Mobile authentication with OTP
Introduction
The OneWelcome Mobile Security Platform offers mobile authentication with a One Time Password (OTP). Mobile authentication with OTP gives users an easy and secure way to perform two-factor authentication, or single-factor authentication where no password is required. A good use case is letting a user log in to your web application from a mobile device by scanning a QR code displayed in the browser: the user authenticates with the mobile device itself. The flow also does not rely on third-party push services such as APNs or FCM; all communication stays between the app, the web application and the Mobile Security Platform.
Example Scenario
An example implementation could work like this: the web application fetches an OTP from the Token Server and displays it on the login page as a QR code. The user then opens your mobile application, scans the QR code with the device camera and is automatically logged in to your website. How you implement the flow is up to you; the scenario above is only an example.
Setup and Requirements
OTP mobile authentication requires configuration on the Token Server side. Follow the Mobile Authentication guide to set up the OTP mobile authentication type.
Enrollment
The only prerequisite for using OTP is that the user is enrolled for mobile authentication. If the user is not enrolled, perform enrollment by following the Enrollment guide.
Request Handling
A generic overview of how mobile authentication works is shown in the diagram below:
As you can see from the diagram above, the application has the following responsibilities:
- Passing the mobile authentication request received from the initiator to the SDK
- Responding to the confirmation request
- (optionally) Displaying a dialog to the end-user when his confirmation is required
- Sending the end-user's response back to the SDK
- Handling completion of the mobile authentication request
Once your application has retrieved an OTP, hand it over to the SDK for processing by calling handleMobileAuthWithOtp with the OTP code.
The SDK allows only one mobile authentication flow at a time. If a second flow is started while one is still in progress, a platform exception is thrown.
The SDK then fires two events that notify you about the status of the OTP authentication:
Event | Description |
---|---|
OpenAuthOtpEvent | Fired when the authentication has started but has not yet been accepted. Use the message from the event to show information to the end-user and ask for his permission to continue. |
CloseAuthOtpEvent | Fired when the authentication has completed. Use this event to close any dialogs you have opened. |
Additional information about the attributes these events may carry and how to handle them can be found in Event handling. Here is a small example of how you could listen to these events:
Responding to Authentication Requests
To finish the authentication you need to either accept or deny the authentication request. This is done with acceptMobileAuthConfirmation() and denyMobileAuthConfirmation(), as described in OtpAcceptDenyCallback.
After you call one of these functions, the original promise returned by handleMobileAuthWithOtp resolves.
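To tie the steps above together, here is an added example in TypeScript; it is not the SDK's or OneWelcome's own code. The OtpSdk interface uses the method and event names from this page, but its addEventListener() shape, the OtpAuthController class and the askUser/closeDialog callbacks are assumptions. It shows the single-flow guard, an explicit user confirmation before anything is accepted, and dialog teardown on CloseAuthOtpEvent.

```typescript
// Added example, not OneWelcome's SDK code. OtpSdk mirrors the calls named on
// this page; the addEventListener() shape and the controller are assumptions.
interface OtpEvent { type: "OpenAuthOtpEvent" | "CloseAuthOtpEvent"; message?: string }
interface OtpSdk {
  handleMobileAuthWithOtp(otp: string): Promise<void>;
  acceptMobileAuthConfirmation(): void;
  denyMobileAuthConfirmation(): void;
  addEventListener(listener: (e: OtpEvent) => void): () => void; // returns unsubscribe
}
type Decision = "accepted" | "denied";
type Prompt = (message: string) => Promise<boolean>; // confirmation dialog, true = approve
class OtpAuthController {
  private sdk: OtpSdk;
  private askUser: Prompt;
  private closeDialog: () => void;
  private inFlight = false;
  constructor(sdk: OtpSdk, askUser: Prompt, closeDialog: () => void) {
    this.sdk = sdk;
    this.askUser = askUser;
    this.closeDialog = closeDialog;
  }
  // Hands a scanned OTP to the SDK and resolves once the flow has finished.
  // The SDK permits one flow at a time, so a second call is refused up front.
  async authenticate(otp: string): Promise<Decision> {
    if (this.inFlight) throw new Error("mobile authentication already in progress");
    this.inFlight = true;
    let decision: Decision = "denied"; // nothing is accepted without an explicit "yes"
    let closed = false;
    const unsubscribe = this.sdk.addEventListener((e) => {
      if (e.type === "OpenAuthOtpEvent") {
        this.askUser(e.message ?? "").then((ok) => {
          if (closed) return; // flow already ended; a late answer must not act on it
          decision = ok ? "accepted" : "denied";
          if (ok) this.sdk.acceptMobileAuthConfirmation();
          else this.sdk.denyMobileAuthConfirmation();
        });
      } else if (e.type === "CloseAuthOtpEvent") {
        closed = true;
        this.closeDialog(); // tear down the dialog whether accepted or denied
      }
    });
    try {
      await this.sdk.handleMobileAuthWithOtp(otp); // resolves after accept/deny
      return decision;
    } finally {
      unsubscribe();
      this.inFlight = false;
    }
  }
}
```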