PATTERN (Verification)
This is a technical introduction how you can implement the Enrollment for PATTERN by simply following the below steps.
What is PATTERN
Pattern authentication typically refers to a method of user authentication that involves recognizing and verifying a specific pattern drawn or traced by the user. This method is commonly used in touchscreen devices, especially smartphones and tablets. A user can authenticate to any application on any device using PATTERN on your Authenticator App.
You can integrate it in any app, even your own apps, the user is already using and equip it to an Authenticator.
When is a user able to configure PATTERN
| Criteria | Example | Configuration |
|---|---|---|
| Authentication | A user is able to configure any verification method, only if he is authenticated. So you need a valid token. | |
| Allowed Verification Methods | The verification method, the user wants to setup, must be activated for your instance. It is a global setup. |  |
Understanding the Flow and APIs
| API | Description | Link |
|---|---|---|
| Get available verification methods | To display and allow the user to configure the available verification methods. | Link to API |
| Enrollment Initiation | The Enrollment of a user via authenticator app, will provide the URL that is shown e.g as a QR Code in the default user profile. | Link to API |
| Enrollment Status | This will allow to verify the enrollment status in the User Profile, to determine when to continue the enrollment completion. | Link to API |
| Add friendly Device Name | In case of using device authentication methods like FIDO2, you can add a user-friendly name. | Link to API |
Step 1: Allow PATTERN in your Instance
In your Verification Setup you need to allow that PATTERN is enabled. Thereby you can change your existing setup, navigate to Multifactor Settings > Enable PATTERN.
Step 2: Present Verification Methods
The first page for enrollment should present all verification methods available.
Thereby you can use the below query to retrieve the available methods.
curl 'https://domain/verification-srv/config/list' \
-H 'Authorization: Bearer eyJhbGciOiJxxx2Og' \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
--compressed
The API returns all available methods as array:
[
{
"verificationType": "PATTERN",
"active":true
},
{
"verificationType": "TOUCHID",
"active": true,
},
]
It returns a
verificationTypewhich can be used as input variable (path parameter) for the API in Step 3.
Step 3: Initiation of Enrollment
To start the enrollment, a QR Code will be displayed to the user. The QR code
The CURL command to initiate the enrollment will accept pattern as path parameter. Thereby you are defining the method to configure. Based on the token the user will be identified.
curl 'https://domain/verification-actions-srv/setup/{method}/initiation' \
-H 'accept: application/json, text/plain, */*' \
-H 'accept-language: en-US,en;q=0.9' \
-H 'authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6ImRiMDxxxH3CCQAZ246TjbEZvqQkNy_CM9YARxW7geGevv2Og' \
-H 'content-type: application/json' \
--data-raw '{"deviceInfo":{"deviceId":"","location":{"lat":"","lon":""}}}' \
--compressed
Using the response you can construct the QR-Code based on the below template.
`otpauth://totp/tenant_name:given_name family_name?t=type&d=given_name family_name&issuer=tenant_name&tk=tenant_key&l=logoURL&sub=sub&cid=client_id&burl=baseURL&eid=exchange_id`;
The response from the api contains exchange_id, sub and authenticator_client_id which is required as input.
{
"exchange_id": {
"exchange_id": "d5edcec1-d306-4cb8-8650-a3eb0330084d",
"expires_at": "2024-01-12T21:12:30.108Z",
},
"authenticator_client_id": "532542d2-c6b8-4921-86b6-bb1da13f941b",
"sub": "da65eb32-d460-4355-8b94-ee061896712f",
"status_id": "04dca6fd-2cd7-4a9d-9d94-851be71d6344"
}
The final QR Code Link based on the above input, looks like this:
`otpauth://totp/demo:Poca Hontas?t=totp&d=Poca Hontas&issuer=domain&tk=cidaas-demo-prod&sub=da65eb32-d460-4355-8b94-ee061896712f&cid=532542d2-c6b8-4921-86b6-bb1da13f941b&burl=https://domain&eid=d5edcec1-d306-4cb8-8650-a3eb0330084d`;
It returns an
exchange_idwhich can be used as input variable (path parameter) for the API in Step 4.
Step 4: Check of Enrollment Status
Now, we are waiting for the user's action, and the user performing a PATTERN on his phone. This waiting states requires a polling. The recommended time interval is 4 seconds.
| API | Description | Link |
|---|---|---|
| Check the authentication status | Check the current status of the authentication request and it has to be polled continuously. | Link to API |
curl --location '{{base_url}}/verification-srv/verificationstatus/{status_id}' \
--header 'content-type: application/json'
The API returns a status which can be
| State | Description |
|---|---|
INITIATED | The initiated status will show up as long as you are showing the QR Code. When the QR Code was scanned you should change the UI, so that it is clear there is no further action required |
SCANNED | After the user scanned the code, the state will change to SCANNED |
ENROLLED | The ENROLLED state will show as soon as the user successfully completed the enrollment on the authenticator app. |
{
"status": "INITIATED",
"id": "da552e03-cfc2-4461-92d3-f05b5e488a6c",
"sub": "da65eb32-d460-4355-8b94-ee061896712f",
"type": "PATTERN",
}
{
"status": "SCANNED",
"id": "da552e03-cfc2-4461-92d3-f05b5e488a6c",
"sub": "da65eb32-d460-4355-8b94-ee061896712f",
"type": "PATTERN"
}
```json
{
"status": "ENROLLED",
"id": "da552e03-cfc2-4461-92d3-f05b5e488a6c",
"sub": "da65eb32-d460-4355-8b94-ee061896712f",
"type": "PATTERN",
"ph_id": "79e52278-80f4-488f-8adc-5ef3d4c4869d",
"device_id": "dd7e81392ff7bbd3"
}
It returns a
device_idandph_idwhen status is ENROLLED. This is required for the user-friendly name Step 5.
Step 5: Complete Enrollment
The final step is to allow the user to set a user-friendly name.
curl 'https://domain/verification-srv/v2/setup/users/configured/update/devicename' \
-X 'PUT' \
-H 'accept: application/json, text/plain, */*' \
-H 'authorization: Bearer eyJhbGciOiJSUxxfdKh5Za4y-b2nU65v4egHW6RQ' \
-H 'content-type: application/json' \
--data-raw '{"device_id":"dd7e81392ff7bbd3","friendly_name":"My Loved Phone","id":"da552e03-cfc2-4461-92d3-f05b5e488a6c","ph_id":"79e52278-80f4-488f-8adc-5ef3d4c4869d","sub":"da65eb32-d460-4355-8b94-ee061896712f"}' \
--compressed
Developer Perspective
This Implementation Guide is based on the default demo pages which is using a angular framework based on Typescript. It can be implemented in any other programming language as well.
As a first step you will be redirected to the login&security page. This Section starts to show the verification methods:
Step 1: Present Verification Methods
The first page for enrollment should present all verification methods available.
Thereby you can use the below query to retrieve the available methods.
getMFAList(): Observable<IEnabledMFAResponse> {
return this.http.get<IEnabledMFAResponse>(this.baseUrl+ '/verification-srv/config/list', ({headers: URLHelper.getHeaders()}));
}
The API returns all available methods as array:
[
{
"verificationType": "PATTERN",
"active":true
},
{
"verificationType": "TOUCHID",
"active": true,
},
]
It returns a
verificationTypewhich can be used as input variable (path parameter) for the API in Step 3.
Step 3: Initiation of Enrollment
To start the enrollment, a QR Code will be displayed to the user. The QR code
The CURL command to initiate the enrollment will accept pattern as path parameter. Thereby you are defining the method to configure. Based on the token the user will be identified.
let mfaData:IMFAData = setupVerification(type: string, payload: ICommonPayload): Observable<ICommonMFAResponse> {
return this.http.post<ICommonMFAResponse>(this.baseUrl + '/verification-srv/v2/setup/initiate/pattern', payload, ({headers: URLHelper.getHeaders()}));
}
Using the response you can construct the QR-Code based on the below template.
`otpauth://totp/tenant_name:given_name family_name?t=type&d=given_name family_name&issuer=tenant_name&tk=tenant_key&l=logoURL&sub=sub&cid=client_id&burl=baseURL&eid=exchange_id`;
The response from the api contains exchange_id, sub and authenticator_client_id which is required as input.
{
"exchange_id": {
"exchange_id": "d5edcec1-d306-4cb8-8650-a3eb0330084d",
"expires_at": "2024-01-12T21:12:30.108Z",
},
"authenticator_client_id": "532542d2-c6b8-4921-86b6-bb1da13f941b",
"sub": "da65eb32-d460-4355-8b94-ee061896712f",
"status_id": "04dca6fd-2cd7-4a9d-9d94-851be71d6344"
}
The final QR Code Link can be created e.g. using this code snippet:
_constructQRData = (status: IMFAData, tenantInfo: ITenantInfo, type: string): string => {
let url = `otpauth://totp/${tenantInfo.tenant_name ? tenantInfo.tenant_name : '-'}:-?t=${type}&d=-&issuer=${
tenantInfo.tenant_name ? tenantInfo.tenant_name : '-'
}&tk=${tenantInfo.tenant_key ? tenantInfo.tenant_key : '-'}&l=${tenantInfo.logo_uri ? tenantInfo.logo_uri : '-'}&cid=${
status.authenticator_client_id ? status.authenticator_client_id : '-'
}&burl=${tenantInfo.base_url ? tenantInfo.base_url : '-'}&eid=${
status.exchange_id?.exchange_id ? status.exchange_id?.exchange_id : '-'
}`;
return url;
};
It returns an
exchange_idwhich can be used as input variable (path parameter) for the API in Step 4.
Step 4: Check of Enrollment Status
Now, we are waiting for the user's action, and the user performing the PATTERN on his phone. This waiting state requires a polling. The recommended time interval is 4 seconds.
checkSocketStatus(statusId: string): Observable<ISocketResponse> {
return this.http.get<ISocketResponse>(this.baseUrl + 'verification-srv/verificationstatus/' + statusId, {}, ({headers: URLHelper.getHeaders()}));
}
| API | Description | Link |
|---|---|---|
| Check the authentication status | Check the current status of the authentication request and it has to be polled continuously. | Link to API |
The API returns a status which can be
| State | Description |
|---|---|
INITIATED | The initiated status will show up as long as you are showing the QR Code. When the QR Code was scanned you should change the UI, so that it is clear there is no further action required |
SCANNED | After the user scanned the code, the state will change to SCANNED |
ENROLLED | The ENROLLED state will show as soon as the user successfully completed the enrollment on the authenticator app. |
{
"status": "INITIATED",
"id": "da552e03-cfc2-4461-92d3-f05b5e488a6c",
"sub": "da65eb32-d460-4355-8b94-ee061896712f",
"type": "PATTERN",
}
{
"status": "SCANNED",
"id": "da552e03-cfc2-4461-92d3-f05b5e488a6c",
"sub": "da65eb32-d460-4355-8b94-ee061896712f",
"type": "PATTERN"
}
```json
{
"status": "ENROLLED",
"id": "da552e03-cfc2-4461-92d3-f05b5e488a6c",
"sub": "da65eb32-d460-4355-8b94-ee061896712f",
"type": "PATTERN",
"ph_id": "79e52278-80f4-488f-8adc-5ef3d4c4869d",
"device_id": "dd7e81392ff7bbd3"
}
It returns a
device_idandph_idwhen status is ENROLLED. This is required for the user-friendly name Step 5.
Step 5: Complete Enrollment & Add user-friendly Name
The final step is to allow the user to set a user-friendly name.
let payload:IDeviceNamePayload = {
"device_id" : data.device_id,
"friendly_name" : data.friendly_name,
"id": data.id,
"ph_id": data.ph_id,
"sub" : data.sub
}
...
updateDeviceName(payload: IDeviceNamePayload): Observable<any> {
return this.http.put(this.baseUrl + '/verification-srv/v2/setup/users/configured/update/devicename', payload, ({ headers: URLHelper.getHeaders()}));
}
curl 'https://domain/verification-srv/v2/setup/users/configured/update/devicename' \
-X 'PUT' \
-H 'accept: application/json, text/plain, */*' \
-H 'authorization: Bearer eyJhbGciOiJSUxxfdKh5Za4y-b2nU65v4egHW6RQ' \
-H 'content-type: application/json' \
--data-raw '{"device_id":"dd7e81392ff7bbd3","friendly_name":"My Loved Phone","id":"da552e03-cfc2-4461-92d3-f05b5e488a6c","ph_id":"79e52278-80f4-488f-8adc-5ef3d4c4869d","sub":"da65eb32-d460-4355-8b94-ee061896712f"}' \
--compressed
Need Support?
Please contact us directly on our support page