Activate the HID Approve Application

Users can activate HID Approve (registering the banking service) in either online or offline mode, and using the following methods:

Activation Method                                                     Activation Mode
Scanning a QR code with the application                               Online or Offline
Entering an Invite Code manually                                      Online only
Using an activation URL (for HID Approve Microsoft Windows 10 only)   Online or Offline
Entering a Key Secret manually                                        Offline only

For further information, see Customize the HID Approve Activation Mode.

Note: The following operations are transparent to the user during application installation and Service registration:
  • The HID Approve application obtains its Push ID from the mobile OS Push Service.

  • User's HID Approve application is registered into the ActivID AS database as well as in the Azure hub portal.

  • All of the keys needed for future logon or actions (that is, banking operations) are provisioned on the mobile during service registration.

  • The workflow is illustrated using JMS notifications to the web application. Alternatively, you can deploy a CIBA-based workflow as described in Configure Feedback for External Applications.

Important:  
  • By default, the Mobile provisioning URL used during registration is computed with local information (server name and port in the HTTP request).

  • If you are using a proxy in front of the ActivID AS, or the registration portal is installed on a front-end server, you must define the required URL (proxy server or back-end server). For example, in the banking demo, configure the application.config.mobile.activation.provisioningurl property.

  • Using the manual Invite Code registration method implies that some of the registration information is predefined (for further information, see Add a Service by Entering an Invite Code).

Install HID Approve

Prerequisites:  
  • ActivID AS and the banking web portal are deployed and configured for push-based validation.

  • The HID Approve application is configured according to deployment needs.

  • To use biometric authentication:
    • The device must be biometric-capable (that is, it has a fingerprint sensor and supports biometric authentication).
    • The user must enroll a fingerprint/face on the device.

  • The Root CA of the ActivID AS server SSL certificate is imported into your browser’s Trusted Root Certification Authorities Store.

  • If you are installing on a mobile device and the Root CA is not part of your device’s system Trusted Root CAs, make sure that you install your authentication server SSL Root CA certificate on the mobile device (and restart the HID Approve application if necessary) before registering the service.


  1. The user downloads and installs the HID Approve application:

    • For Android, download the app from Google Play®
    • For iOS and macOS, download the app from the Apple Store
    • For Windows, download the app from the Microsoft Store
    Note: Alternatively, you can provide the user with a deep link that checks if the application is already installed on the device. If it is not, the user is directed to the application on the relevant store, prompting them to install it.
  2. The user taps Open to launch the app on the device.

  3. Depending on the device’s operating system, the user then allows HID Approve to send notifications and/or access to the device’s camera.

  4. The user must make sure that the device has internet access (via WiFi or a mobile network).

Note: This step is important as the push-based solution relies on network exchanges.

Add a Service by Scanning a QR Code

Note: This method is supported for both online and offline activation.
  1. The user launches the HID Approve application and the Welcome page is displayed, explaining how to register a new service.

    [Welcome page screenshots: iOS/Android, macOS, Windows 10]

    The user taps the screen or clicks Scan your invite code.

  2. The user accesses your bank’s web portal to register as a new banking customer (or connects to the ActivID Self-Service Portal) and clicks Register New User.

  3. The user enters their details and clicks Create User.

  4. A QR code is generated by the portal.

    The portal:

    • Creates the user in ActivID AS.
    • Creates a Mobile push-based Validation device for the user.
    • Submits a device request to ActivID AS for the user.

    In ActivID AS, the user is registered with the following information:

    • A Mobile push-based validation device, with the PENDING status (a device issuance request exists for this device).
    • A Mobile Registration Authentication record.
    • A Mobile Registration Virtual Device assigned with a Mobile registration credential.
    • A Customer Static Password (created in previous step).

    Note:  
    • The Mobile push-based validation authentication record is not created yet.

    • The keys are not generated yet.

    • User and device issuance request creation are audited within ActivID AS.

  5. The user scans the QR code using the device’s camera.

    [Screenshots: iOS/Android, Windows 10]

  6. This initiates the registration process on the device.

    The QR code contains:

    • Registration protocol version
    • Service Provider server URL (online mode only)
    • Customer ID for the user
    • Device ID
    • Device Type code (mobile push-based Validation)
    • Channel code for Mobile Registration channel
    • Authentication policy code for Mobile Registration Authentication
    • Secret to initiate mobile registration (by default this is empty and the secret is computed as a hash of the shared secret below)
    • Shared secret for mobile registration protocol
    {
        "ver":"v7",
        "url": "<hostname>:<port>/<DOMAIN>",
        "uid": "CustomerID",
        "did": "11532",
        "dty": "DT_TDSV4",
        "pch": "CH_TDSPROV",
        "pth": "AT_TDSOOB",
        "sec": "",
        "pss": "NTBJQ0ROTDgwWQ=="
    }

    Transparently to the user:

    1. HID Approve calls the HID Approve SDK to authenticate to ActivID AS, passing on the provisioning server URL and one-time password.

    2. The one-time password is validated by ActivID AS.

      A valid one-time password establishes a session between the HID Approve SDK instance and ActivID AS.

    3. ActivID AS retrieves the device issuance request that was created during registration for the user.

    4. The HID Approve SDK calls ActivID AS to retrieve pending operations and to define the session transport keys used to establish a secure channel.

      These session keys are established via an Elliptic Curve Cryptography Diffie-Hellman (ECC-DH) key agreement protocol.

    5. The HID Approve SDK calls ActivID AS to retrieve pending operations to generate the user private/public key pair for the Logon validation credential.

      The public key is sent to ActivID AS and a Logon validation credential is created and linked to the Mobile push-based Validation device on ActivID AS. The corresponding Mobile push-based Logon Validation authenticator record is created.

    6. The HID Approve SDK calls ActivID AS to retrieve pending operations to generate the user private/public key pair for the Action validation credential.

      The Public key is sent to ActivID AS and the Action validation credential is created and linked to the Mobile push-based Validation device on ActivID AS. The corresponding Mobile push-based Action Validation authenticator record is created.

    7. The HID Approve SDK calls ActivID AS to retrieve pending operations to generate the user Mobile OATH event-based Credential.

      ActivID AS generates a key for the OATH credential and sends the value to the HID Approve SDK. The corresponding authenticator record is created (for example, Customer One Time Password authentication record).

    8. The HID Approve SDK calls ActivID AS to retrieve the customization for the registered service (label, color, and bitmap).

    9. The HID Approve SDK closes the session with ActivID AS when there are no more pending operations.

    10. To complete the service registration, the user might be required to set a new key protection password (see Customize the Key Protection Methods).

    Note:
    • The QR code payload is in JSON format.

    • If the QR code scan is rejected, the error message “This invite code is invalid. Please scan a correct QR code” is displayed and the user can start again.

    • If the network is not accessible, the service registration fails with the error “The internet connection appears to be offline”.

    • In offline mode, the process differs as there is no communication with the server.

    If the security policy requires that the service be protected by a password or biometric, the user is prompted to set a password (online) or PIN (offline).

    The password protection conditions depend on the key protection policy configured for the Device type (or individual Credential Type). For further information, see Customize the Key Protection Methods.

    Note: The biometric protection is enabled by the user in a separate workflow. For further information, see Enable Biometric Protection.

    [Set password screenshots: iOS/Android, macOS, Windows 10]

  7. The user enters and confirms a Password (or PIN in offline mode) and then taps OK.

  8. As the user types, the app displays the password rules (such as the number of upper or lower case characters).

    The success message is displayed.

    [Success message screenshots: iOS/Android, macOS, Windows 10]

At the end of the registration process:

  • On the device (when using the default configuration), there is:

    • One session transport key (made up of two AES keys, ENC and MAC) used for application updates and to secure validation operations.
    • One RSA private key for Logon Validation.
    • One RSA private key for Action Validation.
    • One OATH key for Secure Code generation.
    • One OATH OCRA key for Secure Code generation using Challenge/Response.
    • One OATH OCRA key for Secure Code generation using Signature.
  • If the keys are password-protected, the password protecting the signing keys has been updated by the device’s user.

  • In ActivID AS, the user is now fully registered and has:

    • A Mobile push-based Logon Validation authentication record (to validate Logon).
    • A Mobile push-based Action Validation authentication record (to validate Actions).
    • A Customer One-Time Password authentication record (to authenticate with Secure Code).
    • A Mobile application update authentication record (used for mobile Service communications).
    • A Mobile push-based Validation device, with the ACTIVE status, and four associated Credentials for Logon, Action, OTP (OATH), and Session Transport.

Add a Service by Entering an Invite Code

Note: This method is only supported for online activation.

When a camera is not available on the device, the user can manually register a Service using the Invite Code.

The Invite Code is displayed below the QR code generated by the web portal.

The transparent exchanges between the application, HID Approve SDK and ActivID AS are the same as those during the QR code registration.

However, when using the manual Invite Code method, only a subset of the registration information is sent to the mobile. This includes the following mandatory values:

  • User ID "uid"

  • Service URL "url"

  • Pre-shared-secret "pss"

For the optional parameters, the application uses its own default values as follows (they are not configurable):

  • Device Type "dty" = DT_TDSV4

  • Channel "pch" = CH_TDSPROV

  • Mobile registration Authentication Policy "pth" = AT_TDSOOB
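As an added example (not HID code and not the HID Approve SDK), the following Python parses and validates a registration QR payload in the JSON format shown in the QR code section above, and builds the equivalent registration data for a manually entered Invite Code using the documented defaults. The sample payload and its host name are constructed; the hash that derives the registration secret from pss is not documented here and is not reproduced.

```python
import base64
import binascii
import json
# Field names documented for the registration QR code payload.
QR_FIELDS = ("ver", "url", "uid", "did", "dty", "pch", "pth", "sec", "pss")
# Defaults the app applies for the optional fields of a manual Invite Code.
INVITE_CODE_DEFAULTS = {"dty": "DT_TDSV4", "pch": "CH_TDSPROV", "pth": "AT_TDSOOB"}
# Constructed sample payload, shaped like the one shown in the documentation.
SAMPLE_QR = ('{"ver":"v7","url":"as.example.test:8443/DEMO","uid":"CustomerID",'
             '"did":"11532","dty":"DT_TDSV4","pch":"CH_TDSPROV","pth":"AT_TDSOOB",'
             '"sec":"","pss":"NTBJQ0ROTDgwWQ=="}')

class RegistrationPayloadError(ValueError):
    """The scanned payload is not a usable registration invite."""

def parse_qr_payload(text, online=True):
    """Parse the JSON carried by a registration QR code and check it is complete.

    "url" is mandatory only in online mode (the offline QR code omits it because
    the device never contacts the server); "sec" may legitimately be empty.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        raise RegistrationPayloadError(f"payload is not JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise RegistrationPayloadError("payload must be a JSON object")
    unknown = sorted(set(data) - set(QR_FIELDS))
    if unknown:
        raise RegistrationPayloadError(f"unexpected fields: {unknown}")
    required = ["ver", "uid", "did", "dty", "pch", "pth", "pss"]
    if online:
        required.append("url")
    missing = [f for f in required if not data.get(f)]
    if missing:
        raise RegistrationPayloadError(f"missing or empty fields: {missing}")
    # The shared secret is base64; reject it if it does not decode cleanly.
    try:
        base64.b64decode(data["pss"], validate=True)
    except binascii.Error as exc:
        raise RegistrationPayloadError("pss is not valid base64") from exc
    return data

def payload_from_invite_code(uid, url, pss):
    """Registration data derived from a manually entered Invite Code: the three
    mandatory values plus the application's fixed defaults."""
    payload = {"uid": uid, "url": url, "pss": pss}
    payload.update(INVITE_CODE_DEFAULTS)
    return payload
```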

  1. The user taps enter invite manually.

    [Screenshots: iOS/Android, macOS, Windows 10]

  2. In the Add Service fields, the user enters the corresponding information as displayed by the portal.

    • Service URL
    • User ID
    • Invite code
  3. The user taps Validate to initiate the Service registration.

  4. If the security policy requires that the service be protected by a password or biometric, the user is prompted to set a password.

    The password protection conditions depend on the key protection policy configured for the Device type (or individual Credential Type). For further information, see Customize the Key Protection Methods.

    Note: The biometric protection is set by the user in a separate workflow. For further information, see Enable Biometric Protection.

    [Set password screenshots: iOS/Android, macOS, Windows 10]

  5. The user enters and confirms a Password and then taps OK.

  6. As the user types, the app displays the password rules (such as the number of upper or lower case characters).

    The success message is displayed.

    [Success message screenshots: iOS/Android, macOS, Windows 10]

Add a Service using an Activation URL

Note: This activation option is only available for the HID Approve Microsoft Windows 10 application.

If the user needs to register a service on the Microsoft Windows 10 PC or tablet that they are using for activation, an easy activation process is available, requiring minimal user input:

  1. The user clicks the activation link on the web page.

  2. The link automatically triggers the service registration on the HID Approve Microsoft Windows 10 Universal App.

  3. The user clicks OK to add the new service.

  4. If the security policy requires that the service be protected by a password or biometric, the user is prompted to set a password.

    The password protection conditions depend on the key protection policy configured for the Device type (or individual Credential Type). For further information, see Customize the Key Protection Methods.

  5. The user enters and confirms a Password and then taps OK.

  6. As the user types, the app displays the password rules (such as the number of upper or lower case characters).

    The success message is displayed.

Add a Service by Entering a Key Secret

When a camera is not available on the device, the user can manually register an offline Service using the Key Secret.

The Key Secret is displayed below the QR code generated by the web portal.

  1. The user selects to activate HID Approve in offline mode on their phone or tablet.

    [Screenshots: iOS, macOS, Windows 10]

  2. The user clicks Skip as the Service URL is not required in offline mode.

    [Screenshots: iOS, macOS, Windows 10]

  3. The user enters their User ID provided by your organization and the Key Secret displayed in the portal, and then clicks Validate.

    If the security policy requires that the service be protected, the user is prompted to set a PIN.

    The protection conditions depend on the key protection policy configured for the Device type. For further information, see Configure HID Approve Offline Soft Tokens.

    [Screenshots: iOS, macOS, Windows 10]

  4. The user enters and confirms a PIN.

    Once the details are entered, the new HID Approve service is successfully registered.

  5. The user should then perform a test authentication to verify the registration.

See Also:

Managing HID Approve Services