Approve Logons or Actions

The HID Approve application offers the convenience and security of:

  • Logon validation – push-based authentication using notifications

  • Action validation – push-based transaction signing using notifications

The logon or action parameters are passed to the application through a notification, allowing the user to sign this data with their private key.

Note:
  • The look and feel of the notifications can be customized to meet your branding/deployment requirements.

  • To use biometric authentication as the key protection method, the corresponding key protection option must be enabled (see Key Protection Policy Parameters).

Approve a Logon Request

  1. The user logs on to your bank’s web portal using their credentials.

    1. The banking application calls ActivID Appliance to submit the Logon validation data and deliver a challenge to the user’s mobile device via push notification. This call contains the:
      • User ID
      • Device ID
      • Logon message to be displayed
      • Possible approval statuses (the Status options offered to the user, for example Approve and Decline)
    2. ActivID Appliance generates an OOB message and sends it to the selected device via a push notification. The OOB message is encrypted with the device transport key and contains the:
      • Challenge (Logon request) Identifier
      • One-time password (OTP)
      • Security domain, channel and authentication details
      • Device ID

    The push notification is then sent to the mobile device.

  2. The HID Approve application receives the push notification:

    1. It decrypts the OOB message using its transport key and recovers the:

      • Challenge (Logon request) Identifier
      • One-time password (OTP)
      • Security domain, channel
      • Device ID (device serial number)

    2. It calls the HID Approve SDK to retrieve the Logon validation data.

    3. The HID Approve SDK generates the Logon validation data retrieval request encrypted using the transport key and submits it to ActivID Appliance. It contains the:

      • Challenge Identifier
      • One-time password (OTP)

    4. ActivID Appliance verifies the one-time password and retrieves the stored Logon validation data and the Status options.
    5. If the one-time password has expired (for example, because the notification was delayed), the authentication fails.

    6. ActivID Appliance returns the Logon validation data (encrypted with the device transport key) and the Status options (plaintext) to the HID Approve SDK, which passes them to the HID Approve application.
  3. The user accesses the notification content:

    • If the application is already open:
      • The notification content is displayed immediately if the service is not protected by a password or biometric.
      • Otherwise, the user is prompted to enter their password or biometric.
    • If the application is closed:
      • The user selects the notification.
      • The application starts and the notification content is displayed immediately if the service is not protected by a password or biometric.
      • Otherwise, the user is prompted to enter their password or biometric after the application starts.

    [Screenshots: password prompt on iOS/Android, macOS and Windows 10]

    [Screenshot: biometric prompt (Android, iOS and macOS only)]

  4. The user enters the password and taps OK, or provides their biometric credential (fingerprint/face).

  5. The HID Approve application displays the Logon validation data to the user and asks the user to select one of the Status options (that is, Approve or Decline).

  6. The user reviews the notification content.

    [Screenshots: notification content on iOS/Android, macOS and Windows 10]

  7. The user swipes the Approve button from left to right.

  8. The success message is displayed.

    Note: If the user has waited longer than the password caching timeout, they are prompted to enter the password again.

    [Screenshots: success message on iOS/Android, macOS and Windows 10]

    Optionally, the Password Caching option can be disabled so that the user sees the notification content immediately; the password or biometric is then requested after the user has swiped Approve or Decline. For further information, see Key Protection Policy Parameters.

  9. If the application was open before the notification, the previous screen is displayed.

  10. If the application was closed or in the background before the notification, the application fades back into the background.

    Note: For a logon request, the user authenticates using their Mobile push-based Logon Validation authentication record and signs their approval with the corresponding Mobile push-based Logon Validation keys (the action case uses a separate record and keys; see Approve an Action). Once the user has swiped Approve or Decline, the following exchange takes place:
    1. The HID Approve application calls the HID Approve SDK to sign the Logon validation data and set the Status for the transaction (that is, Approve or Decline).
    2. The HID Approve SDK signs the Logon validation data and Status with the user’s private key.
    3. This data, encrypted with transport keys, is submitted to ActivID Appliance for validation.
    4. ActivID Appliance validates the signed Logon validation data.
    5. Upon completion of the signature validation, an ActivID Appliance audit entry is created and a notification is raised.

      The following data is audited in ActivID Appliance:

      • Logon validation data
      • Signature value
      • Public key corresponding to the private key used to sign the Logon validation data
      • User ID and device ID
      • Correlation ID (that is, external transaction ID)
    6. Note: When the signature validation is complete, the authentication record statistics are updated (the authentication counter is incremented once), and the transaction challenge is deleted from the challenge table.
      • The Logon validation data is deleted even if the authentication has failed for some reason, so the same challenge cannot be answered a second time.

      • Other Logon validation data pending for that user is not deleted.

    7. ActivID Appliance returns the result of the signature validation to the HID Approve SDK, which passes it to the HID Approve application.
    8. ActivID Appliance notifies the bank web portal application of the outcome of the push-enabled authorization process. (The portal will have been waiting for either this notification or a timeout.)
    9. The portal informs the user of the outcome of the push-enabled authorization (for example, by displaying the home page for the user).
  11. The user is automatically logged in to the web application and can access the banking application.

  12. Log on to the ActivID Management Console to check the user’s statistics.

Approve an Action

  1. The user logs on to your bank’s web portal and requests an action (for example, to add a beneficiary).

  2. A notification is sent to the user’s device.

  3. The action approval workflow is the same as that for the logon request approval as described in Approve a Logon Request.

  4. When the action has been approved, the user returns to the banking application and verifies that the beneficiary has been added.

  5. Note: The exchanges between the bank web portal, ActivID Appliance and the HID Approve application are similar to the Logon Validation use case. However, in this case, the user authenticates using their Mobile push-based Action Validation authentication record and signs their approval with their Mobile push-based Action Validation keys.
  6. Log on to the ActivID Management Console to check the user’s statistics.
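The exchange described in Approve a Logon Request, and reused unchanged for Approve an Action, is modelled below as an added example. It is not HID code and not the HID Approve SDK or ActivID Appliance API; the type and function names (Appliance, Device, Submit, RetrieveData, Approve, Validate, RunApproval) are hypothetical. It assumes ECDSA P-256 as the user's push-validation key, a SHA-256 digest over the validation data and the chosen status as the signed value, a 2-minute OTP lifetime, and the simple wire formats shown; the transport-key encryption of the OOB message and of the retrieved data is omitted (the messages are passed as plain structs), a single key pair stands in for the separate Logon Validation and Action Validation keys, and the status is not checked against the stored Status options. What it does show is the behaviour the page describes: the push carries only a challenge reference and an OTP, the data is released only against a valid and unexpired OTP, the status is signed together with the data it answers, and the challenge is consumed on the first validation attempt whether or not that attempt succeeds.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// OOBMessage is the push payload: a challenge reference plus the OTP, never the
// validation data itself. (The product encrypts it with the transport key; omitted here.)
type OOBMessage struct{ ChallengeID, OTP string }

// Approval is the device's reply: validation data and chosen status signed together.
// Signature is ASN.1 ECDSA over digest(Data, Status); this wire format is an assumption.
type Approval struct{ ChallengeID, Data, Status string; Signature []byte }
type challenge struct{ data, otp string; expires time.Time }

// Appliance models the server side (ActivID Appliance); Device the app plus SDK.
type Appliance struct {
	devicePub   *ecdsa.PublicKey // user's registered push-validation public key
	pending     map[string]*challenge
	AuthCounter int
}
type Device struct{ priv *ecdsa.PrivateKey }

func randomHex(n int) string { b := make([]byte, n); rand.Read(b); return fmt.Sprintf("%x", b) }

// digest binds the status to the exact data it answers, so neither can be swapped.
func digest(data, status string) []byte { h := sha256.Sum256([]byte(data + "\x00" + status)); return h[:] }

// NewPair provisions one device: a signing key pair whose public half is registered.
func NewPair() (*Appliance, *Device) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Appliance{&priv.PublicKey, map[string]*challenge{}, 0}, &Device{priv}
}

// Submit: the portal asks the appliance to challenge the user's device; the result
// is the OOB message that goes out as the push notification (2-minute OTP, assumed).
func (a *Appliance) Submit(msg string, now time.Time) OOBMessage {
	id, otp := randomHex(8), randomHex(8)
	a.pending[id] = &challenge{msg, otp, now.Add(2 * time.Minute)}
	return OOBMessage{id, otp}
}

// RetrieveData: the SDK presents challenge ID + OTP. An expired OTP (delayed
// push) or a wrong OTP is rejected before any validation data is released.
func (a *Appliance) RetrieveData(cid, otp string, now time.Time) (string, error) {
	c, ok := a.pending[cid]
	switch {
	case !ok:
		return "", errors.New("unknown challenge")
	case now.After(c.expires):
		return "", errors.New("OTP expired: notification delivered too late")
	case subtle.ConstantTimeCompare([]byte(c.otp), []byte(otp)) != 1:
		return "", errors.New("bad OTP")
	}
	return c.data, nil
}

// Approve: once the user has unlocked the key (password/biometric) and picked a
// status, the SDK signs data+status with the private key.
func (d *Device) Approve(cid, data, status string) Approval {
	sig, _ := ecdsa.SignASN1(rand.Reader, d.priv, digest(data, status))
	return Approval{cid, data, status, sig}
}

// Validate checks the signature, increments the authentication counter and deletes
// the challenge even when validation fails, so it can never be answered twice.
func (a *Appliance) Validate(ap Approval) (string, error) {
	c, ok := a.pending[ap.ChallengeID]
	if !ok {
		return "", errors.New("unknown or already consumed challenge")
	}
	defer delete(a.pending, ap.ChallengeID)
	a.AuthCounter++
	if ap.Data != c.data || !ecdsa.VerifyASN1(a.devicePub, digest(ap.Data, ap.Status), ap.Signature) {
		return "", errors.New("validation data mismatch or invalid signature")
	}
	return ap.Status, nil
}

// RunApproval drives one full exchange for a logon or an action message; delay
// models a late push delivery. Returns the status the appliance accepted.
func RunApproval(msg, status string, delay time.Duration) (string, error) {
	app, dev := NewPair()
	t0 := time.Now()
	m := app.Submit(msg, t0)
	data, err := app.RetrieveData(m.ChallengeID, m.OTP, t0.Add(delay))
	if err != nil {
		return "", err
	}
	return app.Validate(dev.Approve(m.ChallengeID, data, status))
}

func main() { fmt.Println(RunApproval("Logon to Example Bank from 203.0.113.7", "Approve", 0)) }
```

For an action, the only difference on the wire is the message text (the transaction details, for example the beneficiary to add) and, in the product, the authentication record and key pair used; the OTP check, the signature over data plus status, and the one-shot deletion of the challenge are the same. A useful property to verify in any such implementation is that flipping the status after signing, replaying a consumed challenge, or answering after the OTP lifetime are all rejected, and that a failed attempt still increments the authentication counter and removes the challenge.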