Registration
If you want to use a mobile device in mobile authentication operations, register it beforehand.
Nevis Mobile Authentication offers two registration use cases:
- In-band registration. For more information, see In-Band Registration in the Nevis Mobile Authentication Concept and Integration Guide.
- Out-of-band registration. For more information, see Out-of-Band Registration in the Nevis Mobile Authentication Concept and Integration Guide.
Both can be configured with the Mobile Device Registration pattern via the Registration Type property.
Pattern Structure
The next figure shows the connections of the Mobile Device Registration pattern to other patterns:
The Mobile Device Registration pattern requires the following patterns:
- Authentication Realm, to configure the legacy login.
- Virtual Host, to expose the backend services.
- nevisFIDO Instance, to provide the FIDO UAF related services.
Legacy Login
The Mobile Device Registration pattern and its services must be protected, so that mobile devices can be securely matched onto existing user accounts. The protection mechanism is usually referred to as "legacy login", as opposed to the mobile login that is being registered.
A successful matching requires the implementation of a nevisIDM authentication flow as legacy login. For this, the use of the nevisIDM Password Login (pattern) as legacy login is recommended. Do not use, for example, an LDAP Authentication pattern as the legacy mechanism. This is because the Mobile Device Registration pattern only works together with nevisIDM, where the device information is registered.
Out-of-Band Registration
The following movie shows how to set up the Mobile Device Registration service for out-of-band registration. In this out-of-band registration use case, you integrate the legacy login flow into an Authentication Realm pattern, which is referenced by the Mobile Device Registration pattern:
QR Code Integration
Out-of-band registration is designed to be integrated into existing web applications. This integration happens via browser-rendered QR codes. The existing web application obtains the QR code data from the relevant nevisFIDO instance and renders the code on the UI. Therefore, the application must be able to connect to the nevisFIDO instance.
If you are interested in the details, check out Out-of-Band Registration in the Nevis Mobile Authentication Concept and Integration Guide. The next movie shows QR code integration into an existing web application. For this, it uses a demo application that is specifically prepared for this goal.
The existing web application (QR Demo Web App in the movie) and the Mobile Device Registration pattern/service must be protected by the same Authentication Realm!
In-Band Registration
For in-band registration, the legacy login is generated automatically into the realm, because it is exposed as a REST service consumed by the mobile app. Multi-step legacy login authentication flows are not supported by the Nevis Access App and cannot be configured using this pattern.
When in-band registration is selected as registration type, the legacy login authentication flow is generated transparently into the authentication realm. An Authentication Realm pattern must nevertheless be provided. If no browser authentication is configured in the realm, set up a User Information pattern.
The next movie shows how to configure in-band registration.
In-Band and Out-of-Band Registration Together
In-band and out-of-band registration can be configured together (independent of each other). You do this by selecting the option "both" in the Registration Type drop-down menu of the Mobile Device Registration pattern. The following movie shows how to proceed: