wcl's account

To further clarify,  OOB (Out-Of-Band) authentication, is the process in which the user retrieves an authentication credential (like a One Time Password [OTP]) from some other electronic channel than the one that the user requested it on.  Electronic channels can be anything on a computer, like a web site, or Windows login, or VPN access.  The term OOB is typically used to refer to when an Email or SMS text is sent to the user and the message contains a One Time Password, which the user then types into the original electronic channel to authenticate themselves.  There are many other solutions that fit into this definition of OOB authentication, including the OneSpan Cronto color cryptogram.  Many of these are much more secure than Email or SMS virtual OTP.  It is important to point out that OOB authentication by itself is not two-factor authentication.  In some cases, OOB authentication can be accepted as one of the second forms of authentication that make up a two-factor authentication solution.  If you are interested to learn more about OOB authentication, please let us know.

Hi Nabil,

This happens when you refresh on a transaction that has already been processed, or if you refresh on a page after landing on the page the first time. Can you try in a new browser on your mobile device, or better in a private browsing session?

-Will

Nabil,

Looking at your request, I think I see an issue in where you are sending the request.  A change was just pushed out this morning to the environment, all of your requests should be sent to the https://gs.onespan.cloud/rpoc-saa/ domain, instead of the https://salesdemo-dealflo.uat.eu1.tid.onespan.cloud/.  For your request send it to:

https://gs.onespan.cloud/rpoc-saa/sales/#/esign/0f42d17d-d215-468c-a047-662b85816807?access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiIsImtpZCI6IjI4NTliZDQwLTAyOTAtNGE3ZC1hOWZhLWQ5YjMxYmRiMGZiYyJ9.eyJyb2xlIjoiQ3VzdG9tZXIiLCJzY29wZSI6WyJzZXNzaW9uX2NyZWF0aW9uX2F1dGhvcml6YXRpb25fY29kZSJdLCJ0cmFuc2FjdGlvbl91dWlkIjoiMGY0MmQxN2QtZDIxNS00NjhjLWEwNDctNjYyYjg1ODE2ODA3IiwiY2xpZW50X2lkIjoiUGF0aF9Tb2x1dGlvbnMiLCJqdGkiOiIzNDllZWNlNy1mNzlkLTRmMTktOGU5My01OTM2ZDQ4NjFhNTIiLCJpYXQiOjE2MzEwMjE1MDgsImV4cCI6MTYzMjMxNzUwOH0.JOhd23N_mtP695rdeqAeUs76TbjV7k0ZmZLDFvN5neJiuPd2t9vqixt6XJyKxkIU2A00X8etGIl552ocwmqDsw

-Will

Hi Nabil,

Sorry for the confusion, but we recently made a change (this morning during our recent release), please remove https://salesdemo-dealflo.uat.eu1.tid.onespan.cloud/ and replace it with https://gs.onespan.cloud/rpoc-saa/.

We are updating our documentation and emails to reflect this change.  All of your requests should now go to the endpoint gs.onespan.cloud/rpoc-saa

-Will

1. How we can integrate the IDV within our mobile application ? is it by redirecting to the mobile default browser to open the transaction URL (https://gs.onespan.cloud/rpoc-saa/sales/#/esign/{transaction_id}?access_token={access_token}) ? is this the only possible way ? knowing that it's not user friendly to switch from our mobile app to the device browser. 

Using the web browser is the recommended approach.  We have seen some customers use the webkit within an app to handle the requests directly, however, this is not officially supported from our product support group.

2. do you have a native mobile SDK / native plugin (Android and IOS) that we can integrate with our mobile app to open the IDV transaction from within our mobile app and complete the transaction (taking capture of national id doc then a face capture with smile ). Noting that we are using Ionic Framework in our mobile app, so if you have a Cordova Plugin then we can integrate it and call it from our app to open and complete the transaction. Or if you have an Angular Library / Javascript Library to perform the same so we can call it. Please could you feedback if you support one of the aforementioned options ?

We currently do not have a native mobile, js, or 3rd party library SDK for our IDV solution.  It is on our roadmap, but I do not have a date for release yet.

3. we have tried to open the IDV Transaction URL inside an iframe and we failed due to the security limitation of the 'X-Frame-Options' set to 'sameorigin'. It has been mentioned in latest release August 2021 (Version 2021-R3), is it possible to modify/remove this restriction?

For security reasons, we are not able to modify this in the demo/rapid proof of concept environment.  I will check what is possible in the UAT and PRD environments and get back with you.

4. we have tried to open the IDV Transaction URL from an in-app browser embedded inside our Ionic mobile app (by using the following cordova plugin https://github.com/apache/cordova-plugin-inappbrowser) but we have faced the following stopper exception "Unsupported Device , No camera found Please enable your camera or use another device" knowing that we have granted access to the camera (this.androidPermissions.PERMISSION.CAMERA) before opening the in-app browser, so we need to know from your side if you are checking on other permissions to be enabled from the browser , do we have to provide specific access/permissions to the browser ? or if you are supporting specific browsers and blocking the URL on some types/models of browsers  ? 

Since this is done within the webkit, it is actually a different type of permission.  You will need to accept the permissions to access the camera through the browser permission set, which is different than the application permission set.  I have upload some sample code that I have previously used to give you some help, please remember this is just sample code, and using a webkit is still not officially support by product support, the only officially support mechanism is directly through a web browser.

5. Are we obliged to complete the transaction only by opening the URL from a browser ? can't we collect data like document capture and selfie capture from our mobile app and then to call your IDV REST API to complete transaction by providing the images captured from our app ? for sure we will loose some feature related to liveness detection but on the other hand will integrate with you by REST Webservices call only without the need to redirect and complete the flow from the browser.

Currently the images must be captured through the workflow.  As you can see in the sample code there is the possibility of overriding this and allowing the user to upload an image as well, but it is still done through the workflow.  It is our recommendation, for security reasons, that the user be required to take a picture through the workflow only, so that the security checks can be done against the live image as the photo is being taken.

6. Can we have a separate IDV REST Webservice for OCR and Document Capture Verification only, without the Selfie / Smile Face Capture. So it will be called from our mobile app where we will provide the national id image as input parameter and expecting to receive in response the  validation scoring and fields / values extracted from the capture ? This service is the first part (Document Capture) of the IDV workflow, and we are asking if we can consume it from REST API (if available) without opening a browser and providing the transaction URL. the business advantage is that we can apply OCR Parsing and Document validation through IDV REST API automatically without the need of generating a Transaction URL so no need for human/customer intervention.

In the next release of the Demo and Rapid POC environment, we will be introducing a document capture only workflow.  This will allow for capturing and processing, including data extraction, for the document component only.  It will still work like the other workflows, only it will not ask for facial capture.  It is currently already available in our Professional Services Fast Track packages which are available through the sales group.

7. We have a concern in the list of supported browsers mentioned in the latest release note Version 2021-R3, for example it's mentioned that on Android mobile device, only Chrome is supported however we was confused because we tested on FireFox installed on Android and the URL worked, while the URL failed on Dolphin browser on Android. Please could we have detailed list of supported browsers ?

We officially only support the Chrome browser.  Other browsers and webkits may work, but they are not officially supported by the product support team.

8. Can we customize the look & feel of OneSpan IDV Transaction URL ? Changing the theme/css/style of the UI to be compatible with the look & feel of our mobile app ?

Yes we can.  We have the ability use custom font, custom logo image and hero image (welcome image), and to customize the colors of particular workflow objects, and even modify the translation of certain phrases.  In order to do this, please send me a private email and I will send you the instructions to get started, [email protected].