February Release – 23.R1
New features and enhancements—supported use cases
Documentation updates
The product documentation describing the FIDO-related infrastructure in OneSpan Cloud Authentication has been updated in the OneSpan Cloud Authentication User Guide.
For more information, see FIDO-based authentication.
Message-based transaction data signing via virtual signature
OneSpan Cloud Authentication now supports message-based transaction data signing via virtual signatures. With this feature, users can perform a transaction data signing operation by initiating a signature validation request to the OneSpan Trusted Identity platform API. The generated signature request contains a one-time password (OTP) and signature data fields. The OTP and the fields are sent to the user for confirmation, either via SMS, email, or voice call delivery.
- Generate virtual signature endpoint. A new endpoint has been added for this transaction data signing operation:
POST /users/{[email protected]}/generate-virtual-signature
This endpoint accepts dataFields, credentials, and deliveryMethod as payload.
The following responses are included:
- 204: Virtual signature generated.
- 400: The input is invalid.
- 403: The command is prohibited for the tenant admin account.
- 404: User account not found.
- 409: Failed to generate or deliver a virtual signature.
- 500: Internal error, sub-service failure, server crash.
For more information, refer to Integrate message-based transaction data signing.
Audit logging enhancement
In previous versions of OneSpan Cloud Authentication, each TID microservice had a different implementation for audit logging. The implementation has now been unified. The common aspects of the implementation have been moved to the common-auditing library, where each microservice now uses this library. The custom fields that are specific to the microservice, which were also logged prior to this change, are not affected by this enhancement.
The following TID microservices are impacted:
- authenticator-managementv2
- checkevent
- fido-universal-server
- relying-party
- user-managementv2
Fixes and other changes
Issue OAS-13897 (Support Case INC0010788): Mobile client receives incorrect error message when using the Orchestration SDK
In certain error scenarios, mobile clients that use the Orchestration SDK and integrate it with OneSpan Cloud Authentication receive error messages that are too verbose and contain internal processing details.
The following error messages are affected:
- The authenticator limit has been reached
- No device added
- No device registered
- Wrong device code supplied
- Wrong signature supplied
- User account suspended due to inactivity
- User is locked
- User is disabled
- No authenticators available
- Authenticator not supported
- Could not process encrypted message
- Static password has expired
Status: This issue has been fixed. Correct error messages are now returned to the clients. For unspecific internal server errors, the following generic error message is now returned: An unknown error has occurred.
In addition, the following changes were implemented to improve error messaging for Orchestration SDK clients:
- The error response of the POST /orchestration-commands endpoint now returns a log correlation ID that can be used to identify logs that belong to a certain error.
- If an error message cannot be propagated to the onOrchestrationServerError() callback method because the error command encoding fails, the message of the original error will now be returned as part of the error response of the POST /orchestration-commands endpoint.
Issues OAS-15177, OAS-15133, OAS-15323, OAS-15337, OAS-15338, OAS-15345–OAS-15348, OAS-16009, OAS-16033, and OAS-16262: Fixed vulnerabilities
This version of OneSpan Cloud Authentication contains fixes for the following vulnerabilities:
- CVE-2022-42915 (curl vulnerability)
- CVE-2022-42889 (Apache Commons Text vulnerability)
- CVE-2022-37434 (zlib vulnerability)
- CVE-2022-32207 (curl vulnerability)
- CVE-2022-27404 (FreeType vulnerability)
- CVE-2022-23806 (Go vulnerability)
- CVE-2022-22965 (Spring MVC/Spring WebFlux vulnerability)
- CVE-2022-2068 (OpenSSL vulnerability)
- CVE-2022-1292 (OpenSSL vulnerability)
- CVE-2021-45046 (Log4shell vulnerability)
- CVE-2021-44228 (Log4shell vulnerability)
- CVE-2021-43527 (Network Security Services (NSS) vulnerability)
- CVE-2021-31535 (libx11 vulnerability)
- CVE-2021-27568 (netplex json-smart vulnerability)
- CVE-2021-20223 (SQLite vulnerability)
- CVE-2021-3711 (OpenSSL vulnerability)
- CVE-2020-12403 (Network Security Services (NSS) vulnerability)
- CVE-2020-11656 (SQLite vulnerability)
- CVE-2019-20367 (libbsd vulnerability)
- CVE-2019-19646 (SQLite vulnerability)
- CVE-2019-14697 (musl vulnerability)
- CVE-2019-12900 (bzip2 vulnerability)
- CVE-2019-8457 (SQLite vulnerability)
Issue OAS-15341 (Support Case INC0011168): API Client cannot be generated for the OneSpan Trusted Identity platform API
Due to a reference that is incorrectly listed inside the tid-api.json file for the POST /users/{[email protected]}/deregister-fido-uaf-authenticators endpoint, it is not possible to generate the API Client for the OneSpan Trusted Identity platform API.
Status: This issue has been fixed.
Issue OAS-16273: FIDO authenticator registration fails in certain situations
Duplicate entries in the FIDO metadata database have caused authenticator registration attempts to fail in certain situations.
Status: This issue has been fixed.
Issue OAS-16274: Secure Messaging service returned incorrect error message text
The Secure Messaging service of OneSpan Cloud Authentication incorrectly returned Failed to generate secure challenge not only for a failed call to generate a secure challenge, but also when calling the service to generate a signing request failed.
Status: This issue has been fixed. Because the error message did not state clearly enough that the cause was an internal issue, the original error message was removed entirely. Instead, when either of these two calls fails, OneSpan Cloud Authentication now returns the following error message: An internal error occurred while attempting to process the request.
In addition, a new error message has been created for the case where a temporary user account has expired: Temporary user account expired. The wording of other error messages has also been improved and streamlined.
Issue OAS-16457: Mapping issue for delivery method of virtual OTP
The User Management service, in particular the PUT /users/{[email protected]} endpoint to create users, accepted a null value as delivery method payload for sending a virtual OTP. At the same time, it was not able to map the null value to one of the expected values (Default, SMS, Email, Voice).
Status: This issue has been fixed. The service now maps the null value correctly to Default.
Known issues
Issue OAS-15853: Incorrect error message when transaction amount fields are provided as data type number
The POST /users/{[email protected]}/transactions/validate endpoint returns an incorrect error message if the transaction amount field is provided as the data type number and the transaction amount is large. In this case, the endpoint should return the error message "Invalid value type", because the transaction amount field was provided as a number and not as a String. Instead, it returns the incorrect error message "Amount: Value must follow -^-?[0-9]{1,20}(\\.[0-9]{1,3})?$,".
Solution: The transaction amount fields in the request body of the transactions/validate endpoint need to be provided as a String. Ensure that the value in the JSON request body is wrapped in double quotes.
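As an added illustration (not OneSpan's code), the following client-side helper renders the amount field as the quoted string the endpoint expects and shows why a large JSON number never matches the pattern quoted in the error message; the field name "amount" used in amount_field_json is a placeholder, not the endpoint's schema.

```python
import json
import re
from decimal import Decimal, InvalidOperation

# Pattern quoted in the OAS-15853 error message, without the stray punctuation
# the message wraps around it.
AMOUNT_PATTERN = re.compile(r"^-?[0-9]{1,20}(\.[0-9]{1,3})?$")


def is_valid_amount(text: str) -> bool:
    """True if `text` is an amount string that matches the server's pattern."""
    return AMOUNT_PATTERN.match(text) is not None


def format_amount(amount) -> str:
    """Render an amount as the quoted string the validate endpoint expects.

    Accepts int, Decimal or str. Floats are rejected on purpose: a large float
    serialises to scientific notation (see amount_as_json_number), which can never
    match the pattern and is exactly the situation the known issue describes.
    """
    if isinstance(amount, float):
        raise TypeError("pass amounts as int, Decimal or str, never float")
    try:
        value = Decimal(str(amount))
    except InvalidOperation as exc:
        raise ValueError(f"not a decimal amount: {amount!r}") from exc
    text = format(value, "f")  # plain digits, never exponent notation
    if not is_valid_amount(text):
        raise ValueError(f"{text!r} does not match {AMOUNT_PATTERN.pattern}")
    return text


def amount_as_json_number(amount: float) -> str:
    """How the same amount looks when sent as a JSON number (comparison only)."""
    return json.dumps(amount)


def amount_field_json(name: str, amount) -> str:
    """JSON fragment for one amount field, with the value wrapped in double quotes."""
    return json.dumps({name: format_amount(amount)})
```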
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
- 5.5.1
- 5.4.4
- 5.4.2
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
December Release – 22.R4
New features and enhancements—supported use cases
FIDO2 Automatic Onboarding feature for Sandbox environment
With the FIDO2 Automatic Onboarding feature, you can use FIDO2-based functionalities with OneSpan Cloud Authentication for the Sandbox environment without any manual configuration. To be able to use this feature, you have to create a new tenant in the Community Portal, and FIDO2 will be automatically configured to work with the .
For more information on the FIDO2 Automatic Onboarding feature for the Sandbox environment, see FIDO2 in the Sandbox environment.
FIDO2 Self-Service Onboarding feature for Sandbox and Production environments
With the FIDO2 Self-Service Onboarding feature, you can configure FIDO2 by using the OneSpan Trusted Identity platform REST API endpoints for managing Relying Party Resources. In addition, you can enable the FIDO2-based functionalities with OneSpan Cloud Authentication for the Sandbox and Production environments.
- Create a new FIDO2 Relying Party endpoint. A new FIDO2 Relying Party Resource can be created by calling the following endpoint:
with the following mandatory request body:
- origins. Set of valid origins matching the Relying Party ID, e.g. ["https://www.yourwebapp.example-tenant.com"].
- publicKeyCredentialRpEntity, with the following fields:
- id. This is the Relying Party ID, e.g. "yourwebapp.example-tenant.com".
- name. This is the name of the Relying Party.
- icon. This is the Relying Party logo.
The following responses are included:
- 201: FIDO2 Relying Party created. The Relying Party UUID (the identifier for this newly created resource) is returned.
- 400: Input data errors.
- 500: Internal error, sub-service failure, server crash.
- Delete a FIDO2 Relying Party endpoint. A new endpoint has been added for this operation:
DELETE /fido2-relying-parties/{uuid}
The following responses are included:
- 204: Delete operation successful.
- 400: Input data errors.
- 404: FIDO2 Relying Party not found.
- 500: Internal error, sub-service failure, server crash.
- Query all FIDO2 Relying Parties endpoint. A new endpoint has been added for this operation:
The following responses are included:
- 200: FIDO2 Relying Parties retrieved successfully.
- 400: Input data errors.
- 500: Internal error, sub-service failure, server crash.
- Retrieve a specific FIDO2 Relying Party by ID endpoint. A new endpoint has been added for this operation:
GET /fido2-relying-parties/{uuid}
The following responses are included:
- 200: FIDO2 Relying Parties retrieved successfully.
- 400: Input data errors.
- 404: FIDO2 Relying Party not found.
- 500: Internal error, sub-service failure, server crash.
- Set a FIDO2 Relying Party as default endpoint. A new endpoint has been added for this operation:
POST /fido2-relying-parties/{uuid}/make-default
The following responses are included:
- 204: Make default operation successful.
- 400: Input data errors.
- 404: FIDO2 Relying Party not found.
- 500: Internal error, sub-service failure, server crash.
- Update a FIDO2 Relying Party endpoint. A new endpoint has been added for this operation:
PATCH /fido2-relying-parties/{uuid}
The following responses are included:
- 200: FIDO2 Relying Party update successful.
- 400: Input data errors.
- 404: FIDO2 Relying Party not found.
- 500: Internal error, sub-service failure, server crash.
For more information on the FIDO2 Self-Service Onboarding feature for the Sandbox environment, see FIDO2 in the Sandbox environment.
For more information on the FIDO2 Self-Service Onboarding feature for the Production environment, see FIDO2 in the Production environment.
Unlock hardware authenticator via API call
When a user enters too many incorrect PINs into a hardware authenticator, the authenticator is locked. With the new feature, OneSpan Cloud Authentication now supports unlocking the authenticator via the OneSpan Trusted Identity platform API. To unlock the authenticator, it is necessary to send an unlocking challenge that will be generated when the authenticator is next turned on after it has been locked.
- Unlock device endpoint. A new endpoint has been added for this unlock operation:
POST /authenticators/{serialNumber}/applications/{applName}/unlock
This endpoint accepts UnlockChallengeInput as payload.
This endpoint returns UnlockCodeOutput as output.
The following responses are included:
- 200: Unlock completed successfully, unlock code generated and returned in response.
- 400: The input is invalid.
- 404: Authenticator or application not found.
- 409: The authenticator unlock challenge is invalid.
- 500: Internal error, sub-service failure, server crash.
Validity period of Activation Message 1 is configurable
The validity period of Activation Message 1 can now be shortened for OneSpan Cloud Authentication. The default value of the activation message validity parameter can be lowered for the following policies:
- Identikey Administration Logon
- TID Provisioning for Multi-Device Licensing
Contact OneSpan Support to change this configuration.
For more information about this policy parameter and its default value, see Identikey Administration Logon (Policy) and TID Provisioning for Multi-Device Licensing (Policy).
Fixes and other changes
Issue OAS-10844 (Support Case CS0067585): Incorrect title parameter shown for generate-secure-challenge endpoint
The POST /users/{[email protected]}/generate-secure-challenge endpoint displays an incorrect message for the title parameter.
Status: This issue has been fixed.
Issue OAS-12509: Performance bottleneck in OneSpan Cloud Authentication web services
Further fixes have been implemented to remove the performance bottleneck in the OneSpan Cloud Authentication SOAP client library for the common Java web services. This allows handling a higher number of simultaneous requests without performance impairments.
Status: The new SOAP client library has now also been implemented for the services governing the following scenarios:
- Authenticator management
- Authenticator provisioning and activation
- Authenticator and authenticator application administration
- Workflows involving secure challenge requests for authentication and signature operations
- Transaction validation requests
- User account management
Issue OAS-14514: Orchestration SDK clients not receiving server error messages
If a mobile application is using the Orchestration SDK integrated with the OneSpan Trusted Identity platform, the onOrchestrationServerError() callback method is in many cases not invoked. This may lead to server error messages not being conveyed to the client app.
Status: This issue has been fixed. The onOrchestrationServerError() callback method is now fully supported by the OneSpan Trusted Identity platform. In case of a server-side error, the callback method will be invoked by the Orchestration SDK, and the server error message will be available to the client app via the field readableMessage.
Issues OAS-14647–OAS-14651: Fixed vulnerabilities
This version of OneSpan Cloud Authentication contains fixes for the following vulnerabilities:
- CVE-2021-45046 (Log4shell vulnerability)
- CVE-2021-44228 (Log4shell vulnerability)
- CVE-2021-31805 (Apache Struts vulnerability)
- CVE-2021-27568 (exception that is thrown from a function is not caught)
- CVE-2019-20445 (HttpObjectDecoder.java in Netty)
- CVE-2019-20444 (HttpObjectDecoder.java in Netty)
- CVE-2019-17495 (CSS injection vulnerability)
Issue OAS-15107: Incorrect serial number returned by the userregister (v1) and (v2) microservices
The userregister (v1) and (v2) microservices may return a serial number of a different authenticator type during authenticator registration and activation. This issue occurs if the following applies:
- a serial number is not specified in the payload, and
- an authenticator type is specified for offline multi-device licensing (MDL)
Status: This issue has been fixed.
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
- 5.5.1
- 5.4.4
- 5.4.2
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
August Release – 22.R3
New features and enhancements—supported use cases
FIDO UAF onboarding for Sandbox and Production environments
The FIDO UAF onboarding process is now available on the OneSpan Community Portal for OneSpan Cloud Authentication.
For more information on FIDO UAF onboarding, see FIDO UAF onboarding in the Sandbox and Production environments.
Deletion of a OneSpan Trusted Identity platform user
When a OneSpan Trusted Identity platform user is deleted, all FIDO-relevant user data that is associated with this account is also deleted. This prevents reusing old user data, if the user is reactivated in a future instance.
Data fields for FIDO UAF channel binding now supported by the OneSpan Trusted Identity platform API
The OneSpan Trusted Identity platform API now supports the following data fields for FIDO UAF channel binding:
- cidPublicKey
- tlsUnique
The following FIDO-based endpoints are impacted by this enhancement:
Data fields for FIDO2 token binding now supported by the OneSpan Trusted Identity platform API
The OneSpan Trusted Identity platform API now supports the tokenBinding data field for FIDO2 token binding.
The following FIDO-based endpoints are impacted by this enhancement:
Decrypt information message
OneSpan Cloud Authentication now supports decrypting the body of a Secure Channel information message via the REST API. With the Decrypt Information Message feature, you can decrypt the body of a Secure Channel information message that is encrypted with the payload key of an instance of a multi-device licensing (MDL) authenticator.
- Decrypt information message endpoint. A new endpoint has been added for this decrypting operation:
POST /authenticators/{serialNumber}/decrypt-information-message
This endpoint accepts informationMessage as payload.
The following responses are included:
- 200: Decrypted information message.
- 400: The input is invalid.
- 404: Authenticator not found.
- 409: Failed to decode information message.
- 500: Unexpected server error.
For more information, refer to Decrypt an Information Message Body.
Authenticator activation reset
With the new Reset Activation feature, OneSpan Cloud Authentication now supports resetting the activation information of an authenticator via the OneSpan Trusted Identity platform API.
For authenticators that are compliant with standard, i.e. single-device licensing (SDL), activation, the following parameters are reset:
- Activation count
- Activation locations
- Last activation date/time
For authenticators compliant with multi-device licensing (MDL) activation, the following parameters are reset:
- Provisioning activation count
- Activation challenge
- Last activation date/time
For MDL-compliant authenticators, this reset operation does not decrease the activation count (i.e. the number of activated instances), but resets the number of activations.
- Reset activation endpoint. A new endpoint has been added for this reset operation:
POST /authenticators/{serialNumber}/reset-activation
The following responses are included:
- 200: Reset activation completed successfully.
- 400: The input is invalid.
- 404: Authenticator not found.
- 409: Failed to reset the activation.
- 500: Unexpected server error.
For more information, refer to Reset Authenticator Activation Information.
New options to query and/or update user information
OneSpan Cloud Authentication now offers new options to query and/or update user information. The following fields have been adapted and can now be used to query user information:
- hasAuthenticatorAssigned
- expired
- disabled
- lastAuthentication
- lastAuthenticationRequest
- maxDaysBetweenAuthentications
You can use this field to query and update user information based on the user's interval between authentications.
hasAdminPrivileges field now supported in OneSpan Cloud Authentication
OneSpan Cloud Authentication now supports the hasAdminPrivileges field for the following OneSpan Trusted Identity platform API endpoints:
You can now query a user based on the hasAdminPrivileges field in OneSpan Cloud Authentication.
Fixes and other changes
Issue OAS-12509: Performance bottleneck in OneSpan Cloud Authentication web services
In OneSpan Cloud Authentication, the SOAP client library for the common Java web services exhibits a bottleneck. This results in poor performance when many users are simultaneously trying to call the same service. To improve performance for users during high-traffic spikes, a new library is used.
Status: With the new library already in place, a higher number of simultaneous requests can now be handled without performance impairments for the following scenarios:
- User authentication and login
- Transaction validation
- Time synchronization between OneSpan Trusted Identity platform (i.e. host) and authenticator
- Orchestration SDK processing
- General improvement on internal processing operations (e.g. administration sessions)
Issue OAS-12661: Incorrect behavior when deregistering the FIDO UAF authenticator via AAID
When deregistering a FIDO UAF authenticator only via the Authenticator Attestation ID (AAID), the response received from the POST /users/{[email protected]}/deregister-fido-uaf-authenticators endpoint contains the list of all deregistered key IDs. Because the KeyID in the response should be empty, the certification tool reports a problem with the KeyID validation.
Status: This issue has been fixed. In addition, the behavior of the deregistration endpoint has been updated to also include the option to deregister the FIDO UAF authenticator using the AAID and KeyID.
Issue OAS-12798: Android phone not behaving correctly when authenticating with
The Android phone does not behave correctly during authentication with an as the assigned FIDO2 authenticator.
Status: This issue has been fixed. The FIDO2 Server did not correctly handle the case when the userHandle property was null, which caused the authentication attempt to fail.
Issue OAS-13223 (Support Case INC0010680): User registration error without optional static password
An error occurs when calling the POST /users/register endpoint. Attempts to register an additional authenticator without including a static password result in the following error: User registration failed: Initial static password not set.
Status: This issue has been fixed. It is now possible to use this endpoint multiple times to start the registration of a new authenticator.
Once a registration call has been made with a password, that password will then be required for all subsequent registration calls (as long as the password has not been reset).
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
- 5.5.1
- 5.4.4
- 5.4.2
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
May Release – 22.R2
New features and enhancements—supported use cases
The is a stand-alone component hosted in the Sandbox environment. It facilitates the testing and simulation of the end-to-end capabilities of the FIDO2 ceremonies.
Once FIDO2 has been enabled, you can access the via https://yourtenant.sdb.tid.onespan.cloud/v1/fido-sample-relying-party.
For more information about the , see .
For more information on the OneSpan Trusted Identity platform API, see Using the to test the registration and deregistration flow and Using the to test the authentication flow. The code samples demonstrate how to use the interaction with the web browser and the WebAuthn API for the registration, deregistration, and authentication flows.
For more information on FIDO2 onboarding for the Sandbox environment, see FIDO2 onboarding in the Sandbox environment.
FIDO2 onboarding for Sandbox and Production environments
The FIDO2 onboarding process is now available on the OneSpan Community Portal for OneSpan Cloud Authentication.
For more information on FIDO2 onboarding for the Sandbox environment, see FIDO2 onboarding in the Sandbox environment.
For more information on FIDO2 onboarding for the Production environment, see FIDO2 onboarding in the Production environment.
Event listeners implemented in TID microservices
Event listeners have been implemented in certain TID microservices to listen to the key expiration events of specific keys. After a Redis key expiration event is received, the related key is properly deleted.
The following TID microservices are impacted:
- checksessionstatusv2 (RequestStatus)
- authenticator-provisioningv2 (registrationsession)
- sandbox (sandbox-tenantdeletestatus, sandbox-tenantstatus)
- eventvalidationv2 (SessionRequestMapping)
- irm_macroservices_trusteddevicecmd (SessionStatus)
- oas-admin-pool (TenantAdminSession)
- checkactivationstatusv2 (CacheElement)
Validation of attestation modes by FIDO2 Server
When finalizing the registration process, the FIDO2 Server now validates if the attestation mode (aka Attestation Conveyance Preference) is compatible with the attestation statement that the authenticator sends. If the attestation statement is empty, the attestation mode must be NONE. It is not compatible if the attestation statement is empty and the attestation mode is set to DIRECT or INDIRECT.
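The compatibility rule above, as an added example that is not OneSpan's FIDO2 Server code: a minimal reader for the CBOR subset used by WebAuthn attestation objects, plus the check that an empty attestation statement is only accepted under NONE. The two sample attestation objects are constructed inline, and treating a non-empty statement as acceptable under NONE is an assumption this example makes (the page does not cover that case).

```python
import base64

# Attestation conveyance preferences named on the page.
NONE, INDIRECT, DIRECT = "none", "indirect", "direct"


def _decode_cbor(buf: bytes, pos: int = 0):
    """Decode the CBOR subset found in attestation objects (unsigned and negative
    ints, byte strings, text strings, definite-length arrays and maps).
    Minimal reader for this example, not a full CBOR implementation."""
    initial = buf[pos]
    major, info = initial >> 5, initial & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    elif info == 26:
        arg, pos = int.from_bytes(buf[pos:pos + 4], "big"), pos + 4
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = _decode_cbor(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = _decode_cbor(buf, pos)
            value, pos = _decode_cbor(buf, pos)
            result[key] = value
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def parse_attestation_object(b64url: str) -> dict:
    """Decode a base64url attestationObject into {"fmt", "attStmt", "authData"}."""
    raw = base64.urlsafe_b64decode(b64url + "=" * (-len(b64url) % 4))
    obj, end = _decode_cbor(raw)
    if end != len(raw) or not isinstance(obj, dict):
        raise ValueError("malformed attestation object")
    for key in ("fmt", "attStmt", "authData"):
        if key not in obj:
            raise ValueError(f"attestation object missing {key}")
    if len(obj["authData"]) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        raise ValueError("authData too short")
    return obj


def attestation_mode_compatible(mode: str, attestation: dict) -> bool:
    """Apply the release-note rule: an empty attestation statement is only valid
    when the requested attestation mode is NONE; DIRECT and INDIRECT require one."""
    mode = mode.lower()
    if mode not in (NONE, INDIRECT, DIRECT):
        raise ValueError(f"unknown attestation conveyance preference {mode!r}")
    statement_empty = attestation["fmt"] == NONE or not attestation["attStmt"]
    if statement_empty:
        return mode == NONE
    # Assumption (not stated on the page): a non-empty statement is accepted under
    # any mode and is then verified by the usual attestation verification.
    return True


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: fmt "none" with an empty attStmt and 37 zero bytes of authData.
SAMPLE_NONE_ATTESTATION = _b64url(
    b"\xa3" + b"\x63fmt" + b"\x64none" + b"\x67attStmt" + b"\xa0"
    + b"\x68authData" + b"\x58\x25" + bytes(37)
)
# Constructed sample: fmt "packed" with attStmt {"alg": -7, "sig": <4 dummy bytes>}.
SAMPLE_PACKED_ATTESTATION = _b64url(
    b"\xa3" + b"\x63fmt" + b"\x66packed"
    + b"\x67attStmt" + b"\xa2" + b"\x63alg" + b"\x26" + b"\x63sig" + b"\x44\x30\x44\x02\x20"
    + b"\x68authData" + b"\x58\x25" + bytes(37)
)
```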
emailAddress field now supported in OneSpan Cloud Authentication
OneSpan Cloud Authentication now supports the emailAddress field for the following OneSpan Trusted Identity platform API endpoint:
You can now query a user based on the emailAddress field in OneSpan Cloud Authentication.
displayName field now supported in OneSpan Cloud Authentication
OneSpan Cloud Authentication now supports the displayName field for the following OneSpan Trusted Identity platform API endpoints:
You can now query a user or update user data based on the displayName field in OneSpan Cloud Authentication.
Secure Channel default timeout increased to 180 seconds
The default timeout value for Secure Channel-based authentication and transaction data signing operations has been increased from 60 seconds to 180 seconds.
Contact OneSpan Support if you need to change this configuration.
Trusted facets list endpoint
A new FIDO endpoint has been added to the OneSpan Trusted Identity platform API to retrieve a trusted facets list for FIDO UAF certification. This is a list of all the approved entities related to the calling app.
The following failure responses are included:
- 500: Unexpected server error.
Online multi-device licensing provisioning
OneSpan Cloud Authentication now supports online multi-device licensing (MDL) provisioning to activate an authenticator. Previously, this functionality was available only for integrations of OneSpan Cloud Authentication that also included the OneSpan Orchestration SDK in the mobile application. With this new feature, the required DSAPP-SRP operations are now available through the OneSpan Trusted Identity platform API. During the activation process, an authenticator instance is created.
For this type of activation, an authenticator license is required.
- Ephemeral key endpoint. A new endpoint has been added to generate an ephemeral key and secure the activation process:
POST /registrations/{registrationID}/generate-ephemeral-key
This endpoint accepts clientEphemeralPublicKey as payload.
The following failure responses are included:
- 400: The input is invalid.
- 404: The registration session was not found.
- 409: Incorrect activation type.
- 500: Unexpected server error.
- Generate activation message endpoint. A new endpoint has been added to generate the activation message:
POST /registrations/{registrationID}/generate-activation-message
This endpoint accepts clientEvidenceMessage as payload.
The following failure responses are included:
- 400: The input is invalid.
- 404: The registration session was not found.
- 409: Incorrect activation type or authenticator does not support activation.
- 500: Unexpected server error.
- Update PNID endpoint. A new endpoint has been added to update the Push Notification Identifier (PNID):
POST /users/{[email protected]}/authenticators/{serialNumber}/update-pnid
This endpoint accepts encryptedMessage as payload.
The following failure responses are included:
- 400: The input is invalid.
- 404: The user account or authenticator was not found.
- 409: Failed to update the PNID for the authenticator.
- 500: Unexpected server error.
For more information, refer to Integration of provisioning for multi-device licensing (MDL) authenticators.
Improved offline multi-device licensing provisioning
The offline provisioning of multi-device licensing (MDL) authenticators has been improved. Because the device code input has become optional when initiating a registration session, two separate workflows are now available.
The following endpoint has been extended:
Accepted payload if the device code is present:
- registrationID, with the following field:
  - deviceCode
Accepted payload if the device code is not present:
- registrationID
For more information, refer to Integration of provisioning for multi-device licensing (MDL) authenticators.
Performance analysis improvement
A new tool for investigating the performance of OneSpan Cloud Authentication has been introduced. Until now, the investigation of any performance issues was based on logs. With the integration of a new performance analysis instrument, OpenTelemetry, it is now possible to provide a standardized method to handle traces for microservices. The availability of performance output for analysis reduces the time to find core performance issues, as well as operation costs, and the time required to fix performance-related issues.
Fixes and other changes
Issue OAS-8511: Audit logging not supported for FIDO UAF deregister endpoints
The POST /users/{[email protected]}/deregister-fido-uaf-keys and the POST /users/{[email protected]}/deregister-fido-uaf-authenticators endpoints do not support audit logging.
Status: This issue has been fixed.
Issue OAS-8645: Unhandled application types (Authenticator management)
The POST /authenticators/{serialNumber}/applications/{applName}/test endpoint supports two types of input data:
- otp, with response and hostCode as expected payload
- signature, with response and eight data fields (data1 ... data8) as expected payload
No issues occur if a Response-Only (RO) application is provided for the OTP flow, or a signature (SG) application for the signature flow. However, if a Challenge/Response (CR) application is provided for an OTP flow, OneSpan Cloud Authentication returns the STAT_CHALLENGE status code, which is mapped to ERROR.
Status: This issue has been fixed.
Issue OAS-10845: Incorrect default log level for Transactionv3 web service logs
The default level for log entries that are created by the Transactionv3 web service is DEBUG. On the staging and production environments of OneSpan Cloud Authentication, however, the default log level is INFO. Because of this, there is no log information available on the Transactionv3 service.
Status: This issue has been fixed.
Issue OAS-10850: FIDO UAF status codes do not match for the FIDO registration operations
The FIDO Server returns FIDO UAF status code mismatches when the FIDO Conformance Tools are run against the FIDO registration endpoints in the OneSpan Trusted Identity platform API.
Status: This issue has been fixed. The UAF status codes have been corrected in the OneSpan Trusted Identity platform API. For more information about UAF status codes, refer to the FIDO Alliance documentation.
Issue OAS-10852: FIDO UAF status codes do not match for the FIDO authentication operations
The FIDO Server returns FIDO UAF status code mismatches when the FIDO Conformance Tools are run against the FIDO authentication endpoints in the OneSpan Trusted Identity platform API.
Status: This issue has been fixed. The UAF status codes have been corrected in the OneSpan Trusted Identity platform API. For more information about UAF status codes, refer to the FIDO Alliance documentation.
Issue OAS-11268: Failing SOAP URL for admin pool
The OneSpan Cloud Authentication admin pool expects a SOAP URL entry for sessions. After an update of the Production environment, the old sessions are still alive but are missing the SOAP URL. If that URL is not present, the service does not fall back to anything, which results in a service outage.
Status: This issue has been fixed. OneSpan Cloud Authentication now creates new sessions that include the SOAP URL.
Issue OAS-11635: Log issues for user register microservice
For the user register microservice, OneSpan Cloud Authentication logs important messages incorrectly on lower log levels. In addition, the payload is logged incorrectly as a string value.
Status: This issue has been fixed. The log levels in the relevant microservice have been corrected, and the payload is now correctly formatted.
Issue OAS-11822: Incorrect error handling in Audit Logger service
The Audit Logger service does not report all errors correctly. In some cases, a request is marked as success, and the microservice is not notified that an error occurred.
Status: This issue has been fixed. In case of failure, the microservice is notified that the request has failed, and an AuditLoggerClientException error is returned.
Issue OAS-11841: FIDO UAF Relying Party mandatory fields
When configuring FIDO UAF for a tenant, a Relying Party entity has to be created via the FIDO UAF Policy Manager Service. The two fields tlsServerCertificateEndPoint and tlsServerCertificateHashEndPoint, which are part of the Relying Party entity, are mandatory fields. The Relying Party cannot be created if these two fields are null or empty. A possible workaround is to set dummy values for these two fields in case the Boolean fields tlsServerCertificateSupported and serverEndPointSupported are set to false.
Status: This issue has been fixed. Both fields can be null or empty if the Boolean fields are set to false. They need to be set only if the Boolean fields are set to true. With this, the tlsServerCertificateEndPoint and tlsServerCertificateHashEndPoint fields are no longer mandatory.
For general information about FIDO-based operations, refer to FIDO-Based Authentication and FIDO-Based Transaction Data Signing.
For information about integrating FIDO-based operations, refer to the following articles:
Issue OAS-11842: FIDO2 Relying Party setup mandatory fields
In the endpoint to set up the Relying Party for FIDO2, the publicKeyCredentialDescriptors element is mandatory in the request body. At this stage of creating the Relying Party, however, there are no registrations and thus no credential IDs that could be supplied in the request body. Thus, the mandatory nature of this element is incorrect.
Status: This issue has been fixed. It is now possible to set the publicKeyCredentialDescriptors to null or empty, or to not include it at all in the request body.
For general information about FIDO-based operations, refer to FIDO-based authentication and FIDO-based transaction data signing.
For information about integrating FIDO-based operations, refer to the following articles:
Issue OAS-11888: Log4J security vulnerability
The fido2-core library uses Log4J as an external dependency. This library contains the following critical vulnerabilities:
- CVE-2021-44228
- CVE-2021-45046
- CVE-2021-45105
Status: This issue has been fixed. The fido2-core library has been updated to use Log4j version 2.17, which fixes these vulnerabilities.
The following microservices have a dependency on the fido2-core library:
- fido2-service
- fido2-config-manager
- fido-universal-server (uses the API from fido2-service)
Issue OAS-11895: Domain parameters for SOAP requests from orchestration messages
For the following SOAP commands in the Orchestration Messaging microservice, the tenant name is incorrectly used as a domain parameter:
- DecryptInformationMessageCommand
- EncryptRequestMessageCommand
The issue was also present in the services that the Orchestration Messaging microservice was based on and has replaced.
Status: This issue has been fixed. The correct domain is now used in the relevant microservices, and misleading logs are removed.
Issue OAS-12060: FIDO2 authenticator registration fails when using attestation mode NONE
The FIDO2 authenticator registration fails if the attestation mode NONE is used in the request to initialize the registration when calling the POST /users/{[email protected]}/generate-fido-registration-request endpoint.
Status: This issue has been fixed.
Issue OAS-12339: Static password expired error not correctly handled during MDL device activation
When a user attempts to activate a multi-device licensing (MDL) compatible device after a static password has expired, the POST /registrations endpoint returns the status code error 500 with a generic error message. In this case, however, the endpoint should return status code error 409, with the error message Static password has expired.
Status: This issue has been fixed.
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
- 5.5.1
- 5.4.4
- 5.4.2
- 5.4.1
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
March 2022
New features and enhancements—supported use cases
Static password optional for online activation
Setting a static password during online activation is now optional. This allows passwordless use of the system and prevents your customers from being exposed to static passwords. With this, expiring passwords no longer cause issues, e.g. because of locked user accounts.
Documentation updates
The product documentation that describes the registration and authenticator activation flow has been updated in the OneSpan Cloud Authentication Integration Guide.
Documentation on authentication policies now available
In OneSpan Cloud Authentication, policies specify various login settings which can affect how a user can log in to a specific site, and how the login is handled by OneSpan Cloud Authentication. The policies that govern the OneSpan Cloud Authentication authentication operations have now been documented here: Authentication policies. These articles aim to facilitate the understanding of the possibilities and limitations of OneSpan Cloud Authentication.
Documentation on Transport Layer Security settings now available
OneSpan Cloud Authentication uses the Transport Layer Security (TLS) protocol. Documentation on the required TLS settings is now available at Configuration of TLS settings. Make sure to observe the specified requirements in your integration of OneSpan Cloud Authentication.
Fixes and other changes
Issue OAS-11052: Issues with the creation of non-unique metadata statements
It is possible to create metadata statements that are not unique, e.g. create two or more metadata statements with the same tenant and AAGUID (FIDO2) or AAID (FIDO UAF). This leads to issues with registration and authentication operations since OneSpan Cloud Authentication throws uniqueness errors.
Status: This issue has been fixed. Only unique metadata statements can now be used.
Issue OAS-11267: Wrong log level information for orchestration errors
For orchestration errors, OneSpan Cloud Authentication logs important messages incorrectly on lower log levels. Therefore, the messages are not visible. Also, in some cases, the tenant information is not included.
Status: This issue has been fixed.
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
- 5.4.2
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
December 2021
Fixes and other changes
Vulnerabilities in Apache Log4j2
Recently, the Apache foundation announced a number of security vulnerabilities in the Log4j2 library for Java applications. The affected authentication service libraries have been upgraded to mitigate remote code execution and denial-of-service attacks that could result from the vulnerabilities.
For the latest updates on the vulnerabilities and the upgrade status of the libraries used by OneSpan products, refer to the OneSpan Log4j Advisory page and the OneSpan Trust Center.
October 2021
New features and enhancements—supported use cases
FIDO metadata
OneSpan Cloud Authentication now supports FIDO Metadata Service 3.0.
For more information about FIDO metadata, refer to the FIDO Alliance documentation.
User-initiated authenticator time synchronization
If a user's hardware authenticator is out of sync, they can now initiate time synchronization for their authenticator. All OneSpan authenticators that can be out of sync, both time- and event-based, support this new feature.
- Authenticator endpoint. A new endpoint has been added to allow the user-controlled time synchronization:
POST /users/{[email protected]}/sync-authenticator
This endpoint accepts SyncAuthenticatorInput as payload.
The following failure responses are included:
- 400: The input is invalid.
- 403: The command is prohibited for the tenant admin account.
- 404: The user was not found.
- 409: Conflict error.
- 500: Unexpected server error.
For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.
Customize delivery method of virtual OTP
It is now possible to customize how the virtual one-time password (OTP) is delivered to the user (e.g. use your own gateway or another special, customized communication channel). A new channel is available which makes it possible to receive the OTP in the request response session. To ensure the generated virtual OTP is never returned directly to the user, it is stored inside a session that is to be queried separately.
Mild security risk
When you use this feature, the OTP is returned in the same session in which it was requested. Because this poses a mild security risk, treat the virtual OTP as sensitive data. Make sure the data is transmitted via a different secure channel than the one in which it was requested (e.g. an SMS sent to a different device than the one from which the request was sent).
Enabling this feature does not deactivate the original delivery method for virtual OTPs! The custom delivery has to be requested in the request payload on a per-request basis.
The following endpoints have been extended:
- POST /authenticators/{serialNumber}/applications/{applName}/generate-votp
  Accepted payload: GenerateVOTPOutput.
- POST /users/{[email protected]}/login
The delivery of the virtual OTP is triggered when the keyword votpCustomDelivery is sent via the passKey field of the LoginInput payload. The response will be 200 OK. The following payloads are accepted:
- LoginInput
- LoginOutput, with the following fields and values:
- sessionStatus, with the value pending
- requestID, with a generated value, e.g. 47543e06-1c11-49b8-94ed-d9501f7fd3f2
For more detailed information on how to integrate this feature, see Integrating user login via notification.
Use of this feature is optional; it is not enabled by default. Contact OneSpan Support for the activation of this feature. Once enabled, the virtual OTP will be delivered with the same method for all tenants that are grouped in the same authentication service deployment as the one where this feature has been enabled.
Fixes and other changes
Issue OAS-9793 (Support Case CS0042742): Cronto image rendering fails for orchestration command
The orchestration command that is returned by the POST /users/{[email protected]}/login endpoint cannot be rendered by the POST /visualcodes/render endpoint.
Status: This issue has been fixed.
Issue OAS-9932: FIDO timeout configuration
The Fido2RequestTimeout (FIDO2) and JwtTokenTimeout (FIDO UAF) timeout parameters now have a default value set to 10 seconds in the respective FIDO tenant configuration.
For more information, see Standard FIDO Settings for the Sandbox Environment.
Contact OneSpan Support if you need to change this configuration.
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
- 5.4.2
- 5.4.1
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
September 2021
New features and enhancements—supported use cases
New FIDO UAF status code field in response body
A new field (uafStatusCode) has been added to the response body of the following endpoints that are related to the FIDO-based operations:
- POST /users/{[email protected]}/generate-fido-registration-request
- POST /users/{[email protected]}/register-fido-device
- POST /users/{[email protected]}/generate-fido-authentication-request
- POST /users/{[email protected]}/login
- POST /users/{[email protected]}/transactions/validate
- POST /users/{[email protected]}/deregister-fido-uaf-authenticators
- POST /users/{[email protected]}/deregister-fido-uaf-keys
For a full list of UAF status codes, refer to the FIDO alliance documentation.
FIDO requestID mapping
The POST /users/{[email protected]}/generate-fido-authentication-request endpoint now always returns a requestID that needs to be passed as part of the request body during the second call for the FIDO login and transaction validation operations.
New restriction on number of assigned authenticators, but limit on derived authenticator instances removed
To avoid replay attacks, you can restrict the maximum number of authenticators assigned to a user for specific authenticator types. This applies to single-device licensing (SDL) and multi-device licensing (MDL) authenticators, and authenticator instances (MDL only).
The following restrictions apply:
- Authenticator type TYP03 (iOS): 10 instances per user
- Authenticator type TYP07 (Android): 10 instances per user
- Authenticator type DAL10: 1 per user
- Authenticator type VIR10: 1 per user
If a user account has 10 or more active instances of TYP03 or TYP07, it will not be possible to activate more until enough instances have been deleted to be at or under the 10-instance limit.
For information about the authenticator types and affected endpoints, refer to Restrict the Number of Authenticators Assigned Per User.
With the new restriction for the number of authenticators that are assigned to a user, the limit of a maximum of 30 authenticator instances that are derived from a single license has become obsolete. This activation count limit has now been removed.
Extend timeout configuration per tenant
It is now possible to extend the default timeout value of currently 60 seconds per tenant. This enables you to increase the validation period for Push Notification-based authentication within OneSpan Cloud Authentication.
Contact OneSpan Support to extend the timeout configuration for your tenant(s).
Fixes and other changes
Issue OAS-9593 (Support Case CS0064818): Authenticator instance number not returned on registration
For the offline activation of multi-device licensing (MDL) authenticators, some of the OneSpan Cloud Authentication endpoints return the serial number of the license instead of the serial number of the added or activated instance. This is incorrect since the endpoints have the capability of returning an instance number as serialNumber.
The affected endpoints are:
- POST /registrations
- POST /registrations/{registrationID}/add-device
- POST /registrations/{registrationID}/activate
Status: This issue has been fixed.
Issue OAS-9149 (Support Case CS0064666): Issues with multi-device licensing online activation
When a multi-device licensing online activation is started by calling the POST /users/register endpoint that has the RegisterUserInputEx payload for onlineMDL in OneSpan Cloud Authentication, additional activation steps performed on the mobile device are incorrectly verified against the Risk Management component.
Status: This issue has been fixed.
Issue OAS-8610: trusteddevicecmd web service throws exception after audit call
Every time the trusteddevicecmd web service audits a served call, it throws an exception because the connection to the central database fails, for lack of available and/or configured connection parameters.
Status: This issue has been fixed.
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
- 5.4.1
- 5.4.0
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
July 2021
Fixes and other changes
Issue OAS-8999 (Support Case CS0062594): Incorrect information about staticPassword parameter for Create User API (Interactive API Reference)
In the Interactive API Reference, the static password parameter is documented to be mandatory for the Create User API. However, the API works without the static password and returns "isPasswordSet": false if the static password is not provided.
Status: This issue has been fixed. staticPassword is no longer documented as a mandatory parameter.
Issue OAS-8927 (Support Case CS0060474): No validation of remaining multi-device licensing (MDL) activations
The POST /users/register endpoint does not check if any activations for multi-device licensing (MDL) authenticators are still available. The MDL provisioning process is triggered regardless of whether license activations are still available.
Status: This issue has been fixed. If there are not enough activations available for the MDL license, the endpoint now returns the following error message: 409 License activation limit reached.
Issue OAS-8899: Probability to accept random OTP on first authenticator usage is too high
The probability that OneSpan Cloud Authentication accepts a random one-time password (OTP) on first authenticator usage is too high.
Status: This issue has been fixed. The relevant policies for authentication and signature validation scenarios have been changed. For more information about authentication policies, refer to Authentication policies.
May 2021
New features and enhancements—supported use cases
Identify authenticator instances with descriptions
To facilitate the identification of authenticator instances, e.g. when instances are deleted, OneSpan Cloud Authentication now provides the possibility to add an instance description.
This feature applies to multi-device licensing (MDL) authenticators and instances only.
Until now, authenticator instances could only be identified by their number. As a result, it was difficult to verify what the instance represents, to identify the device to which the relevant instance belongs, and to delete the correct instance. With the description, it is now possible to mark an instance according to its connection to the specific authenticator. You can update the description and use it as a criterion for authenticator queries.
The description is exposed on the TID platform API.
These are the API endpoints to add a description to an authenticator:
This is the API endpoint to update the description:
The description field is limited to a maximum of 255 characters.
Fixes and other changes
Issue OAS-7419 (Support Case CS0047407): Wrong error message when requesting virtual OTP via email or SMS
If an email address or phone number has not been assigned to a user in the Administration Web Interface or the REST API, a wrong error message is issued when a virtual OTP is requested via email or SMS.
Status: This issue has been fixed.
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
- 5.3.1
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
April 2021
New features and enhancements—supported use cases
FIDO-based authentication
OneSpan Cloud Authentication now supports end-user login with FIDO-based authentication. FIDO (Fast IDentity Online) offers frameworks that enable passwordless authentication.
OneSpan Cloud Authentication supports the latest FIDO Alliance protocols.
This feature is not functional in the Sandbox environment.
For more information about FIDO-based authentication, see OneSpan Cloud Authentication User Guide.
- Login endpoint. The login endpoint has been extended to support FIDO-based authentication requests:
POST /users/{[email protected]}/login
This endpoint now also accepts credentials.fidoAuthenticator as payload.
- Registration endpoint. A new endpoint has been added to generate the FIDO registration request:
POST /users/{[email protected]}/generate-fido-registration-request
This endpoint accepts fidoProtocol, and for FIDO2: displayName, authenticatorSelection, and attestation as payload.
The following failure responses are included:
- 400: The input is invalid.
- 404: The authenticator was not found.
- 500: Unexpected server error.
For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.
- Authentication endpoint. A new endpoint has been added to generate the FIDO authentication request:
POST /users/{[email protected]}/generate-fido-authentication-request
This endpoint accepts fidoProtocol, userVerification (only for FIDO2), and authenticationMessage (only for FIDO UAF) as payload.
The following failure responses are included:
- 400: The input is invalid.
- 404: The authenticator was not found.
- 500: Unexpected server error.
For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.
- Transactions validation endpoint. The transactions validation endpoint has been updated to support FIDO-based transaction data signing requests for the UAF protocol:
POST /users/{[email protected]}/transactions/validate
This endpoint now also accepts data.fido as payload, with the following parameters:
- fidoProtocol
- authenticationResponse
For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
- 5.3.0
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
March 2021
New features and enhancements—supported use cases
Limited number of authenticator instances
To further increase the security, OneSpan Cloud Authentication now limits the number of authenticator instances that are derived from a single license. Since the one-time password (OTP) is validated across all available authenticator instances, reducing the number of authenticator instances also reduces the chances of an attacker using the correct OTP. Once the limit is reached, an administrator can reset the activation count for that license.
The maximum number is now limited to 30 authenticator instances.
Push Notification service
OneSpan Cloud Authentication now supports the latest Apple HTTP/2 certificate and authentication mode and the latest Google HTTP v1 mode.
The Apple Push Notification service HTTP/2 interface has been deployed and replaces the previous binary interface. No changes are needed for existing certificates. For new Apple applications, you need to provide either a PKCS#12 certificate for the certificate mode, or a PKCS#8 certificate for the authentication mode. For the Apple application, you can bundle multiple application identifiers (Apple staging identifier and production identifier). This feature is not accessible in the Sandbox environment.
The Firebase Cloud Messaging HTTP v1 interface has been deployed and provides strong security via short-lived access tokens. The previous modes remain supported.
OneSpan recommends deploying the latest Push Notification server mode for Apple (authentication) and Google (short-lived token) to provide the highest security support.
Device binding
OneSpan Cloud Authentication now supports device binding of software authenticators (single-device licensing). After the activation data has been generated, an authenticator can be bound to a device. Two new endpoints have been added for the implementation of this feature.
Endpoint to call the relevant Authentication component administration command:
POST /authenticators/{serialNumber}/bind
This endpoint accepts derivationCode as payload.
The following failure responses are included:
- 400: The input is invalid.
- 404: The authenticator was not found.
- 409: Failed to bind authenticator to device.
  - Device binding not supported by the authenticator
  - Authenticator already bound
  - Invalid derivation code
- 500: Unexpected server error.
Endpoint to unbind an authenticator from its device:
POST /authenticators/{serialNumber}/unbind
This endpoint does not accept a payload.
The following failure responses are included:
- 400: The input is invalid.
- 404: The authenticator was not found.
- 409: Failed to unbind the authenticator.
  - Device binding not supported by the authenticator
  - Authenticator not bound
- 500: Unexpected server error.
For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.
Deletion of authenticators
OneSpan Cloud Authentication now supports the deletion of authenticators. This applies to the deletion of standard licenses (based on the authenticator serial number) and the deletion of licenses and instances of multi-device licensing authenticators.
A new endpoint has been added to perform the delete operation:
DELETE /authenticators/{serialNumber}
This endpoint does not accept any payload but accepts the serialNumber as path parameter.
The following failure responses are included:
- 400: The input is invalid.
- 404: The authenticator was not found.
- 409: Failed to delete authenticator.
- 500: Unexpected server error.
For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
- 5.2.0
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
January 2021
New features and enhancements—supported use cases
End-user login with Challenge/Response
OneSpan Cloud Authentication now supports end-user login with Challenge/Response applications. The login endpoint has been extended to support Challenge/Response authentication, and a new endpoint has been added to generate the challenge:
POST /users/{[email protected]}/generate-challenge
This endpoint accepts length and checkDigit as payload.
The following failure responses are included:
- 400: The input is invalid.
- 403: You cannot generate a challenge for a tenant admin (=system) account.
- 404: The user account was not found.
- 500: Unexpected server error.
For more information about this feature and integration instructions, see OneSpan Cloud Authentication Integration Guide.
Orchestration SDK—supported versions
OneSpan Cloud Authentication supports the following versions of the Orchestration SDK Client:
- 5.0.2
- 4.24.4
- 4.24.2
- 4.23.0
- 4.21.1
- 4.20.2
- 4.19.3
September 2020
New features and enhancements
Billing
The TID platform offers a billing solution: OneSpan Cloud Authentication billing is offered on request (for monetary and non-monetary events).
Fixes and other changes
Issue TIDDO-3459 (Support Case CS0033892): Android server key push notification blockage outage
The sandbox has been updated to support a new server key through the OneSpan Community Portal.
Issue TIDDO-3016 (Support Case CS0024159): TID error logging is unclear
The error that was returned when a user was locked has been corrected and now provides information on the issue.
Issue TIDDO-2502 (Support Case CS0021547): Staging environment slow
New improvements reduce the duration of the total online registration flow to 25% of the previously measured duration. The flow is consistent between the Register v2 and Register v3 services.
April 2020
New features and enhancements
Mobile Security Suite Orchestration SDK Push Notification support
OneSpan Cloud Authentication now supports Mobile Security Suite Orchestration SDK with Push Notification for the following operations:
- Authentication
- Transaction data signing (TDS)
- Authenticator provisioning of application secrets for online multi-device licensing (MDL)
TID platform API enhancements
The following enhancements have been implemented in the TID platform API:
- Changes to the Register and Unregister API to support Mobile Security Suite Client Orchestration SDK for OneSpan Cloud Authentication.
- The Authentication and Transaction APIs have been modified to support Mobile Security Suite Client Orchestration SDK for OneSpan Cloud Authentication.
OneSpan Mobile Security Suite Orchestration SDK 4.23.0 support
The provided sample code has been updated to support the TID platform API. For more information, refer to the OneSpan Mobile Security Suite Orchestration SDK 4.23.0 Release Notes.
March 2020
New features and enhancements
This is the first public release of OneSpan Cloud Authentication.
Supported use cases
Authentication
- Authenticate user with static password
- Authenticate user with offline one-time password (OTP)
  - Supported hardware authenticators:
    - Digipass with Response-Only support (e.g. DP GO-x)
  - Supported software authenticators:
    - Mobile Authenticator Studio (MAS)
- Authenticate user with Cronto image (Secure Channel-based authentication)
  - Supported hardware authenticators:
    - Digipass with Cronto image support (e.g. DP 7XX)
  - Supported software authenticators:
    - Mobile Authenticator Studio
- Push Notification-based authentication
  - Supported software authenticators:
    - Mobile Authenticator Studio
Transaction data signing (TDS)
- TDS offline
  - Supported hardware authenticators:
    - Digipass with signature support
  - Supported software authenticators:
    - Mobile Authenticator Studio
- TDS offline with Cronto image
  - Supported hardware authenticators:
    - Digipass with Cronto image support (e.g. DP 7XX)
  - Supported software authenticators:
    - Mobile Authenticator Studio
- TDS online with Push Notification
  - Supported software authenticators:
    - Mobile Authenticator Studio
Administration
- User management (supported API-based user management use cases)
  - Create user
  - View user
  - Update user
  - Delete user
  - Reset user password
  - Unlock user
  - Query users
- Authenticator management (supported API-based authenticator management use cases)
  - View authenticator
  - Update authenticator application
  - Generate virtual OTP
  - Reset PIN for authenticator application
  - Test authenticator application
  - Generate activation data for a software authenticator
  - Generate activation message for an authenticator
  - Assign authenticator
  - Unassign authenticator
  - Move authenticator
  - Query authenticators
  - Import users with user import file (new use case supported via OneSpan Authentication Server Administration Web Interface)
- Reporting (new use cases supported via OneSpan Authentication Server Administration Web Interface)
  - Create report
  - Run report
  - View report
  - Delete report
Authenticator provisioning of application secrets
- Offline multi-device licensing (MDL) with Cronto image
  - Supported hardware authenticators:
    - Digipass with Cronto image
  - Supported software authenticators:
    - Mobile Authenticator Studio
Other notable changes
TID
Introduction TID API
A new TID platform API has been introduced that services all supported TID solutions:
- Intelligent Adaptive Authentication
- OneSpan Cloud Authentication
- Risk Analytics
OneSpan Risk Analytics Presentation Service
Performance issue in Latest Events page
In Risk Analytics Presentation Service, the Latest Events page in some cases took several minutes to fetch data when querying a high number of events. The query has been greatly improved to display data very quickly.
Inconsistency of fields between the Latest Events and Event Details screens
An inconsistency of the fields displayed in the Latest Events and Event Details screens has been fixed to display the same values in both screens. This problem mainly concerns the Beneficiary fields.
No audit for the actions in the Event Details screen
All actions performed in the Event Details screen like Fraud dispositions, Launch Action and Memos are now audited.
Risk Analytics Data Collector web service
Risk Analytics Data Collector web service synchronous events management
To prevent timeout issues and improve performance, the Data Collector web service now manages the incoming events synchronously.
OneSpan Risk Analytics Security Vulnerability Fixes
SQL injection
To prevent SQL injection attacks, the Risk Analytics data access layer has been refactored. All internal methods that accepted string-typed input parameters, which were vulnerable to SQL injection, have been rewritten to accept an enumerated type as input parameter instead.
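The refactoring described above, illustrated as an added example in Python with sqlite3 (this is not Risk Analytics code): a lookup that interpolates a caller-supplied column name into the query, beside the same lookup restricted to an enumerated type so that only known column names can reach the SQL text. The table, column names and sample rows are constructed for the example.

```python
import sqlite3
from enum import Enum

# Constructed sample schema standing in for an events table (hypothetical names).
_DB = sqlite3.connect(":memory:")
_DB.executescript("""
CREATE TABLE events (id INTEGER, beneficiary TEXT, amount REAL, risk_score INTEGER);
INSERT INTO events VALUES (1, 'acme', 10.0, 5), (2, 'zeta', 99.0, 90), (3, 'beta', 42.0, 40);
CREATE TABLE secrets (id INTEGER, value TEXT);
INSERT INTO secrets VALUES (1, 'internal-only');
""")


def latest_events_vulnerable(order_by: str, limit: int = 10) -> list:
    """'Before': a free-form string is interpolated into ORDER BY.

    Identifiers cannot be bound as ? parameters, so whatever the caller passes
    becomes part of the SQL text and is parsed as SQL, not as data.
    """
    sql = f"SELECT id, beneficiary, amount FROM events ORDER BY {order_by} LIMIT ?"
    return _DB.execute(sql, (limit,)).fetchall()


class EventColumn(Enum):
    """'After': the only sortable targets are enum members with fixed values."""
    ID = "id"
    BENEFICIARY = "beneficiary"
    AMOUNT = "amount"
    RISK_SCORE = "risk_score"


def parse_sort_column(name: str) -> EventColumn:
    """Boundary check for untrusted API input: unknown names raise ValueError."""
    return EventColumn(name)


def latest_events_hardened(order_by: EventColumn, limit: int = 10) -> list:
    if not isinstance(order_by, EventColumn):
        raise TypeError("order_by must be an EventColumn member, not a string")
    # The interpolated text is an enum constant, never caller-controlled.
    sql = f"SELECT id, beneficiary, amount FROM events ORDER BY {order_by.value} LIMIT ?"
    return _DB.execute(sql, (limit,)).fetchall()


if __name__ == "__main__":
    # The vulnerable path accepts any SQL fragment, including one that reads another table.
    print(latest_events_vulnerable("amount DESC, (SELECT count(*) FROM secrets)"))
    print(latest_events_hardened(parse_sort_column("amount")))
```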
Cross-site scripting (XSS)
Sanitization of user input and output data has been implemented to ensure protection against cross-site scripting (XSS).
OneSpan Authentication Server
Responsive OneSpan Authentication Server Web Administration Service interface
The OneSpan Authentication Server Web Administration Service interface now responds faster and adapts its layout to the client that is used.
Improved look and feel (Web Administration Service)
The style sheets used by Web Administration Service have been reworked to provide a smoother user experience, use fewer resources, and support responsive design. Furthermore, the look and feel of Web Administration Service has been adapted to match the new OneSpan branding.
Software Digipass commands extended
The following software Digipass commands have been extended to return the user ID and the domain of the user that is associated with the activation, as well as the serial number of the activated Digipass:
- PROVISIONCMD_ACTIVATE
- PROVISIONCMD_DSAPPACTIVATE
- PROVISIONCMD_MDL_ACTIVATE
- dsappSRPActivate
In addition, the organizational unit attribute is returned for the PROVISIONCMD_ACTIVATE command.
List of supported characters for Web Administration Service, Tcl Command-Line Administration tool, and CSV import files
Web Administration Service, Tcl Command-Line Administration tool, and .csv import files have been updated to support the following special characters:
- (') (&) (#) for the User ID field
- (') (,) (&) (#) for the User Name field
Load balancing of reports and improved report handling
To optimize CPU and memory usage, multiple report tasks are now processed in serial order, with each OneSpan Authentication Server instance allowed to run one report task at a time. By default, multiple report tasks are distributed across all server instances and are thus automatically load balanced.
In a multi-server environment with a dedicated reporting server, this implies that if you want to run (scheduled) reports solely on the reporting server, you now need to disable the Reporting Scenario in the OneSpan Authentication Server Configuration Utility for all other OneSpan Authentication Server instances. In this case, the reporting server will be the only instance for report handling, and it will process and run one report task at a time. If the Reporting Scenario remains enabled on the other OneSpan Authentication Server instances, the load balancing applies and reports are run on any server instance.
Administration in environments with multiple OneSpan Authentication Server instances
OneSpan Authentication Server and its handling of administrative tasks have been enhanced to better facilitate the following administrative operations in deployments with multiple OneSpan Authentication Server instances:
- User import
- Digipass import
- Reporting tasks
Fixes and other changes
TID
New TID platform API
A new TID platform API has been introduced that services all supported TID solutions:
- Intelligent Adaptive Authentication
- OneSpan Cloud Authentication
- Risk Analytics
Faster Administration Web Interface
The OneSpan Authentication Server Administration Web Interface now responds faster and adapts its layout to the client that is used.
OneSpan Authentication Server
Issue OAS-1923: Number of audit messages and audit log size reduced (Upgrade and migration)
Description: During upgrade and data migration, OneSpan Authentication Server writes several audit messages and log entries. Audit message I-013003 for success audits an internal operation and adds no value to the audit log.
Affects: OneSpan Authentication Server 3.10–3.18
Status: This audit message has been removed.
Issue OAS-1553 (Support Case CS0009141): Number of audit messages and audit log size reduced (Upgrade and migration)
Description: During upgrade and data migration, OneSpan Authentication Server writes several audit messages and log entries. Audit message I-013003 for success audits an internal operation and adds no value to the audit log.
Affects: OneSpan Authentication Server 3.10–3.18
Status: This audit message has been removed.
Issue OAS-1413 (Support Case CS0011373): Online authentication no longer possible with primary Virtual Mobile Authenticator and backup offline authentication data (Authentication)
Description: When using Digipass Authentication for Windows Logon along with a software or hardware Digipass authenticator and a Primary Virtual Mobile Authenticator, and if backup offline authentication data is available, online authentication using Primary Virtual Mobile Authenticator is no longer possible. In this case, Primary Virtual Mobile Authenticator can be used for backup offline authentication only.
Affects: OneSpan Authentication Server 3.14–3.18
Status: This issue has been fixed.
OAS-1230 (Support Case CS0010697): Multiple report tasks running in parallel lead to server issues (Reporting)
Description: Multiple report tasks that are running in parallel on one OneSpan Authentication Server instance cause the server to stop working properly. The report tasks fail or are rescheduled, and active Administration Web Interface sessions are interrupted.
Affects: OneSpan Authentication Server 3.6–3.18
Status: This issue has been fixed. Report tasks are now processed in serial order, with each OneSpan Authentication Server instance allowed to run one report task at a time.
Issue OAS-1123 (Support Case CS0010282): Incorrect information about filtering the task list (Documentation)
Description: The Task Management page of the Administration Web Interface Help contains incorrect instructions to filter the task list.
Affects: OneSpan Authentication Server 3.6–3.18
Status: This issue has been fixed. Because the task list cannot be filtered, related information has been removed from the Administration Web Interface Help.
Issue OAS-1116: Incorrect formatting of HTML reports (Web Administration Service)
Description: When you scroll down in long HTML reports, the report footer moves with the report text to the top, and reveals a dark blue background, which makes the report data harder to read on-screen.
Affects: Web Administration Service 3.18 on Google Chrome
Status: This issue has been fixed.
Issue OAS-344 (Support Case PS-203899): Persistence cache deadlock
Description: When a high volume of administrative logon transactions is performed in OneSpan Authentication Server, a deadlock can occur at the database level.
Affects: OneSpan Authentication Server 3.17–3.18
Status: This issue has been fixed.
Issues OAS-224, OAS-236, OAS-1408 (Support Cases PS-147052, PS-161360, CS0010760): Restriction of special characters for user name and user ID fields inconsistent (Web Administration Service)
Description: Users whose user name or user ID contains special characters can be created in the Tcl Command-Line Administration tool or imported via a .csv import file. When you attempt to edit this data in the User tab of the Web Administration Service, an error is shown stating that the User Name/User ID fields contain unsupported characters.
Affects: OneSpan Authentication Server 3.6–3.18
Status: This issue has been fixed. The user creation process has been unified so that Web Administration Service, the Tcl Command-Line Administration tool, and .csv import files all exclude the following characters:
- for the User Name field: /\:;|"<>[]@=+*?
- for the User ID field: /:;,|"<>[]=+*?
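The unified character restriction above, as an added example (not OneSpan code): a validator for the two fields using the excluded sets from this note, plus a pre-check over a constructed two-column .csv import file so that rows the server would reject are found before import. The column names userid and username in the sample file are an assumption, not the product's import format.

```python
import csv
import io

# Excluded characters per the unified user creation rules (from this release note).
USER_NAME_EXCLUDED = frozenset('/\\:;|"<>[]@=+*?')
USER_ID_EXCLUDED = frozenset('/:;,|"<>[]=+*?')


def invalid_chars(value: str, excluded: frozenset) -> str:
    """Excluded characters present in value, in order of first appearance."""
    found = []
    for ch in value:
        if ch in excluded and ch not in found:
            found.append(ch)
    return "".join(found)


def validate_user(user_id: str, user_name: str) -> list:
    """Return a list of problems; an empty list means both fields are acceptable.

    Note that ' & # are allowed in both fields and ',' is allowed in the
    user name but not in the user ID, matching the note's supported characters.
    """
    problems = []
    bad = invalid_chars(user_id, USER_ID_EXCLUDED)
    if bad:
        problems.append(f"user ID contains unsupported characters: {bad}")
    bad = invalid_chars(user_name, USER_NAME_EXCLUDED)
    if bad:
        problems.append(f"user name contains unsupported characters: {bad}")
    return problems


def check_import_file(csv_text: str) -> dict:
    """Map each offending user ID to its problems; quoted fields keep commas in names."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = validate_user(row["userid"], row["username"])
        if problems:
            report[row["userid"]] = problems
    return report


# Constructed sample import file (hypothetical header); the last two rows are invalid.
SAMPLE_IMPORT = (
    "userid,username\n"
    "john.o'brien&co#1,\"O'Brien, John & Co #1\"\n"
    "bad[id],Plain Name\n"
    "ok.id,bad@name\n"
)
```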
Issue 220 (Support Cases PS-174286, CS0007918): Expiry date higher than 2038 incorrectly stored (Web Administration Service)
Description: When the Expires At date for a user is set to 2038 or higher, it is incorrectly stored after saving.
Affects: Versions up to OneSpan Authentication Server 3.18
Status: This issue has been fixed.
Known issues
OneSpan Risk Analytics Presentation Service
Decision rule configuration
When a decision division is toggled to ON, Risk Analytics Presentation Service displays an inconsequential error that can safely be ignored.