FIDO-based transaction data signing

FIDO-based transaction data signing (TDS) is a transaction validation method emphasized by protocols that reduce the reliance on passwords.

OneSpan Cloud Authentication supports the FIDO UAF protocol for transaction data signing.

Prerequisites for transaction data signing with a FIDO-based authenticator

The following prerequisites have to be met before you can start the transaction data signing process:

  • The user must exist in OneSpan Cloud Authentication.
  • The user must have a registered FIDO authenticator for their account.

FIDO-based transaction data signing flow

Sequence of a FIDO-based transaction data signing operation

  1. The app starts the transaction signing process. This triggers the web server to initiate the authentication to the OneSpan Trusted Identity platform API.

    The web server adds a transaction validation message, which is transferred to the OneSpan Trusted Identity platform API during the authentication initialization.

  2. The OneSpan Trusted Identity platform API initializes the authentication with the FIDO Server.
  3. The FIDO Server proceeds to generate an authentication request that is sent to the OneSpan Trusted Identity platform API. The FIDO Server generates an authentication request with an embedded transaction validation message.
  4. The OneSpan Trusted Identity platform API receives the authentication request and sends it to the web server.
  5. The web server forwards the request to the app.

  6. The app communicates with the FIDO authenticator to generate an authentication response.

    If a FIDO UAF authenticator is used with a built-in display, it will show the transaction validation message on this screen when asking the user for confirmation.

  7. The app forwards the authentication response along with the transaction data to the web server, which forwards this data to the OneSpan Trusted Identity platform API.
  8. The OneSpan Trusted Identity platform API finalizes the transaction data signing with the FIDO Server.
  9. The FIDO Server generates a verification response that is sent to the OneSpan Trusted Identity platform API.
  10. The OneSpan Trusted Identity platform API receives the verification response and sends it to the web server.
  11. To conclude the transaction data signing process, the web server sends this verification response to the app.