ensure a successful Secure Channel-based authentication, the following prerequisites must be met:

Authentication via Secure Channel

For Secure Channel-based user authentication operations, the sequences differ slightly, depending on whether the authenticator used has internet connectivity or not.

Secure Channel-based authentication overview: authenticators with internet connectivity

Sequence of a Secure Channel-based user authentication operation with authenticators with internet connectivity

  1. The client application requests a Secure Channel challenge from the OneSpan Trusted Identity platform.
  2. The OneSpan Trusted Identity platform generates a secure challenge.
  3. The client issues a request to generate a Cronto image from the returned Secure Channel message.
  4. The authenticator captures the Cronto image and creates a one-time password (OTP) for this challenge.
  5. The authenticator sends the OTP to the OneSpan Trusted Identity platform for validation.
  6. The OneSpan Trusted Identity platform validates the OTP.
  7. The client application collects the result of the validation.
  8. If the OTP is successfully validated, the authentication is successful.

Secure Channel-based authentication overview: authenticators without internet connectivity

Sequence of a Secure Channel-based user authentication operation with authenticators without internet connectivity

  1. The client application requests a Secure Channel challenge from the OneSpan Trusted Identity platform.
  2. The OneSpan Trusted Identity platform generates a secure challenge.
  3. The client issues a request to generate a Cronto image from the returned Secure Channel message.
  4. The authenticator captures the Cronto image and creates a one-time password (OTP) for this challenge.
  5. The authenticator displays the OTP to the user.
  6. The user enters the OTP into the client application.
  7. The client application sends the OTP to the OneSpan Trusted Identity platform for validation.
  8. The OneSpan Trusted Identity platform validates the OTP.
  9. The client application collects the result of the validation.
  10. If the OTP is successfully validated, the authentication is successful.