Epic: SM-1814 - IAM: Use the app from new device Rework requested
JIRA: SM-1838 - Use the app on new device Rework requested
Priority:
Effort estimate:
Review status: in preparation/ready to review/approved
As a Customer I want to be able to have access from the new device so that I can continue using the app.
In order to successfully complete using the app on a new device, Customer will need to go through other measures provided by the alternative scenarios.
Role: Customer
Objective: Login in from the new device using registered credentials
Reason: fraud prevention and device anti-duplicity check
Functional requirements:
Customer cannot login with only credentials (password/passcode) on a different device.
To decide whether the used device is different, we utilize device fingerprinting (from AAI).
Customer cannot be logged in from two or more different devices at the same time
UI requirements:
Process flow:
Execution steps:
Internal dependencies: Device fingerprint using Advance AI
External dependencies: n/a
Alternative scenarios: If device fingerprinting does not match, the user is directed to the face matching (step-up).Login to app with face matching (Step-up)
Acceptance criteria:
Customer cannot login with credentials only
After installing app on the new device, Customer can access using registered credentials only if device fingerprinting matches
If device fingerprinting is not matching or not registered customer continues process with Face Matching (Step-up)
Links to wireframes/UI: n/a
Technical Assessment
We agreed on 15 Dec, 2022 that a single flow will be used for the case when the old phone (and old app) is available and when not. This could change later.
Registration of New Key with LEVEL3 Step-up
Similar to the Bypass login flow, the customer fetches the customerId
based on the phone number (for security reasons an OTP need to be verified). Then a new key is registered on the new device and specially associated to the customer. A modified version of the step-up procedure with face comparison is executed on the new device that allows the use of the newly registered keys. The last step is a LEVEL3 authenticated call to replace the credentials of the customer (refer to https://safibank.atlassian.net/wiki/spaces/ITArch/pages/211419176/Forgotten+password#Technical-Assessment).
Note that if the customer’s phone number is new, they should start with calling CC where the phone number is updated.
High Level Flow
Notes:
Both the ‘Provide credential ID to app' and the 'Generate and register keys’ flows can be found at https://safibank.atlassian.net/wiki/spaces/ITArch/pages/70484094/Register+passcode#Technical-Assessment
The 'Forgotten password' flow can be found at https://safibank.atlassian.net/wiki/spaces/ITArch/pages/211419176/Forgotten+password#Technical-Assessment
UX
Assignments
OTP & Customer ID
Add a new endpoint to
customer-manager
:POST /v1/customers/otp
to initiate SMS OTPPhone number should be in verified state.
Endpoint should not be protected.
Should not report error in case of an unknown phone number or any errors in sending the SMS - this is a security measure.
(optional / later) Should be rate limited - this is a security measure.
Add a new endpoint to
customer-manager
:POST /v1/customers/id/by-otp
to return thecustomer_id
if the OTP is valid.This should allow a single successful invocation (next calls even with a valid OTP should return error) - if there is network error / etc such that the
customer_id
is not received by FE, the OTP flow need to be repeated.
If needed, modify
customer-manager
'sPOST /v1/customers/resend-otp
to support this use case, too.
Credential Registration
Modify
iam-manager
's/credential
endpoint to allow creating a new credential when there is already a credential assigned to thecustomer_id
.Add the new state
NEW_DEVICE
to the credential states.Set the state of the newly added credential to
NEW_DEVICE
. Send an audit log message that a new device registration procedure has been started. (TODO: audit log details)It is allowed to have multiple credentials in state
NEW_DEVICE
for a single customer. If this is the case, send an audit log message that multiple new device registrations are in progress. (TODO: audit log details)
Assign New Credential
Update
iam-manager
's/credential/replace
,/face-comparison
and/face-comparison/check
endpoints to allow the use of a signed request with a key inNEW_DEVICE
state.Fetch the key from the DB even if it is in state
NEW_DEVICE
and try it for signature verification.Use
iam-auth-lib
's signature check functionality unmodified to verify the signature.
Update
iam-manager
's/credential/replace
endpointWhen called with LEVEL1 signature
Use the
credential_id
as thechallenge_data
when requesting step-up.
When called with LEVEL3 signature
Check that the
challenge_data
matches thecredential_id
used for this call.Revoke the old credential (in local DB) - this may already been revoked, see notes below
Update the new credential’s state from
NEW_DEVICE
toIN_PROGRESS
.Revoke the customer’s all other credentials in
NEW_DEVICE
state.If the above is successful, revoke the old credential in VIDA - this may already been revoked, see notes below
Notes
The solution does not care (from the viewpoint of this flow) whether the old key has already been revoked by slacker (e.g. due to some very risky situation) or by BOFE (e.g. when the customer called and CC agent revoked it) or anyone else. The flow does not depend on the validity or the old key.
All other endpoints (of all other domains) are unaffected since the key that they can use is the one in
IN_PROGRESS
state (and we only invalidate the old key in the last step of the flow).
Background Info
OTP
onboarding flow:
POST /v1/customers/sign-up
- LEVEL1 auth, customer must be PROSPECTPOST /v1/customers/resend-otp
- LEVEL1 auth, customer must be PROSPECT_AND_CUSTOMERPOST /v1/customers/verify-otp
- authorizeCustomerUpdate???, customer must be PROSPECT_AND_CUSTOMER
bypass login uses
/v1/customers/id/by-phone
which is unprotected
TODO
why did we need multiple active / non active credential returns (for the forgotten passwd)?
make it clear what to do / allow when used with the
IN_PROGRESS
andNEW_DEVICE
keys
Archives
Transfer ownership
If the application on the old device is fully functional, we can sign the request of the new key registration on the old device and this way properly authenticate the request (with step-up if required for this functionality). The way of transferring data from the old device to the new may be through a simple QR code or a more sophisticated one like the swarm code when transferring data from an old iOS device to a new one.
The key element in the process is the credentialId
(refer to https://safibank.atlassian.net/wiki/spaces/ITArch/pages/70484094/Register+passcode#Technical-Assessment for details). A request can be signed (in the old app) that allows resetting the credentialId
for a customer. Idea: reuse https://safibank.atlassian.net/wiki/spaces/ITArch/pages/211419176/Forgotten+password+WIP#Technical-Assessment with LEVEL2 auth (or higher if required).
Then the new credentialId
and the customerId
need to be transferred to the new phone (via the aforementioned QR code) and the new app can register the new key with the new credentialId
via VIDA SDK.
Notes:
The new app may need to fetch other info from BE to configure itself properly or (part of) this data can be also transmitted from the old device (via the aforementioned QR code).
The keys can not be extracted from the phone (if hw support is available and the keys are properly generated), so the simple OS level phone restore should not solve the task, that is why we need this procedure.
The key generation / store proof can be received via key attestation. One reference is PKI Consortium’s overview of support of this in different platforms: https://github.com/pkic/remote-key-attestation
After the key invalidation, the old app becomes unusable because the old
credentialId
has been revoked. This means that the old app can not execute any request that requires a valid signature.
Details
[BE] Modify https://safibank.atlassian.net/wiki/spaces/ITArch/pages/211419176/Forgotten+password+WIP#Technical-Assessment to
require
LEVEL3
only if it was called withLEVEL1
auth (the original use case for the forgotten password)execute the “Replace old Credentials“ subflow when
LEVEL2
auth is present.
[FE-OLD]
Create a screen / menu item etc. that starts the procedure with signing the request with
LEVEL2
auth (orLEVEL1
if step-up is required based on business decision).FE receives the
new_credential_id
from BE (see #9 in the sequence diagram) and together with thecustomerId
(and any other data) the FE generates and displays a QR code (or any agreed other code).
[FE-NEW]
Create a screen / menu item etc. that shows the camera and waits for a successful decode of the QR code (or any other agreed code).
Executes the key registration and password setup process with the received
credentialId
via the VIDA SDK (refer to #10-13 in the sequence diagram).
Forgerock solution
Attachments:
plantuml_1658175936040.svg (image/svg+xml)
plantuml_1658175936040.png (image/png)
plantuml_1658175936040 (text/plain)
plantuml_1658175936040.svg (image/svg+xml)
plantuml_1658175936040.png (image/png)
plantuml_1658175936040 (text/plain)
plantuml_1658175936040.svg (image/svg+xml)
plantuml_1658175936040.png (image/png)
plantuml_1658175936040 (text/plain)
plantuml_1658175936040.svg (image/svg+xml)
plantuml_1658175936040.png (image/png)
plantuml_1658175936040.svg (image/svg+xml)
plantuml_1658175936040 (text/plain)
plantuml_1658175936040.png (image/png)
plantuml_1658175936040.svg (image/svg+xml)
plantuml_1658175936040 (text/plain)
plantuml_1658175936040.png (image/png)
plantuml_1658175936040 (text/plain)
plantuml_1658175936040.svg (image/svg+xml)
plantuml_1658175936040.png (image/png)
plantuml_1658175936040 (text/plain)
plantuml_1658175936040.svg (image/svg+xml)
plantuml_1658175936040.png (image/png)
plantuml_1658175936040.svg (image/svg+xml)
plantuml_1658175936040 (text/plain)
plantuml_1658175936040.png (image/png)
plantuml_1671105474951 (text/plain)
plantuml_1671105474951.svg (image/svg+xml)
plantuml_1671105474951.png (image/png)
plantuml_1671105474951 (text/plain)
plantuml_1671105474951.svg (image/svg+xml)
plantuml_1671105474951.png (image/png)
plantuml_1671105474951 (text/plain)
plantuml_1671105474951.svg (image/svg+xml)
plantuml_1671105474951.png (image/png)
IAM credential state with NEW_DEVICE.drawio (application/vnd.jgraph.mxfile)
IAM credential state with NEW_DEVICE.drawio.png (image/png)
Screenshot 2022-12-21 at 7.34.36.png (image/png)
Screenshot 2022-12-21 at 7.34.48.png (image/png)
Screenshot 2022-12-21 at 7.34.59.png (image/png)
Screenshot 2022-12-21 at 7.35.44.png (image/png)
Screenshot 2022-12-21 at 7.35.44.png (image/png)
Screenshot 2022-12-21 at 7.36.30.png (image/png)
Screenshot 2022-12-21 at 7.36.40.png (image/png)
Screenshot 2022-12-21 at 7.38.10.png (image/png)
Screenshot 2022-12-21 at 7.38.28.png (image/png)
Screenshot 2022-12-21 at 7.38.42.png (image/png)
Screenshot 2022-12-21 at 7.51.30.png (image/png)