Integration of transaction data signing with FIDO-based transaction validation
Intelligent Adaptive Authentication supports the FIDO UAF protocol for adaptive transaction data signing secured with FIDO-based transaction validation.
Prerequisites for securing adaptive transaction data signing with FIDO-based transaction validation
To ensure successful transaction data signing with FIDO-based transaction validation, the following prerequisites must be met:
- The user exists in OneSpan Cloud Authentication.
- The user has a registered FIDO authenticator for their account.
FIDO authenticator registration is handled in OneSpan Cloud Authentication. For more information about authenticator registration, see Register a FIDO-based authenticator.
- The rules that generate the ChallengeFIDO response code have been configured in OneSpan Risk Analytics (see Configuration of risk analysis rules to generate the ChallengeFIDO response code). Rules define sets of criteria used to check whether an event (a transaction or a non-monetary event) matches known fraudulent behavior; if an event matches a previously defined rule, an alert can be raised.
The transaction data signing flow will vary depending on the result of the risk evaluation performed by the Risk Management component. This component performs a real-time analysis of vast amounts of user, device, and historical data to calculate the risk involved. The result is returned as a risk response code (riskResponseCode).
- If the transaction validation request is regarded as risky, the Risk Management component will challenge the user with an additional transaction validation step. In case of transaction data signing with FIDO-based transaction validation, the Risk Management component will return a riskResponseCode of 14 (ChallengeFIDO). For more information regarding this scenario, see Adaptive transaction data signing secured with FIDO-based transaction validation.
- If the Risk Management component accepts the transaction validation request without an additional challenge, it will return a riskResponseCode of 0. In this scenario, no additional validation steps are required. For more information, see Adaptive transaction data signing - low risk validation request.
Adaptive transaction data signing secured with FIDO-based transaction validation
If the transaction validation request is regarded as risky, the Risk Management component will challenge the user with an additional transaction signing validation step. In case of adaptive transaction data signing with FIDO-based authentication, the Risk Management component will return a riskResponseCode of 14 (ChallengeFIDO). After the transaction has been validated using a FIDO-based authenticator, the Risk Management component will re-evaluate the request and accept or decline the transaction.
Adaptive transaction data signing secured with FIDO-based transaction validation - overview
Sequence of an adaptive transaction data signing operation secured with FIDO-based transaction validation
- The user starts the transaction data signing operation. The app collects CDDC data and sends the validation request with the CDDC data and the FIDO transaction data to the web server. The web server forwards the request to the OneSpan Trusted Identity platform API by calling https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userID@domain}/transactions/validate.
- The OneSpan Trusted Identity platform API forwards the request to the Risk Management component, which returns a riskResponseCode of 14 (ChallengeFIDO).
- The OneSpan Trusted Identity platform API initializes the transaction validation by sending a request to the FIDO Server.
- The FIDO Server generates a transaction signing request that is sent to the OneSpan Trusted Identity platform API.
- The OneSpan Trusted Identity platform API forwards the transaction signing request to the web server.
- The web server forwards the transaction validation request to the app.
- The app communicates with the FIDO authenticator to generate a transaction validation response.
If a FIDO UAF authenticator is used with a built-in display, it will show the transaction validation message on this screen when asking the user for confirmation.
- The app collects CDDC data and sends it with the FIDO transaction validation response to the web server, which forwards the request to the OneSpan Trusted Identity platform API by calling https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userID@domain}/transactions/validate.
- The OneSpan Trusted Identity platform API finalizes the transaction validation with the FIDO Server.
- The FIDO Server verifies the transaction validation response and returns a success response.
- The OneSpan Trusted Identity platform API sends all the gathered data with the result of the transaction validation response to the Risk Management component. This component assesses all factors involved and sends the response back to the OneSpan Trusted Identity platform API.
- The OneSpan Trusted Identity platform API receives the success response and sends it to the web server.
- The web server finalizes the transaction signing operation by sending this response to the app.
To integrate adaptive transaction data signing secured with FIDO-based transaction validation
- Issue a transaction validation request with https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userID@domain}/transactions/validate.
  - Method: POST
  - Payload:
    - objectType: "AdaptiveTransactionValidationInput"
    - accountRef
    - amount
    - cddc
    - currency
    - relationshipRef
    - transactionType
    - data
    - fidoTransactionMessage
      - fidoProtocol: UAF11
      - authenticationMessage: contains the transaction data that are displayed to the user when signing.
    - sessionID
  - Response body:
    - riskResponseCode: 14 (ChallengeFIDO)
    - requestID
    - sessionStatus: pending
    - fidoAuthenticationRequest
- After confirming the transaction data with the FIDO authenticator, issue a second transaction validation request with https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userID@domain}/transactions/validate.
  - Method: POST
  - Payload:
    - objectType: "AdaptiveTransactionValidationInput"
    - accountRef
    - amount
    - cddc
    - currency
    - relationshipRef
    - transactionType
    - data
    - fido
      - authenticationResponse
      - requestID
    - sessionID
  - Response body:
    - riskResponseCode: 0
    - sessionStatus: accepted
    - uafStatusCode
For a full list of UAF status codes, refer to the FIDO Alliance documentation.
Adaptive transaction data signing - low risk validation request
If the transaction signing validation request is regarded as low risk, the Risk Management component will accept the request and return a riskResponseCode of 0 (accepted). In this case, no additional authentication steps are required.
Adaptive transaction data signing - overview
Sequence of an adaptive transaction data signing operation
- The user starts the transaction data signing operation. The app collects CDDC data and sends the validation request with the CDDC data and the FIDO transaction data to the web server. The web server forwards the request to the OneSpan Trusted Identity platform API by calling https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userID@domain}/transactions/validate.
- The OneSpan Trusted Identity platform API sends a transaction validation request to the Risk Management component. This component accepts the transaction validation request.
- The OneSpan Trusted Identity platform API receives the accepted transaction validation request and sends it to the web server.
- The web server forwards the accepted transaction validation request to the app.
To integrate adaptive transaction data signing
- Issue a transaction validation request with https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userID@domain}/transactions/validate.
  - Method: POST
  - Payload:
    - objectType: "AdaptiveTransactionValidationInput"
    - accountRef
    - amount
    - cddc
    - currency
    - relationshipRef
    - transactionType
    - data
    - fidoTransactionMessage
      - fidoProtocol: UAF11
      - authenticationMessage: contains the transaction data that are displayed to the user when signing.
    - sessionID
  - Response body:
    - riskResponseCode: 0
    - sessionStatus: accepted
    - uafStatusCode
For a full list of UAF status codes, refer to the FIDO Alliance documentation.
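The integration steps above (the two-step flow that handles riskResponseCode 14 and the single-call low-risk flow that ends at riskResponseCode 0), as an added example written for this page; it is not OneSpan's code and not part of the original documentation. It assumes an injected HTTP transport so it runs offline against a constructed stand-in for the validate endpoint (FakeTidApi, with a made-up rule that an amount of 1000 or more triggers ChallengeFIDO), a constructed HMAC stand-in for the UAF signed assertion (uaf_assertion, DEVICE_KEY), the fidoAuthenticationRequest fields challenge and transactionText, and a constructed riskResponseCode of -1 with sessionStatus declined for rejections; the page itself documents only codes 0 and 14 and statuses pending and accepted. Placeholder tenant, environment, user and transaction values are constructed.

```python
import hashlib
import hmac
from typing import Any, Callable, Dict

Json = Dict[str, Any]
CHALLENGE_FIDO = 14   # riskResponseCode ChallengeFIDO (from the page)
ACCEPTED = 0          # riskResponseCode accepted (from the page)
UAF_OK = 1200         # FIDO UAF status code "OK"
DECLINED = -1         # constructed: the page documents only codes 0 and 14

def validate_url(tenant: str, environment: str, user_id: str) -> str:
    """Endpoint from the page; tenant, environment and user values are placeholders."""
    return f"https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{user_id}/transactions/validate"

def build_first_request(tx: Json, cddc: Json, session_id: str, message: str) -> Json:
    """Step 1 payload: transaction fields plus the text the user will be asked to sign."""
    return {"objectType": "AdaptiveTransactionValidationInput", **tx, "cddc": cddc,
            "fidoTransactionMessage": {"fidoProtocol": "UAF11", "authenticationMessage": message},
            "sessionID": session_id}

def build_second_request(tx: Json, cddc: Json, session_id: str, request_id: str, response: str) -> Json:
    """Step 2 payload: same transaction plus the authenticator response, bound to the step-1 requestID."""
    return {"objectType": "AdaptiveTransactionValidationInput", **tx, "cddc": cddc,
            "fido": {"authenticationResponse": response, "requestID": request_id}, "sessionID": session_id}

def sign_transaction(post: Callable[[str, Json], Json], authenticator: Callable[[Json], str],
                     url: str, tx: Json, cddc: Json, session_id: str, message: str) -> Json:
    """One call when the risk engine accepts (code 0), two when it answers ChallengeFIDO (14)."""
    first = post(url, build_first_request(tx, cddc, session_id, message))
    code = first.get("riskResponseCode")
    if code == ACCEPTED:
        return {"outcome": "accepted", "steps": 1, "uafStatusCode": first.get("uafStatusCode")}
    if code != CHALLENGE_FIDO:
        return {"outcome": "declined", "steps": 1, "riskResponseCode": code}
    # The app hands fidoAuthenticationRequest to the authenticator (which shows the text and signs it).
    response = authenticator(first["fidoAuthenticationRequest"])
    second = post(url, build_second_request(tx, cddc, session_id, first["requestID"], response))
    if second.get("riskResponseCode") == ACCEPTED and second.get("sessionStatus") == "accepted":
        return {"outcome": "accepted", "steps": 2, "uafStatusCode": second.get("uafStatusCode")}
    return {"outcome": "declined", "steps": 2, "riskResponseCode": second.get("riskResponseCode")}

DEVICE_KEY = b"constructed-device-key"   # constructed stand-in for the authenticator's registered key

def uaf_assertion(challenge: str, shown_text: str) -> str:
    """Stand-in for the UAF signed assertion: binds the challenge to the exact displayed text."""
    return hmac.new(DEVICE_KEY, f"{challenge}|{shown_text}".encode(), hashlib.sha256).hexdigest()

def honest_authenticator(fido_request: Json) -> str:
    return uaf_assertion(fido_request["challenge"], fido_request["transactionText"])

class FakeTidApi:
    """Constructed stand-in for the endpoint, risk engine and FIDO Server; its one made-up
    risk rule is that an amount at or above the threshold returns ChallengeFIDO."""
    def __init__(self, threshold: float = 1000.0):
        self.threshold, self.counter = threshold, 0
        self.pending: Dict[str, tuple] = {}   # requestID -> (sessionID, message, challenge)

    def post(self, url: str, body: Json) -> Json:
        assert url.endswith("/transactions/validate") and body["objectType"] == "AdaptiveTransactionValidationInput"
        if "fidoTransactionMessage" not in body:
            return self._finalize(body)
        msg = body["fidoTransactionMessage"]
        if msg["fidoProtocol"] != "UAF11":
            return {"riskResponseCode": DECLINED, "sessionStatus": "declined"}
        if float(body["amount"]) < self.threshold:
            return {"riskResponseCode": ACCEPTED, "sessionStatus": "accepted", "uafStatusCode": UAF_OK}
        self.counter += 1
        request_id, challenge = f"req-{self.counter}", f"chal-{self.counter}"
        self.pending[request_id] = (body["sessionID"], msg["authenticationMessage"], challenge)
        return {"riskResponseCode": CHALLENGE_FIDO, "requestID": request_id, "sessionStatus": "pending",
                "fidoAuthenticationRequest": {"challenge": challenge,
                                              "transactionText": msg["authenticationMessage"]}}

    def _finalize(self, body: Json) -> Json:
        fido = body["fido"]
        entry = self.pending.pop(fido["requestID"], None)   # single use: a requestID cannot be replayed
        if entry is None:
            return {"riskResponseCode": DECLINED, "sessionStatus": "declined"}
        session_id, message, challenge = entry
        expected = uaf_assertion(challenge, message)       # verify against the text the server issued
        if body["sessionID"] != session_id or not hmac.compare_digest(fido["authenticationResponse"], expected):
            return {"riskResponseCode": DECLINED, "sessionStatus": "declined"}
        return {"riskResponseCode": ACCEPTED, "sessionStatus": "accepted", "uafStatusCode": UAF_OK}

def run_scenarios() -> Dict[str, Json]:
    """Low-risk, challenged, and a client that signs text other than what the server issued."""
    api, cddc = FakeTidApi(), {"browser": "constructed-ua"}   # constructed CDDC sample
    url = validate_url("mytenant", "sandbox", "alice@mybank")
    def tx(amount: str) -> Json:
        return {"accountRef": "ACC-001", "amount": amount, "currency": "EUR",
                "relationshipRef": "alice", "transactionType": "transfer", "data": {}}
    msg = "Transfer EUR 2500.00 to BE00 0000 0000 0000"
    def altered(req: Json) -> str:   # signs a different amount than the one issued in step 1
        return uaf_assertion(req["challenge"], "Transfer EUR 25.00 to BE00 0000 0000 0000")
    return {"low_risk": sign_transaction(api.post, honest_authenticator, url, tx("50.00"), cddc, "s-1", "Transfer EUR 50.00"),
            "challenged": sign_transaction(api.post, honest_authenticator, url, tx("2500.00"), cddc, "s-2", msg),
            "mismatched": sign_transaction(api.post, altered, url, tx("2500.00"), cddc, "s-3", msg)}
```

The part of the stand-in worth carrying into a real integration is the check in `_finalize`: the authenticator response is verified against the transaction text the server issued in step 1 and against a single-use requestID tied to the same sessionID, so a response signed over different text, or a replayed one, ends the session as declined rather than accepted. `run_scenarios()` returns the three outcomes (one-step accept, two-step accept, and the declined mismatch) for inspection.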