Communication channels
The Nevis Mobile Authentication solution makes use of two communication channel types called the out-of-band and the in-band channel.
The following figure shows the basic concept, for both the in-band and out-of-band communication mode:
In in-band communication, all messages are transferred through the same channel. Out-of-band communication is the opposite: some messages are delivered through a separate channel.
In-band or in-app
Use cases that use the in-band channel involve only the Nevis Mobile Authentication SDK and the Nevis Mobile Authentication backend. These use cases are the easiest ones to implement, since the systems involved in the communication flows are kept to a minimum.
Out-of-band
Out-of-band use cases use channels other than the main communication channel for sending messages. This makes it possible to authenticate on a separate device by delivering messages through separate channels. For example, this allows users to authenticate on their mobile devices while accessing the business application from their laptop. The supported out-of-band channels are push notifications, links, QR codes and fetch.
- For additional conceptual information regarding out-of-band message transmission, see the Out of Band Message Transmission chapter in the nevisFIDO documentation.
- For additional information regarding push notification handling, see the Dispatch Target Management chapter in the nevisFIDO documentation.
Using push notifications
One method for delivering messages from the Nevis Mobile Authentication backend to the mobile application is through the push notification channel.
The process begins when the Nevis backend sends an encrypted payload to the Firebase Cloud Messaging service (1). This payload is then delivered to the specified device as a push message (2). Upon receiving the push message, the mobile application processes it and invokes the SDK (3), and the operation is completed through interaction with the Nevis backend (4). This channel supports all out-of-band use cases, enabling the mobile application to participate in any FIDO operation triggered externally.
The Nevis Mobile Authentication SDK provides an API which is responsible for registering, updating and deregistering push notification capabilities with the Nevis Mobile Authentication backend. Any interaction with the push notification provider is managed separately by the mobile application. Typically, a dedicated SDK is used to ease integration with the provider.
For a detailed description of the push notification use case, see Push notifications in out-of-band scenarios.
For additional information, see push support or the official Firebase Cloud Messaging documentation.
Using fetch
Any available out-of-band (oob) channel, such as push, link, or QR code, triggers the corresponding operation to be made available for fetching (1). The application can then query the SDK for ongoing oob operations, for example upon user interaction (2). The SDK communicates with the Nevis backend to retrieve and return a list of ongoing oob operations (3). Finally, the operation is completed through interaction with the Nevis backend (4).
See Out-of-band payload from pending operations for more detailed developer information.
Using QR codes
The Nevis backend generates a QR code to be displayed in the web application (1). The QR code is scanned using either the mobile operating system's camera app or a custom app's built-in camera functionality (2). Once scanned, the mobile application invokes the mobile SDK with the information obtained from the QR code (3). From this point, the SDK completes the associated operation by communicating with the Nevis backend (4).
Using links
Out-of-band operations using links enable mobile-only scenarios.
A link is displayed in the web browser on the mobile device (1). When the user clicks the link, either in the mobile browser or a separate mobile application, it opens the mobile application that uses the Nevis Mobile Authentication SDK (2). Similar to the QR code process, the SDK processes the payload included in the link and completes the operation by interacting with the Nevis backend (3).
Channel types and actors
The following figure shows both channel types and the actors involved:
Use cases that use the in-band channel involve only the Nevis Mobile Authentication SDK and the Nevis Mobile Authentication backend.
- The mobile client contacts the backend.
- The backend sends the response back to the client.
Use cases that use the out-of-band channel involve additional actors, for example a laptop accessing a protected business application and a push notification provider. In these scenarios, several other systems have already communicated with each other before the SDK and the backend initiate their first interaction.
- A user agent or third party actor contacts the backend.
- The backend issues an out-of-band message (through QR code or push notification).
- The mobile client obtains the message.
- The mobile client contacts the backend using information provided in the out-of-band message.
- The backend sends the response back to the client.
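The out-of-band steps listed above, modelled as an added example; this is not Nevis code and does not use the SDK API. All class, function and URL scheme names are hypothetical, and the single-use and expiry checks are assumptions of this model, not documented Nevis behaviour.

```python
import json, secrets
from urllib.parse import urlencode, urlparse, parse_qs

class Backend:
    """Toy backend for the out-of-band flow; hypothetical, not the Nevis API."""
    def __init__(self, ttl=120):
        self.ttl, self.pending = ttl, {}  # token -> (user, operation, expiry)

    def start(self, user, operation, now):
        # Steps 1-2: a user agent contacts the backend, which issues an
        # out-of-band message carrying only an opaque reference.
        token = secrets.token_urlsafe(32)
        self.pending[token] = (user, operation, now + self.ttl)
        return {"token": token}

    def fetch(self, user, now):
        # Fetch channel: list the operations still pending for this user.
        return [{"token": t} for t, (u, _, exp) in self.pending.items()
                if u == user and now <= exp]

    def redeem(self, message, now):
        # Steps 4-5: the client contacts the backend with the reference.
        # pop() makes the reference single use (assumption of this model).
        entry = self.pending.pop(message.get("token"), None)
        if entry is None:
            return "rejected: unknown or already used"
        user, operation, expiry = entry
        if now > expiry:
            return "rejected: expired"
        return f"continue {operation} for {user}"

def encode(channel, message):
    # The same message travels as QR text or as an app link (constructed formats).
    if channel == "qr":
        return json.dumps(message)
    return "exampleapp://oob?" + urlencode(message)

def decode(raw):
    # Step 3: the mobile client obtains the message from whichever channel.
    if raw.startswith("exampleapp://"):
        return {k: v[0] for k, v in parse_qs(urlparse(raw).query).items()}
    return json.loads(raw)

def demo():
    b = Backend()
    qr = encode("qr", b.start("alice", "authentication", now=0))
    link = encode("link", b.start("alice", "authentication", now=0))
    fetched = b.fetch("alice", now=10)
    first = b.redeem(decode(qr), now=10)
    replay = b.redeem(decode(qr), now=11)
    late = b.redeem(decode(link), now=500)
    return len(fetched), first, replay, late
```

In this model the channel only transports a reference; the decision to continue the operation is made by the backend when the client redeems it.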