OneSpan Cloud Authentication Release Notes

With the FIDO2 Automatic Onboarding feature, you can use FIDO2-based functionalities with OneSpan Cloud Authentication for the Sandbox environment without any manual configuration. To be able to use this feature, you have to create a new tenant in the Community Portal, and FIDO2 will be automatically configured to work with the FIDO2 Sample Relying Party web application.

For more information on the FIDO2 Automatic Onboarding feature for the Sandbox environment, see FIDO2 in the Sandbox environment.

With the FIDO2 Self-Service Onboarding feature, you can configure FIDO2 by using the OneSpan Trusted Identity platform REST API endpoints for managing Relying Party Resources. In addition, you can enable the FIDO2-based functionalities with OneSpan Cloud Authentication for the Sandbox and Production environments.

• Create a new FIDO2 Relying Party endpoint. A new FIDO2 Relying Party Resource can be created by calling the following endpoint:

  POST ​/fido2-relying-parties

  with the following mandatory request body:

  • origins. Set of valid origins matching the Relying Party ID, e.g. ["https://www.yourwebapp.example-tenant.com"].

  • publicKeyCredentialRpEntity

    • id. This is the Relying Party ID, e.g. "yourwebapp.example-tenant.com".
    • name. This is the name of the Relying Party.
    • icon. This is the Relying Party logo.

  The following responses are included:

  • 201: FIDO2 Relying Party created.

    The Relying Party UUID (the identifier for this newly created resource) will be returned.
    

  • 400: Input data errors.
  • 500: Internal error, sub-service failure, server crash.

• Delete a FIDO2 Relying Party endpoint. A new endpoint has been added for this operation:

  DELETE ​/fido2-relying-parties​/{uuid}

  The following responses are included:

  • 204: Delete operation successful.
  • 400: Input data errors.
  • 404: FIDO2 Relying Party not found.
  • 500: Internal error, sub-service failure, server crash.

• Query all FIDO2 Relying Parties endpoint. A new endpoint has been added for this operation:

  GET ​/fido2-relying-parties

  The following responses are included:

  • 200: FIDO2 Relying Parties retrieved successfully.
  • 400: Input data errors.
  • 500: Internal error, sub-service failure, server crash.

• Retrieving a specific FIDO2 Relying Party by ID endpoint. A new endpoint has been added for this operation:

  GET ​/fido2-relying-parties/{uuid}

  The following responses are included:

  • 200: FIDO2 Relying Parties retrieved successfully.
  • 400: Input data errors.
  • 404: FIDO2 Relying Party not found.
  • 500: Internal error, sub-service failure, server crash.

• Set a FIDO2 Relying Party as default endpoint. A new endpoint has been added for this operation:

  POST /fido2-relying-parties/{uuid}/make-default

  The following responses are included:

  • 204: Make default operation successful.
  • 400: Input data errors.
  • 404: FIDO2 Relying Party not found.
  • 500: Internal error, sub-service failure, server crash.

• Updating a FIDO2 Relying Party endpoint. A new endpoint has been added for this operation:

  PATCH ​/fido2-relying-parties​/{uuid}

  The following responses are included:

  • 200: FIDO2 Relying Party update successful.
  • 400: Input data errors.
  • 404: FIDO2 Relying Party not found.
  • 500: Internal error, sub-service failure, server crash.

For more information on the FIDO2 Self-Service Onboarding feature for the Sandbox environment, see FIDO2 in the Sandbox environment.

For more information on the FIDO2 Self-Service Onboarding feature for the Production environment, see FIDO2 in the Production environment.

When a user enters too many incorrect PINs into a hardware authenticator, the authenticator is locked. With the new feature, OneSpan Cloud Authentication now supports unlocking the authenticator via the OneSpan Trusted Identity platform API. To unlock the authenticator, it is necessary to send an unlocking challenge that will be generated when the authenticator is next turned on after it has been locked.

• Unlock device endpoint. A new endpoint has been added for this unlock operation:

  POST /authenticators/{serialNumber}/applications/{applName}/unlock

  This endpoint accepts UnlockChallengeInput as payload.

  This endpoint creates UnlockCodeOutput as output.

  The following responses are included:

  • 200: Unlock completed successfully, unlock code generated and returned in response.
  • 400: The input is invalid.
  • 404: Authenticator or application not found.
  • 409: The authenticator unlock challenge is invalid.
  • 500: Internal error, sub-service failure, server crash.

The validity period of Activation Message 1 can now be shortened for OneSpan Cloud Authentication. The default value of the activation message validity parameter can be lowered for the following policies:

• Identikey Administration Logon
• TID Provisioning for Multi-Device Licensing

Contact OneSpan Support to change this configuration.

For more information about this policy parameter and its default value, see Identikey Administration Logon (Policy) and TID Provisioning for Multi-Device Licensing (Policy).

The POST /users/{[email protected]}/generate-secure-challenge endpoint displays an incorrect message for the title parameter.

Status: This issue has been fixed.

Further fixes have been implemented to remove the performance bottleneck in the OneSpan Cloud Authentication SOAP client library for the common Java web services. This allows handling a higher number of simultaneous requests without performance impairments.

Status: The new SOAP client library has now also been implemented for the services governing the following scenarios:

• Authenticator management
• Authenticator provisioning and activation
• Authenticator and authenticator application administration
• Workflows involving secure challenge requests for authentication and signature operations
• Transaction validation requests
• User account management

If a mobile application is using the Orchestration SDK integrated with the OneSpan Trusted Identity platform, the onOrchestrationServerError() callback method is in many cases not invoked. This may lead to server error messages not being conveyed to the client app.

Status: This issue has been fixed. The onOrchestrationServerError() callback method is now fully supported by the OneSpan Trusted Identity platform. In case of a server-side error, the callback method will be invoked by the Orchestration SDK, and the server error message will be available to the client app via the field readableMessage.

This version of OneSpan Cloud Authentication contains fixes for the following vulnerabilities:

• CVE-2021-45046 (Log4shell vulnerability)
• CVE-2021-44228 (Log4shell vulnerability)
• CVE-2021-31805 (Apache Struts vulnerability)
• CVE-2021-27568 (exception that is thrown from a function is not caught)
• CVE-2019-20445 (HttpObjectDecoder.java in Netty)
• CVE-2019-20444 (HttpObjectDecoder.java in Netty)
• CVE-2019-17495 (CSS injection vulnerability)

The userregister (v1) and (v2) microservices may return a serial number of a different authenticator type during authenticator registration and activation. This issue occurs if the following applies:

• a serial number is not specified in the payload, and
• an authenticator type is specified for offline multi-device licensing (MDL)

Status: This issue has been fixed.

The FIDO UAF onboarding process is now available on the OneSpan Community Portal for OneSpan Cloud Authentication.

For more information on FIDO UAF onboarding, see FIDO UAF onboarding in the Sandbox and Production environments.

When a OneSpan Trusted Identity platform user is deleted, all FIDO-relevant user data that is associated with this account is also deleted. This prevents reusing old user data, if the user is reactivated in a future instance.

The OneSpan Trusted Identity platform API now supports the following data fields for FIDO UAF channel binding:

• cidPublicKey
• tlsUnique

The following FIDO-based endpoints are impacted by this enhancement:

• POST /users/{[email protected]}/register-fido-device
• POST /users/{[email protected]}/login
• POST /users/{[email protected]}/transactions/validate
• POST /users/{[email protected]}/events/validate

The OneSpan Trusted Identity platform API now supports the tokenBinding data field for FIDO2 token binding.

The following FIDO-based endpoints are impacted by this enhancement:

• POST /users/{[email protected]}/register-fido-device
• POST /users/{[email protected]}/login
• POST /users/{[email protected]}/events/validate

OneSpan Cloud Authentication now supports decrypting the body of a Secure Channel information message via the REST API. With the Decrypt Information Message feature, you can decrypt the body of a Secure Channel information message that is encrypted with the payload key of an instance of a multi-device licensing (MDL) authenticator.

• Decrypt information message endpoint. A new endpoint has been added for this decrypting operation:

  POST /authenticators/{serialNumber}/decrypt-information-message

  This endpoint accepts informationMessage as payload.

  The following responses are included:

  • 200: Decrypted information message.
  • 400: The input is invalid.
  • 404: Authenticator not found.
  • 409: Failed to decode information message.
  • 500: Unexpected server error.

For more information, refer to Decrypt an Information Message Body.

With the new Reset Activation feature, OneSpan Cloud Authentication now supports resetting the activation information of an authenticator via the OneSpan Trusted Identity platform API.

For authenticators that are compliant with standard, i.e. single-device licensing (SDL), activation, the following parameters are reset:

• Activation count
• Activation locations
• Last activation date/time

For authenticators compliant with multi-device licensing (MDL) activation, the following parameters are reset:

• Provisioning activation count
• Activation challenge
• Last activation date/time

For MDL-compliant authenticators, this reset operation does not decrease the activation count (i.e. the number of activated instances), but resets the number of activations.

• Reset activation endpoint. A new endpoint has been added for this reset operation:

  POST /authenticators/{serialNumber}/reset-activation

  The following responses are included:

  • 200: Reset activation completed successfully.
  • 400: The input is invalid.
  • 404: Authenticator not found.
  • 409: Failed to reset the activation.
  • 500: Unexpected server error.

For more information, refer to Reset Authenticator Activation Information.

OneSpan Cloud Authentication now offers new options to query and/or update user information. The following fields have been adapted and can now be used to query user information:

• hasAuthenticatorAssigned
• expired
• disabled
• lastAuthentication
• lastAuthenticationRequest
• maxDaysBetweenAuthentications

  You can use this field to query and update user information based on the user's interval between authentications.

OneSpan Cloud Authentication now supports the hasAdminPrivileges field for the following OneSpan Trusted Identity platform API endpoints:

• GET /users

You can now query a user based on the hasAdminPrivileges field in OneSpan Cloud Authentication.

In OneSpan Cloud Authentication, the SOAP client library for the common Java web services exhibits a bottleneck. This results in poor performance when many users are simultaneously trying to call the same service. To improve performance for users during high-traffic spikes, a new library is used.

Status: With the new library already in place, a higher number of simultaneous requests can now be handled without performance impairments for the following scenarios:

• User authentication and login
• Transaction validation
• Time synchronization between OneSpan Trusted Identity platform (i.e. host) and authenticator
• Orchestration SDK processing
• General improvement on internal processing operations (e.g. administration sessions)

When deregistering a FIDO UAF authenticator only via the Authenticator Attestation ID (AAID), the response received from the POST /users/{[email protected]}/deregister-fido-uaf-authenticators endpoint contains the list of all deregistered key IDs. Because the KeyID in the response should be empty, the certification tool reports a problem with the KeyID validation.

Status: This issue has been fixed. In addition, the behavior of the deregistration endpoint has been updated to also include the option to deregister the FIDO UAF authenticator using the AAID and KeyID.

The FIDO2 Sample Relying Party web application does not behave correctly during authentication with an Android phone as the assigned FIDO2 authenticator.

Status: This issue has been fixed. The FIDO2 Server did not correctly handle the case when the userHandle property was null, which caused the authentication attempt to fail.

An error occurs when calling the POST /users/register endpoint. Attempts to register an additional authenticator without including a static password result in the following error: User registration failed: Initial static password not set.

Status: This issue has been fixed. It is now possible to use this endpoint multiple times to start the registration of a new authenticator.

Once a registration call has been made with a password, that password will then be required for all subsequent registration calls (as long as the password has not been reset).

The FIDO2 Sample Relying Party web application is a stand-alone component hosted in the Sandbox environment. It facilitates the testing and simulation of the end-to-end capabilities of the FIDO2 ceremonies.

Once FIDO2 has been enabled, you can access the FIDO2 Sample Relying Party web application via https://yourtenant.sdb.tid.onespan.cloud/v1/fido-sample-relying-party.

For more information about the FIDO2 Sample Relying Party web application, see FIDO2 Sample Relying Party web application.

For more information on the FIDO2 Sample Relying Party web application interaction with the web browser and the OneSpan Trusted Identity platform API, see Using the FIDO2 Sample Relying Party web application to test the registration and deregistration flow and Using the FIDO2 Sample Relying Party web application to test the authentication flow. The code samples demonstrate how to use the WebAuthn API for the registration, deregistration, and authentication flows.

For more information on FIDO2 onboarding for the Sandbox environment, see FIDO2 onboarding in the Sandbox environment.

The FIDO2 onboarding process is now available on the OneSpan Community Portal for OneSpan Cloud Authentication.

For more information on FIDO2 onboarding for the Sandbox environment, see FIDO2 onboarding in the Sandbox environment.

For more information on FIDO2 onboarding for the Production environment, see FIDO2 onboarding in the Production environment.

Event listeners have been implemented in certain TID microservices to listen to the key expiration events of specific keys. After a Redis key expiration event is received, the related key is properly deleted.

The following TID microservices are impacted:

• checksessionstatusv2 (RequestStatus)
• authenticator-provisioningv2 (registrationsession)
• sandbox (sandbox-tenantdeletestatus, sandbox-tenantstatus)
• eventvalidationv2 (SessionRequestMapping)
• irm_macroservices_trusteddevicecmd (SessionStatus)
• oas-admin-pool (TenantAdminSession)
• checkactivationstatusv2 (CacheElement)

When finalizing the registration process, the FIDO2 Server now validates if the attestation mode (aka Attestation Conveyance Preference) is compatible with the attestation statement that the authenticator sends. If the attestation statement is empty, the attestation mode must be NONE. It is not compatible if the attestation statement is empty and the attestation mode is set to DIRECT or INDIRECT.

OneSpan Cloud Authentication now supports the emailAddress field for the following OneSpan Trusted Identity platform API endpoint:

• GET /users

You can now query a user based on the emailAddress field in OneSpan Cloud Authentication.

OneSpan Cloud Authentication now supports the displayName field for the following OneSpan Trusted Identity platform API endpoints:

• GET /users
• PATCH /users/{[email protected]}

You can now query a user or update user data based on the displayName field in OneSpan Cloud Authentication.

The default timeout value for Secure Channel-based authentication and transaction data signing operations has been increased from 60 seconds to 180 seconds.

Contact OneSpan Support if you need to change this configuration.

A new FIDO endpoint has been added to the OneSpan Trusted Identity platform API to retrieve a trusted facets list for FIDO UAF certification. This is a list of all the approved entities related to the calling app.

GET ​/fido-uaf-app-facets

The following failure responses are included:

• 500: Unexpected server error.

OneSpan Cloud Authentication now supports online multi-device licensing (MDL) provisioning to activate an authenticator. This functionality was available only for integrations of OneSpan Cloud Authentication that also included the OneSpan Orchestration SDK in the mobile application. With this new feature, the required DSAPP-SRP operations are now available through the OneSpan Trusted Identity platform API. During the activation process, an authenticator instance is created.

For this type of activation, an authenticator license is required.

• Ephemeral key endpoint. A new endpoint has been added to generate an ephemeral key and secure the activation process:

  POST /registrations/{registrationID}/generate-ephemeral-key

  This endpoint accepts clientEphemeralPublicKey as payload.

  The following failure responses are included:

  • 400: The input is invalid.
  • 404: The registration session was not found.
  • 409: Incorrect activation type.
  • 500: Unexpected server error.

• Generate activation message endpoint. A new endpoint has been added to generate the activation message:

  POST /registrations/{registrationID}/generate-activation-message

  This endpoint accepts clientEvidenceMessage as payload.

  The following failure responses are included:

  • 400: The input is invalid.
  • 404: The registration session was not found.
  • 409: Incorrect activation type or authenticator does not support activation.
  • 500: Unexpected server error.

• Update PNID endpoint. A new endpoint has been added to update the Push Notification Identifier (PNID):

  POST /users/{[email protected]}/authenticators/{serialNumber}/update-pnid

  This endpoint accepts encryptedMessage as payload.

  The following failure responses are included:

  • 400: The input is invalid.
  • 404: The user account or authenticator was not found.
  • 409: Failed to update the PNID for the authenticator.
  • 500: Unexpected server error.

For more information, refer to Integration of provisioning for multi-device licensing (MDL) authenticators.

The offline provisioning of multi-device licensing (MDL) authenticators has been improved. Because the device code input has become optional when initiating a registration session, two separate workflows are now available.

The following endpoint has been extended:

POST /registrations

Accepted payload if the device code is present:

• registrationID, with the following field:

  • deviceCode

Accepted payload if the device code is not present:

• registrationID

For more information, refer to Integration of provisioning for multi-device licensing (MDL) authenticators.

A new tool for investigating the performance of OneSpan Cloud Authentication has been introduced. Until now, the investigation of any performance issues was based on logs. With the integration of a new performance analysis instrument, OpenTelemetry, it is now possible to provide a standardized method to handle traces for microservices. The availability of performance output for analysis reduces the time to find core performance issues, as well as operation costs, and the time required to fix performance-related issues.

The POST /users/{[email protected]}/deregister-fido-uaf-keys and the POST /users/{[email protected]}/deregister-fido-uaf-authenticators endpoints do not support audit logging.

Status: This issue has been fixed.

The POST /authenticators/{serialNumber}/applications/{applName}/test endpoint supports two types of input data:

• otp, with response and hostCode as expected payload
• signature, with response and eight data fields (data1 ... data8) as expected payload

No issues occur if a Response-Only (RO) application is provided for the OTP flow, or a signature (SG) application for the signature flow. However, if a Challenge/Response (CR) application is provided for an OTP flow, OneSpan Cloud Authentication returns the STAT_CHALLENGEstatus code, which is mapped to ERROR.

Status: This issue has been fixed.

The default level for log entries that are created by the Transactionv3 web service is DEBUG. On the staging and production environments of OneSpan Cloud Authentication, however, the default log level is INFO. Because of this, there is no log information available on the Transactionv3 service.

Status: This issue has been fixed.

The FIDO Server returns FIDO UAF status code mismatches when the FIDO Conformance Tools are run against the FIDO registration endpoints in the OneSpan Trusted Identity platform API.

Status: This issue has been fixed. The UAF status codes have been corrected in the OneSpan Trusted Identity platform API. For more information about UAF status codes, refer to the FIDO Alliance documentation.

The FIDO Server returns FIDO UAF status code mismatches when the FIDO Conformance Tools are run against the FIDO authentication endpoints in the OneSpan Trusted Identity platform API.

Status: This issue has been fixed. The UAF status codes have been corrected in the OneSpan Trusted Identity platform API. For more information about UAF status codes, refer to the FIDO Alliance documentation.

The OneSpan Cloud Authentication admin pool expects a SOAP URL entry for sessions. After an update of the Production environment, the old sessions are still alive but are missing the SOAP URL. If that URL is not present, the service does not fall back to anything, which results in a service outage.

Status: This issue has been fixed. OneSpan Cloud Authentication now creates new sessions that include the SOAP URL.

For the user register microservice, OneSpan Cloud Authentication logs important messages incorrectly on lower log levels. In addition, the payload is logged incorrectly as a string value.

Status: This issue has been fixed. The log levels in the relevant microservice have been corrected, and the payload is now correctly formatted.

The Audit Logger service does not report all errors correctly. In some cases, a request is marked as success, and the microservice is not notified that an error occurred.

Status: This issue has been fixed. In case of failure, the microservice is notified that the request has failed, and an AuditLoggerClientException error is returned.

When configuring FIDO UAF for a tenant, a Relying Party entity has to be created via the FIDO UAF Policy Manager Service. The two fields tlsServerCertificateEndPoint and tlsServerCertificateHashEndPoint, which are part of the Relying Party entity, are mandatory fields. The Relying Party cannot be created if these two fields are null or empty. A possible workaround is to set dummy values for these two fields in case the Boolean fields tlsServerCertificateSupported and serverEndPointSupported are set to false.

Status: This issue has been fixed. Both fields can be null or empty if the Boolean fields are set to false. They need to be set only if the Boolean fields are set to true. With this, the tlsServerCertificateEndPoint and tlsServerCertificateHashEndPoint fields are no longer mandatory.

For general information about FIDO-based operations, refer to FIDO-Based Authentication and FIDO-Based Transaction Data Signing.

For information about integrating FIDO-based operations, refer to the following articles:

• Integrating user login with -based authentication, and
• Integrating FIDO-based transaction data signing.

In the endpoint to set up the Relying Party for FIDO2, the publicKeyCredentialDescriptors element is mandatory in the request body. At this stage of creating the Relying Party, however, there are no registrations and thus no credential IDs that could be supplied in the request body. Thus, the mandatory nature of this element is incorrect.

Status: This issue has been fixed. It is now possible to set the publicKeyCredentialDescriptors to null or empty, or to not include it at all in the request body.

For general information about FIDO-based operations, refer to FIDO-based authentication and FIDO-based transaction data signing.

For information about integrating FIDO-based operations, refer to the following articles:

• Integrating user login with -based authentication
• Integrating FIDO-based transaction data signing

The fido2-core library uses Log4J as an external dependency. This library contains the following critical vulnerabilities:

• CVE-2021-44228
• CVE-2021-45046
• CVE-2021-45105

Status: This issue has been fixed. The fido2-core library has been updated to use Log4j version 2.17, which fixes these vulnerabilities.

The following microservices have a dependency on the fido2-core library:

• fido2-service
• fido2-config-manager
• fido-universal-server (uses the API from fido2-service)

For the following SOAP commands in the Orchestration Messaging microservice, the tenant name is incorrectly used as a domain parameter:

• DecryptInformationMessageCommand
• EncryptRequestMessageCommand

The issue has been present in the services that served as the basis for, and were replaced by the Orchestration Messaging microservice.

Status: This issue has been fixed. The correct domain is now used in the relevant microservices, and misleading logs are removed.

The FIDO2 authenticator registration fails if the attestation mode NONE is used in the request to initialize the registration when calling the POST /users/{[email protected]}/generate-fido-registration-request endpoint.

Status: This issue has been fixed.

When a user attempts to activate a multi-device licensing (MDL) compatible device after a static password has expired, the POST /registrations endpoint returns the status code error 500 with a generic error message. In this case, however, the endpoint should return status code error 409, with the error message Static password has expired.

Status: This issue has been fixed.

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

• 5.5.1
• 5.4.4
• 5.4.2
• 5.4.1
• 5.4.0
• 5.3.1
• 5.3.0
• 5.2.0
• 5.0.2
• 4.24.4
• 4.24.2
• 4.23.0
• 4.21.1
• 4.20.2
• 4.19.3

Setting a static password during online activation is now optional. This allows passwordless use of the system and prevents your customers from being exposed to static passwords. With this, expiring passwords no longer cause issues, e.g. because of locked user accounts.

The product documentation that describes the registration and authenticator activation flow has been updated in the OneSpan Cloud Authentication Integration Guide.

In OneSpan Cloud Authentication, policies specify various login settings which can affect how a user can log in to a specific site, and how the login is handled by OneSpan Cloud Authentication. The policies that govern the OneSpan Cloud Authentication authentication operations have now been documented here: Authentication policies. These articles aim to facilitate the understanding of the possibilities and limitations of OneSpan Cloud Authentication.

OneSpan Cloud Authentication uses the Transport Layer Security (TLS) protocol. Documentation on the required TLS settings is now available at Configuration of TLS settings. Ensure to observe the specified requirements for your integration of OneSpan Cloud Authentication.

It is possible to create metadata statements that are not unique, e.g. create two or more metadata statements with the same tenant and AAGUID (FIDO2) or AAID (FIDO UAF). This leads to issues with registration and authentication operations since OneSpan Cloud Authentication throws uniqueness errors.

Status: This issue has been fixed. Only unique metadata statements can now be used.

For orchestration errors, OneSpan Cloud Authentication logs important messages incorrectly on lower log levels. Therefore, the messages are not visible. Also, in some cases, the tenant information is not included.

Status: This issue has been fixed.

If a user's hardware authenticator is out of sync, they can now initiate time synchronization for their authenticator. All OneSpan authenticators that can be out of sync, both time- and event-based, support this new feature.

• Authenticator endpoint. A new endpoint has been added to allow the user-controlled time synchronization:

  POST /users/{[email protected]}/sync-authenticator

  This endpoint accepts SyncAuthenticatorInput as payload.

  The following failure responses are included:

  • 400: The input is invalid.
  • 403: The command is prohibited for the tenant admin account.
  • 404: The user was not found.
  • 409: Conflict error.
  • 500: Unexpected server error.

For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.

It is now possible to customize how the virtual one-time password (OTP) is delivered to the user (e.g. use your own gateway or another special, customized communication channel). A new channel is available which makes it possible to receive the OTP in the request response session. To ensure the generated virtual OTP is never returned directly to the user, it is stored inside a session that is to be queried separately.

Mild security risk

When you use this feature, the OTP is returned in the same session in which it has been requested. Because this forms a mild security risk, be advised to treat the virtual OTP as sensitive data. Make sure the data is transmitted via a different secure channel than the one in which it was requested (e.g. an SMS sent to a different device than the one from which the request was sent).

Enabling this feature does not deactivate the original delivery method for virtual OTPs! The custom delivery has to be requested in the request payload on a per-request basis.

The following endpoints have been extended:

• POST /authenticators/{serialNumber}/applications/{applName}/generate-votp

  Accepted payload: GenerateVOTPOutput.

• POST /users/{[email protected]}/login

  The delivery of the virtual OTP is triggered when the keyword votpCustomDelivery is sent via the passKey field of the LoginInput payload.

  The response will be 200 OK. The following payloads are accepted:

  • LoginInput
  • LoginOutput, with the following fields and values:
    • sessionStatus, with the value pending
    • requestID, with with a generated value, e.g. 47543e06-1c11-49b8-94ed-d9501f7fd3f2

For more detailed information on how to integrate this feature, see Integrating user login via notification.

Use of this feature is optional, it is not provided by default. Contact OneSpan Support for the activation of this feature. Once enabled, the virtual OTP will be delivered with the same method for all tenants that are grouped in the same authentication service deployment as the one where this feature has been enabled.

The orchestration command that is returned by the POST /users/{[email protected]}/login endpoint cannot be rendered by the POST /visualcodes/render endpoint.

Status: This issue has been fixed.

The Fido2RequestTimeout (FIDO2) and JwtTokenTimeout (FIDO UAF) timeout parameters now have a default value set to 10 seconds in the respective FIDO tenant configuration.

For more information, see Standard FIDO Settings for the Sandbox Environment.

Contact OneSpan Support if you need to change this configuration.

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

• 5.4.2
• 5.4.1
• 5.4.0
• 5.3.1
• 5.3.0
• 5.2.0
• 5.0.2
• 4.24.4
• 4.24.2
• 4.23.0
• 4.21.1
• 4.20.2
• 4.19.3

A new field (uafStatusCode) has been added to the response body of the following endpoints that are related to the FIDO-based operations:

• POST /users/{[email protected]}/generate-fido-registration-request
• POST /users/{[email protected]}/register-fido-device
• POST /users/{[email protected]}/generate-fido-authentication-request
• POST /users/{[email protected]}login
• POST /users/{[email protected]}/transactions/validate
• POST /users/{[email protected]}/deregister-fido-uaf-authenticators
• POST /users/{[email protected]}/deregister-fido-uaf-keys

For a full list of UAF status codes, refer to the FIDO alliance documentation.

The POST /users/{[email protected]}/generate-fido-authentication-request endpoint now always returns a requestID that needs to be passed as part of the request body during the second call for the FIDO login and transaction validation operations.

To avoid replay attacks, you can restrict the maximum number of authenticators assigned to a user for specific authenticator types. This applies to single-device licensing (SDL) and multi-device licensing (MDL) authenticators, and authenticator instances (MDL only).

The following restrictions apply:

• Authenticator type TYP03 (iOS): 10 instances per user
• Authenticator type TYP07 (Android): 10 instances per user
• Authenticator type DAL10: 1 per user
• Authenticator type VIR10: 1 per user

If a user account has 10 or more active instances of TYP03 or TYP07, it will not be possible to activate more until enough instances have been deleted to be at or under the 10-instance limit.

For information about the authenticator types and affected endpoints, refer to Restrict the Number of Authenticators Assigned Per User.

With the new restriction for the number of authenticators that are assigned to a user, the limit of a maximum of 30 authenticator instances that are derived from a single license has become obsolete. This activation count limit has now been removed.

It is now possible to extend the default timeout value of currently 60 seconds per tenant. This enables you to increase the validation period for Push Notification-based authentication within OneSpan Cloud Authentication.

Contact OneSpan Support to extend the timeout configuration for your tenant(s).

For the offline activation of multi-device licensing (MDL) authenticators, some of the OneSpan Cloud Authentication endpoints return the serial number of the license instead of the serial number of the added or activated instance. This is incorrect since the endpoints have the capability of returning an instance number as serialNumber.

The affected endpoints are:

• POST /registrations
• POST /registrations/{registationID}/add-device
• POST /registrations/{registationID}/activate

Status: This issue has been fixed.

When a multi-device licensing online activation is started by calling the POST /users/register endpoint that has the RegisterUserInputEx payload for onlineMDL in OneSpan Cloud Authentication, additional activation steps performed on the mobile device are incorrectly verified against the Risk Management component.

Status: This issue has been fixed.

Every time the trusteddevicecmd web service audits a served call, it throws an exception because the connection to the central database fails, for lack of available and/or configured connection parameters.

Status: This issue has been fixed.

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

• 5.4.1
• 5.4.0
• 5.3.1
• 5.3.0
• 5.2.0
• 5.0.2
• 4.24.4
• 4.24.2
• 4.23.0
• 4.21.1
• 4.20.2
• 4.19.3

In the Interactive API Reference, the static password parameter is documented to be mandatory for the Create User API. However, the API works without the static password and returns "isPasswordSet": false if the static password is not provided.

Status: This issue has been fixed. staticPassword is no longer documented as a mandatory parameter.

The POST /users/register endpoint does not check if any activations for multi-device licensing (MDL) authenticators are still available. The MDL provisioning process is triggered regardless of whether license activations are still available.

Status: This issue has been fixed. If there are not enough activations available for the MDL license, the endpoint now returns the following error message: 409 License activation limit reached.

The probability that OneSpan Cloud Authentication accepts a random one-time password (OTP) on first authenticator usage is too high.

Status: This issue has been fixed. The relevant policies for authentication and signature validation scenarios have been changed. For more information about authentication policies, refer to Authentication policies.

To facilitate the identification of authenticator instances, e.g. when instances are deleted, OneSpan Cloud Authentication now provides the possibility to add an instance description.

This feature applies to multi-device licensing (MDL) authenticators and instances only.

Until now, authenticator instances could only be identified by their number. As a result, it was difficult to verify what the instance represents, to identify the device to which the relevant instance belongs, and to delete the correct instance. With the description, it is now possible to mark an instance according to its connection to the specific authenticator. You can update the description and use it as a criterion for authenticator queries.

The description is exposed on the TID platform API.

These are the API endpoints to add a description to an authenticator:

• POST /users/register
• POST /registrations

This is the API endpoint to update the description:

• PATCH /authenticators/{serialNumber}

The description field is limited to a maximum of 255 characters.

If an email address or phone number has not been assigned to a user in the Administration Web Interface or the REST API, a wrong error message is issued when a virtual OTP is requested via email or SMS.

Status: This issue has been fixed.

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

• 5.3.1
• 5.3.0
• 5.2.0
• 5.0.2
• 4.24.4
• 4.24.2
• 4.23.0
• 4.21.1
• 4.20.2
• 4.19.3

OneSpan Cloud Authentication now supports end-user login with FIDO-based authentication. FIDO (Fast IDentity Online) offers frameworks that enable passwordless authentication.

OneSpan Cloud Authentication supports the latest FIDO Alliance protocols.

This feature is not functional in the Sandbox environment.

For more information about FIDO-based authentication, see OneSpan Cloud Authentication User Guide.

• Login endpoint. The login endpoint has been extended to support FIDO-based authentication requests:

  POST /users/{[email protected]}/login

  This endpoint now also accepts credentials.fidoAuthenticator as payload.

• Registration endpoint. A new endpoint has been added to generate the FIDO registration request:

  POST /users/{[email protected]}/generate-fido-registration-request

  This endpoint accepts fidoProtocol, and for FIDO2: displayName, authenticatorSelection, and attestation as payload.

  The following failure responses are included:

  • 400: The input is invalid.
  • 404: The authenticator was not found.
  • 500: Unexpected server error.

  For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.

• Authentication endpoint. A new endpoint has been added to generate the FIDO authentication request:

  POST /users/{[email protected]}/generate-fido-authentication-request

  This endpoint accepts fidoProtocol, userVerification (only for FIDO2), and authenticationMessage (only for FIDO UAF) as payload.

  The following failure responses are included:

  • 400: The input is invalid.
  • 404: The authenticator was not found.
  • 500: Unexpected server error.

  For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.

• Transactions validation endpoint. The transactions validation endpoint has been updated to support FIDO-based transaction data signing requests for the UAF protocol:

  POST /users/{[email protected]}/transcations/validate

  This endpoint now also accepts data.fido as payload, with the following parameters:

  • fidoProtocol
  • authenticationResponse

For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

• 5.3.0
• 5.2.0
• 5.0.2
• 4.24.4
• 4.24.2
• 4.23.0
• 4.21.1
• 4.20.2
• 4.19.3

To further increase the security, OneSpan Cloud Authentication now limits the number of authenticator instances that are derived from a single license. Since the one-time password (OTP) is validated across all available authenticator instances, reducing the number of authenticator instances also reduces the chances of an attacker using the correct OTP. Once the limit is reached, an administrator can reset the activation count for that license.

The maximum number is now limited to 30 authenticator instances.

OneSpan Cloud Authentication now supports the latest Apple HTTP/2 certificate and authentication mode and the latest Google HTTP v1 mode.

The Apple Push Notification service HTTP/2 interface has been deployed and replaces the previous binary interface. No changes are needed for existing certificates. For new Apple applications, you need to provide either a PKCS#12 certificate for the certificate mode, or a PKCS#8 certificate for the authentication mode. For the Apple application, you can bundle multiple application identifiers (Apple staging identifier and production identifier). This feature is not accessible in the Sandbox environment.

The Firebase Cloud Messaging HTTP v1 interface has been deployed and provides strong security via short-lived access tokens. The previous modes are supported.

OneSpan recommends deploying the latest Push Notification server mode for Apple (authentication) and Google (short-lived token) to provide the highest security support.

OneSpan Cloud Authentication now supports device binding of software authenticators (single-device licensing). After the activation data has been generated, an authenticator can be bound to a device. Two new endpoints have been added for the implementation of this feature.

Endpoint to call the relevant Authentication component administration command:

POST /authenticators/{serialNumber}/bind

This endpoint accepts derivationCode as payload.

The following failure responses are included:

• 400: The input is invalid.
• 404: The authenticator was not found.

• 409: Failed to bind authenticator to device.

  • Device binding not supported by the authenticator
  • Authenticator already bound
  • Invalid derivation code
• 500: Unexpected server error.

Endpoint to unbind an authenticator from its device:

POST /authenticators/{serialNumber}/unbind

This endpoint does not accept a payload.

The following failure responses are included:

• 400: The input is invalid.
• 404: The authenticator was not found.
• 409: Failed to unbind the authenticator.
  • Device binding not supported by the authenticator
  • Authenticator not bound
• 500: Unexpected server error.

For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.

OneSpan Cloud Authentication now supports the deletion of authenticators. This applies to the deletion of standard licenses (based on the authenticator serial number) and the deletion of licenses and instances of multi-device licensing authenticators.

A new endpoint has been added to perform the delete operation:

DELETE /authenticators/{serialNumber}

This endpoint does not accept any payload but accepts the serialNumber as path parameter.

The following failure responses are included:

• 400: The input is invalid.
• 404: The authenticator was not found.
• 409: Failed to delete authenticator.
• 500: Unexpected server error.

For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

• 5.2.0
• 5.0.2
• 4.24.4
• 4.24.2
• 4.23.0
• 4.21.1
• 4.20.2
• 4.19.3

OneSpan Cloud Authentication now supports end-user login with Challenge/Response applications. The login endpoint has been extended to support Challenge/Response authentication, and a new endpoint has been added to generate the challenge:

POST /users/{[email protected]}/generate-challenge

This endpoint accepts length and checkDigit as payload.

The following failure responses are included:

• 400: The input is invalid.
• 403: You cannot generate a challenge for a tenant admin (=system) account.
• 404: The user account was not found.
• 500: Unexpected server error.

For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.

OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:

• 5.0.2
• 4.24.4
• 4.24.2
• 4.23.0
• 4.21.1
• 4.20.2
• 4.19.3

OneSpan Cloud Authentication now supports Mobile Security Suite Orchestration SDK with Push Notification for the following operations:

• Authentication
• Transaction data signing (TDS)
• Authenticator provisioning of application secrets for online multi-device licensing (MDL)

The following enhancements have been implemented in the TID platform API:

• Changes to the Register and Unregister API to support Mobile Security Suite Client Orchestration SDK for OneSpan Cloud Authentication.
• The Authentication and Transaction APIs have been modified to support Mobile Security Suite Client Orchestration SDK for OneSpan Cloud Authentication.

• Authenticate user with static password

• Authenticate user with offline one-time password (OTP)

  • Supported hardware authenticators:

    • Digipass with Response-Only support (e.g. DP GO-x)

  • Supported software authenticators:

    • Mobile Authenticator Studio (MAS)

• Authenticate user with Cronto image (Secure Channel-based authentication)

  • Supported hardware authenticators:

    • Digipass with Cronto image support (e.g. DP 7XX)

  • Supported software authenticators:

    • Mobile Authenticator Studio

• Push Notification-based authentication.

  • Supported software authenticators:

    • Mobile Authenticator Studio

• TDS offline

  • Supported hardware authenticators:

    • Digipass with signature support
  • Supported software authenticators:
    • Mobile Authenticator Studio

• TDS offline with Cronto image

  • Supported hardware authenticators:

    • Digipass with Cronto image support (e.g. DP 7XX)
  • Supported software authenticators:
    • Mobile Authenticator Studio

• TDS online with Push Notification

  • Supported software authenticators:

    • Mobile Authenticator Studio

• User management (supported API based user management use cases)

  • Create user
  • View user
  • Update user
  • Delete user
  • Reset user password
  • Unlock user
  • Query users

• Authenticator management (supported API based authenticator management use cases)

  • View authenticator
  • Update authenticator application
  • General Virtual OTP
  • Reset PIN for authenticator application
  • Test authenticator application
  • Generate activation data for a software authenticator
  • Generate activation message for an authenticator
  • Assign authenticator
  • Unassign authenticator
  • Move authenticator
  • Query authenticators
• Import users with user import file (new use case supported via OneSpan Authentication Server Administration Web Interface)

• Reporting (new use cases supported via OneSpan Authentication Server Administration Web Interface)

  • Create report
  • Run report
  • View report
  • Delete report

• Offline multi-device licensing (MDL) with Cronto image

  • Supported hardware authenticators:

    • Digipass with Cronto image

  • Supported software authenticators:

    • Mobile Authenticator Studio

A new TID platform API has been introduced that services all supported TID solutions:

• Intelligent Adaptive Authentication
• OneSpan Cloud Authentication
• Risk Analytics

The following software Digipass commands have been extended to return the user ID and the domain of the user that is associated to the activation, and the serial number of the activated Digipass:

• PROVISIONCMD_ACTIVATE
• PROVISIONCMD_DSAPPACTIVATE
• PROVISIONCMD_MDL_ACTIVATE
• dsappSRPActivate

In addition, the organizational unit attribute is returned for the PROVISIONCMD_ACTIVATE command.

Web Administration Service, Tcl Command-Line Administration tool, and .csv import file have been updated to support the following special characters:

• (') (&) (#) for the User ID field
• (') (,) (&) (#) for the User Name field

To optimize CPU and memory usage, multiple report tasks are now processed in serial order, with each OneSpan Authentication Server instance allowed to run one report task at a time. By default, multiple report tasks are distributed across all server instances and are thus automatically load balanced.

In a multi-server environment with a dedicated reporting server, this implies that if you want to run (scheduled) reports solely on the reporting server, you now need to disable the Reporting Scenario in the OneSpan Authentication Server Configuration Utility for all other OneSpan Authentication Server instances. In this case, the reporting server will be the only instance for report handling, and it will process and run one report task at a time. If the Reporting Scenario remains enabled on the other OneSpan Authentication Server instances, the load balancing applies and reports are run on any server instance.

OneSpan Authentication Server and its handling of administrative tasks have been enhanced to better facilitate the following administrative operations in deployments with multiple OneSpan Authentication Server instances:

• User import
• Digipass import
• Reporting tasks

A new TID platform API has been introduced that services all supported TID solutions:

• Intelligent Adaptive Authentication
• OneSpan Cloud Authentication
• Risk Analytics

Description: During upgrade and data migration, OneSpan Authentication Server writes several audit messages and log entries. Audit message I-013003 for success is auditing an internal operation and does not add extra value to the audit log.

Affects: OneSpan Authentication Server 3.10–3.18

Status: This audit message has been removed.

Description: During upgrade and data migration, OneSpan Authentication Server writes several audit messages and log entries. Audit message I-013003 for success is auditing an internal operation and does not add extra value to the audit log.

Affects: OneSpan Authentication Server 3.10–3.18

Status: This audit message has been removed.

Description: When using Digipass Authentication for Windows Logon along with a software or hardware Digipass authenticator and a Primary Virtual Mobile Authenticator, and if backup offline authentication data is available, online authentication using Primary Virtual Mobile Authenticator is no longer possible. In this case, Primary Virtual Mobile Authenticator can be used for backup offline authentication only.

Affects: OneSpan Authentication Server 3.14–3.18

Status: This issue has been fixed.

Description: Multiple report tasks that are running in parallel on one OneSpan Authentication Server instance cause the server to stop working properly. The report tasks fail or are rescheduled, and active Administration Web Interface sessions are interrupted.

Affects: OneSpan Authentication Server 3.6–3.18

Status: This issue has been fixed. Report tasks are now processed in serial order, with each OneSpan Authentication Server instance allowed to run one report task at a time.

Description: The Task Management page of the Administration Web Interface Help contains incorrect instructions to filter the task list.

Affects: OneSpan Authentication Server 3.6–3.18

Status: This issue has been fixed. Because the task list cannot be filtered, related information has been removed from the Administration Web Interface Help.

Description: When you scroll down in long HTML reports, the report footer moves with the report text to the top, and reveals a dark blue background, which makes the report data harder to read on-screen.

Affects: Web Administration Service 3.18 on Google Chrome

Status: This issue has been fixed.

Description: When a high level of administrative logon transactions are performed in OneSpan Authentication Server, a deadlock can occur on a database level.

Affects: OneSpan Authentication Server 3.17–3.18

Status: This issue has been fixed.

Description: Users that contain special characters for user name/user ID can be created in the Tcl Command-Line Administration tool or imported via a .csv import file. When you attempt to edit this data in the User tab of the Web Administration Service, an error is shown that the User Name/ User ID fields contain unsupported characters.

Affects: OneSpan Authentication Server 3.6–3.18

Status: This issue has been fixed. The user creation process has been unified to exclude the following characters for Web Administration Service, Tcl Command-Line Administration tool, and .csv import file:

• for the field user name : /\:;|"<>[]@=+*?
• for the field user ID: /:;,|"<>[]=+*?

Description: When the Expires At date for a user is set to 2038 or higher, it is incorrectly stored after saving.

Affects: Versions up to OneSpan Authentication Server 3.18

Status: This issue has been fixed.

When a decision division is toggled to ON, Risk Analytics Presentation Service displays an inconsequential error that must be ignored.