Temenos Digital Mobile Banking with HID Approve SDK

1.1 Registration (Mobile Channel Only)

  1. Customer receives the customer ID and Activation Code using the Temenos components.

  2. Customer installs and launches the banking mobile application.

  3. Customer is prompted to enter the customer ID and Activation Code.


  4. Customer enters the customer ID and Activation Code.

  5. Activation Code is successfully validated on the HID Authentication Service.

  6. Customer's device is provisioned, then the registration process begins.

  7. Customer is prompted to add the PIN.

  8. Customer is prompted to enable Biometrics.

  9. Customer device registration is completed.

1.2 Login Web Channel (Secure Code)

  1. Customer logs in to the online banking application and chooses the option to log in with Secure Code.

  2. Customer is prompted to enter the customer ID and Secure Code.

  3. Customer launches the mobile application and selects the option to generate Secure Code.

  4. If Biometrics is enabled, the customer is prompted to provide biometrics. Otherwise, proceed to the next step.

    1. Mobile application calls HID Approve SDK to generate Secure Code.

    2. Customer is prompted to provide biometrics.

    3. Customer provides biometrics (e.g., TouchID or FaceID).

    4. HID Approve SDK returns Secure Code.

    5. Mobile application displays the Secure Code to the customer.

    6. Mobile application checks the key validity and initiates Approve SDK key renewal if the keys are about to expire.

  5. Mobile application prompts the customer to enter the PIN.

    1. Mobile application then requests HID Approve SDK to generate a Secure Code.

    2. HID Approve SDK returns the Secure Code.

    3. Mobile application displays the Secure Code to the customer.

    4. Mobile application checks the key validity and initiates Approve SDK key renewal if the keys are about to expire.

  6. Customer enters the Secure Code in the online banking application.

  7. Secure Code is verified using the HID Authentication service.

  8. If the verification is successful, the customer is logged in.

1.3 Login Web Channel (Scan 2 Approve - Explicit)

  1. Customer accesses the online banking application and chooses to log in.

  2. Customer is prompted to scan the QR code (Scan 2 Approve).

  3. Customer launches the mobile application.

  4. Mobile application checks the key validity and initiates Approve SDK key renewal if the keys are about to expire. Otherwise, proceed to the next step.

  5. Customer selects the option to scan the QR Code (Scan 2 Approve) to log in.

  6. If Biometrics is enabled, the customer is prompted to provide biometrics. Otherwise, proceed to the next step.

    1. Customer provides biometrics (e.g., TouchID or FaceID).

    2. Mobile application displays login information to the customer.

    3. Customer approves or declines the login attempt.

  7. Mobile application prompts the customer to enter their PIN.

    1. Customer enters PIN.

    2. Mobile application displays login information to the customer.

    3. Customer approves or declines the login attempt.

  8. HID Approve SDK signs and sends the signed login transaction to the HID Authentication Service for validation.

  9. HID Authentication Service sends the customer transaction feedback to the online banking application.

  10. Online banking completes or denies the login based on the customer's action (Approve or Decline).

1.4 Login Mobile Channel (Secure Code)

  1. Customer launches the mobile application.

  2. Mobile application displays the username based on the service or container already registered using the Approve SDK.

  3. Customer clicks on Next to log in to the mobile application (only required if multiple containers are found).

  4. Mobile application checks if biometrics is enabled for the service.

  5. If Biometrics is enabled, the customer is prompted to provide biometrics. Otherwise, proceed to the next step.

    1. Mobile application calls the HID Approve SDK to generate Secure Code.

    2. Customer is prompted to provide biometrics.

    3. Customer provides biometrics (e.g., TouchID or FaceID).

    4. HID Approve SDK returns Secure Code.

  6. Mobile application prompts the customer to enter the PIN.

    1. Mobile application requests the HID Approve SDK to generate Secure Code.

    2. HID Approve SDK returns Secure Code.

  7. Mobile application sends the Secure Code to the HID Authentication Service for validation.

  8. Mobile application checks the key validity and initiates Approve SDK key renewal if the keys are about to expire.

  9. Customer is logged in successfully if the authentication is successful.

    Note: In the mobile channel, Secure Code authentication can also be used by customers to authorize non-financial transactions such as updating a mobile number or email address.

1.5 Transaction Web Channel (Push-based)

  1. Customer initiates transaction in the online banking application.

  2. Customer is sent a push notification to the mobile application.

  3. Customer actions the push notification and approves the transaction.

  4. If Biometrics is enabled, the customer is prompted to provide biometrics. Otherwise, proceed to the next step.

    1. Mobile application calls the HID Approve SDK to sign the transaction.

    2. Customer is prompted to provide biometrics.

    3. Customer provides biometrics (e.g., TouchID or FaceID).

    4. HID Approve SDK signs and sends the signed transaction to HID Authentication Service for validation.

  5. Mobile application prompts the customer to enter the PIN.

    1. Mobile application calls the HID Approve SDK to sign a transaction.

    2. HID Approve SDK signs and sends the signed transaction to HID Authentication Service for validation.

  6. HID Authentication Service sends the customer transaction feedback to the online banking application.

  7. Online banking completes or denies the transaction based on the customer's action (Approve or Decline).

    Note: This workflow can also be used for non-financial transactions such as updating a mobile number or email address.

1.6 Web Channel (Offline Secure Code)

  1. Customer initiates transaction in the online banking application.

  2. Customer is prompted to enter a Secure Code and is shown a QR code or data parameters (e.g., Account Number and Amount).

  3. Customer launches the mobile application and chooses the option Signature or QR scan.

  4. Customer selects one of the options and, depending on the option chosen, enters the data values or scans the QR code.

    1. If Biometrics is enabled, the customer is prompted to provide biometrics. Otherwise, proceed to the next step.

      1. Mobile application calls the HID Approve SDK to sign the transaction.

      2. Customer is prompted to provide biometrics.

      3. Customer provides biometrics (e.g., TouchID or FaceID).

      4. HID Approve SDK returns signing Secure Code.

    2. Mobile application prompts the customer to enter the PIN.

      1. Mobile application calls the HID Approve SDK to sign the transaction.

      2. HID Approve SDK returns signing Secure Code.

  5. Customer enters the Secure Code in the online banking application.

  6. Online banking application sends the data values and signing Secure Code to the HID Authentication Service for validation.

  7. Customer can complete the transaction if authentication is successful.

1.7 Transaction Mobile Channel (Secure Code or Signature)

  1. Customer initiates transaction in the mobile banking application.

  2. If Biometrics is enabled, continue with the sub-steps below. Otherwise, proceed to the next step.

    1. Mobile application calls the HID Approve SDK to sign the transaction.

    2. Customer is prompted to provide biometrics.

    3. Customer provides biometrics (e.g., TouchID or FaceID).

    4. HID Approve SDK returns signing Secure Code.

  3. Mobile application prompts the customer to enter the PIN.

    1. Mobile application calls the HID Approve SDK to sign the transaction.

    2. HID Approve SDK returns signing Secure Code.

  4. Mobile application sends the data values and signing Secure Code to the HID Authentication Service for validation.

  5. Customer can complete the transaction if authentication is successful.

1.8 Forgotten HID Approve PIN or Locked PIN or Device Lost or Stolen

  1. If a customer has forgotten the PIN for HID Approve SDK or has locked the HID Approve SDK service by entering an incorrect PIN value, it is not possible to recover the PIN, and the customer must re-register the HID Approve SDK service on this device. Similarly, if a customer has lost their device or the device is stolen, they must re-register the new device. In both cases, the customer needs a new Activation Code so they can re-register. Refer to the Registration (Mobile Channel Only) section to re-register the new device.

  2. If the customer has a second device registered, they can log in to web or mobile banking using the secondary device, authorize the action using the same device, and request a new Activation Code. Please note that this requires Temenos Digital to integrate with Spotlight so a new Activation Code request can be made. If the customer has only a single device registered, then they must contact the bank help desk to reset their account and request a new Activation Code.

    Note: The Spotlight integration is out of scope for HID Global.

1.9 Additional Device Registration

  1. Registering an additional device requires a new Activation Code. Customers can log in to web or mobile banking using the secondary device, authorize the action using the same device, and request a new Activation Code.

    Note: This requires Temenos Digital to integrate with Spotlight so a new Activation Code request can be made. The Spotlight integration is out of scope for HID Global.

1.10 Device Management Web

  1. Log in to the web or mobile banking applications.

  2. Go to the device management menu and initiate the action of suspending or deleting a device.

    Note: If a customer only has one registered device, sufficient warning must be provided to say that they will be unable to log in to banking channels after continuing this action. They will need to contact the bank for assistance.

  3. Customer is sent a push notification to the mobile application.

  4. Customer actions the push notification and approves the transaction.

  5. If Biometrics is enabled, continue with the sub-steps below. Otherwise, proceed to the next step.

    1. Mobile application calls the HID Approve SDK to sign a transaction.

    2. Customer is prompted to provide biometrics.

    3. Customer provides biometrics (e.g., TouchID or FaceID).

    4. HID Approve SDK signs and sends the signed transaction to HID Authentication Service for validation.

  6. Mobile application prompts the customer to enter the PIN.

    1. Mobile application calls the HID Approve SDK to sign a transaction.

    2. HID Approve SDK signs and sends the signed transaction to HID Authentication Service for validation.

    3. HID Authentication Service sends the customer transaction feedback to the online banking application.

  7. Online banking completes or denies the device management action based on the customer feedback (Approve or Decline).

    Note: If a customer does not have internet access on their mobile device, the bank can offer an alternative authorization method using a Secure Code.

1.11 Secure Code Authentication Policy Reset Failure Counter

  1. A Secure Code authentication policy on the HID Authentication Service can be blocked due to customers entering incorrect Secure Codes for authentication to web or mobile banking channels. Even if a customer has multiple devices registered, login from all devices will be impacted if the authentication policy on the backend is blocked. The customer must contact the bank help desk so the bank can reset the failure counter of the authentication policy from Spotlight. It is recommended that the bank staff perform Identity and Verification before resetting the failure counter. Please note that Spotlight integration is out of scope for HID Global.

    Note: If Spotlight does not have the functionality, it is recommended that the system integrator updates the component to support it.

1.12 Push Authentication Policy Reset Challenge Counter

  1. It is possible to configure the number of times a customer can request push notifications on the HID Authentication Service without actioning the push request. This configuration prevents the bank customers from being exposed to DDOS attacks. If this is configured to a limited number of requests and the customer has exceeded the threshold, then they will no longer be able to request push notifications. The customer must contact the bank help desk so the bank can reset the failure counter of the push authentication policies from Spotlight. It is recommended that the bank staff perform Identity and Verification before resetting the challenge counter.

    Note: If Spotlight does not have the functionality, it is recommended that the system integrator updates the component to support it.
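
The counter behaviour described in 1.11 and 1.12, as an added example that is not part of the original document and is not HID or Temenos code: a small Python model in which both counters are kept per customer rather than per device. The class and method names, the thresholds, and the rule that a successful login or an actioned push clears its counter are assumptions made for illustration.

```python
# Constructed model of the two backend counters described in 1.11 and 1.12.
# Not HID Authentication Service code; names and thresholds are assumptions.
from collections import defaultdict

class PolicyCounters:
    def __init__(self, max_failures=3, max_unactioned_push=5):
        self.max_failures = max_failures
        self.max_unactioned_push = max_unactioned_push
        # Both counters are keyed by customer, not by device: that is why a
        # block affects every registered device of that customer.
        self.failures = defaultdict(int)
        self.unactioned_push = defaultdict(int)

    def verify_secure_code(self, customer_id, device_id, code_is_valid):
        """Return 'OK', 'REJECTED' or 'BLOCKED'; device_id is deliberately unused."""
        if self.failures[customer_id] >= self.max_failures:
            return "BLOCKED"  # even a correct code from another device fails
        if code_is_valid:
            self.failures[customer_id] = 0  # assumption: success clears the count
            return "OK"
        self.failures[customer_id] += 1
        return "REJECTED"

    def request_push(self, customer_id):
        """Return True if another push notification may be sent."""
        if self.unactioned_push[customer_id] >= self.max_unactioned_push:
            return False
        self.unactioned_push[customer_id] += 1
        return True

    def push_actioned(self, customer_id):
        """Approve or Decline was received (assumption: this clears the count)."""
        self.unactioned_push[customer_id] = 0

    def helpdesk_reset(self, customer_id, idv_passed):
        """Help-desk reset of both counters, refused without identity verification."""
        if not idv_passed:
            return False
        self.failures[customer_id] = 0
        self.unactioned_push[customer_id] = 0
        return True

def demo():
    p = PolicyCounters(max_failures=3, max_unactioned_push=2)
    wrong = [p.verify_secure_code("cust-1", "phone-A", False) for _ in range(3)]
    other_device = p.verify_secure_code("cust-1", "phone-B", True)
    pushes = [p.request_push("cust-1") for _ in range(3)]
    reset = (p.helpdesk_reset("cust-1", False), p.helpdesk_reset("cust-1", True))
    return wrong, other_device, pushes, reset
```

In the demo, three wrong codes from one device leave a correct code from the second device blocked, and the third unactioned push request is refused until the help desk resets the counters after identity verification.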

1.13 Change HID Approve SDK Service PIN

Note: This workflow can also be applied if the PIN policy for the HID Approve SDK Service is set to expire after N days. If the PIN expires, the mobile application should handle the exception and take the customer through the same process so they can set the new PIN.

  1. Customer logs in to the Mobile Application.

  2. Customer requests to change the PIN in the mobile application.

  3. Mobile application prompts the customer to enter their old PIN and create a new PIN.

  4. Customer enters old and new PIN.

  5. Mobile application requests HID Approve SDK to change the PIN.

  6. HID Approve SDK updates the PIN.

  7. PIN change is completed successfully.