November Release – 23.R2
Deprecated or removed components and services
SOAP interface: end of support
As of December 31, 2023, OneSpan will end support for the SOAP interface in Intelligent Adaptive Authentication.
We recommend customers who are using Intelligent Adaptive Authentication with SOAP to switch to the standard REST interface.
Removal of services
In version August Release – 22.R3 (see August Release – 22.R3) we announced the deprecation of a number of services, including the provided endpoints therein.
The services and endpoints listed below will be removed from Intelligent Adaptive Authentication with the next version. We recommend customers who are using any of these services and endpoints to migrate to the OneSpan Trusted Identity platform API before December 31, 2023!
For every removed service, a replacement is already available in the OneSpan Trusted Identity platform API.
In the Adaptive Authentication API Reference service API, the following services will be removed:
- userregister (v1)
- login (v2)
- checksessionstatus (v2)
- transaction (v2)
- eventvalidation (v2)
- checkactivationstatus (v1)
- userunregister (v1)
- user-management (v1)
- authenticator-management (v1)
- authenticator-provisioning (v1)
- visualcode (v1)
In the Risk Analytics API Reference service API, the following services will be removed:
- eventvalidation (v2)
- transaction (v2)
- bulkfile-upload (v1)
The following standalone services which are not part of a service API will also be removed:
- eventvalidation (v1)
- login (v1)
- transaction (v1)
- checksessionstatus (v1)
- fido-metadata
New features and enhancements—supported use cases
Third-party licenses
For information on third-party dependencies associated with Intelligent Adaptive Authentication, see Third-party licenses and Third-party notices.
New policy: TID Activation for Multi-Device Licensing
A new policy, TID Activation for Multi-Device Licensing, has been added to facilitate activating an authenticator instance in multi-device licensing (MDL) mode. This policy provides settings to allow the activation of all types of authenticators and/or authenticator instance types. It completes the authenticator provisioning by validating a signature that is generated by the newly activated authenticator instance.
For more information, see TID Activation for Multi-Device Licensing (Policy).
Also, a new field, dp_types, has been added to the TID Provisioning for Multi-Device Licensing policy. With this new field you can indicate which authenticator types are permitted. For more information, see TID Provisioning for Multi-Device Licensing (Policy).
FIDO2 Bank Demo Web App
The FIDO2 Bank Demo Web App is a stand-alone component hosted in the Sandbox environment that allows you to test and simulate basic capabilities of the FIDO2 ceremonies.
Once FIDO2 has been enabled, you can access the FIDO2 Bank Demo Web App via https://yourtenant.sdb.tid.onespan.cloud/v1/mybank-fido.
For more information about the FIDO2 Bank Demo Web App, see FIDO2 Bank Demo Web App.
For more information on the FIDO2 Bank Demo Web App interaction with the web browser and the OneSpan Trusted Identity platform API, see Test User Registration with the FIDO2 Bank Demo Web App and Test User Authentication with the FIDO2 Bank Demo Web App. The code samples demonstrate how to use the WebAuthn API for the registration and authentication flows.
For more information on FIDO2 onboarding for the Sandbox environment, see FIDO2 onboarding in the Sandbox environment.
Check user account existence
Intelligent Adaptive Authentication now supports the option to check if a user account exists in OneSpan Trusted Identity platform. This basic check enables you to verify the existence of an account without the need to fetch any additional details about this user.
Check if a user account exists endpoint. A new endpoint has been added for this operation:
The responses include:
- 204: User account exists.
- 400: The input is invalid.
- 403: The command is prohibited for the tenant admin account.
- 404: User account not found.
- 500: Internal error, sub-service failure, server crash.
Improved communication between Intelligent Adaptive Authentication web services
With an overall application improvement, the internal communication between the Intelligent Adaptive Authentication web services has been improved, resulting in reduced communication and response times.
Fixes and other changes
Issues OAS-16263, OAS-16443, OAS-16822—OAS-16826, OAS-17246, OAS-17375, OAS-18015, and OAS-18195: Fixed vulnerabilities
This version of Intelligent Adaptive Authentication contains fixes for the following vulnerabilities:
- CVE-2023-29491 (ncurses vulnerability)
- CVE-2023-23914 (Curl vulnerability)
- CVE-2023-20873 (Spring Boot vulnerability)
- CVE-2023-20862 (Spring Security vulnerability)
- CVE-2023-20860 (Spring Framework vulnerability)
- CVE-2023-1436 (Jettison vulnerability)
- CVE-2023-1370 (JSON vulnerability)
- CVE-2023-0464 (OpenSSL vulnerability)
- CVE-2023-0286 (OpenSSL vulnerability)
- CVE-2023-0215 (OpenSSL vulnerability)
- CVE-2022-41853 (HyperSQL vulnerability)
- CVE-2022-31692 (Spring Security vulnerability)
- CVE-2022-31197 (PostgreSQL vulnerability)
- CVE-2022-25647 (Gson vulnerability)
- CVE-2022-23221 (H2 vulnerability)
- CVE-2022-22978 (Spring Security vulnerability)
- CVE-2022-22971 (Spring framework vulnerability)
- CVE-2022-22970 (Spring framework vulnerability)
- CVE-2022-22968 (Spring framework vulnerability)
- CVE-2022-4450 (OpenSSL vulnerability)
- CVE-2022-1471 (SnakeYaml vulnerability)
- CVE-2021-46848 (GNU Libtasn1 vulnerability)
- CVE-2021-42392 (H2 vulnerability)
- CVE-2021-36159 (libfetch vulnerability)
- CVE-2020-11612 (zlib vulnerability)
- CVE-2018-1000873 (Fasterxml Jackson vulnerability)
- CVE-2016-1000344 (Bouncy Castle vulnerability)
Issue OAS-16295: authenticatorAttachment field no longer has default value
When no authenticator attachment is provided in OneSpan Trusted Identity platform for the , the client app automatically selects platform as the default option.
Status: This issue has been fixed. The authenticatorAttachment field for the POST /users/{userID@domain}/generate-fido-registration-request endpoint no longer has a default value. If this field is not provided, the client app will then select all platform and cross-platform authenticators that are allowed.
Issue OAS-16395 (Support Case INC0011585): Data validation in the Checkevent service
The Checkevent service does not validate application data.
Status: This issue has been fixed. The Checkevent service has been enhanced to check if application data is present on the check mobile event input.
Issue OAS-16704: Orchestration error messages (Documentation)
When integrating orchestration with Intelligent Adaptive Authentication, it was difficult to correctly handle error messages that originated from the cloud web services. The error messages that were provided were unclear.
Status: This issue has been fixed. A list of relevant error messages for orchestration has been added to the Intelligent Adaptive Authentication Integration Guide. See Error Handling in Orchestration for this list.
Issue OAS-17129: Data store entries deleted during update
The method used to update a data store entry causes the library to delete the entry before recreating it. This results in short periods where the relevant record is not available and leads to unexpected errors for certain flows. Instead of a valid entry, the users receive a 404 Element_NOT_FOUND error.
Status: This issue has been fixed. The data store is now updated with a different method.
Issue OAS-17217 (Support Case CS0121382): CORS issue for authenticator provisioning in the Sandbox environment
When the POST /registrations/{registrationID}/add-device endpoint is called with the HTTP OPTIONS request method (the CORS preflight request), a CORS (Cross-Origin Resource Sharing) error 403 occurs, thus preventing the user from sending requests to this API endpoint.
Status: This issue has been fixed. The endpoint has been adapted to include the access control headers in the response.
Issue OAS-17335: Grace period does not expire after MDL activation
In previous versions, the grace period of an authenticator (instance) only expired automatically after a successful authentication with a one-time password (OTP) but not after a multi-device licensing (MDL) activation.
Status: This issue has been fixed. Now, the grace period automatically expires after the user authenticates with an OTP, or activates an authenticator in MDL mode using either an OTP or a signature validation, since all of these indicate that the authenticator has been correctly activated and is working properly.
Issue OAS-17340 (Support Case INC0011794): Incorrect information in the TID OpenAPI definition
The OpenAPI definition of the TID GET /users endpoint contains the following incorrect information:
- The UserOutput object incorrectly specifies that the lastPasswordUpdate and mdcProfile fields are required.
- The response of the GET /users endpoint was incorrectly wrapped in an array.
Status: This issue has been fixed.
Issue OAS-17501 (Support Case INC0011984): Incorrect default timeout for Secure Channel-based authentication and transaction data signing operations
The default timeout for the Secure Channel-based authentication and transaction data signing operations in Intelligent Adaptive Authentication is incorrectly set to 60 seconds.
Status: This issue has been fixed. The default timeout for the Secure Channel-based authentication and transaction data signing operations is now set to 180 seconds.
Contact OneSpan Support if you need to change this configuration.
Issue OAS-17617 (Support Case CHG0032270): Manual changes to policy parameters not updated after redeploying Intelligent Adaptive Authentication
The manual changes for the policy values regarding the minimum lock duration, lock duration multiplier, and the maximum unlock tries are not updated or reset to default values after Intelligent Adaptive Authentication is redeployed.
Status: This issue has been fixed. Additional fields for these policy values have been added to the relevant Intelligent Adaptive Authentication microservice. With this, after Intelligent Adaptive Authentication is redeployed, these fields are updated to the values configured for the customer, or reset to their default values.
Known issues
Issue OAS-15853: Incorrect error message when transaction amount fields are provided as data type number
The POST /users/{userID@domain}/transactions/validate endpoint returns an incorrect error message if the transaction amount field is provided as the data type number and the transaction amount is large. In this case, the endpoint should return the error message "Invalid value type", because the transaction amount field was provided as a number and not as a String. Instead, it returns the incorrect error message "Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,".
Solution: The transaction amount fields in the request body of the transactions/validate endpoint need to be provided as a String. Ensure that the value in the JSON request body is wrapped in double quotes.
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
- 5.7.0
- 5.5.1
- 5.4.4
- 5.4.2
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
February Release – 23.R1
New features and enhancements—supported use cases
Adaptive message-based transaction data signing via virtual signature
Intelligent Adaptive Authentication now supports adaptive message-based transaction data signing via virtual signatures. With this feature, you can perform a transaction data signing operation with a signature validation request to the OneSpan Trusted Identity platform API. The generated signature request contains a one-time password (OTP) and signature data fields. The OTP and the fields are sent to the user for confirmation, either via SMS, email, or voice call delivery.
- Generate virtual signature endpoint. A new endpoint has been added for this transaction data signing operation:
POST /users/{userID@domain}/generate-virtual-signature
This new endpoint accepts dataFields, credentials, and deliveryMethod as payload.
The following responses are included:
- 204: Virtual signature generated.
- 400: The input is invalid.
- 403: The command is prohibited for the tenant admin account.
- 404: User account not found.
- 409: Failed to generate or deliver a virtual signature.
- 500: Internal error, sub-service failure, server crash.
For more information, refer to Integrate adaptive message-based transaction data signing.
Audit logging enhancement
In previous versions of Intelligent Adaptive Authentication, each TID microservice had a different implementation for audit logging. The implementation has now been unified: the common aspects have been moved to the common-auditing library, which each microservice now uses. The custom fields that are specific to a microservice, which were also logged prior to this change, are not affected by this enhancement.
The following TID microservices are impacted:
- authenticator-managementv2
- checkevent
- fido-universal-server
- relying-party
- user-managementv2
Fixes and other changes
Issue OAS-13897 (Support Case INC0010788): Mobile client receives incorrect error message when using the Orchestration SDK
In certain error scenarios, mobile clients that use the Orchestration SDK and integrate it with Intelligent Adaptive Authentication receive error messages that are too verbose and contain internal processing details.
The following error messages are affected:
- The authenticator limit has been reached
- No device added
- No device registered
- Wrong device code supplied
- Wrong signature supplied
- User account suspended due to inactivity
- User is locked
- User is disabled
- No authenticators available
- Authenticator not supported
- Could not process encrypted message
- Static password has expired
Status: This issue has been fixed. Correct error messages are now returned to the clients. For unspecific internal server errors, the following generic error message is now returned: An unknown error has occurred.
In addition, the following changes were implemented to improve error messaging for Orchestration SDK clients:
- The error response of the POST /orchestration-commands endpoint now returns a log correlation ID that can be used to identify logs that belong to a certain error.
- If an error message cannot be propagated to the onOrchestrationServerError() callback method because the error command encoding fails, the message of the original error will now be returned as part of the error response of the POST /orchestration-commands endpoint.
Issues OAS-15177, OAS-15133, OAS-15323, OAS-15337, OAS-15338, OAS-15345, OAS-15346, OAS-15347, OAS-15348, OAS-16009, OAS-16033, and OAS-16262: Fixed vulnerabilities
This version of Intelligent Adaptive Authentication contains fixes for the following vulnerabilities:
- CVE-2022-42915 (curl vulnerability)
- CVE-2022-42889 (Apache Commons Text vulnerability)
- CVE-2022-37434 (zlib vulnerability)
- CVE-2022-32207 (curl vulnerability)
- CVE-2022-27404 (FreeType vulnerability)
- CVE-2022-23806 (Go vulnerability)
- CVE-2022-22965 (Spring MVC/Spring WebFlux vulnerability)
- CVE-2022-2068 (OpenSSL vulnerability)
- CVE-2022-1292 (OpenSSL vulnerability)
- CVE-2021-45046 (Log4shell vulnerability)
- CVE-2021-44228 (Log4shell vulnerability)
- CVE-2021-43527 (Network Security Services (NSS) vulnerability)
- CVE-2021-31535 (libx11 vulnerability)
- CVE-2021-27568 (netplex json-smart vulnerability)
- CVE-2021-20223 (SQLite vulnerability)
- CVE-2021-3711 (OpenSSL vulnerability)
- CVE-2020-12403 (Network Security Services (NSS) vulnerability)
- CVE-2020-11656 (SQLite vulnerability)
- CVE-2019-20367 (libbsd vulnerability)
- CVE-2019-19646 (SQLite vulnerability)
- CVE-2019-14697 (musl vulnerability)
- CVE-2019-12900 (bzip2 vulnerability)
- CVE-2019-8457 (SQLite vulnerability)
Issue OAS-15341 (Support Case INC0011168): API Client cannot be generated for the OneSpan Trusted Identity platform API
Due to a reference that is incorrectly listed inside the tid-api.json file for the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint, it is not possible to generate the API Client for the OneSpan Trusted Identity platform API.
Status: This issue has been fixed.
Issue OAS-16273: FIDO authenticator registration fails in certain situations
Duplicate entries in the FIDO metadata database have caused authenticator registration attempts to fail in certain situations.
Status: This issue has been fixed.
Issue OAS-16274: Secure Messaging service returned incorrect error message text
The Secure Messaging service of Intelligent Adaptive Authentication incorrectly returned Failed to generate secure challenge not only for a failed call to generate a secure challenge, but also when a call to the service to generate a signing request failed.
Status: This issue has been fixed. Since the error message did not state clearly enough that the cause of the error was an internal issue, the original error message was removed entirely. Instead, when either of these two calls fails, Intelligent Adaptive Authentication now returns the following error message: An internal error occurred while attempting to process the request.
In addition, a new error message has been created when a temporary user account has expired: Temporary user account expired. And the wording of other error messages has also been improved and streamlined.
Issue OAS-16457: Mapping issue for delivery method of virtual OTP
The User Management service, in particular the PUT /users/{userID@domain} endpoint to create users, accepted a null value as delivery method payload for sending a virtual OTP. At the same time, it was not able to map the null value to one of the expected values (Default, SMS, Email, Voice).
Status: This issue has been fixed. The service now maps the null value correctly to Default.
Known issues
Issue OAS-15853: Incorrect error message when transaction amount fields are provided as data type number
The POST /users/{userID@domain}/transactions/validate endpoint returns an incorrect error message if the transaction amount field is provided as the data type number and the transaction amount is large. In this case, the endpoint should return the error message "Invalid value type", because the transaction amount field was provided as a number and not as a String. Instead, it returns the incorrect error message "Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,".
Solution: The transaction amount fields in the request body of the transactions/validate endpoint need to be provided as a String. Ensure that the value in the JSON request body is wrapped in double quotes.
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
- 5.5.1
- 5.4.4
- 5.4.2
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
August Release – 22.R3
Deprecated components and services
Deprecated services
A number of services, including the provided endpoints therein, will be deprecated for Intelligent Adaptive Authentication in the fourth quarter of 2023.
For every service that will be deprecated, a replacement is already available in the OneSpan Trusted Identity platform API.
In the Adaptive Authentication API Reference service API, the following services will be deprecated:
- userregister (v1)
- login (v2)
- checksessionstatus (v2)
- transaction (v2)
- eventvalidation (v2)
- checkactivationstatus (v1)
- userunregister (v1)
- user-management (v1)
- authenticator-management (v1)
- authenticator-provisioning (v1)
- visualcode (v1)
In the Risk Analytics API Reference service API, the following services will be deprecated:
- eventvalidation (v2)
- transaction (v2)
- bulkfile-upload (v1)
The following standalone services which are not part of a service API will also be deprecated:
- eventvalidation (v1)
- login (v1)
- transaction (v1)
- checksessionstatus (v1)
- fido-metadata
New features and enhancements—supported use cases
FIDO UAF onboarding for Sandbox and Production environments
The FIDO UAF onboarding process is now available on the OneSpan Community Portal for Intelligent Adaptive Authentication.
For more information on FIDO UAF onboarding, see FIDO UAF onboarding in the Sandbox and Production environments.
Deletion of a OneSpan Trusted Identity platform user
When a OneSpan Trusted Identity platform user is deleted, all FIDO-relevant user data that is associated with this account is also deleted. This prevents reusing old user data, if the user is reactivated in a future instance.
Data fields for FIDO UAF channel binding now supported by the OneSpan Trusted Identity platform API
The OneSpan Trusted Identity platform API now supports the following data fields for FIDO UAF channel binding:
- cidPublicKey
- tlsUnique
The following FIDO-based endpoints are impacted by this enhancement:
Data fields for FIDO2 token binding now supported by the OneSpan Trusted Identity platform API
The OneSpan Trusted Identity platform API now supports the tokenBinding data field for FIDO2 token binding.
The following FIDO-based endpoints are impacted by this enhancement:
Decrypt information message
Intelligent Adaptive Authentication now supports decrypting the body of a Secure Channel information message via the REST API. With the Decrypt Information Message feature, you can decrypt the body of a Secure Channel information message that is encrypted with the payload key of an instance of a multi-device licensing (MDL) authenticator.
- Decrypt information message endpoint. A new endpoint has been added for this decrypting operation:
POST /authenticators/{serialNumber}/decrypt-information-message
This endpoint accepts informationMessage as payload.
The following responses are included:
- 200: Decrypted information message.
- 400: The input is invalid.
- 404: Authenticator not found.
- 409: Failed to decode information message.
- 500: Unexpected server error.
For more information, refer to Decrypt an Information Message Body.
Authenticator activation reset
With the new Reset Activation feature, Intelligent Adaptive Authentication now supports resetting the activation information of an authenticator via the OneSpan Trusted Identity platform API.
For authenticators that use standard activation, i.e. single-device licensing (SDL), the following parameters are reset:
- Activation count
- Activation locations
- Last activation date/time
For authenticators compliant with multi-device licensing (MDL) activation, the following parameters are reset:
- Provisioning activation count
- Activation challenge
- Last activation date/time
For MDL-compliant authenticators, this reset operation does not decrease the activation count (i.e. the number of activated instances), but resets the number of activations.
- Reset activation endpoint. A new endpoint has been added for this reset operation:
POST /authenticators/{serialNumber}/reset-activation
The following responses are included:
- 200: Reset activation completed successfully.
- 400: The input is invalid.
- 404: Authenticator not found.
- 409: Failed to reset the activation.
- 500: Unexpected server error.
For more information, refer to Reset Authenticator Activation Information.
New options to query and/or update user information
Intelligent Adaptive Authentication now offers new options to query and/or update user information. The following fields have been adapted and can now be used to query user information:
- hasAuthenticatorAssigned
- expired
- disabled
- lastAuthentication
- lastAuthenticationRequest
- maxDaysBetweenAuthentications
You can use this field to query and update user information based on the user's interval between authentications.
hasAdminPrivileges field now supported in Intelligent Adaptive Authentication
Intelligent Adaptive Authentication now supports the hasAdminPrivileges field for the following OneSpan Trusted Identity platform API endpoints:
You can now query a user based on the hasAdminPrivileges field in Intelligent Adaptive Authentication.
Fixes and other changes
Issue OAS-12509: Performance bottleneck in Intelligent Adaptive Authentication web services
In Intelligent Adaptive Authentication, the SOAP client library for the common Java web services exhibits a bottleneck. This results in poor performance when many users are simultaneously trying to call the same service. To improve performance for users during high-traffic spikes, a new library is used.
Status: With the new library already in place, a higher number of simultaneous requests can now be handled without performance impairments for the following scenarios:
- User authentication and login
- Transaction validation
- Event validation
- Time synchronization between OneSpan Trusted Identity platform (i.e. host) and authenticator
- Orchestration SDK processing
- General improvement on internal processing operations (e.g. administration sessions)
Issue OAS-12661: Incorrect behavior when deregistering the FIDO UAF authenticator via AAID
When deregistering a FIDO UAF authenticator only via the Authenticator Attestation ID (AAID), the response received from the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint contains the list of all deregistered key IDs. Because the KeyID in the response should be empty, the certification tool reports a problem with the KeyID validation.
Status: This issue has been fixed. In addition, the behavior of the deregistration endpoint has been updated to also include the option to deregister the FIDO UAF authenticator using the AAID and KeyID.
Issue OAS-12798: Android phone not behaving correctly when authenticating as the assigned FIDO2 authenticator
The Android phone does not behave correctly during authentication when it is the assigned FIDO2 authenticator.
Status: This issue has been fixed. The FIDO2 Server did not correctly handle the case when the userHandle property was null, which caused the authentication attempt to fail.
Issue OAS-13223 (Support Case INC0010680): User registration error without optional static password
An error occurs when calling the POST /users/register endpoint. Attempts to register an additional authenticator without including a static password result in the following error: User registration failed: Initial static password not set.
Status: This issue has been fixed. It is now possible to use this endpoint multiple times to start the registration of a new authenticator.
Once a registration call has been made with a password, that password will then be required for all subsequent registration calls (as long as the password has not been reset).
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
- 5.5.1
- 5.4.4
- 5.4.2
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
May Release – 22.R2
New features and enhancements—supported use cases
FIDO2 sample relying party
The FIDO2 sample relying party is a stand-alone component hosted in the Sandbox environment. It facilitates the testing and simulation of the end-to-end capabilities of the FIDO2 ceremonies.
Once FIDO2 has been enabled, you can access the FIDO2 sample relying party via https://yourtenant.sdb.tid.onespan.cloud/v1/fido-sample-relying-party.
For more information about the FIDO2 sample relying party, see FIDO2 sample relying party.
For more information on the FIDO2 sample relying party interaction with the web browser and the OneSpan Trusted Identity platform API, see Using the FIDO2 sample relying party to test the registration and deregistration flow and Using the FIDO2 sample relying party to test the authentication flow. The code samples demonstrate how to use the WebAuthn API for the registration, deregistration, and authentication flows.
For more information on FIDO2 onboarding for the Sandbox environment, see FIDO2 onboarding in the Sandbox environment.
FIDO2 onboarding for Sandbox and Production environments
The FIDO2 onboarding process is now available on the OneSpan Community Portal for Intelligent Adaptive Authentication.
For more information on FIDO2 onboarding for the Sandbox environment, see FIDO2 onboarding in the Sandbox environment.
For more information on FIDO2 onboarding for the Production environment, see FIDO2 onboarding in the Production environment.
Event listeners implemented in TID microservices
Event listeners have been implemented in certain TID microservices to listen to the key expiration events of specific keys. After a Redis key expiration event is received, the related key is properly deleted.
The following TID microservices are impacted:
- checksessionstatusv2 (RequestStatus)
- authenticator-provisioningv2 (registrationsession)
- sandbox (sandbox-tenantdeletestatus, sandbox-tenantstatus)
- eventvalidationv2 (SessionRequestMapping)
- irm_macroservices_trusteddevicecmd (SessionStatus)
- oas-admin-pool (TenantAdminSession)
- checkactivationstatusv2 (CacheElement)
Validation of attestation modes by FIDO2 Server
When finalizing the registration process, the FIDO2 Server now validates whether the attestation mode (also known as the Attestation Conveyance Preference) is compatible with the attestation statement that the authenticator sends. If the attestation statement is empty, the attestation mode must be NONE. An empty attestation statement is not compatible with an attestation mode of DIRECT or INDIRECT.
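As an added illustration (not OneSpan code), the following Python applies this rule on the relying-party side to a WebAuthn attestationObject: it decodes the CBOR, reads fmt and attStmt, and rejects an empty statement unless the requested conveyance preference was none. The minimal CBOR codec, the sample attestation objects and the check_attestation_mode function are assumptions constructed for this example, not the FIDO2 Server's implementation.

```python
import base64

# --- Minimal CBOR codec: just enough for a WebAuthn attestationObject ---
# (unsigned/negative ints, byte strings, text strings, arrays, maps).
# Constructed for this example; a production server would use a full CBOR library.

def _decode_item(buf, pos):
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    elif info == 26:
        arg, pos = int.from_bytes(buf[pos:pos + 4], "big"), pos + 4
    else:
        raise ValueError("unsupported CBOR argument encoding")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR string")
        chunk = bytes(buf[pos:pos + arg])
        return (chunk if major == 2 else chunk.decode("utf-8")), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = _decode_item(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = _decode_item(buf, pos)
            result[key], pos = _decode_item(buf, pos)
        return result, pos
    raise ValueError("unsupported CBOR major type %d" % major)

def decode_cbor(buf):
    value, end = _decode_item(buf, 0)
    if end != len(buf):
        raise ValueError("trailing bytes after CBOR item")
    return value

def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")

def encode_cbor(value):
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(value, list):
        return _head(4, len(value)) + b"".join(encode_cbor(v) for v in value)
    if isinstance(value, dict):
        return _head(5, len(value)) + b"".join(encode_cbor(k) + encode_cbor(v) for k, v in value.items())
    raise TypeError("unsupported type %s" % type(value).__name__)

# --- The compatibility rule from the release note ---
ATTESTATION_MODES = {"none", "indirect", "direct"}

def check_attestation_mode(requested_mode, attestation_object_b64url):
    """Return (ok, reason). An empty attestation statement is only acceptable when
    the relying party asked for mode 'none'; with 'direct' or 'indirect' the
    authenticator must have sent a statement. A non-empty statement under 'none'
    is still accepted, since the rule only constrains the empty case."""
    mode = str(requested_mode).lower()
    if mode not in ATTESTATION_MODES:
        return False, "unknown attestation mode %r" % requested_mode
    padded = attestation_object_b64url + "=" * (-len(attestation_object_b64url) % 4)
    try:
        att = decode_cbor(base64.urlsafe_b64decode(padded))
    except (ValueError, IndexError) as exc:
        return False, "attestationObject is not valid CBOR: %s" % exc
    if not isinstance(att, dict):
        return False, "attestationObject is not a CBOR map"
    fmt, att_stmt = att.get("fmt"), att.get("attStmt")
    if not isinstance(fmt, str) or not isinstance(att_stmt, dict) or not isinstance(att.get("authData"), bytes):
        return False, "attestationObject lacks fmt/attStmt/authData"
    if fmt == "none" and att_stmt:
        return False, "fmt 'none' must carry an empty attStmt"
    statement_empty = fmt == "none" or not att_stmt
    if statement_empty and mode != "none":
        return False, "empty attestation statement but mode %r requires one" % mode
    return True, "compatible"

# Constructed sample responses (not captured from a real authenticator). 37 zero bytes
# stand in for authData (rpIdHash + flags + signCount); the rule does not inspect them.
_AUTH_DATA = bytes(37)

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

SAMPLE_NONE = _b64url(encode_cbor({"fmt": "none", "attStmt": {}, "authData": _AUTH_DATA}))
SAMPLE_PACKED = _b64url(encode_cbor({
    "fmt": "packed",
    "attStmt": {"alg": -7, "sig": bytes(70)},  # placeholder ES256 signature bytes
    "authData": _AUTH_DATA,
}))

if __name__ == "__main__":
    for mode in ("none", "indirect", "direct"):
        for label, obj in (("none-format", SAMPLE_NONE), ("packed", SAMPLE_PACKED)):
            ok, reason = check_attestation_mode(mode, obj)
            print("%-8s + %-11s -> %s (%s)" % (mode, label, "accept" if ok else "reject", reason))
```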
emailAddress field now supported in Intelligent Adaptive Authentication
Intelligent Adaptive Authentication now supports the emailAddress field for the following OneSpan Trusted Identity platform API endpoint:
You can now query a user based on the emailAddress field in Intelligent Adaptive Authentication.
displayName field now supported in Intelligent Adaptive Authentication
Intelligent Adaptive Authentication now supports the displayName field for the following OneSpan Trusted Identity platform API endpoints:
You can now query a user or update user data based on the displayName field in Intelligent Adaptive Authentication.
Secure Channel default timeout increased to 180 seconds
The default timeout value for Secure Channel-based authentication and transaction data signing operations has been increased from 60 seconds to 180 seconds.
Contact OneSpan Support if you need to change this configuration.
Trusted facets list endpoint
A new FIDO endpoint has been added to the OneSpan Trusted Identity platform API to retrieve a trusted facets list for FIDO UAF certification. This is a list of all the approved entities related to the calling app.
The following failure responses are included:
- 500: Unexpected server error.
Online multi-device licensing provisioning
Intelligent Adaptive Authentication now supports online multi-device licensing (MDL) provisioning to activate an authenticator. Previously, this functionality was available only for integrations of Intelligent Adaptive Authentication that also included the OneSpan Orchestration SDK in the mobile application. With this new feature, the required DSAPP-SRP operations are now available through the OneSpan Trusted Identity platform API. During the activation process, an authenticator instance is created.
For this type of activation, an authenticator license is required.
- Ephemeral key endpoint. A new endpoint has been added to generate an ephemeral key and secure the activation process:
POST /registrations/{registrationID}/generate-ephemeral-key
This endpoint accepts clientEphemeralPublicKey as payload.
The following failure responses are included:
- 400: The input is invalid.
- 404: The registration session was not found.
- 409: Incorrect activation type.
- 500: Unexpected server error.
- Generate activation message endpoint. A new endpoint has been added to generate the activation message:
POST /registrations/{registrationID}/generate-activation-message
This endpoint accepts clientEvidenceMessage as payload.
The following failure responses are included:
- 400: The input is invalid.
- 404: The registration session was not found.
- 409: Incorrect activation type or authenticator does not support activation.
- 500: Unexpected server error.
- Update PNID endpoint. A new endpoint has been added to update the Push Notification Identifier (PNID):
POST /users/{userID@domain}/authenticators/{serialNumber}/update-pnid
This endpoint accepts encryptedMessage as payload.
The following failure responses are included:
- 400: The input is invalid.
- 404: The user account or authenticator was not found.
- 409: Failed to update the PNID for the authenticator.
- 500: Unexpected server error.
For more information, refer to Integrate provisioning for multi-device licensing (MDL).
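The three endpoints above form one ordered exchange: the client sends its ephemeral public key, derives its evidence message from the server's reply, submits that evidence to obtain the activation message, and only afterwards (once the authenticator instance exists) updates the PNID. The client below, added here as an illustration and not OneSpan code, runs that sequence and maps each documented failure response to a typed error so the integration can tell a dead registration session (404) or a wrong activation type (409) from a transient server error (500). It assumes JSON bodies carrying the payload field names given in the release note, a pluggable transport (a real integration would use an HTTP client), and constructed placeholder replies from a stand-in server; the reply field names in that stand-in are assumptions.

```python
"""Client-side orchestration of the online MDL activation endpoints.
Added example, not OneSpan code. Assumes JSON request/response bodies;
the server replies below are constructed stand-ins with assumed field names."""
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, path, json_body) -> (http_status, json_reply)
Transport = Callable[[str, str, dict], Tuple[int, dict]]

# Failure responses exactly as listed in the release note for each endpoint.
FAILURES: Dict[str, Dict[int, str]] = {
    "generate-ephemeral-key": {
        400: "The input is invalid.",
        404: "The registration session was not found.",
        409: "Incorrect activation type.",
        500: "Unexpected server error.",
    },
    "generate-activation-message": {
        400: "The input is invalid.",
        404: "The registration session was not found.",
        409: "Incorrect activation type or authenticator does not support activation.",
        500: "Unexpected server error.",
    },
    "update-pnid": {
        400: "The input is invalid.",
        404: "The user account or authenticator was not found.",
        409: "Failed to update the PNID for the authenticator.",
        500: "Unexpected server error.",
    },
}


class ProvisioningError(Exception):
    def __init__(self, step: str, status: int, detail: str):
        super().__init__(f"{step}: HTTP {status}: {detail}")
        self.step, self.status, self.detail = step, status, detail

    @property
    def retryable(self) -> bool:
        # Only the generic server error is worth a retry; a 4xx means the
        # session, input or activation type is wrong and repeating will not help.
        return self.status >= 500


def _post(transport: Transport, step: str, path: str, body: dict) -> dict:
    status, data = transport("POST", path, body)
    if 200 <= status < 300:
        return data
    raise ProvisioningError(step, status, FAILURES[step].get(status, "undocumented status"))


def activate_online(transport: Transport, registration_id: str,
                    client_ephemeral_public_key: str,
                    evidence_for: Callable[[dict], str]) -> Tuple[dict, dict]:
    """Run the two registration-session calls in order.

    evidence_for() derives clientEvidenceMessage from the server's ephemeral
    key reply; in a real app that is the DSAPP-SRP computation, which is
    out of scope here.
    """
    base = f"/registrations/{registration_id}"
    key_reply = _post(transport, "generate-ephemeral-key", f"{base}/generate-ephemeral-key",
                      {"clientEphemeralPublicKey": client_ephemeral_public_key})
    act_reply = _post(transport, "generate-activation-message",
                      f"{base}/generate-activation-message",
                      {"clientEvidenceMessage": evidence_for(key_reply)})
    return key_reply, act_reply


def update_pnid(transport: Transport, user_id: str, domain: str,
                serial_number: str, encrypted_message: str) -> dict:
    path = f"/users/{user_id}@{domain}/authenticators/{serial_number}/update-pnid"
    return _post(transport, "update-pnid", path, {"encryptedMessage": encrypted_message})


def make_fake_transport(log: List[str], fail_activation_with: Optional[int] = None) -> Transport:
    """Constructed stand-in server so the flow can be exercised offline."""
    def transport(method: str, path: str, body: dict) -> Tuple[int, dict]:
        log.append(f"{method} {path} {sorted(body)}")
        if path.endswith("/generate-ephemeral-key"):
            if "clientEphemeralPublicKey" not in body:
                return 400, {}
            return 200, {"serverEphemeralPublicKey": "SERVER_KEY_PLACEHOLDER"}  # assumed field
        if path.endswith("/generate-activation-message"):
            if fail_activation_with:
                return fail_activation_with, {}
            return 200, {"activationMessage": "ACTIVATION_MSG_PLACEHOLDER"}  # assumed field
        if path.endswith("/update-pnid"):
            return 200, {}
        return 404, {}
    return transport


if __name__ == "__main__":
    calls: List[str] = []
    fake = make_fake_transport(calls)
    _, activation = activate_online(fake, "REG-PLACEHOLDER", "CLIENT_KEY_PLACEHOLDER",
                                    lambda reply: "EVIDENCE_PLACEHOLDER")
    update_pnid(fake, "user1", "example-domain", "SERIAL-PLACEHOLDER", "ENC_PNID_PLACEHOLDER")
    print("\n".join(calls), activation, sep="\n")
```

The `retryable` property is the part worth keeping in a real integration: a 409 on generate-activation-message is the server telling you the registration session was started for a different activation type, so a retry loop on that status only burns the session's lifetime.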
Improved offline multi-device licensing provisioning
The offline provisioning of multi-device licensing (MDL) authenticators has been improved. Because the device code input has become optional when initiating a registration session, two separate workflows are now available.
The following endpoint has been extended:
Accepted payload if the device code is present:
- registrationID, with the following field:
- deviceCode
Accepted payload if the device code is not present:
- registrationID
For more information, refer to Integrate provisioning for multi-device licensing (MDL).
Performance analysis improvement
A new tool for investigating the performance of Intelligent Adaptive Authentication has been introduced. Until now, the investigation of any performance issues was based on logs. With the integration of a new performance analysis instrument, OpenTelemetry, it is now possible to provide a standardized method to handle traces for microservices. The availability of performance output for analysis reduces the time to find core performance issues, as well as operation costs, and the time required to fix performance-related issues.
Fixes and other changes
Issue OAS-8511: Audit logging not supported for FIDO UAF deregister endpoints
The POST /users/{userID@domain}/deregister-fido-uaf-keys and the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoints do not support audit logging.
Status: This issue has been fixed.
Issue OAS-8645: Unhandled application types (Authenticator management)
The POST /authenticators/{serialNumber}/applications/{applName}/test endpoint supports two types of input data:
- otp, with response and hostCode as expected payload
- signature, with response and eight data fields (data1 ... data8) as expected payload
No issues occur if a Response-Only (RO) application is provided for the OTP flow, or a signature (SG) application for the signature flow. However, if a Challenge/Response (CR) application is provided for an OTP flow, Intelligent Adaptive Authentication returns the STAT_CHALLENGE status code, which is mapped to ERROR.
Status: This issue has been fixed.
Issue OAS-10845: Incorrect default log level for Transactionv3 web service logs
The default level for log entries that are created by the Transactionv3 web service is DEBUG. On the staging and production environments of Intelligent Adaptive Authentication, however, the default log level is INFO. Because of this, there is no log information available on the Transactionv3 service.
Status: This issue has been fixed.
Issue OAS-10850: FIDO UAF status codes do not match for the FIDO registration operations
The FIDO Server returns FIDO UAF status code mismatches when the FIDO Conformance Tools are run against the FIDO registration endpoints in the OneSpan Trusted Identity platform API.
Status: This issue has been fixed. The UAF status codes have been corrected in the OneSpan Trusted Identity platform API. For more information about UAF status codes, refer to the FIDO Alliance documentation.
Issue OAS-10852: FIDO UAF status codes do not match for the FIDO authentication operations
The FIDO Server returns FIDO UAF status code mismatches when the FIDO Conformance Tools are run against the FIDO authentication endpoints in the OneSpan Trusted Identity platform API.
Status: This issue has been fixed. The UAF status codes have been corrected in the OneSpan Trusted Identity platform API. For more information about UAF status codes, refer to the FIDO Alliance documentation.
Issue OAS-11268: Failing SOAP URL for admin pool
The Intelligent Adaptive Authentication admin pool expects a SOAP URL entry for sessions. After an update of the Production environment, the old sessions are still alive but are missing the SOAP URL. If that URL is not present, the service does not fall back to anything, which results in a service outage.
Status: This issue has been fixed. Intelligent Adaptive Authentication now creates new sessions that include the SOAP URL.
Issue OAS-11635: Log issues for user register microservice
For the user register microservice, Intelligent Adaptive Authentication logs important messages incorrectly on lower log levels. In addition, the payload is logged incorrectly as a string value.
Status: This issue has been fixed. The log levels in the relevant microservice have been corrected, and the payload is now correctly formatted.
Issue OAS-11822: Incorrect error handling in Audit Logger service
The Audit Logger service does not report all errors correctly. In some cases, a request is marked as success, and the microservice is not notified that an error occurred.
Status: This issue has been fixed. In case of failure, the microservice is notified that the request has failed, and an AuditLoggerClientException error is returned.
Issue OAS-11841: FIDO UAF Relying Party mandatory fields
When configuring FIDO UAF for a tenant, a Relying Party entity has to be created via the FIDO UAF Policy Manager Service. The two fields tlsServerCertificateEndPoint and tlsServerCertificateHashEndPoint, which are part of the Relying Party entity, are mandatory fields. The Relying Party cannot be created if these two fields are null or empty. A possible workaround is to set dummy values for these two fields in case the Boolean fields tlsServerCertificateSupported and serverEndPointSupported are set to false.
Status: This issue has been fixed. Both fields can be null or empty if the Boolean fields are set to false. They need to be set only if the Boolean fields are set to true. With this, the tlsServerCertificateEndPoint and tlsServerCertificateHashEndPoint fields are no longer mandatory.
For information about integrating FIDO-based operations, refer to the following articles:
Issue OAS-11842: FIDO2 Relying Party setup mandatory fields
In the endpoint to set up the Relying Party for FIDO2, the publicKeyCredentialDescriptors element is mandatory in the request body. At this stage of creating the Relying Party, however, there are no registrations and thus no credential IDs that could be supplied in the request body. Thus, the mandatory nature of this element is incorrect.
Status: This issue has been fixed. It is now possible to set the publicKeyCredentialDescriptors to null or empty, or to not include it at all in the request body.
For information about integrating FIDO-based operations, refer to the following articles:
Issue OAS-11888: Log4J security vulnerability
The fido2-core library uses Log4J as an external dependency. This library contains the following critical vulnerabilities:
- CVE-2021-44228
- CVE-2021-45046
- CVE-2021-45105
Status: This issue has been fixed. The fido2-core library has been updated to use Log4j version 2.17, which fixes these vulnerabilities.
The following microservices have a dependency on the fido2-core library:
- fido2-service
- fido2-config-manager
- fido-universal-server (uses the API from fido2-service)
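Because fido2-core is a transitive dependency of the three microservices listed above, the practical check after such a fix is whether every resolved copy of log4j-core in the build is at or above the patched version. The script below is an added example, not a OneSpan tool: it scans lines in the shape `mvn dependency:tree` prints (groupId:artifactId:type:version:scope) and flags any org.apache.logging.log4j:log4j-core below 2.17.0, the version the release note names as the fix. The dependency tree it scans is constructed for the demonstration, and the artifact coordinates in it (other than log4j) are placeholders.

```python
"""Flag log4j-core artifacts older than the patched release in a Maven
dependency tree. Added example; the tree below is constructed sample input."""
import re
from typing import Iterable, List, Tuple

# Patched version named in the release note; anything below it is flagged.
# Stored as a 4-tuple so pre-release builds (suffix -> -1) sort below the release.
FIXED_VERSION = (2, 17, 0, 0)

# The three CVEs are in log4j-core; log4j-api alone does not carry them.
LOG4J_ARTIFACTS = {("org.apache.logging.log4j", "log4j-core")}

# groupId:artifactId:type:version[:scope] as printed by mvn dependency:tree
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>\w+):(?P<version>[\w.\-]+)(?::(?P<scope>\w+))?"
)


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """'2.17.0' -> (2,17,0,0); '2.15.0-rc1' -> (2,15,0,-1); missing parts count as 0."""
    core, _, suffix = v.partition("-")
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], -1 if suffix else 0)


def find_vulnerable_log4j(tree_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (artifact, version, original line) for every log4j-core below FIXED_VERSION."""
    hits = []
    for line in tree_lines:
        m = COORD_RE.search(line)
        if not m:
            continue
        if (m["group"], m["artifact"]) in LOG4J_ARTIFACTS and parse_version(m["version"]) < FIXED_VERSION:
            hits.append((m["artifact"], m["version"], line.strip()))
    return hits


# Constructed sample tree: one stale log4j-core pulled in transitively, one patched copy,
# and a log4j-api that must not be flagged. Group ids other than log4j are placeholders.
SAMPLE_TREE = """\
[INFO] com.example:fido-app:jar:1.0.0
[INFO] +- com.example:fido2-core:jar:3.2.0:compile
[INFO] |  \\- org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO] +- org.apache.logging.log4j:log4j-api:jar:2.17.0:compile
[INFO] \\- com.example:other-lib:jar:1.1.0:compile
[INFO]    \\- org.apache.logging.log4j:log4j-core:jar:2.17.0:compile
""".splitlines()


if __name__ == "__main__":
    for artifact, version, line in find_vulnerable_log4j(SAMPLE_TREE):
        print(f"STALE {artifact} {version}: {line}")
```

Run it against the real output of `mvn dependency:tree -Dverbose` if you want to see versions Maven omitted for conflict as well; the plain tree only shows the copy that won resolution, which is the one that ends up on the classpath.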
Issue OAS-11895: Domain parameters for SOAP requests from orchestration messages
For the following SOAP commands in the Orchestration Messaging microservice, the tenant name is incorrectly used as a domain parameter:
- DecryptInformationMessageCommand
- EncryptRequestMessageCommand
The issue has been present in the services that served as the basis for, and were replaced by, the Orchestration Messaging microservice.
Status: This issue has been fixed. The correct domain is now used in the relevant microservices, and misleading logs are removed.
Issue OAS-12060: FIDO2 authenticator registration fails when using attestation mode NONE
The FIDO2 authenticator registration fails if the attestation mode NONE is used in the request to initialize the registration when calling the POST /users/{userID@domain}/generate-fido-registration-request endpoint.
Status: This issue has been fixed.
Issue OAS-12339: Static password expired error not correctly handled during MDL device activation
When a user attempts to activate a multi-device licensing (MDL) compatible device after a static password has expired, the POST /registrations endpoint returns the status code error 500 with a generic error message. In this case, however, the endpoint should return status code error 409, with the error message Static password has expired.
Status: This issue has been fixed.
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
- 5.5.1
- 5.4.4
- 5.4.2
- 5.4.1
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
March 2022
New features and enhancements—supported use cases
Static password optional for online activation
Setting a static password during online activation is now optional. This allows passwordless use of the system and prevents your customers from being exposed to static passwords. With this, expiring passwords no longer cause issues, e.g. because of locked user accounts.
Documentation updates
The product documentation that describes the registration and authenticator activation flow has been updated in the Intelligent Adaptive Authentication Integration Guide.
Documentation on authentication policies now available
In Intelligent Adaptive Authentication, policies specify various login settings which can affect how a user can log in to a specific site, and how the login is handled by Intelligent Adaptive Authentication. The policies that govern the Intelligent Adaptive Authentication authentication operations have now been documented here: Authentication policies. These articles aim to facilitate the understanding of the possibilities and limitations of Intelligent Adaptive Authentication.
Documentation on Transport Layer Security settings now available
Intelligent Adaptive Authentication uses the Transport Layer Security (TLS) protocol. Documentation on the required TLS settings is now available at Configuration of TLS settings. Make sure to observe the specified requirements in your integration of Intelligent Adaptive Authentication.
Fixes and other changes
Issue OAS-11052: Issues with the creation of non-unique metadata statements
It is possible to create metadata statements that are not unique, e.g. create two or more metadata statements with the same tenant and AAGUID (FIDO2) or AAID (FIDO UAF). This leads to issues with registration and authentication operations since Intelligent Adaptive Authentication throws uniqueness errors.
Status: This issue has been fixed. Only unique metadata statements can now be used.
Issue OAS-11267: Wrong log level information for orchestration errors
For orchestration errors, Intelligent Adaptive Authentication logs important messages incorrectly on lower log levels. Therefore, the messages are not visible. Also, in some cases, the tenant information is not included.
Status: This issue has been fixed.
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
- 5.4.2
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
December 2021
Fixes and other changes
Vulnerabilities in Apache Log4j2
Recently, the Apache foundation announced a number of security vulnerabilities in the Log4j2 library for Java applications. The affected authentication service libraries have been upgraded to mitigate remote code execution and denial-of-service attacks that could result from the vulnerabilities.
For the latest updates on the vulnerabilities and the upgrade status of the libraries used by OneSpan products, refer to the OneSpan Log4j Advisory page and the OneSpan Trust Center.
October 2021
New features and enhancements—supported use cases
FIDO metadata
Intelligent Adaptive Authentication now supports FIDO Metadata Service 3.0.
For more information about FIDO metadata, refer to the FIDO Alliance documentation.
User-initiated authenticator time synchronization
If a user's hardware authenticator is out of sync, they can now initiate time synchronization for their authenticator. All OneSpan authenticators that can be out of sync, both time- and event-based, support this new feature.
- Authenticator endpoint. A new endpoint has been added to allow the user-controlled time synchronization:
POST /users/{userID@domain}/sync-authenticator
This endpoint accepts SyncAuthenticatorInput as payload.
The following failure responses are included:
- 400: The input is invalid.
- 403: The command is prohibited for the tenant admin account.
- 404: The user was not found.
- 409: Conflict error.
- 500: Unexpected server error.
For more information about this feature and integration instructions, see Intelligent Adaptive Authentication Integration Guide.
Customize delivery method of virtual OTP
It is now possible to customize how the virtual one-time password (OTP) is delivered to the user (e.g. use your own gateway or another special, customized communication channel). A new channel is available which makes it possible to receive the OTP in the request response session. To ensure the generated virtual OTP is never returned directly to the user, it is stored inside a session that is to be queried separately.
Mild security risk
When you use this feature, the OTP is returned in the same session in which it has been requested. Because this forms a mild security risk, be advised to treat the virtual OTP as sensitive data. Make sure the data is transmitted via a different secure channel than the one in which it was requested (e.g. an SMS sent to a different device than the one from which the request was sent).
Enabling this feature does not deactivate the original delivery method for virtual OTPs! The custom delivery has to be requested in the request payload on a per-request basis.
The following endpoints have been extended:
- POST /authenticators/{serialNumber}/applications/{applName}/generate-votp
Accepted payload: GenerateVOTPOutput.
- POST /users/{userID@domain}/login
The delivery of the virtual OTP is triggered upon user request and when the keyword session is sent via the votpDeliveryOverride field of the AdaptiveLoginInput payload (without providing the credentials fields). The response will be 200 OK. The following payloads are accepted:
- AdaptiveLoginInput
- LoginOutput, with the following fields and values:
- sessionStatus, with the value pending
- riskResponseCode, with an integer value
- requestID, with a generated value, e.g. 47543e06-1c11-49b8-94ed-d9501f7fd3f2
- POST /users/{userID@domain}/events/validate
Accepted payloads:
- AdaptiveEventValidationInput
- eventType, with the value LoginAttempt
For more detailed information on how to integrate this feature, see Integrating user login and event validation via notification.
Use of this feature is optional; it is not provided by default. Contact OneSpan Support for the activation of this feature. Once enabled, the virtual OTP will be delivered with the same method for all tenants that are grouped in the same authentication service deployment as the one where this feature has been enabled.
Fixes and other changes
Issue OAS-9793 (Support Case CS0042742): Cronto image rendering fails for orchestration command
The orchestration command that is returned by the POST /users/{userID@domain}/login endpoint cannot be rendered by the POST /visualcodes/render endpoint.
Status: This issue has been fixed.
Issue OAS-9932: FIDO timeout configuration
The Fido2RequestTimeout (FIDO2) and JwtTokenTimeout (FIDO UAF) timeout parameters now have a default value set to 10 seconds in the respective FIDO tenant configuration.
For more information, see Standard FIDO Settings for the Sandbox Environment.
Contact OneSpan Support if you need to change this configuration.
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
- 5.4.2
- 5.4.1
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
September 2021
New features and enhancements—supported use cases
New FIDO UAF status code field in response body
A new field (uafStatusCode) has been added to the response body of the following endpoints that are related to the FIDO-based operations:
- POST /users/{userID@domain}/generate-fido-registration-request (handled in OneSpan Cloud Authentication)
- POST /users/{userID@domain}/register-fido-device (handled in OneSpan Cloud Authentication)
- POST /users/{userID@domain}/login
- POST /users/{userID@domain}/transactions/validate
- POST /users/{userID@domain}/events/validate
For a full list of UAF status codes, refer to the FIDO Alliance documentation.
FIDO-based authentication
Intelligent Adaptive Authentication now supports end-user login with FIDO-based authentication. FIDO (Fast IDentity Online) offers frameworks that enable passwordless authentication.
Intelligent Adaptive Authentication supports the latest FIDO Alliance protocols.
This feature is not functional in the sandbox environment.
Login endpoint. The login endpoint has been extended to support FIDO-based authentication requests:
In the first call, this endpoint now accepts fidoAuthentication as payload, with the following parameters:
- fidoProtocol
- userVerification (FIDO2 only)
- authenticationMessage (FIDO UAF only)
In the second call, this endpoint now accepts credentials as payload, with the following parameter:
- fidoAuthenticator
The failure responses include:
- 400: The input is invalid.
- 403: The command is prohibited for the tenant admin account.
- 404: The user account was not found.
- 409: Failed to login user.
- 500: Unexpected server error.
For more information about this feature and integration instructions, see Intelligent Adaptive Authentication Integration Guide.
Transactions validation endpoint. The transactions validation endpoint has been updated to support FIDO-based transaction data signing requests for the UAF protocol:
POST /users/{uuid}/transactions/validate
In the first call, this endpoint now accepts data as payload, with the following parameter:
- fidoTransactionMessage
In the second call, this endpoint now accepts data as payload, with the following parameter:
- fido
The failure responses include:
- 400: The input is invalid.
- 403: The command is prohibited for the tenant admin account.
- 404: The user account was not found.
- 409: Failed to validate transaction.
- 500: Unexpected server error.
For more information about this feature and integration instructions, see Intelligent Adaptive Authentication Integration Guide.
Events validation endpoint. The events validation endpoint has been updated to support FIDO-based event signing requests for the FIDO UAF and FIDO2 protocols:
POST /users/{uuid}/events/validate
In the first call, this endpoint now accepts fidoAuthentication as payload, with the following parameters:
- fidoProtocol
- userVerification (FIDO2 only)
- authenticationMessage (FIDO UAF only)
In the second call, this endpoint now accepts credentials as payload, with the following parameter:
- fidoAuthenticator
The failure responses include:
- 400: The input is invalid.
- 403: The command is prohibited for the tenant admin account.
- 404: The user account was not found.
- 409: Failed to validate event.
- 500: Unexpected server error.
For more information about this feature and integration instructions, see Intelligent Adaptive Authentication Integration Guide.
New restriction on number of assigned authenticators, but limit on derived authenticator instances removed
To avoid replay attacks, you can restrict the maximum number of authenticators assigned to a user for specific authenticator types. This applies to single-device licensing (SDL) and multi-device licensing (MDL) authenticators, and authenticator instances (MDL only).
The following restrictions apply:
- Authenticator type TYP03 (iOS): 10 instances per user
- Authenticator type TYP07 (Android): 10 instances per user
- Authenticator type DAL10: 1 per user
- Authenticator type VIR10: 1 per user
If a user account has 10 or more active instances of TYP00, TYP03, or TYP07, it will not be possible to activate more until enough instances have been deleted to be at or under the 10-instance limit.
For information about the authenticator types and affected endpoints, refer to Restrict the Number of Authenticators Assigned Per User.
With the new restriction for the number of authenticators that are assigned to a user, the limit of a maximum of 30 authenticator instances that are derived from a single license has become obsolete. This activation count limit has now been removed.
Extend timeout configuration per tenant
It is now possible to extend the default timeout value of currently 60 seconds per tenant. This enables you to increase the validation period for Push Notification-based authentication within Intelligent Adaptive Authentication.
Contact OneSpan Support to extend the timeout configuration for your tenant(s).
Fixes and other changes
Issue OAS-9593 (Support Case CS0064818): Authenticator instance number not returned on registration
For the offline activation of multi-device licensing (MDL) authenticators, some of the Intelligent Adaptive Authentication endpoints return the serial number of the license instead of the serial number of the added or activated instance. This is incorrect since the endpoints have the capability of returning an instance number as serialNumber.
The affected endpoints are:
- POST /registrations
- POST /registrations/{registrationID}/add-device
- POST /registrations/{registrationID}/activate
Status: This issue has been fixed.
Issue OAS-8610: trusteddevicecmd web service throws exception after audit call
Every time the trusteddevicecmd web service audits a served call, it throws an exception because the connection to the central database fails, for lack of available and/or configured connection parameters.
Status: This issue has been fixed.
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
- 5.4.1
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
July 2021
Fixes and other changes
Issue OAS-8999 (Support Case CS0062594): Incorrect information about staticPassword parameter for Create User API (Interactive API Reference)
In the Interactive API Reference, the static password parameter is documented to be mandatory for the Create User API. However, the API works without the static password and returns "isPasswordSet": false if the static password is not provided.
Status: This issue has been fixed. staticPassword is no longer documented as a mandatory parameter.
Issue OAS-8927 (Support Case CS0060474): No validation of remaining multi-device licensing (MDL) activations
The POST /users/register endpoint does not check if any activations for multi-device licensing (MDL) authenticators are still available. The MDL provisioning process is triggered regardless of whether license activations are still available.
Status: This issue has been fixed. If there are not enough activations available for the MDL license, the endpoint now returns the following error message: 409 License activation limit reached.
Issue OAS-8899: Probability to accept random OTP on first authenticator usage is too high
The probability that Intelligent Adaptive Authentication accepts a random one-time password (OTP) on first authenticator usage is too high.
Status: This issue has been fixed. The relevant policies for authentication and signature validation scenarios have been changed. For more information about authentication policies, refer to Authentication policies.
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
- 5.4.1
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
May 2021
New features and enhancements—supported use cases
Identify authenticator instances with descriptions
To facilitate the identification of authenticator instances, e.g. when instances are deleted, Intelligent Adaptive Authentication now provides the possibility to add an instance description.
This feature applies to multi-device licensing (MDL) authenticators and instances only.
Until now, authenticator instances could only be identified by their number. As a result, it was difficult to verify what the instance represents, to identify the device to which the relevant instance belongs, and to delete the correct instance. With the description, it is now possible to mark an instance according to its connection to the specific authenticator. You can update the description and use it as a criterion for authenticator queries.
The description is exposed on the TID platform API.
These are the API endpoints to add a description to an authenticator:
This is the API endpoint to update the description:
The description field is limited to a maximum of 255 characters.
Fixes and other changes
Issue OAS-7572 (Support Case CS0052820): No correlation ID for logs from data collector
The correlation ID is not logged for entries from the data collector component that is used by Intelligent Adaptive Authentication for risk analysis.
Status: This issue has been fixed. The fix improves the traceability of Intelligent Adaptive Authentication processes and allows logs to be filtered by correlation ID.
Issue OAS-7419 (Support Case CS0047407): Wrong error message when requesting virtual OTP via email or SMS
If an email address or phone number has not been assigned to a user in the Administration Web Interface or the REST API, a wrong error message is issued when a virtual OTP is requested via email or SMS.
Status: This issue has been fixed.
Issue OAS-7003 (Support Case CS0049073): Unknown HTTP-500 internal server errors
Intelligent Adaptive Authentication throws unknown HTTP-500 internal server errors when the POST /users/{userID@domain}/events/validate and the POST /users/{userID@domain}/transactions/validate endpoints trigger an orchestration flow while the user is locked, e.g. because of too many failed logon attempts.
Status: This issue has been fixed.
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
April 2021
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
March 2021
New features and enhancements—supported use cases
Limited number of authenticator instances
To further increase the security, Intelligent Adaptive Authentication now limits the number of authenticator instances that are derived from a single license. Since the one-time password (OTP) is validated across all available authenticator instances, reducing the number of authenticator instances also reduces the chances of an attacker using the correct OTP. Once the limit is reached, an administrator can reset the activation count for that license.
The maximum number is now limited to 30 authenticator instances.
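The reasoning above (and the later per-type cap of 10 instances, as well as the OAS-8899 fix concerning random OTP acceptance on first use) rests on a simple union-bound argument: if the server validates an OTP against every instance derived from the license, a guessed value succeeds when it falls in the acceptance window of any one instance. The calculation below, added here as an illustration and not part of the release note, carries that through: it computes the per-guess acceptance probability for a given number of instances and the number of guesses an attacker needs before the cumulative chance reaches a target, which is the number a lockout threshold must stay well below. The OTP length (6 digits), per-instance window size (1 accepted value) and the 30-versus-10 comparison are assumed inputs, not product configuration.

```python
"""Acceptance probability of a guessed OTP when one license has several
authenticator instances and the server checks the OTP against all of them.
Added illustration; digit count, window size and limits are assumed values."""
from math import ceil, log


def accept_probability(digits: int, window: int, instances: int) -> float:
    """P(a single random OTP is accepted).

    Each instance accepts `window` distinct values out of 10**digits (its
    current value plus any tolerated neighbouring time steps or event
    counters). A guess succeeds if it hits ANY instance's window, so the
    failure probability is the product of the per-instance failure
    probabilities, assuming the instances' windows are independent.
    """
    if digits <= 0 or window <= 0 or instances <= 0:
        raise ValueError("digits, window and instances must be positive")
    p_single = window / 10 ** digits
    if p_single >= 1.0:
        return 1.0
    return 1.0 - (1.0 - p_single) ** instances


def attempts_for_success_chance(digits: int, window: int, instances: int,
                                target: float = 0.5) -> int:
    """Independent guesses needed before the attacker's cumulative success
    probability reaches `target`. A lockout threshold is only meaningful if
    it sits far below this number."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    p = accept_probability(digits, window, instances)
    if p >= 1.0:
        return 1
    return ceil(log(1.0 - target) / log(1.0 - p))


def compare_limits(digits: int = 6, window: int = 1,
                   old_limit: int = 30, new_limit: int = 10) -> dict:
    """Per-guess acceptance probability: one instance, the old 30-instance
    cap from this release, and the later 10-instance per-type cap."""
    return {
        "one_instance": accept_probability(digits, window, 1),
        "old_limit": accept_probability(digits, window, old_limit),
        "new_limit": accept_probability(digits, window, new_limit),
        "guesses_to_50pct_old": attempts_for_success_chance(digits, window, old_limit),
        "guesses_to_50pct_new": attempts_for_success_chance(digits, window, new_limit),
    }


if __name__ == "__main__":
    for name, value in compare_limits().items():
        print(f"{name:>22}: {value}")
```

For small per-guess probabilities the result is essentially linear in the instance count, which is why the page's argument holds: going from 30 to 10 instances cuts the chance of a lucky guess by a factor of about three, and widening the acceptance window per instance has exactly the same multiplying effect as adding instances.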
Push Notification service
Intelligent Adaptive Authentication now supports the latest Apple HTTP/2 certificate and authentication mode and the latest Google HTTP v1 mode.
The Apple Push Notification service HTTP/2 interface has been deployed and replaces the previous binary interface. No changes are needed for existing certificates. For new Apple applications, you need to provide either a PKCS#12 certificate for the certificate mode, or a PKCS#8 certificate for the authentication mode. For the Apple application, you can bundle multiple application identifiers (Apple staging identifier and production identifier). This feature is not accessible in the Sandbox environment.
The Firebase Cloud Messaging HTTP v1 interface has been deployed and provides strong security via short-lived access tokens. The previous modes are supported.
OneSpan recommends deploying the latest Push Notification server mode for Apple (authentication) and Google (short-lived token) to provide the highest security support.
Device binding
Intelligent Adaptive Authentication now supports device binding of software authenticators (single-device licensing). After the activation data has been generated, an authenticator can be bound to a device. Two new endpoints have been added for the implementation of this feature.
Endpoint to call the relevant Authentication component administration command:
POST /authenticators/{serialNumber}/bind
This endpoint accepts derivationCode as payload.
The following failure responses are included:
- 400: The input is invalid.
- 404: The authenticator was not found.
- 409: Failed to bind authenticator to device.
- Device binding not supported by the authenticator
- Authenticator already bound
- Invalid derivation code
- 500: Unexpected server error.
Endpoint to unbind an authenticator from its device:
POST /authenticators/{serialNumber}/unbind
This endpoint does not accept a payload.
The following failure responses are included:
- 400: The input is invalid.
- 404: The authenticator was not found.
- 409: Failed to unbind the authenticator.
- Device binding not supported by the authenticator
- Authenticator not bound
- 500: Unexpected server error.
For more information about this feature and integration instructions, see Intelligent Adaptive Authentication Integration Guide.
Deletion of authenticators
Intelligent Adaptive Authentication now supports the deletion of authenticators. This applies to the deletion of standard licenses (based on the authenticator serial number) and the deletion of licenses and instances of multi-device licensing authenticators.
A new endpoint has been added to perform the delete operation:
DELETE /authenticators/{serialNumber}
This endpoint does not accept any payload but accepts the serialNumber as path parameter.
The following failure responses are included:
- 400: The input is invalid.
- 404: The authenticator was not found.
- 409: Failed to delete authenticator.
- 500: Unexpected server error.
For more information about this feature and integration instructions, see Intelligent Adaptive Authentication Integration Guide.
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
January 2021
New features and enhancements—supported use cases
Administration Web Interface endpoint change
A new Administration Web Interface endpoint (/authui) is exposed in the TID platform API. The existing endpoint will continue to be exposed, however, it will redirect to the /authui endpoint.
New fields to process entity and contract IDs in Corporate Banking
New web service fields (entityRef and contractRef) were introduced for corporate banking environments in the platform API. These new fields now make it possible for corporate banks to process additional information for corporate users, and make non-monetary events or transactions on behalf of some other external corporations and/or companies, i.e. the entities. As a consequence, these new fields were introduced to identify corporate banking users interacting with partner banking applications during login, event validation, or transaction activities.
End-user login and event validation with Challenge/Response
Intelligent Adaptive Authentication now supports end-user login with Challenge/Response applications. The login and event validation endpoints have been extended to support Challenge/Response authentication.
For more information about this feature and integration instructions, see Intelligent Adaptive Authentication Integration Guide.
Orchestration SDK—supported versions
Intelligent Adaptive Authentication supports the following versions of the Orchestration SDK Client:
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
September 2020
New features and enhancements—supported use cases
Voice OTP
Support for the delivery of OTP via voice call.
The use of this feature is restricted and must be approved by the Product Manager.
Billing
The TID platform offers a billing solution: Intelligent Adaptive Authentication billing is offered during a session.
Open Banking support
New fields for monetary and non-monetary requests and new events are now available to support Open Banking.
Behavioral external server support
New fields in monetary and non-monetary interfaces are now available to support an external behavioral server. The information from these new fields can be used in extra rules for Risk Analytics Decision Analytics.
Extended size of the cookieSession and customString fields
- The maximum size of the cookieSession field was extended; it can now have up to 4000 characters (previously 250 characters).
- The maximum size of the customString fields was extended; they can now have up to 4000 characters (previously 1000 characters).
New event types
New non-monetary event types were added; these are now available while the customer is using the APIs.
Event validation and login flows merged
Event validation now supports the full login flow, which makes the two endpoints equivalent with respect to the non-monetary event LoginAttempt.
Performance improvements
Registration has been improved to deliver better performance.
Documentation updates
The product documentation has been updated; the Integration Guide now describes the transaction and event validation flows.
Fixes and other changes
Issue TIDDO-3855 (Support Case CS0018299): externalRef field ignored for mobile event
April 2020
New features and enhancements
CDDC metadata support
Support for the Mobile Security Suite Client Device Data Collector metadata (mobile CDDC) in the Register and Unregister APIs.
TID platform API enhancements
The following enhancements have been applied to the TID platform API for Intelligent Adaptive Authentication:
- The Register and Unregister API has been changed to support the Mobile Security Suite Client Orchestration SDK for Intelligent Adaptive Authentication.
- The Authentication and Transaction API has been changed to support the Mobile Security Suite Client Orchestration SDK for Intelligent Adaptive Authentication.
November 2019
New features and enhancements
Support new requestID field
- Intelligent Adaptive Authentication now tracks the processing progress for TID requests through a new requestID field.
- The Orchestration SDK has been updated to support passing this new field to and from TID web services.
Support Risk Analytics event association
Support sending trusted device Risk Analytics events in the trusteddevicecmd web service that are mapped from the initial Risk Analytics events.
Improved Risk Analytics handling in multi-factor call flows
Loginv2, eventValidationv2, and Transactionv2 have been updated to return the Risk Analytics status for mobileCDDC data for adaptive authentication events initiated from a web browser.
July 2019 (Version 1.2)
New features and enhancements
Support offline multi-device activation (MDA) with Cronto
- Supported authenticators: DP7xx and Cronto software
- Intelligent Adaptive Authentication now supports activating authenticators via multi-device licensing (MDL) using Cronto images.
- For integration convenience, Intelligent Adaptive Authentication provides a web service capable of generating and delivering Cronto images.
- The TID sandbox does not support evaluating this new activation type out of the box.
Support Cronto-based adaptive authentication and transaction validation
- Supported authenticators: DP7xx and Cronto software
- Intelligent Adaptive Authentication now supports challenging a user to authenticate using a Cronto image containing a secure challenge. In addition, the solution supports performing a transaction validation using a Cronto image.
- The TID sandbox does not support evaluating this feature.
Support user management
- Intelligent Adaptive Authentication now supports management of TID users. An exhaustive list of all supported user management operations can be found in both the user management Swagger pages and the documentation pages.
- The TID sandbox supports evaluating user management. User management supports querying all tenant users. This query might return TID service account details. This service account is protected and cannot be modified.
Support authenticator management
- Intelligent Adaptive Authentication now supports management of TID authenticators. An exhaustive list of all supported authenticator management operations can be found in both the authenticator management Swagger pages and the documentation pages.
- The TID sandbox supports evaluating authenticator management.
Fixes and other changes
API documentation
- Intelligent Adaptive Authentication v1 API documentation has been removed for API endpoints that exist as v2 (login, transaction, event).
- API v1 documentation has been removed from the swagger pages. API v1 endpoints are still accessible/available.
July 2019 (Version 1.1)
New features and enhancements
Support local authentication using Response-Only Digipass authenticators
- Supported authenticators: 1-button DP (GO-x), keypad authenticators (DP2xx)
- Challenge/Response not supported
- Can be evaluated in TID sandbox
Support local transaction validation
- Supported authenticators: Keypad authenticators (DP2xx)
- Can be evaluated in TID sandbox
Support adaptive authentication with out-of-band OTP delivery via SMS and email
- Intelligent Adaptive Authentication now supports challenging a user to authenticate using a one-time password (OTP) delivered via SMS or email.
- The TID sandbox supports evaluating this out-of-band OTP delivery via email only.
Support adaptive authentication with one-time password (OTP) and static password
- Intelligent Adaptive Authentication now supports challenging a user to authenticate using a Response-Only one-time password (OTP) or static password.
- The TID sandbox supports evaluating both new adaptive authentication types.
- Intelligent Adaptive Authentication using Challenge/Response-based one-time password (OTP) is currently not supported.