Integration of User Login and Event Validation with one-time password (OTP)

Intelligent Adaptive Authentication enables users to log in to your web application and to validate events by generating a one-time password (OTP). An authenticator (hardware or software) that supports Response-Only OTP generation is provisioned for the user.

During the allocation of the authenticator, hardware authenticators can be defined to use either Response-Only or time-based OTPs, and this can be modified on an as-needed basis. ChallengeDevice2FA (value 5) depends on the rules of the Risk Management component. (The Risk Management component is a versatile, reliable, and scalable fraud management system used for monitoring online banking applications and payment processing across multiple channels; it helps to detect money laundering (AML) and online banking fraud, and to comply with regulations. Rules define sets of criteria used to check whether an event, either a transaction or a non-monetary event, matches fraudulent behavior; if an event matches a previously defined rule, an alert can be raised.)

Response-Only-based adaptive authentication can use either the synchronous or the asynchronous login mode. Event validation refers to the POST /users/{userID@domain}/events/validate endpoint; the request must specify the event type LoginAttempt.

Synchronous login mode Response-Only OTP

Login flow - synchronous mode Response-Only OTP

The login sequence checks the browsing context and analyzes the risk of the user login operation. Depending on the rules set in the Risk Management component, the Login service challenges the user. If the user signs the authentication request with the Intelligent Adaptive Authentication Response-Only (RO) OTP requested by the challenge (ChallengeDevice2FA), the second login request is accepted.

Sequence of a login operation in synchronous login mode with Response-Only OTP

Before starting the operation, ensure the correct state of the user account by validating the output of the GET /users/{userID@domain} endpoint.

  1. The user initiates the adaptive authentication login operation, which triggers the client application to send a login and event validation request. This request includes the following parameters:

    • authenticator user
    • authenticator domain
    • Response-Only OTP
    • CDDC data
    • session identifier

    The user's credentials (static password) must not be included in the request input!

  2. The web service triggers a Risk Management component event request for the login and event validation.
  3. The Risk Management component responds with a Response-Only OTP challenge (ChallengeDevice2FA).

    1. The web service returns the Response-Only OTP challenge (ChallengeDevice2FA) to the client application.
    2. The client application collects the Response-Only OTP.
  4. The client application sends a second login request to the application server (the OTP is provided by the authenticator owned by the user).
  5. The client application sends the Response-Only OTP to the web service.
  6. The web service validates the Response-Only OTP.

    1. Intelligent Adaptive Authentication returns the validation result of the OTP.
    2. The Login service forwards the validation result to the web service.
    3. The web service returns an HTTP 200 status code to the client application, indicating that authentication was successful.
  7. The client application checks the status of the login request with the web service.
  8. The web service returns to the client application that the authentication has been successful.

Asynchronous login mode Response-Only OTP

Login flow - asynchronous mode Response-Only OTP

The login sequence checks the browsing context and analyzes the risk of the user login operation. Depending on the rules set in the Risk Management component, the Login service challenges the user by returning the challenge value in the riskResponseCode field; the value 5 (ChallengeDevice2FA) requests a Response-Only OTP. If the user signs the authentication request with a Response-Only OTP, the second login request is accepted.

Sequence of a login operation in asynchronous login mode with Response-Only OTP

Before starting the operation, ensure the correct state of the user account by validating the output of the GET /users/{userID@domain} endpoint.

  1. The user initiates the adaptive authentication login, which triggers the client application to send a login and event validation request. This request includes the following parameters:

    • authenticator user
    • authenticator domain
    • CDDC data
    • session identifier

    The user's credentials (static password) must not be included in the request input.
  2. The Login service triggers a Risk Management component event request for the login.
  3. The Risk Management component responds with a Response-Only OTP challenge (value 5).

    1. The Login service returns an HTTP 200 status code with the riskResponseCode field set to the two-factor challenge value (ChallengeDevice2FA).
    2. The client application sends a check-session request (concurrently with the HTTP response in the previous step). For more information, see GET /sessions/{requestID}.
    3. The web service returns an HTTP 200 status code to the client application.
  4. The client application collects the OTP (using the hardware or software authenticator).
  5. The client application sends a new login request to the Login service. This request includes the following parameters:

    • authenticator user
    • authenticator domain
    • CDDC data
    • same session identifier
    • request identifier
    • OTP
  6. The web service validates the OTP.

    1. Intelligent Adaptive Authentication validates the OTP.
    2. The Login service returns an HTTP 200 OK status code to the web service.
    3. The web service returns an HTTP 200 status code to the client application, indicating that authentication was successful.
  7. The client application sends a check-session request, and the asynchronous session is closed successfully. For more information, see GET /sessions/{requestID}.

    1. The session status is returned to the web service.

OneSpan Intelligent Adaptive Authentication follows these steps for the asynchronous login mode:

  • The Intelligent Adaptive Authentication Login service is called with the timeout set to 0. The login and event validation process is started, the user is challenged (the same process step as in the synchronous login mode), and the current state of the session is returned immediately. In the Static Password use case, the check session state always returns Accepted.
  • The Check Session Status service returns the current session and notification states of the login request immediately, without waiting for the notification process to complete.
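The following is an added, hypothetical model of the asynchronous exchange described above, written for illustration; it is not OneSpan's code or API. Only the riskResponseCode field and the challenge value 5 (ChallengeDevice2FA) come from this page; the request field names (user, domain, cddc, sessionID, requestID, otp, timeout), the ACCEPT code, the status names, the device-trust rule and the sample OTP are assumptions. It shows why the second login must reuse the same session identifier together with the returned request identifier, why a used or failed request identifier cannot be replayed, and why static credentials are rejected.

```python
import hmac
import secrets

CHALLENGE_DEVICE_2FA = 5  # riskResponseCode value requesting a Response-Only OTP (from the page)
ACCEPT = 0                # hypothetical "no challenge" code; not taken from the page


class MockAdaptiveAuth:
    """Hypothetical model of the asynchronous Login / Check Session exchange (not OneSpan's code)."""

    def __init__(self, provisioned_otps, known_devices):
        self.provisioned_otps = provisioned_otps  # "user@domain" -> OTP the user's authenticator produces
        self.known_devices = known_devices        # "user@domain" -> CDDC fingerprints the rules trust
        self.sessions = {}                        # requestID -> {"user", "sessionID", "status"}

    def login(self, req):
        """Login service called with timeout=0: returns the session state immediately."""
        if "password" in req:
            raise ValueError("static credentials must not be included in the login request")
        user = f"{req['user']}@{req['domain']}"
        if "requestID" not in req:
            # First request: the (mock) Risk Management rule challenges unknown devices only.
            if req["cddc"] in self.known_devices.get(user, set()):
                return {"riskResponseCode": ACCEPT, "sessionStatus": "Accepted"}
            request_id = secrets.token_hex(8)
            self.sessions[request_id] = {"user": user, "sessionID": req["sessionID"],
                                         "status": "Challenged"}
            return {"riskResponseCode": CHALLENGE_DEVICE_2FA, "requestID": request_id,
                    "sessionStatus": "Challenged"}
        # Second request: must carry the same session identifier plus the returned request
        # identifier, and the challenge must still be open (no replay of a used/failed requestID).
        session = self.sessions.get(req["requestID"])
        if (session is None or session["user"] != user
                or session["sessionID"] != req["sessionID"] or session["status"] != "Challenged"):
            return {"riskResponseCode": CHALLENGE_DEVICE_2FA, "sessionStatus": "Refused"}
        # Constant-time comparison of the submitted OTP with the provisioned authenticator's value.
        if hmac.compare_digest(req["otp"], self.provisioned_otps[user]):
            session["status"] = "Accepted"
            return {"riskResponseCode": ACCEPT, "sessionStatus": "Accepted"}
        session["status"] = "Refused"  # a failed OTP closes this request; a new login is required
        return {"riskResponseCode": CHALLENGE_DEVICE_2FA, "sessionStatus": "Refused"}

    def check_session(self, request_id):
        """GET /sessions/{requestID}: current state, without waiting for anything to complete."""
        session = self.sessions.get(request_id)
        return session["status"] if session else "Unknown"
```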

Next Steps

The next step for a full integration of an adaptive authentication solution is to integrate the Orchestration SDK into your mobile application.