Transaction Confirmation
Once the application has an active FIDO registration with the Nevis Mobile Authentication backend, it can make use of FIDO transaction confirmation operations. The FIDO transaction confirmation is technically the same as a FIDO authentication, but with additional information regarding the details of the transaction.
Transaction confirmation allows the user to authorize transactions on his mobile phone. Transactions can consist of simple text messages, which the user can confirm with his mobile authentication credentials. This is useful for any kind of operation where trusted, verified user consent is required.
Transaction confirmations are often used in a banking environment, where the user must explicitly confirm financial transactions. In this context, the user sees a text describing the transaction. This transaction message text is shown without any modification during the transaction, to assure the user that exactly this message will be signed with his credentials. This is according to the FIDO specification: What You See is What You Sign → WYSIWYS.
For a detailed description, see Out-of-Band Transaction Confirmation.
The application only supports text-based transaction confirmation.
Push notification content vs. transaction confirmation content
When using push messages for out-of-band operations, distinguish between the push notification content and the transaction confirmation content. These are two separate pieces of information, transmitted at different stages:
- Push notification content — Appears in the operating system notification drawer when the push message arrives on the device. It is defined in the dispatchInformation.notification field of the Firebase Cloud Messaging Dispatcher request. The push notification only alerts the user and opens the app. It does not carry transaction details into the app.
- Transaction confirmation content — Appears inside the Access App when the user approves or rejects a transaction. It is provided in the getUafRequest.context.transaction field of the same dispatch request. After the app redeems the dispatched token, nevisFIDO returns the transaction content in the AuthenticationRequest for display and signing.
The following table summarizes the distinction:
| | Push notification | Transaction confirmation |
|---|---|---|
| Where it appears | OS notification drawer (lock screen, notification center) | Inside the Access App during approval |
| How to set it | dispatchInformation.notification.title | getUafRequest.context.transaction |
| When it is delivered | Immediately, via the push message through FCM | After the app redeems the token via the nevisFIDO API |
| Sensitive data | ❌ Do not include sensitive information | ✅ Suitable for sensitive transaction details |
| Encryption / transport | Not encrypted — visible to push infrastructure | Not part of the push notification payload; returned by nevisFIDO after token redemption |
The dispatchInformation.notification field (title) is not encrypted and is visible to the push notification infrastructure (Firebase Cloud Messaging). Do not include sensitive transaction details such as amounts, account numbers, or personal data in this field.
The encrypted data payload (nma_data) carries the token, redeem URL, and optionally custom dispatchInformation.data. It does not contain the transaction confirmation content. The transaction confirmation content configured in getUafRequest.context.transaction is returned to the app by nevisFIDO after the app redeems the dispatched token. Use the getUafRequest.context.transaction field for any information the user needs to review and approve inside the app.
For details on the encryption algorithms and key management for the push data payload, see Encryption in the FCM Dispatcher reference.
Example: Dispatch request with transaction confirmation content
The following example shows the structure of a dispatch token request using the FCM dispatcher:
{
"dispatchTargetId" : "0ea3abe9-c26c-4401-b5d5-2c1f4a4fd2eb",
"dispatcher" : "firebase-cloud-messaging",
"dispatchInformation" : {
"notification" : {
"title" : "Dirk Gently Bank - Confirm the payment"
},
"data" : {
"channelLinking" : {
"mode" : "visualString",
"content" : "AB"
}
}
},
"getUafRequest" : {
"context" : "{\"username\":\"jeff\"}",
"op" : "Auth"
}
}
For transaction confirmation, set the getUafRequest.context.transaction field with the content to display inside the app during approval. The following example shows what the getUafRequest body looks like with a text-based transaction:
{
"context" : "{\"username\":\"jeff\",\"transaction\":[{\"contentType\":\"text/plain\",\"content\":\"Q29uZmlybSB5b3VyIHB1cmNoYXNlIGZvciBhIHZhbHVlIG9mIENIRjIwMC4\"}]}",
"op" : "Auth"
}
The context field is a stringified JSON object, and the content field inside transaction is base64url-encoded.
For full details on the context and transaction fields, see the Authentication Request Service in the nevisFIDO reference guide.
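The following Python is an added example, not code from the Nevis documentation or the nevisFIDO product: it assembles the dispatch request shown above (transaction text base64url-encoded without padding inside the stringified context) and decodes the content back into the text the app displays. The function names `build_dispatch_request` and `displayed_text`, and the guard against repeating transaction details in the unencrypted notification title, are this example's own conventions.

```python
import base64
import json

# Transaction content taken from the page's example request.
PAGE_EXAMPLE_CONTENT = "Q29uZmlybSB5b3VyIHB1cmNoYXNlIGZvciBhIHZhbHVlIG9mIENIRjIwMC4"


def b64url_encode(text: str) -> str:
    """base64url without '=' padding, as in the page's example."""
    return base64.urlsafe_b64encode(text.encode("utf-8")).decode("ascii").rstrip("=")


def b64url_decode(data: str) -> str:
    """Restore padding, then decode base64url back to the displayed text."""
    padded = data + "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def build_dispatch_request(dispatch_target_id: str, username: str,
                           transaction_text: str, notification_title: str) -> dict:
    """Assemble the FCM dispatcher request body described on the page.

    The transaction text goes only into getUafRequest.context.transaction (returned by
    nevisFIDO after token redemption); the notification title is visible to the push
    infrastructure, so this example refuses to repeat the transaction text there.
    """
    if transaction_text and transaction_text in notification_title:
        raise ValueError("transaction details must not appear in the push notification title")
    context = {
        "username": username,
        "transaction": [{"contentType": "text/plain",
                         "content": b64url_encode(transaction_text)}],
    }
    return {
        "dispatchTargetId": dispatch_target_id,
        "dispatcher": "firebase-cloud-messaging",
        "dispatchInformation": {"notification": {"title": notification_title}},
        # context is a stringified JSON object, as the page states
        "getUafRequest": {"context": json.dumps(context, separators=(",", ":")),
                          "op": "Auth"},
    }


def displayed_text(dispatch_request: dict) -> str:
    """What the Access App shows: the decoded first transaction entry of the context."""
    context = json.loads(dispatch_request["getUafRequest"]["context"])
    entry = context["transaction"][0]
    if entry["contentType"] != "text/plain":
        raise ValueError("only text-based transaction confirmation is supported")
    return b64url_decode(entry["content"])
```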
Text Formatting
You can format the transaction confirmation text with a limited set of supported HTML tags. To enable text formatting, enclose the transaction confirmation text in the HTML tags <html></html>.
The following tags and formatting options are supported:
- bold: <b></b>
- line break: <br>
- emphasis: <em></em>
- italic: <i></i>
- strong: <strong></strong>
- underline: <u></u>
<html>Confirm payment of <br><strong>200 CHF</strong><br> to John Doe</html>
The Access App sanitizes the supplied transaction confirmation text. That is, the app removes all unsupported tags as well as any attributes from the text before display.
Using custom fonts can lead to issues if a formatting option is not supported by the supplied font type. Therefore, Nevis recommends using the mobile OS default fonts.
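As an added example that models the sanitization described above (illustrative Python, not the Access App's own code), the following keeps only the listed tags, drops every attribute, and leaves text without the enclosing `<html></html>` untouched. It assumes that text not wrapped in `<html></html>` is displayed verbatim, and it deliberately does not decode entities before re-emitting, so an escaped tag in the text cannot turn into a live one.

```python
from html.parser import HTMLParser

# Tags the page lists as supported; everything else is removed, attributes always.
ALLOWED_TAGS = {"b", "br", "em", "i", "strong", "u"}
VOID_TAGS = {"br"}


class TransactionTextSanitizer(HTMLParser):
    """Rebuilds the markup from allowed tags and literal text only."""

    def __init__(self) -> None:
        # convert_charrefs=False keeps &lt; as an entity instead of decoding it to '<'
        super().__init__(convert_charrefs=False)
        self.parts: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.parts.append(f"<{tag}>")  # attributes are intentionally discarded

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> becomes <br>

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.parts.append(f"</{tag}>")

    def handle_data(self, data):
        self.parts.append(data)

    def handle_entityref(self, name):
        self.parts.append(f"&{name};")

    def handle_charref(self, name):
        self.parts.append(f"&#{name};")


def sanitize_transaction_text(text: str) -> str:
    """Return the text as displayed: formatting applies only inside <html></html>."""
    stripped = text.strip()
    lowered = stripped.lower()
    if not (lowered.startswith("<html>") and lowered.endswith("</html>")):
        return text  # formatting not enabled (assumption: shown verbatim)
    inner = stripped[len("<html>"):-len("</html>")]
    parser = TransactionTextSanitizer()
    parser.feed(inner)
    parser.close()
    return "".join(parser.parts)
```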