Once the mobile application has an active FIDO registration with the Nevis Mobile Authentication backend, it can make use of FIDO authentication and FIDO transaction confirmation operations. The FIDO transaction confirmation is technically the same as a FIDO authentication but with additional information, that give the user details on the transaction.
FIDO transaction confirmations are often used in a banking environment, where the user must explicitly confirm financial transactions. In this context, the user sees a text describing the transaction.
In a similar way to FIDO registration, we differentiate between the out-of-band transaction confirmation and in-band transaction confirmation scenarios.
The SDK does not differentiate between the different out-of-band mechanisms. It is the responsibility of the apps to receive the out-of-band messages and supply the SDK with the message payload.
- The user carried out a Registration first.
Out-of-band transaction confirmation
Out-of-band transaction confirmation offers the same options as out-of-band Authentication.
Using push notifications
Using push notifications for transaction confirmation is possible on a single device or on multiple devices. However, for same-device transaction confirmation, the mobile-only solution provides a better user experience. Aadditionally, it is able to serve as a fallback in case the push notification is not received by the mobile device.
The user must register for push notifications before being able to carry out an out-of-band transaction confirmation.
An out-of-band transaction confirmation scenario is one, in which a user wants to carry out a business process that needs the explicit consent of the user. This can for example be transferring money,
- The user starts a transaction
- The Nevis Mobile Authentication Backend initiates the transaction confirmation, and sends a push message payload to a push provider.
- An encrypted push notification is sent to the mobile device, that must be read by the mobile application.
- The mobile application passes the encrypted push notification to the SDK that carries out actual out-of-band transaction confirmation.
- If all the steps in the out-of-band transaction confirmation have succeeded, the business process gets the consent of the user, and it can proceed.
Using links (mobile-only solution)
- In the mobile-only solution, the user opens up the browser on the mobile device, where the authentication will take place.
- The user clicks a button, which contains a link to transfer the money. This opens the mobile application and provides the encrypted payload that must be read and processed.
- The mobile application passes the encrypted payload to the SDK that carries out the actual out-of-band transaction confirmation.
- If all of the steps in the out-of-band transaction confirmation succeed, the business process gets the consent of the user, and it can proceed.
Out-of-band transaction confirmation has the same general behavior as out-of-band authentication. The only difference is in the FIDO transaction confirmation subprocess, where a transaction text is displayed to the user.
The user fully confirms a transaction in the Nevis Mobile Authentication backend, once the SDK completes its post-processing successfully.
In-band transaction confirmation
In-band transaction confirmation is similar to in-band authentication. Apart from the additional transaction text, there is also a subtle difference in the use case.
- The mobile application initiates a transaction confirmation operation.
- The mobile application receives the transaction confirmation payload.
- The encrypted payload is passed to the SDK, which carries out the actual transaction confirmation.
Any business operation executed in the Nevis Mobile Authentication backend might result in in-band transaction confirmation, if a business rule in the backend imposes it. An in-band transaction confirmation succeeds if the FIDO transaction confirmation subprocess is able to sign the challenge, and the transaction text received from the Nevis Mobile Authentication backend.
The user fully confirms a transaction in the Nevis Mobile Authentication backend, once the SDK successfully completes its post-processing (see the BPMN in-band transaction confirmation figure above).
FIDO transaction confirmation
Regardless of whether we are in an out-of-band or in-band transaction confirmation use case, FIDO transaction confirmation always takes place. If mandatory user verification succeeds, the SDK can go on and sign the challenge and transaction text to complete FIDO transaction confirmation. Signing is carried out using the hardware-protected private key generated during FIDO registration.
Displaying the transaction confirmation text
During FIDO transaction confirmation, the app always has the option to parse the transaction confirmation text in a way that best suits the business needs.
Raw transaction text:
<html><i>Please</i> confirm the money transfer of <br><b>12'000</b> Swiss Francs<br> to John Doe</html>
Human readable transaction text:
Please confirm the money transfer of
12'000 Swiss Francs
to John Doe
The FIDO UAF 1.1 specification limits the size of the transaction confirmation text: the base64url-encoded raw transaction text must not exceed 200 characters!
The raw transaction text example above translates to a base64url encoded value of
ew0KCSJvcGVyYXRpb24iOiAidHJhbnNmZXIiLA0KCSJhbW91bnQiOiAxMjAwMCwNCgkiY3VycmVuY3kiOiAiQ0hGIg0KfQ, which is 95 characters long, and is therefore below the specified limit.
The Nevis Mobile Authentication Backend, specifically the nevisFIDO component, allows configuring the maximum allowed transaction confirmation text size. The default value adheres to the specification (200 characters) but a maximum of 2000 characters can be configured. The App UI dynamically adapts to the longer transaction message.