Mobile authentication

Introduction

With mobile authentication, the Onegini mobile platform offers a two-factor authentication mechanism in a user-friendly and secure way. You can use mobile authentication to add second-factor authentication to your product, improving the security of selected actions such as logging into your website or accepting a payment transaction.

Mobile authentication is an extensive feature with a number of options. For example, there are different ways in which a mobile authentication request is triggered and received on a mobile device:

  • With push notifications: the user gets a push notification on their phone to alert them that a mobile authentication transaction is pending.
  • With a One-Time Password (OTP): the user provides an OTP in order to confirm a mobile authentication transaction. Since the OTP is long, it is typically encoded as a QR code that the user scans with their mobile device.

Mobile authentication with push offers different ways of authenticating the user, so you can ask your users for additional verification when they accept a mobile authentication request.

Configuration

Before mobile authentication can be used, you must configure the Token Server to support this functionality. Follow the Mobile authentication configuration guide to set it up.

When the Token Server is configured, you can enroll and handle mobile authentication requests using the Onegini SDK.

Enrollment

During the mobile authentication enrollment step the user is registered for mobile authentication. The enrollment is done by exchanging public PGP keys with the Token Server. It enables the basic mobile authentication feature, which allows handling OTP requests.

1. APP -> SDK: Enroll for mobile authentication, passing a completion block.
2. SDK -> Token Server: The SDK generates a PGP key pair and sends the public key to the Token Server.
3. Token Server --> SDK: The Token Server also generates a key pair and returns its public key.
4. SDK -> APP: The result of the enrollment flow is reported to the handler.

Mobile authentication enrollment is started by calling the -[ONGUserClient enrollForMobileAuth:] method. Below is example code that starts mobile authentication enrollment:

[[ONGUserClient sharedInstance] enrollForMobileAuth:^(BOOL enrolled, NSError * _Nullable error) {}];

Successive invocations of enrollment for mobile authentication will re-enroll the device only if the mobile authentication override is enabled in the Token Server configuration. See the Token Server mobile authentication configuration for more information on the server-side configuration of mobile authentication.

Enrolling for mobile authentication does NOT automatically enroll the device for push. To enroll for push, follow the Push Mobile Authentication Enrollment guide.

Note: It is advised to perform the enrollForMobileAuth step as early as possible in your application, as it is quite resource-intensive because it generates a private key and certificate.

Request handling

In order to handle mobile authentication requests, the user must be enrolled for mobile authentication. To verify whether the user is already enrolled, use the isUserEnrolledForMobileAuth: method on ONGUserClient.
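The following is an added example (not code from the Onegini SDK or its documentation) that ties the enrollment call above to the enrollment check described here: it checks isUserEnrolledForMobileAuth: first so the expensive key generation is skipped for a device that is already enrolled, and only otherwise calls enrollForMobileAuth:. It assumes the SDK umbrella header is OneginiSDKiOS/OneginiSDK.h, that ONGUserClient exposes an authenticatedUserProfile property returning the logged-in ONGUserProfile (nil when nobody is authenticated), and that isUserEnrolledForMobileAuth: takes that profile; the MobileAuthEnrollment class and the error domain are constructed for this example.

```objective-c
#import <OneginiSDKiOS/OneginiSDK.h>  // assumed umbrella header of the Onegini iOS SDK

// Added example, not part of the SDK. Assumptions: [ONGUserClient sharedInstance]
// exposes `authenticatedUserProfile` (the logged-in ONGUserProfile, nil if nobody
// is authenticated) and -isUserEnrolledForMobileAuth: takes that profile.
@interface MobileAuthEnrollment : NSObject
+ (void)ensureEnrolledWithCompletion:(void (^)(BOOL enrolled, NSError * _Nullable error))completion;
@end

@implementation MobileAuthEnrollment

+ (void)ensureEnrolledWithCompletion:(void (^)(BOOL enrolled, NSError * _Nullable error))completion
{
    ONGUserClient *client = [ONGUserClient sharedInstance];
    ONGUserProfile *profile = client.authenticatedUserProfile;  // assumed property name

    if (profile == nil) {
        // Enrollment binds the generated key pair to an authenticated user;
        // without a logged-in user there is nothing to enroll.
        NSError *err = [NSError errorWithDomain:@"com.example.mobileauth"  // constructed, app-specific domain
                                           code:1
                                       userInfo:@{NSLocalizedDescriptionKey: @"No authenticated user"}];
        completion(NO, err);
        return;
    }

    if ([client isUserEnrolledForMobileAuth:profile]) {
        // Already enrolled: skip the resource-intensive key generation. Calling
        // enrollForMobileAuth: again only re-enrolls when the Token Server's
        // mobile authentication override is enabled.
        completion(YES, nil);
        return;
    }

    [client enrollForMobileAuth:^(BOOL enrolled, NSError * _Nullable error) {
        if (!enrolled) {
            // Surface the failure so the app can retry or inform the user; the device
            // must not be treated as a second factor until enrollment has succeeded.
            NSLog(@"Mobile authentication enrollment failed: %@", error);
        }
        completion(enrolled, error);
    }];
}

@end
```

Call +[MobileAuthEnrollment ensureEnrolledWithCompletion:] once the user has logged in, for example from the code path that runs right after successful user authentication, so the key generation happens early (as the note above recommends) and mobile authentication requests can be handled as soon as they arrive.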

The Onegini SDK is capable of handling two types of mobile authentication requests. For more information on handling each mobile authentication type, please refer to the corresponding request handling guides.