Link Search Menu Expand Document

ACS Integration guide

Table of contents
  1. ACS Integration guide
    1. Overview
    2. The SCA methods supported
    3. How does ACS tell the uSDK to perform a method
    4. DEVICE_COOKIE
      1. How ACS requests the method
      2. When and how does SDK execute and delivers the data to ACS
        1. Mobile uSDKs
        2. Browser uSDK
    5. USDK_PROMPT_TEXT
      1. How ACS requests the method
      2. When and how does SDK execute and delivers the data to ACS
    6. USDK_PROMPT_LOCAL_BIO_AUTH
      1. How ACS requests the method
      2. When and how does SDK execute and delivers the data to ACS
    7. BEHAVIORAL_METRICS
      1. How ACS requests the method
      2. When and how does SDK execute and delivers the data to ACS

Overview

This writeup documents how an ACS would integrate with the SCA gathering methods mSIGNIA uSDK 6.5 and later leverages. Starting from 6.5 release, the iOS and Android uSDKs allow the ACS servers to request additional properties from the mobile device and browsers to make SCA easier for ACSes. This document explains the features in details so an ACS vendor uses this document as an integration guide.

The SCA methods supported

As of 6.5 release the uSDKs support the following SCA methods:

Method Platform Description
DEVICE_COOKIE Android, iOS, Browser Saves a “cookie” on the device
USDK_PROMPT_TEXT Android, iOS Prompts the user to type some text before authentication
USDK_PROMPT_LOCAL_BIO_AUTH Android, iOS Autheticates the user to perform finger scan or Face ID
BEHAVIORAL_METRICS Android, iOS Captures typings, mouse and device tilt metrics

How does ACS tell the uSDK to perform a method

An ACS has to tell the uSDK to perform one of the SCA methods during the next transaction. For that, the ACS leverages a custom message extension with the ID of usdk.strong-customer-auth like shown below and includes it in the ARes or CRes:

{
  "id": "usdk.strong-customer-auth",
  "name": "usdk.strong-customer-auth"
  "data": {
      "v": 1,
      "methods": [ "DEVICE_COOKIE", /* other methods go here */ ]
      "acsReferenceNumber": "${acs-reference-number}",
      "issuerId": "123e4567-e89b-12d3-a456-426655440000",
  }
  "criticalityIndicator": false
}

A few points to note at here are:

  1. The ACS can request more than one SCA method for the SDK to perform on next transaction, thus the data.method data element is an array that holds a list of SCA methods.
  2. The data.v data element denotes the message extension version. It should be 1.
  3. The ACS tells a bit about itself - the data.acsRefenence is used to ACS Referene number assigned by EMVco, while data.issuerId is an ACS identifier issued by mSIGNIA when the ACS has been enrolled with it.

The following sections explain each specific SCA method in more detail.

The DEVICE_COOKIE method lets the ACS to store certain data on the device. The uSDK then send that exact data back to ACS on the next transaction the user performs. So it could be as simple as a cookie but also various advanced use-cases are possible - for instance the ACS may store a token, a public key etc.

Note, once a device cookie is received by the uSDK, it’ll send it back to ACS on each consequent transaction. The ACS can “clear” it if needed by sending an empty cookie value. In that case uSDK will clear the cookie and stop sending it to ACS.

How ACS requests the method

The message extension that ACS is supposed to issue requesting this specific SCA method would look this:

{
  "id": "usdk.strong-customer-auth",
  "name": "usdk.strong-customer-auth"
  "data": {
      "v": 1,
      "methods": [ "DEVICE_COOKIE" ]
      "acsReferenceNumber": "${acs-reference-number}",
      "issuerId": "123e4567-e89b-12d3-a456-426655440000",
      "deviceCookie": "${the-actual-cookie-value}"
  }
  "criticalityIndicator": false
}

When and how does SDK execute and delivers the data to ACS

Mobile uSDKs

Then, on the next transaction, the uSDK will run the method. Running it means it’ll take the data.deviceCookie received in the previously and include in AReq.sdkEncData data element that is normally encrypted with the DS public key. Once DS decrypts it and makes available for ACS as AReq.deviceInfo, the ACS then looks for it in the SCA data element:

let deviceInfo = {
    "SCA": {
        "deviceCookie": "c01d40c5-2157-46c7-95bd-c972f2fc6fb3"
    },
    "DD": {
        "A108": "422",
        "A051": "sdk_gphone_x86",
        // many other DDs omitted here
    },
    "DV": "1.4",
    "SW": [
        "SW03",
        "SW01"
    ],
    "DPNA": {
        "A106": "RE04",
    }
}

Using the of deviceInfo.SCA.deviceCookie as well as some other DDs would let the ACS to efficiently tag the user device.

Browser uSDK

The browser uSDK sends the SCA methods it performed as part of the request to the 3DS Method URL. This means that ACS receives it before the actual AReq/ARes flow begins so it lets the ACS to check the device cookie before it makes a frictionless transStatus decision.

An example request to the 3DS Method URL would looks like this:

Method: POST
URL: 3DS Method URL
Params:
    deviceCookie: c01d40c5-2157-46c7-95bd-c972f2fc6fb3
    threeDSMethodData: <a normal base64 datum sent to 3DS Method>

USDK_PROMPT_TEXT

This method is used to prompt the user to enter some text before the frictionless flow begins and include the user’s input in AReq. The method is flexible in the sence that it lets the ACS to control the details of the prompt such as prompt heading text, prompt message, the keyboard type to use etc.

How ACS requests the method

The method is requested via the message extension:

{
  "id": "usdk.strong-customer-auth",
  "name": "usdk.strong-customer-auth"
  "data": {
      "v": 1,
      "methods": [ "USDK_PROMPT_TEXT" ]
      "acsReferenceNumber": "${acs-reference-number}",
      "issuerId": "123e4567-e89b-12d3-a456-426655440000",
      "usdkPrompt": {
          "heading": "Postal code",
          "keyboard":"NUMERIC", 
          "message": "Please enter your postal code:"
      }
  }
  "criticalityIndicator": false
}

So, the method name is USDK_PROMPT_TEXT plus the usdkPrompt data element lets configure the prompt:

  • usdkPrompt.heading - sets the heading text in the prompt
  • usdkPrompt.message - the message
  • usdkPrompt.keyboard - keyboard type. Options are: NUMERIC, EMAIL or DEFAULT

When and how does SDK execute and delivers the data to ACS

The uSDK then presents the user with the following prompt,

captures user’s input and includes it in AReq.sdkEncData data element that is normally encrypted with the DS public key. Once DS decrypts it and makes available for ACS as AReq.deviceInfo, the ACS then looks for it in the SCA data element:

let deviceInfo = {
    "SCA": {
        "usdkPrompt": {
            "input": "18005",
            "typing": "behavioral metrics - touches, 
                typing captured while user answered in the prompt"
        }
    },
    "DD": {
        "A108": "422",
        "A051": "sdk_gphone_x86",
        // many other DDs omitted here
    },
    "DV": "1.4",
    "SW": [
        "SW03",
        "SW01"
    ],
    "DPNA": {
        "A106": "RE04",
    }
}

USDK_PROMPT_LOCAL_BIO_AUTH

This method presents the user with a screen/popup (whatever is the most convenient way on the particular mobile platform) to either scan a fingerprint or authenticate via FaceID. This popup is displayed before the frictionless flow begins.

Note, the SDKs won’t the user to fallback to a non biometrical authentication such as drawing pattern or password entry.

How ACS requests the method

The method is requested via the message extension:

{
  "id": "usdk.strong-customer-auth",
  "name": "usdk.strong-customer-auth"
  "data": {
      "v": 1,
      "methods": [ "USDK_PROMPT_LOCAL_BIO_AUTH" ]
      "acsReferenceNumber": "${acs-reference-number}",
      "issuerId": "123e4567-e89b-12d3-a456-426655440000",
  }
  "criticalityIndicator": false
}

When and how does SDK execute and delivers the data to ACS

The uSDK performs fingerprint or FaceID authentication right before it kicks off the frictionless flow. Depending on the outcome it may or may not begin a transaction. See the following table for more details. If transaction happens, then the authentication result if delivered to ACS in AReq.sdkEncData which DS decrypts into AReq.deviceInfo.

Authentication Outcome 3DS Transaction Begins? Result/Reason delivered to ACS
User successfully authenticated via fingerprint or FaceID YES result: SUCCEEDED
User failed to authenticate NO n/a
No fingerprint/FaceID hardware unavailable on device YES result: FAILED, reason: HARDWARE_UNAVAILABLE
Hardware OK but no fingerprint nor face enrolled YES result: FAILED, reason: NO_BIOMETRICS_ENROLLED
Mobile app not configured to leverage fingerprint or face authentication YES result: FAILED, reason: APP_MISCONFIGURED
User cancelled the prompt NO n/a

The corresponging result (and reason) can then be found in the SCA.localBioAuth data element of AReq.deviceInfo:

let deviceInfo = {
    "SCA": {
        "localBioAuth": {
            "result": "FAILED"
            "reason": "HARDWARE_UNAVAILABLE"
        }
    },
    "DD": {
        "A108": "422",
        "A051": "sdk_gphone_x86",
        // many other DDs omitted here
    },
    "DV": "1.4",
    "SW": [
        "SW03",
        "SW01"
    ],
    "DPNA": {
        "A106": "RE04",
    }
}

BEHAVIORAL_METRICS

This lets the ACS to request capturing of typings, touches and device tilt changes while the user interacts with the mobile challenge screen (CReq/CRes phase of a 3DS tranaction). The data captured is then gets sent to ACS in a custom message extension included in CReq.

How ACS requests the method

The method is requested via the message extension received in CRes:

{
  "id": "usdk.strong-customer-auth",
  "name": "usdk.strong-customer-auth"
  "data": {
      "v": 1,
      "methods": [ "BEHAVIORAL_METRICS" ]
      "acsReferenceNumber": "${acs-reference-number}",
      "issuerId": "123e4567-e89b-12d3-a456-426655440000",
  }
  "criticalityIndicator": false
}

When and how does SDK execute and delivers the data to ACS

Depending on the challenge type, the uSDK captures different kinds of metrics:

Challenge Type What is captured
Text / OTP typings & touch events
Single Select touch events
Multi Select touch events
HTML touch events

The uSDK includes the following message extension in CRes.messageExtension data element:

{
  "id": "usdk.behavioral-bio",
  "name": "usdk.behavioral-bio"
  "data": {
      "typingPattern": "${typings and touch data captured}",
  }
  "criticalityIndicator": false
}