5. Temenos Digital Mobile Banking with HID Approve SDK & RMS

5.1 Registration (Mobile Channel Only)

Customer has received the customer ID and Activation Code using the Temenos components.
Customer installs the banking mobile application and launches it.
Customer is prompted to enter the customer ID and Activation Code.
Customer enters the customer ID and Activation Code.
Activation code is successfully validated on the HID Authentication Service.
Customer’s device is provisioned, and the registration process begins.
Customer is prompted to add the PIN.
Customer is prompted to enable Biometrics.
Customer device registration is completed.

5.2 Login Web Channel (Secure Code)

Customer accesses the online banking application.
Online banking application requests JS probe and session data from RMS.
1. RMS generates session data and returns it to Online banking application.
2. Online banking application caches session data and sends data gathered by probe to RMS.
Customer chooses the option to log in with Secure Code.
Customer is prompted to enter the customer ID and Secure Code.
Customer launches the mobile application.
Mobile application checks the key validity and initiates Approve SDK key renewal if the keys are about to expire (prompt the user for PIN or Biometrics).
Key renewal successful message is displayed to the customer.
Customer selects the option to generate Secure Code.
If Biometrics is enabled else go to the next step.
1. Mobile application calls the HID Approve SDK to generate Secure Code.
2. Customer is prompted to provide biometrics.
3. Customer provides biometrics (e.g., TouchID or FaceID).
4. HID Approve SDK returns Secure Code.
5. Mobile application displays Secure Code to customer.
Mobile application prompts the customer to enter the PIN.
1. Customer enters PIN.
2. Mobile application requests the HID Approve SDK to generate Secure Code.
3. HID Approve SDK returns Secure Code.
4. Mobile application displays Secure Code to customer.
Customer enters the Secure Code in the online banking application.
Secure Code is validated against the HID Authentication Service.
Online banking application calls RMS to create session and get risk data (allow, step-up, block).
If BLOCK
1. Online banking application calls RMS to reject login.
2. Online banking application denies access to account.
If STEP-UP
1. Online banking application requests for Push authentication.
2. HID Authentication Service sends Push to Customer.
3. Mobile application displays Push notification.
4. Customer actions notification.
5. HID Approve SDK requests transaction data from HID Authentication Service.
6. Mobile application prompts customer to approve transaction.
7. Customer approves transaction.
8. If Biometrics is enabled else go to the next step.
  1. Mobile application calls the HID Approve SDK to sign transaction.
  2. Customer is prompted to provide biometrics.
  3. Customer provides biometrics (e.g., TouchID or FaceID).
9. Mobile application prompts the customer to enter the PIN.
  1. Customer enters PIN.
  2. Mobile application calls the HID Approve SDK to sign transaction.
10. HID Approve SDK returns signs transaction and sends to HID Authentication Service.
11. Transaction validated against the HID Authentication Service.
12. Push feedback received by Online banking application.
13. Online banking application calls RMS to create session and login.
14. Customer is logged in successfully.
If ALLOW
1. Online banking application calls RMS to create session and login.
2. Customer is logged in successfully.

5.3 Login Web Channel (Scan 2 Approve - Explicit)

Customer accesses the online banking application.
Online banking application requests JS probe and session data from RMS.
1. RMS generates session data and returns it to Online banking application.
2. Online banking application caches session data and sends data gathered by probe to RMS.
Customer chooses the option to log in.
Customer is prompted to scan the QR code (Scan 2 Approve).
Customer launches the mobile application.
Mobile application checks the key validity and initiates Approve SDK key renewal if the keys are about to expire else go to the next step.
Customer selects the option to scan the QR Code (Scan 2 Approve) to log in.
If Biometrics is enabled else go to the next step.
1. Customer is prompted to provide biometrics.
2. Customer provides biometrics (e.g., TouchID or FaceID).
3. Mobile application displays login information to the customer.
4. Customer Approves or Declines the login attempt.
Mobile application prompts the customer to enter the PIN.
1. Customer enters PIN.
2. Mobile application displays login information to the customer.
3. Customer Approves or Declines the login attempt.
HID Approve SDK signs and sends the signed login transaction to HID Authentication Service for validation.
HID Authentication Service sends the customer transaction feedback to the online banking application.
Online banking application calls RMS to create session and get risk data (allow, block).
If BLOCK
1. Online banking application calls RMS to reject login.
2. Online banking application denies access to account.
If ALLOW
1. Online banking application calls RMS to login.
Customer is logged in successfully.

5.4 Login Mobile Channel (Secure Code)

Customer launches the mobile application.
Mobile application checks the key validity and initiates Approve SDK key renewal if the keys are about to expire (prompt the user for PIN or Biometrics).
Key renewal successful message is displayed to the customer.
HID RMS SDK requests session data from RMS.
1. RMS generates session data and returns it to HID RMS SDK.
2. HID RMS SDK caches session data.
Mobile application displays the username based on the service or container already registered using the Approve SDK.
Customer clicks on Next to log in to the mobile application (only required if multiple containers are found).
Mobile application checks if biometrics is enabled for the service.
If Biometrics is enabled else go to the next step.
1. Mobile application calls the HID Approve SDK to generate Secure Code.
2. Customer is prompted to provide biometrics.
3. Customer provides biometrics (e.g., TouchID or FaceID).
4. HID Approve SDK sends the Secure Code and validated against the HID Authentication Service.
Mobile application prompts the customer to enter the PIN.
1. Customer enters PIN.
2. Mobile application requests the HID Approve SDK to generate Secure Code.
3. HID Approve SDK sends the Secure Code to validate against the HID Authentication Service.
Secure Code is validated against the HID Authentication Service.
Mobile application sends session and user data to Temenos Digital.
Temenos Digital calls RMS to create session and get risk data (allow, block).
If BLOCK
1. Temenos Digital calls RMS to reject login.
2. Temenos Digital sends decision to mobile application.
3. Mobile application denies access to account.
If ALLOW
1. Temenos Digital calls RMS to login.
2. Temenos Digital sends decision to mobile application.
3. Customer is logged in successfully.
Note: In the mobile channel, Secure Code authentication can also be used by customers to authorize any non-financial transactions such as updating a mobile number or email address, etc.

5.5 Transaction Web Channel (Push-based)

Customer initiates transaction in the online banking application.
Online banking application calls RMS to create payment and get risk data (allow, step-up, block).
If BLOCK
1. Online banking application calls RMS to reject payment.
2. Online banking application denies transaction.
If STEP-UP
1. Online banking application requests for Push authentication.
2. HID Authentication Service sends Push to Customer.
3. Mobile application displays Push notification.
4. Customer actions notification.
5. HID Approve SDK requests transaction data from HID Authentication Service.
6. Mobile application prompts customer to approve transaction.
7. Customer approves transaction.
8. If Biometrics is enabled else go to the next step.
  1. Mobile application calls the HID Approve SDK to sign transaction.
  2. Customer is prompted to provide biometrics.
  3. Customer provides biometrics (e.g., TouchID or FaceID).
9. Mobile application prompts the customer to enter the PIN.
  1. Customer enters PIN.
  2. Mobile application calls the HID Approve SDK to sign transaction.
10. HID Approve SDK returns signs transaction and sends to HID Authentication Service.
11. Transaction validated against the HID Authentication Service.
12. Push feedback received by Online banking application.
13. Online banking application calls RMS to sign and accept the transaction.
14. Transaction completed successfully.
If ALLOW
1. Online banking application calls RMS to sign and accept the transaction.
2. Transaction completed successfully.
Note: This workflow can also be used for any non-financial transactions such as updating a mobile number or email address, etc.

5.6 Transaction Web Channel (Offline Secure Code)

Customer initiates transaction in the online banking application.
Online banking application calls RMS to create payment and get risk data (allow, step-up, block).
If BLOCK
1. Online banking application calls RMS to reject payment.
2. Online banking application denies transaction.
If STEP-UP
1. Customer is prompted to enter Secure Code and displayed a QR code or data parameters (e.g., Account Number and Amount).
2. Customer launches the mobile application.
3. Customer chooses the option Signature or QR scan.
4. Customer selects one of the options and depending on the option chosen they enter the data values or scan the QR code.
  1. If Biometrics is enabled else go to the next step.
    
    Mobile application calls the HID Approve SDK to sign the transaction.
    
    Customer is prompted to provide biometrics.
    
    Customer provides biometrics (e.g., TouchID or FaceID).
  2. Mobile application prompts the customer to enter the PIN.
    
    Customer enters PIN.
    
    Mobile application calls the HID Approve SDK to sign the transaction.
5. HID Approve SDK returns signing Secure Code.
6. Customer enters the Secure Code in the online banking application.
7. Online banking application sends the data values and signing Secure Code to the HID Authentication Service for validation.
8. Online banking application calls RMS to sign and accept the transaction.
9. Transaction completed successfully.
If ALLOW
1. Online banking application calls RMS to sign and accept the transaction.
Transaction completed successfully.

5.7 Transaction Mobile Channel (Secure Code or Signature)

Customer initiates transaction in the mobile banking application.
Mobile application sends session and transaction request to Temenos Digital.
Temenos Digital calls RMS to create payment and get risk data (allow, step-up, block).
If BLOCK
1. Temenos Digital calls RMS to reject payment.
2. Temenos Digital sends decision to mobile application.
3. Mobile application denies transaction.
If STEP-UP
1. Temenos Digital sends decision to mobile application.
2. If Biometrics is enabled else go to the next step.
  1. Mobile application calls the HID Approve SDK with the transaction data to generate Signature Secure Code.
  2. Customer is prompted to provide biometrics.
  3. Customer provides biometrics (e.g., TouchID or FaceID).
3. Mobile application prompts the customer to enter the PIN.
  1. Customer enters PIN.
  2. Mobile application requests the HID Approve SDK to generate Secure Code.
4. HID Approve SDK returns signing Secure Code.
5. Mobile application sends the Secure Code and transaction data to the HID Authentication Service for validation.
6. Secure Code is validated against the HID Authentication Service.
7. Temenos Digital calls RMS to sign and accept the transaction.
8. Transaction completed successfully.
If ALLOW
1. Temenos Digital calls RMS to sign and accept the transaction.
2. Temenos Digital sends decision to mobile application.
Transaction completed successfully.

5.8 Forgotten HID Approve PIN or Locked PIN or Device Lost or Stolen

If a customer has forgotten the PIN for HID Approve SDK or has locked the HID Approve SDK service by entering an incorrect PIN value, it is not possible to recover the PIN and the customer must re-register the HID Approve SDK service on this device. Similarly, if a customer has lost their device or the device is stolen, they must re-register the new device. In both cases above customer needs a new Activation Code so they can re-register.
If the customer has a second device registered, they can log in to web or mobile banking using the secondary device, authorize the action using the same device, and request a new Activation Code. Please note that this requires Temenos Digital to integrate with Spotlight so a new Activation Code request can be made. If the customer has only a single device registered, then they must contact the bank help desk to reset their account and request a new Activation Code. Please note that Spotlight integration is out of scope for HID Global.

5.9 Additional Device Registration

Registering an additional device requires a new Activation Code. Customers can log in to web or mobile banking using the secondary device, authorize the action using the same device, and request a new Activation Code. Please note that this requires Temenos Digital to integrate with Spotlight so a new Activation Code request can be made. Please note that Spotlight integration is out of scope for HID Global.

5.10 Device Management Web

Login to the web or mobile banking applications.
Go to the device management menu and initiate the action of suspending or deleting a device.

Note: If a customer only has one registered device, sufficient warning must be provided to say that they will be unable to log in to banking channels after continuing this action. They will need to contact the bank for assistance.
Online banking application calls RMS to create action and get risk data (allow, step-up, block).
If BLOCK
1. Online banking application calls RMS to reject action.
2. Online banking application denies device management.
If STEP-UP
1. Online banking application requests for Push authentication.
2. HID Authentication Service sends Push to Customer.
3. Mobile application displays Push notification.
4. Customer actions notification.
5. HID Approve SDK requests transaction data from HID Authentication Service.
6. Mobile application prompts customer to approve transaction.
7. Customer approves transaction.
8. If Biometrics is enabled else go to the next step.
  1. Mobile application calls the HID Approve SDK to sign transaction.
  2. Customer is prompted to provide biometrics.
  3. Customer provides biometrics (e.g., TouchID or FaceID).
9. Mobile application prompts the customer to enter the PIN.
  1. Customer enters PIN.
  2. Mobile application calls the HID Approve SDK to sign transaction.
10. HID Approve SDK returns signs transaction and sends to HID Authentication Service.
11. Transaction validated against the HID Authentication Service.
12. Push feedback received by Online banking application.
13. Online banking application calls RMS to sign and accept the action.
14. Device management completed successfully.
If ALLOW
1. Online banking application calls RMS to sign and accept the action.
2. Device management completed successfully.
Note: If the customer does not have internet access on the mobile device the bank can provide an option to customers so they can authorize the action by authenticating using Secure Code.

5.11 Secure Code Authentication Policy Reset Failure Counter

A Secure Code authentication policy on the HID Authentication Service can be blocked due to customers entering incorrect Secure Codes for authentication to web or mobile banking channels. Even if a customer has multiple devices registered login from all devices will be impacted if the authentication policy on the backend is blocked. The customer must contact the bank help desk so the bank can reset the failure counter of the authentication policy from Spotlight. It is recommended that the bank staff perform Identity and Verification before resetting the failure counter. Please note that Spotlight integration is out of scope for HID Global.

Note: If Spotlight does not have the functionality, it is recommended that the system integrator updates the component to support it.

5.12 Push Authentication Policy Reset Challenge Counter

It is possible to configure the number of times a customer can request push notifications on the HID Authentication Service without actioning the push request. This configuration prevents the bank customers from being exposed to DDOS attacks. If this is configured to a limited number of requests and the customer has exceeded the threshold then they will not be able to request for push notifications anymore. The customer must contact the bank help desk so the bank can reset the failure counter of the push authentication policies from Spotlight. It is recommended that the bank staff perform Identity and Verification before resetting the challenge counter.

Note: If Spotlight does not have the functionality, it is recommended that the system integrator updates the component to support it.

5.13 Change HID Approve SDK Service PIN

Customer logs in to the Mobile Application.
Customer requests to change the PIN in the mobile application.
Mobile application prompts the customer to enter their old PIN and create a new PIN.
Customer enters old and new PIN.
Mobile application requests HID Approve SDK to change the PIN.
HID Approve SDK updates the PIN.
PIN change is completed successfully.

Note: Please note that this workflow can also be made applicable or implemented if the PIN policy for the HID Approve SDK Service is set to expire after N number of days. If the PIN expires then the mobile application should handle the exception and take the customer through the same process so they can set the new PIN.