7. Temenos Digital Web Banking with HID Approve Mobile App & RMS

7.1 Registration (Web Channel Only)

Customer has received the customer ID and Activation Code using the Temenos components.
Customer accesses the online banking application and chooses the option to register or enroll an account.
Customer is prompted to enter the customer ID and Activation Code.
Customer enters the customer ID and Activation Code.
Activation code is successfully validated on the HID Authentication Service.
Customer is displayed a QR code and provided instructions to download and install the HID Approve mobile application.
Customer downloads and installs the HID Approve mobile application.
Customer scans the QR code using HID Approve mobile application.
Customer is prompted to enter the PIN.
Customer can optionally enable biometrics in the HID Approve mobile application.
Customer device registration is completed.
Customer has successfully registered in the online banking application.

7.2 Login Web Channel (Secure Code)

Customer accesses the online banking application.
Online banking application requests JS probe and session data from RMS.
1. RMS generates session data and returns it to Online banking application.
2. Online banking application caches session data and sends data gathered by probe to RMS.
Customer chooses the option to log in with Secure Code.
Customer launches the HID Approve mobile application.
HID Approve Mobile application checks the key validity and displays a warning if the keys are about to expire.
1. If the customer chooses to renew the keys, they are prompted for PIN or Biometrics based on whether it is enabled by the user.
2. Key renewal is completed.
Customer selects the option to generate Secure Code.
If Biometrics is enabled else go to the next step.
1. Customer is prompted to provide biometrics.
2. Customer provides biometrics (e.g., TouchID or FaceID).
3. HID Approve mobile application displays Secure Code to customer.
HID Approve mobile application prompts the customer to enter the PIN.
1. HID Approve Mobile application displays Secure Code to customer.
Customer enters the Secure Code in the online banking application.
Secure Code is validated against the HID Authentication Service.
Online banking application calls RMS to create session and get risk data (allow, step-up, block).
If BLOCK
1. Online banking application calls RMS to reject login.
2. Online banking application denies access to account.
If STEP-UP
1. Online banking application requests for Push authentication.
2. HID Authentication Service sends Push to Customer.
3. Mobile displays Push notification.
4. Customer actions notification.
5. HID Approve mobile application requests transaction data from HID Authentication Service.
6. HID Approve mobile application prompts customer to approve transaction.
7. Customer approves transaction.
8. If Biometrics is enabled else go to the next step.
  1. Customer is prompted to provide biometrics.
  2. Customer provides biometrics (e.g., TouchID or FaceID).
9. Mobile application prompts the customer to enter the PIN.
  1. Customer enters PIN.
10. HID Approve mobile application signs and sends the signed transaction to HID Authentication Service for validation.
11. Push feedback received by Online banking application.
12. Online banking application calls RMS to create session and login.
13. Customer is logged in successfully.
If ALLOW
1. Online banking application calls RMS to login.
2. Customer is logged in successfully.

7.3 Transaction Web Channel (Push-based)

Customer initiates transaction in the online banking application.
Online banking application calls RMS to create payment and get risk data (allow, step-up, block).
If BLOCK
1. Online banking application calls RMS to reject payment.
2. Online banking application denies transaction.
If STEP-UP
1. Online banking application requests for Push authentication.
2. HID Authentication Service sends Push to Customer.
3. Mobile displays Push notification.
4. Customer actions notification.
5. HID Approve mobile application requests transaction data from HID Authentication Service.
6. HID Approve mobile application prompts customer to approve transaction.
7. Customer approves transaction.
8. If Biometrics is enabled else go to the next step.
  1. Customer is prompted to provide biometrics.
  2. Customer provides biometrics (e.g., TouchID or FaceID).
9. Mobile application prompts the customer to enter the PIN.
  1. Customer enters PIN.
10. HID Approve mobile application signs and sends the signed transaction to HID Authentication Service for validation.
11. Push feedback received by Online banking application.
12. Online banking application calls RMS to sign and accept the transaction.
13. Transaction completed successfully.
If ALLOW
1. Online banking application calls RMS to sign and accept the transaction.
2. Transaction completed successfully.
Note: This workflow can also be used for any non-financial transactions such as updating a mobile number or email address, etc

7.4 Transaction Web Channel (Offline Secure Code)

Customer initiates transaction in the online banking application.
Online banking application calls RMS to create payment and get risk data (allow, step-up, block).
If BLOCK
1. Online banking application calls RMS to reject payment.
2. Online banking application denies transaction.
If STEP-UP
1. Customer is prompted to enter Secure Code and displayed a QR code or data parameters (e.g., Account Number and Amount).
2. Customer launches the HID Approve mobile application and chooses the option Signature or QR scan.
3. Customer selects one of the options and depending on the option chosen they enter the data values or scan the QR code.
  1. If Biometrics is enabled else go to the next step.
  2. Customer is prompted to provide biometrics.
  3. Customer provides biometrics (e.g., TouchID or FaceID).
  4. Mobile application prompts the customer to enter the PIN.
  5. Customer enters PIN.
4. HID Approve mobile application displays signing Secure Code.
5. Customer enters the Secure Code in the online banking application.
6. Online banking application sends the data values and signing Secure Code to the HID Authentication Service for validation.
7. Online banking application calls RMS to sign and accept the transaction.
8. Transaction completed successfully.
If ALLOW
1. Online banking application calls RMS to sign and accept the transaction.
2. Transaction completed successfully.

7.5 Forgotten HID Approve PIN or Locked PIN or Device Lost or Stolen

If a customer has forgotten the PIN for the HID Approve mobile application or has locked the HID Approve mobile application service by entering an incorrect PIN value, it is not possible to recover the PIN and the customer must re-register the HID Approve mobile application service on this device. Similarly, if a customer has lost their device or the device is stolen, they must re-register the new device. In both cases above customer needs a new Activation Code so they can re-register from the web online banking application.

Note: We should try to update this integration, which will very likely require assistance from Temenos, so Infinity can integrate with Spotlight to request a new activation code and deliver it to the user. Additionally, we should implement the functionality from the web and mobile out of the box but leave it to the end customer on which channel they want to expose this functionality to their end customer.
If the customer has a second device registered, they can log in to web banking using the secondary device, authorize the action using the same device, and request a new QR code. Customers can scan the QR code in the HID Approve mobile application to re-register the device.

7.6 Additional Device Registration

Customer logs in to the online banking application.
Customer requests for QR code to register a new device with HID Approve mobile application.
Online banking application calls RMS to create action and get risk data (allow, step-up, block).
If BLOCK
1. Online banking application calls RMS to reject action.
2. Online banking application denies additional device registration.
If STEP-UP
1. Online banking application requests for Push authentication.
2. HID Authentication Service sends Push to Customer.
3. Mobile displays Push notification.
4. Customer actions notification.
5. HID Approve mobile application requests transaction data from HID Authentication Service.
6. HID Approve mobile application prompts customer to approve transaction.
7. Customer approves transaction.
8. If Biometrics is enabled else go to the next step.
  1. Customer is prompted to provide biometrics.
  2. Customer provides biometrics (e.g., TouchID or FaceID).
9. Mobile application prompts the customer to enter the PIN.
  1. Customer enters PIN.
10. HID Approve mobile application signs transaction and sends to HID Authentication Service.
11. Transaction validated against the HID Authentication Service.
12. Push feedback received by Online banking application.
13. Online banking application calls RMS to sign and accept the action.
14. Online banking application displays a QR code.
15. Customer installs the HID Approve mobile application on another device and scans the QR code.
16. Customer is prompted to enter the PIN.
17. Customer can optionally enable biometrics in the HID Approve mobile application.
18. Additional device registration completed successfully.
If ALLOW
1. Online banking application calls RMS to sign and accept the action.
2. Online banking application displays a QR code.
3. Customer installs the HID Approve mobile application on another device and scans the QR code.
4. Customer is prompted to enter the PIN.
5. Customer can optionally enable biometrics in the HID Approve mobile application.
6. Additional device registration completed successfully.

7.7 Device Management Web

Note: Due to security reasons, we cannot provide screenshots of the HID Approve mobile application. Instead, we are showcasing screenshots of an application built using the HID Approve SDK. This application accurately replicates all functionalities of the HID Approve mobile app.

Login to the web online banking application.
Go to the device management menu and initiate the action of suspending or deleting a device.

Note: If a customer only has one registered device, sufficient warning must be provided to say that they will be unable to log in to banking channels after continuing this action. They will need to contact the bank for assistance.
Online banking application calls RMS to create action and get risk data (allow, step-up, block).
If BLOCK
1. Online banking application calls RMS to reject action.
2. Online banking application denies device management.
If STEP-UP
1. Online banking application requests for Push authentication.
2. HID Authentication Service sends Push to Customer.
3. Mobile displays Push notification.
4. Customer actions notification.
5. HID Approve mobile application requests transaction data from HID Authentication Service.
6. HID Approve mobile application prompts customer to approve transaction.
7. Customer approves transaction.
8. If Biometrics is enabled else go to the next step.
  1. Customer is prompted to provide biometrics.
  2. Customer provides biometrics (e.g., TouchID or FaceID).
9. Mobile application prompts the customer to enter the PIN.
  1. Customer enters PIN.
10. HID Approve mobile application signs transaction and sends to HID Authentication Service.
11. Transaction validated against the HID Authentication Service.
12. Push feedback received by Online banking application.
13. Online banking application calls RMS to sign and accept the action.
14. Device management completed successfully.
If ALLOW
1. Online banking application calls RMS to sign and accept the action.
2. Device management completed successfully.
Note: If the customer does not have internet access on the mobile device the bank can provide an option to customers so they can authorize the action by authenticating using an offline Secure Code.

7.8 Secure Code Authentication Policy Reset Failure Counter

A Secure Code authentication policy on the HID Authentication Service can be blocked due to the customer entering incorrect Secure Codes for authentication to the web online banking channel. Even if a customer has multiple devices registered login from all devices will be impacted if the authentication policy on the backend is blocked. The customer must contact the bank help desk so the bank can reset the failure counter of the authentication policy from Spotlight. It is recommended that the bank staff perform Identity and Verification before resetting the failure counter. Please note that Spotlight integration is out of scope for HID Global.

Note: If Spotlight does not have the functionality, it is recommended that the system integrator updates the component to support it.

7.9 Push Authentication Policy Reset Challenge Counter

It is possible to configure the number of times a customer can request push notifications on the HID Authentication Service without actioning the push request. This configuration prevents the bank customers from being exposed to DDOS attacks. If this is configured to a limited number of requests and customers have exceeded the threshold then they will not be able to request push notifications anymore. Customers must contact the bank help desk so the bank can reset the challenge counter of the push authentication policies from Spotlight. It is recommended that the bank staff perform Identity and Verification before resetting the challenge counter.

Note: If Spotlight does not have the functionality, it is recommended that the system integrator updates the component to support it.

7.10 Change HID Approve Mobile Application Service PIN

Customer logs in to the HID Approve Mobile Application.
Customer requests to change the PIN in the HID Approve mobile application.
HID Approve Mobile application prompts customers to enter old and new PIN.
Customer enters old and new PIN.
HID Approve mobile application updates the PIN.
PIN change is completed successfully.