Integration of user login with Secure Channel

Secure ChannelClosed The Secure Channel feature encrypts the communication between device and server. It uses payload keys to protect the confidentiality and authenticity of the message's payload.-based authentication is a type of authentication which supports the secure exchange of authentication data. It is used in combination with CrontoClosed Specific colorful cryptogram, similar to a QR code that is used for visual transaction signing. images or QR codes to exchange the Secure Channel messages. This type of authentication requires the use of authenticator licenses that are activated in the multi-device licensing (MDL)Closed OneSpan licensing model with a one-to-one relationship between a user account and an authenticator serial number license. With this licensing model, a user account can be optionally bound to several authenticator instances. Multi-Device Activation, which is an activation process in two steps, guarantess that only the intended user can perform the device activation. mode.

Sequence of a login operation with Secure Channel

Before starting the operation, ensure the correct state of the user account by validating the output of the GET /users/{userID@domain} endpoint.

  1. The user initiates the adaptive authentication operation and triggers the client application to send a login request to the OneSpan Trusted Identity platform API by calling the https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userID@domain}/login endpoint.
    The default timeout value for Secure Channel-based authentication is set to 180 seconds. Contact OneSpan if you need to change this timeout configuration.
  2. The web service triggers a Risk Management component-event request for the login.
  3. The Risk Management component responds with a Cronto challenge (value = 11).
  4. The web service triggers a secure challenge to the Authentication component to generate a secure message.
  5. The web service returns the Risk Management component challenge together with the secure message to the client application.
  6. The client application uses the Visual Codes service to generate the Cronto image.
  7. The user captures the Cronto image with their authenticator which generates an OTP.
  8. The OTP is inserted in a new login request that is forwarded to the OneSpan Trusted Identity platform API for validation.
  9. Intelligent Adaptive Authentication returns the validation result of the OTP.

To Integrate user login with Secure Channel

  1. Issue a login request with the https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userid@domain}/login endpoint:
    • Method: POST
  2. Issue a generate Cronto image request with the https://{tenant}.{environment}.tid.onespan.cloud/v1/visualcodes/render endpoint:
    • Method: POST
  3. Issue a login request with the https://{tenant}.{environment}.tid.onespan.cloud/v1/users/{userid@domain}/login endpoint:
    • Method: POST
    • Payload:
      • objectType: “AdaptiveLoginInput”
      • credentials.authenticator.OTP
      • requestID

        Request ID from the first login request.

Use the Visual Codes service to generate Cronto images or QR codes

With Intelligent Adaptive Authentication you can integrate the Visual Codes service in your client applications. With this, the application can generate and embed a clear text- or encoded message into a Cronto image or a QR code. The visualcodes interface allows clients to render a visual code and get raw access to the image URL if the following parameters have been specified:

  • Message. A hexadecimal encoded message that is to be embedded in the image.
  • Format. The output format of the returned image (Cronto image or QR code).
  • Image size. The image size of the returned image.

Use Cronto authenticator to generate Cronto images or QR codes

With Intelligent Adaptive Authentication you can implement the functionality to support the use of a Cronto authenticator for user authentication and transaction signature validation. The Cronto authenticator scans a Cronto image or QR code and generates a signature for authentication purposes. Intelligent Adaptive Authentication supports the following use cases:

  • User registration and Cronto authenticator activation. If a valid authenticator license is available, a user can register a Cronto authenticator through the User Registration service and activate the authenticator.
  • Login. If the user has successfully registered and activated a Cronto authenticator associated to them, the user can log in. They will get challenged by Intelligent Adaptive Authentication (ChallengeSCTransaction code 11) to obtain the signature code generated by their Cronto authenticator.
  • Signature validation. If the user has successfully registered and activated a Cronto authenticator associated to them, the user can perform a transaction validation and get challenged by Intelligent Adaptive Authentication (ChallengeSCTransaction code 11) to obtain the signature code generated by their Cronto authenticator.