Push and login

Push and login consists of an out-of-band authentication initiated on a website and validated with a mobile application. The authentication request is transmitted via a push notification. The user must initiate the push and login process by using the website of an application server communicating with OneSpan Authentication Server. A push notification will be sent to the mobile application, which must implement the following steps:

  1. Retrieve the login details related to the authentication session from DIGIPASS Gateway.
  2. Display the login details to the user for approval.
  3. If the user approves the login request:

    a. Authenticate the user with a given authentication method (e.g. PIN or fingerprint recognition).
    b. Sign the login request and transmit the generated signature to DIGIPASS Gateway.
  4. If the user rejects the login request:

    • Transmit the cancellation request to DIGIPASS Gateway.
  5. Display a status message in the mobile application.

The application server can now display the result of the authentication request to the user on the website.

Push and login workflow (Overview)

Push and login workflow (Overview) provides a high-level overview of the integration of OneSpan Mobile Security Suite in the mobile application, and does not show all required calls to the OneSpan SDKs.

For more information, refer to the OneSpan Mobile Security Suite documentation.

Push notification message content

The content of the push notification is contained in a Secure Channel message, which must be decrypted using the Digipass SDK. Once decrypted, the content of the push notification is encoded as a plain text string with each parameter separated by a semicolon (see Push notification content parameters).

Push notification content parameters
Parameter Description
Version

Version of the encoding protocol.

Length: 2 digits

Possible values:

  • 01. Current encoding.
Message type

The type of message contained in the encoded string.

Length: 2 digits

Possible values:

  • 03. Content is a challenge key for an authentication request.
Challenge key

The unique identifier used by OneSpan Authentication Server to identify a login request. It will be used during the entire login request process.

Length: 10 hexadecimal characters.

Example: "01;03;0123456789"

Login request content

The login details are protected in a Secure Channel message which must be decrypted with the Digipass SDK. Once decrypted, the login details are encoded as a plain text string with each parameter separated by a semicolon (see Login details parameters).

Login details parameters
Parameter Description
Version

Version of the encoding protocol.

Length: 2 digits

Possible values:

  • 01. Current encoding.
Message type

The type of message contained in the encoded string.

Length: 2 digits

Possible values:

  • 04. Login details.
Service name

The service name specified by the application server when calling the authUser method of OneSpan Authentication Server, which triggers the push notification.

Crypto app index

The index of the cryptographic application used to sign the login details.

Length: 1 digit

Possible values: 18

User identifier

The unique identifier used by OneSpan Authentication Server to identify a user. This must be stored in persistent memory.

Length: Up to 255 UTF-8 characters.

Domain

The unique identifier used by OneSpan Authentication Server to identify a group of users. This must be stored in persistent memory.

Length: Up to 255 UTF-8 characters.

Example: "01;04;myService;3;myUserID;myDomain"
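The two encodings above (the push notification content with message type 03 and the login details with message type 04) share the same framing: a 2-digit version, a 2-digit message type, then semicolon-separated fields. The following parser is an added example written for this page; it is not OneSpan code and does not use the Digipass SDK. It takes the plaintext that the Secure Channel decryption returns and validates every field against the lengths documented above before the mobile application acts on it, rejecting anything that does not match exactly (an unsupported version, a challenge key that is not 10 hexadecimal characters, a crypto app index longer than 1 digit, or an unexpected number of fields). The class names, the `parse_message`/`parse_or_none` functions and the decision to count the 255-character limit in code points are assumptions made for the example.

```python
"""Reference parser for the semicolon-separated push and login messages.

Added example (not OneSpan code): consumes the plaintext obtained after
Secure Channel decryption with the Digipass SDK and validates each field
against the documented encoding before the app displays or signs anything.
"""
import re
from dataclasses import dataclass
from typing import Optional, Union

# Constants taken from the documented encoding.
CURRENT_VERSION = "01"          # "Version" field, 2 digits
MSG_TYPE_CHALLENGE_KEY = "03"   # push notification content
MSG_TYPE_LOGIN_DETAILS = "04"   # login details
MAX_IDENTIFIER_CHARS = 255      # user identifier and domain

_TWO_DIGITS = re.compile(r"^[0-9]{2}$")
_ONE_DIGIT = re.compile(r"^[0-9]$")
_CHALLENGE_KEY = re.compile(r"^[0-9A-Fa-f]{10}$")


class MessageFormatError(ValueError):
    """The decrypted plaintext does not match the documented encoding."""


@dataclass(frozen=True)
class ChallengeKeyMessage:
    """Message type 03: identifies the pending login request."""
    version: str
    challenge_key: str


@dataclass(frozen=True)
class LoginDetailsMessage:
    """Message type 04: the details shown to the user for approval."""
    version: str
    service_name: str
    crypto_app_index: int
    user_identifier: str
    domain: str


def _identifier(value: str, name: str) -> str:
    # "Up to 255 UTF-8 characters": counted as code points here (assumption),
    # and an empty identifier is treated as malformed (assumption).
    if not value:
        raise MessageFormatError(f"{name} is empty")
    if len(value) > MAX_IDENTIFIER_CHARS:
        raise MessageFormatError(f"{name} exceeds {MAX_IDENTIFIER_CHARS} characters")
    return value


def parse_message(plaintext: str) -> Union[ChallengeKeyMessage, LoginDetailsMessage]:
    """Parse one decrypted message; raise MessageFormatError on any deviation.

    The exact field-count check matters: ';' is the delimiter, so it cannot
    occur inside a value, and a message with extra or missing fields is
    rejected instead of being partially trusted.
    """
    fields = plaintext.split(";")
    if len(fields) < 2:
        raise MessageFormatError("missing version or message type")
    version, msg_type = fields[0], fields[1]
    if not _TWO_DIGITS.match(version) or not _TWO_DIGITS.match(msg_type):
        raise MessageFormatError("version and message type must be 2 digits")
    if version != CURRENT_VERSION:
        raise MessageFormatError(f"unsupported encoding version {version}")

    if msg_type == MSG_TYPE_CHALLENGE_KEY:
        if len(fields) != 3:
            raise MessageFormatError("challenge key message must have 3 fields")
        if not _CHALLENGE_KEY.match(fields[2]):
            raise MessageFormatError("challenge key must be 10 hexadecimal characters")
        return ChallengeKeyMessage(version=version, challenge_key=fields[2])

    if msg_type == MSG_TYPE_LOGIN_DETAILS:
        if len(fields) != 6:
            raise MessageFormatError("login details message must have 6 fields")
        _, _, service_name, index, user_id, domain = fields
        if not service_name:
            raise MessageFormatError("service name is empty")
        if not _ONE_DIGIT.match(index):
            raise MessageFormatError("crypto app index must be 1 digit")
        return LoginDetailsMessage(
            version=version,
            service_name=service_name,
            crypto_app_index=int(index),
            user_identifier=_identifier(user_id, "user identifier"),
            domain=_identifier(domain, "domain"),
        )

    raise MessageFormatError(f"unknown message type {msg_type}")


def parse_or_none(plaintext: str) -> Optional[Union[ChallengeKeyMessage, LoginDetailsMessage]]:
    """Convenience wrapper returning None instead of raising for malformed input."""
    try:
        return parse_message(plaintext)
    except MessageFormatError:
        return None


if __name__ == "__main__":
    # The two example strings given in the documentation.
    print(parse_message("01;03;0123456789"))
    print(parse_message("01;04;myService;3;myUserID;myDomain"))
```

In the mobile application the parsed `LoginDetailsMessage` is what gets displayed for approval, and the `ChallengeKeyMessage` is what the app keeps to retrieve those details from DIGIPASS Gateway and, on rejection, to build the cancellation; validating both before use keeps a malformed or unexpected message from reaching the display or signing step.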

If the user approves the login request and is successfully authenticated, the login request must be signed with the Digipass SDK using the Secure Channel message received from DIGIPASS Gateway that contains the login details.

If the user rejects the login request, the challenge key must be encrypted in a Secure Channel message with the Digipass SDK.