Authentication Cloud
The Nevis Authentication Cloud provides authentication as a service. It extends your infrastructure with passwordless authentication and transaction signing services.
In terms of the SDK, several integration scenarios are possible depending on your specific use case. The SDK supported use cases of registration, authentication, transaction confirmation and deregistration can all be achieved with the mobile application as the trigger of the operation, or with one of these operations initiated from another backend system.
Tokens explained
The authentication cloud returns several different tokens for different purposes, you'll need to have a basic understanding regarding the purpose of the tokens as you will encounter them in the integration scenarios.
The two tokens of most importance you will encounter in the mobile authentication integration scenarios are the status and transaction tokens.
Status token
The status token allows you to "track" the status of registration or approval operations. It is returned by the Auth Cloud registration endpoint as
enrollment.statusToken
and the Auth Cloud approval endpoint asstatusToken
.The status token serves two purposes, it is used to poll the Auth Cloud status endpoint to verify the status of the original operation and to obtain the transaction token from the same status endpoint.
Transaction token
The transaction token contains the verifiable result of the current status. It is returned by the Auth Cloud status endpoint as
token
.Use this token with the Auth Cloud introspect endpoint after the status endpoint reports the desired state as final verification.
In-app scenarios and the Authentication Cloud
From a conceptual point of view, the Authentication Cloud only supports out of band scenarios. However, the SDK provides convenience APIs for registration, which behave as if the operation was executed in-band by encapsulating the calls required for registration against the Authentication Cloud HTTP API.
In-app registration
The in-app registration scenario describes how a user registers the mobile application to use FIDO UAF-based authentication. As registration requires an authenticated user, the scenario involves the user first authenticating using an existing means of authentication.
- The first HTTP API call to the cloud backend is done against the Auth Cloud registration endpoint. This endpoint is usually called by another backend application, for example a custom backend to start a user enrollment. The user enrolment is necessary to create the user in the backend before an actual mobile authentication registration can be performed.
- Your backend passed the enroll response back to your mobile application. The SDK will use this to perform the actual registration. It makes sense to temporarily store the
enrollment.statusToken
for verifying the enrolment status at the very end. - You use the SDKs Auth Cloud API registration operation to start the actual registration process. The process will involve asking the user to provide biometric, PIN or device passcode authentication information.
- After the SDK notifies that the registration completed successfully, the app must send the
enrollment.statusToken
to the custom backend which in turn uses the token to call the Auth Cloud status endpoint to obtain the transaction token. - The
token
(transaction token) returned by the status endpoint is now used to obtain the introspection result from the Auth Cloud introspect endpoint to verify whether the operation was really executed and completed successfully by your Authentication Cloud instance.
Concept
For more information regarding the registration concept, see the SDK Concept Guide chapter.
Mobile SDK Developers
For hands-on information on how to use the SDK to achieve in-app registration, see the Developer Guides Operations chapter.
Authentication Cloud API
For more information regarding the Authentication Cloud API, visit Register Your Mobile App.
In-app authentication
After registration, the user is able to authenticate in-app using FIDO UAF-based authentication. First, the mobile application initiates the authentication flow by contacting the backend. This is usually done through a custom backend, such as a custom application or API gateway.
- You use the SDKs authentication operation to start the authentication process. The process will involve asking the user to provide biometric, PIN or device passcode authentication information.
- After a successful authentication, the SDK will return a
JWT
containing the transaction token. To validate the token, call the Auth Cloud introspect endpoint. - The custom backend should add measures to prevent replay attacks, for example only accepting tokens issues in the last 30 seconds or keeping a list of already checked tokens.
Concept
For more information regarding the registration concept, see the SDK Concept Guide chapter.
Mobile SDK Developers
For hands-on information on how to use the SDK to achieve in-app authentication, see the Developer Guides Operations chapter.
Authentication Cloud API
For more information regarding the Authentication Cloud API, visit Authenticate transactions with QR code or deep link or Authenticate transactions with push notification
Authentication Cloud Concept
For more information about available authentication methods, visit the Authentication methods comparison chapter.
Out-of-band registration
- The first HTTP API call to the cloud backend is done against the Auth Cloud registration endpoint. This endpoint is usually called by another backend application, for example a custom backend to start a user enrollment. The user enrolment is necessary to create the user in the backend before an actual mobile authentication registration can be performed.
- The Nevis Authentication cloud returns the enroll response to your backend. The
enrollment.appLinkUri
contains the link required for the registration process. Theenrollment.statusToken
can be used to check the enrollment progress. - The
appLinkUri
link can be displayed to the user as clickable link in cases the user operates on a mobile device or rendered in a QR code to allow the user to scan the code using the mobile application or the mobile phones' camera app. - The
statusToken
obtained in step 2 is used to poll the Nevis Authentication cloud backend using the Auth Cloud status endpoint. By polling the status, your custom backend and web application will be able to determine when the registration was completed successfully and proceed afterwards with your scenario, like showing the user a success message or redirecting them. - During an ongoing registration, the status API will return
pending
, indicating that the registration has not been completed yet and has not failed so far. - You use the SDKs out of band registration operation to start the actual registration process. The process will involve asking the user to provide biometric, PIN or device passcode authentication information. The SDK requires the
appLinkUri
for this, which the app needs to pass after the link has been clicked or the QR code scanned. - After the user completed the out-of-band registration in the mobile application, the Auth Cloud status endpoint will return
succeeded
alongside the transactiontoken
. - The
token
(transaction token) returned by the status endpoint is now used to obtain the introspection result from the Auth Cloud introspect endpoint to verify whether the operation was really executed and completed successfully by your Authentication Cloud instance.
Concept
For more information regarding the registration concept, see the SDK Concept Guide chapter.
Mobile SDK Developers
For hands-on information on how to use the SDK to achieve out-of-band registration, see the Developer Guides Operations chapter.
Authentication Cloud API
For more information regarding the Authentication Cloud API, visit Register your mobile app.
Out-of-band authentication
- The first HTTP API call to the cloud backend is done against the Auth Cloud approval endpoint. This endpoint is usually called by another backend application, for example a custom backend to start a user authentication. The
channel
defines how the message should be transmitted. - The Nevis Authentication cloud returns the approval response to your backend. The
appLinkUri
contains the link required for the authentication process. THeqrCode
contains a base64 encoded image which can be rendered. ThestatusToken
can be used to check the enrollment progress. - The
appLinkUri
link can be displayed to the user as clickable link in cases the user operates on a mobile device, otherwise theqrCode
can be rendered to allow the user to scan the code using the mobile application or the mobile phones' camera app. - The
statusToken
obtained in step 2 is used to poll the Nevis Authentication cloud backend using the Auth Cloud status endpoint. By polling the status, your custom backend and web application will be able to determine when the authentication was completed successfully and proceed afterwards with your scenario, like showing the user a success message or redirecting them. The response also contains thetoken
which can be used with the Auth Cloud introspect endpoint. - During an ongoing authentication, the status API will return
pending
, indicating that the authentication has not been completed yet and has not failed so far. - You use the SDKs out-of-band authentication operation to start the actual authentication process. The process will involve asking the user to provide biometric, PIN or device passcode authentication information. The SDK requires the
outOfBandPayload
for this which the app needs to pass either after the link has been clicked or the QR code scanned. - After the user completed the out-of-band authentication in the mobile application, call the Auth Cloud introspect endpoint using the
statusToken
received in step 2. The introspect endpoint will reply withactive
indicating the successful authentication. Additionally, the backend should add measures to avoid replay attacks, like only accepting tokens issues in the last 30 seconds, keeping a list of tokens already checked or similar measures.
- The status endpoint provides information of an ongoing operation. In addition, it returns the
token
which can be used to query the introspect endpoint. - The introspect endpoint is used to check whether a token is valid, and whether the token was actually issued by your Authentication Cloud instance.
The custom backend should call either the status or the introspect endpoint depending on the scenario progress.
Concept
For more information regarding the out-of-band authentication concept, see the SDK Concept Guide chapter. Be aware that link, QR code or push messages are available for out-of-band authentication.
Mobile SDK Developers
For hands-on information on how to use the SDK to achieve out-of-band authentication, see the Developer Guides Operations chapter.
Authentication Cloud API
For more information regarding the Authentication Cloud API, visit Mobile App.
Authentication Cloud Concept
For more information about available authentication methods, visit the Authentication methods comparison chapter.
The FIDO transaction confirmation is technically the same as a FIDO authentication, but additional information is present in the authentication information request, which gives the user details of the transaction.
For this reason, this chapter does not separately list the transaction confirmation flows. See the Concept Operations chapter for additional details.