Mobile Authentication
The Mobile Identity module offers a user-friendly and secure mobile authentication mechanism. You can, for instance, use mobile authentication to add second-factor authentication to your product and require it for selected actions, like logging in to your website or accepting a payment transaction.
Mobile authentication is an extensive feature with a number of possibilities. For example, there are different ways in which a mobile authentication request is triggered or received on a mobile device:
With a One-Time Password (OTP), the user provides an OTP to confirm a mobile authentication transaction. Since the OTP is long, it is typically encoded as a QR code that the user scans with their mobile device.
The application has the following responsibilities:
- Passing the mobile authentication request received from the initiator to the Mobile SDK
- Responding to the confirmation request
- (optionally) Displaying a dialog to the user when their confirmation is required
- Sending the user response back to the Mobile SDK
- Handling completion of the mobile authentication request
Setting up mobile authentication
Configure the IDAAS-core to support this functionality. When the IDAAS-core is configured, you can enroll and handle mobile authentication requests using the Mobile SDK.
Enrollment
The enrollMobileAuthentication method enables the basic mobile authentication feature. Mobile authentication with OTP is possible after you have enrolled the user.
Successive invocations of enrollment for mobile authentication will re-enroll the device only if the mobile authentication override is enabled in the IDAAS-core configuration.
Note
We recommend performing the enrollMobileAuthentication step as soon as possible in your application, as it is quite resource intensive: it generates a private key and a certificate. The Mobile SDK requires an authenticated user to enroll for mobile authentication. The user can enroll for mobile authentication on every device on which they have installed your application.
// Enroll the currently authenticated user for mobile authentication.
await Onegini.instance.userClient.enrollMobileAuthentication()
    .then((value) {
      print("Mobile Authentication enabled!");
    })
    .catchError((onError) {
      // Runs only when enrollment fails; keeping it after then() means the
      // success message is not printed for a failed enrollment.
      print("An error occurred: $onError");
    });
Request handling
The OneWelcome Flutter SDK currently handles one type of mobile authentication request:
- OTP
Mobile authentication with OTP
The Mobile Identity module offers mobile authentication with a One-Time Password (OTP). Mobile authentication with OTP gives users an easy and secure way to perform two-factor authentication, or single-factor authentication in which no password is required. A good use case is, for example, letting a user log in to your web application with their mobile device by scanning a QR code displayed in the browser. This essentially lets the user authenticate using their mobile device. It also does not rely on third-party push services like APNs or FCM: all communication stays between the app, the web application, and the IDAAS-core.
Example scenario
An example implementation could work like this: a web application fetches the OTP from the IDAAS-core and displays it on the login page in the form of a QR code. The user then opens your mobile application, scans the QR code with their camera, and is automatically logged in to your website. Of course, it is up to you to choose how to implement it.
Setup and requirements
OTP mobile authentication requires configuration on the IDAAS-core side.
Enrollment
To use OTP, you only need to enroll for mobile authentication. If the user is not enrolled yet, you can perform enrollment.
Request handling
A generic overview of how mobile authentication functions is shown in the diagram below:
As you can see from the diagram above, the application has the following responsibilities:
- Passing the mobile authentication request received from the initiator to the SDK
- Responding to the confirmation request
- (optionally) Displaying a dialog to the end-user when their confirmation is required
- Sending the end-user response back to the SDK
- Handling completion of the mobile authentication request
Once you have retrieved an OTP in your application, hand it over to the SDK so that the SDK can process it. Use handleMobileAuthWithOtp to pass the OTP code.
// The string scanned from the QR code; "otpcode" is a placeholder value.
var qrCodeData = "otpcode";
await Onegini.instance.userClient.handleMobileAuthWithOtp(qrCodeData)
    .then((value) {
      // Resolves once the request has been accepted or denied (see below).
      print("Mobile Authentication finished!");
    })
    .catchError((onError) {
      print("An error occurred: $onError");
    });
The SDK emits two events that notify you about the status of the OTP authentication:
- OpenAuthOtpEvent: Fired when the authentication has started but has not yet been accepted. You can use the message from the event to show information to the user and ask for their permission to continue.
- CloseAuthOtpEvent: Fired when the authentication has completed; you can use this event to close any dialogs that you have opened.
Additional information about the attributes these events may carry and how to handle them can be found in event handling. Here is a small example of how you could listen to these events:
import 'dart:async';

var broadCastController = Onegini.instance.userClient.owEventStreamController;
// Only OpenAuthOtpEvent instances reach this listener; the cast gives typed
// access to event.message.
StreamSubscription<OWEvent> openAuthOtpSub = broadCastController.stream
    .where((event) => event is OpenAuthOtpEvent)
    .cast<OpenAuthOtpEvent>()
    .listen((event) {
  print("received otp message: ${event.message}");
});
StreamSubscription<OWEvent> closeAuthOtpSub = broadCastController.stream
    .where((event) => event is CloseAuthOtpEvent)
    .listen((event) {
  // Logic to handle the event, for example closing the confirmation dialog
});
// Cancel both subscriptions (openAuthOtpSub.cancel(), closeAuthOtpSub.cancel())
// when they are no longer needed, for example in the widget's dispose().
Responding to the authentication request
To finish the authentication, you need to either accept or deny the authentication request. This can be done with acceptMobileAuthConfirmation() and denyMobileAuthConfirmation(). After calling one of these functions, the original promise that you received from calling handleMobileAuthWithOtp will resolve.
// Accept the request, for example from the "Accept" button of your dialog:
await OneginiOtpAcceptDenyCallback().acceptAuthenticationRequest(context);
// Or deny it, for example from the "Deny" button (call only one of the two):
await OneginiOtpAcceptDenyCallback().denyAuthenticationRequest(context);
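The following class ties the pieces above together (enrollment, handing over the OTP, listening for OpenAuthOtpEvent and CloseAuthOtpEvent, showing a confirmation dialog and sending the accept/deny response) into one OTP round trip. It is an added example, not code from the OneWelcome SDK or its documentation. It assumes the SDK is imported from package:onegini/onegini.dart, that OpenAuthOtpEvent.message can be shown to the user as text, and that the accept/deny calls are the OneginiOtpAcceptDenyCallback methods shown on this page; the dialog texts and the class and method names OtpMobileAuthFlow, ensureEnrolled, run, _onOpen and _onClose are the example's own.

```dart
import 'dart:async';

import 'package:flutter/material.dart';
// Assumed import path for the OneWelcome (Onegini) Flutter SDK; adjust to your project.
import 'package:onegini/onegini.dart';

/// Drives one OTP mobile authentication round trip:
/// 1. subscribe to OpenAuthOtpEvent / CloseAuthOtpEvent before handing over the
///    OTP, so that no event is missed;
/// 2. hand the scanned OTP to the SDK;
/// 3. show a confirmation dialog with the event's message and send the user's
///    choice back with accept/deny, after which handleMobileAuthWithOtp resolves;
/// 4. close the dialog on CloseAuthOtpEvent and cancel the subscriptions.
class OtpMobileAuthFlow {
  OtpMobileAuthFlow(this.context);

  final BuildContext context;
  final List<StreamSubscription<OWEvent>> _subscriptions = [];
  bool _dialogOpen = false;
  bool _confirmed = false;

  /// Enrolls the authenticated user. Enrollment generates a key pair and a
  /// certificate, so call this early (for example right after login), not at
  /// QR scan time.
  Future<bool> ensureEnrolled() async {
    try {
      await Onegini.instance.userClient.enrollMobileAuthentication();
      return true;
    } catch (error) {
      debugPrint('Mobile authentication enrollment failed: $error');
      return false;
    }
  }

  /// Handles the OTP scanned from the QR code. Resolves to true only when the
  /// SDK accepted the OTP and the user confirmed; false when the user denied,
  /// dismissed the dialog, or the SDK rejected the OTP (for example because it
  /// expired or the device is not enrolled).
  Future<bool> run(String scannedOtp) async {
    // Reject obviously empty input before involving the SDK.
    if (scannedOtp.trim().isEmpty) return false;
    _confirmed = false;
    final stream = Onegini.instance.userClient.owEventStreamController.stream;
    _subscriptions.add(stream
        .where((event) => event is OpenAuthOtpEvent)
        .cast<OpenAuthOtpEvent>()
        .listen(_onOpen));
    _subscriptions.add(stream
        .where((event) => event is CloseAuthOtpEvent)
        .listen(_onClose));
    try {
      // Resolves only after acceptAuthenticationRequest or
      // denyAuthenticationRequest has been called, or when the SDK rejects the OTP.
      await Onegini.instance.userClient.handleMobileAuthWithOtp(scannedOtp);
      return _confirmed;
    } catch (error) {
      debugPrint('OTP mobile authentication failed: $error');
      return false;
    } finally {
      for (final sub in _subscriptions) {
        await sub.cancel();
      }
      _subscriptions.clear();
    }
  }

  Future<void> _onOpen(OpenAuthOtpEvent event) async {
    _dialogOpen = true;
    final accepted = await showDialog<bool>(
      context: context,
      barrierDismissible: false, // the user must decide explicitly
      builder: (dialogContext) => AlertDialog(
        title: const Text('Confirm login'),
        // The SDK-provided message describes the request to the user.
        content: Text('${event.message}'),
        actions: [
          TextButton(
              onPressed: () => Navigator.of(dialogContext).pop(false),
              child: const Text('Deny')),
          TextButton(
              onPressed: () => Navigator.of(dialogContext).pop(true),
              child: const Text('Accept')),
        ],
      ),
    );
    _dialogOpen = false;
    // A dialog closed without a choice (null) is treated as a denial: fail closed.
    _confirmed = accepted == true;
    final callback = OneginiOtpAcceptDenyCallback();
    if (_confirmed) {
      await callback.acceptAuthenticationRequest(context);
    } else {
      await callback.denyAuthenticationRequest(context);
    }
  }

  void _onClose(OWEvent event) {
    // The SDK reports completion; if the dialog is still open (for example the
    // request timed out on the server side), pop it so the user is not left
    // with a stale prompt. Popping with false makes _onOpen send a denial.
    if (_dialogOpen) {
      Navigator.of(context, rootNavigator: true).pop(false);
    }
  }
}
```

Typical use from the screen that scans the QR code is `final ok = await OtpMobileAuthFlow(context).run(scannedText);`, with `ensureEnrolled()` called once after the user authenticates. Subscribing before calling handleMobileAuthWithOtp matters because the SDK may emit OpenAuthOtpEvent immediately; defaulting every non-explicit outcome to a denial keeps the flow fail-closed.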