
VIP CDK: Apple iOS Authentication


Article ID: 150714

Products

VIP Software Development Kit

Issue/Introduction


Resolution


Chapter 8: iOS Authentication (via Security Code)


Enabling a mobile iOS application to participate in multi-factor authentication is straightforward: turn the mobile app into a credential, then use that credential to confirm authentication. Below is an overview of how this works:


  1. When the mobile application is started for the first time, it detects whether its Vault is empty.
  2. If the Symantec Vault is empty, a new credential needs to be created. With iOS authentication, several types of VIP credential can be created, each associated with a different style of authentication method. For more about the authentication methods (and the user experience), see Chapter 2: Authentication Options. The table below maps each authentication method to its VIP credential data type.


Apple iOS credential creation:

  Method                        CDK Data Type
  Certificate-based             AuthSigning Credential
  Shared-secret based (OCRA)    Signing Credential
  iOS TouchID Approval          AuthSigning Credential
  Intelligent Authentication    n/a


For this example, the AuthSigning Credential is selected and the Certificate-based method will be explored.

  3. There are several ways the next step can be initiated, but the end result is that the web server running your web application needs to send an *activation code*. For example:
    1. A new user starts with the app. The app begins in "new user" mode (with a branch for existing users to log in). After account creation, the web server sends an activation code to the mobile device to complete the registration process.
    2. An existing desktop user would like to start using the mobile app. They download the mobile app and log in. After login, the web server sends an activation code to the mobile device to complete the registration process.
    3. An existing desktop user uses the website to generate a code that is entered in the mobile app to "activate" it. That code is the activation code.


  4. The CredentialFactory API is used to create an AuthSigning credential. The CredentialFactory call takes the activation code (and other parameters) as input and calls Symantec directly to retrieve the material used to "start" as a credential.
  5. The mobile app needs to save the new credential locally in the Symantec Vault (or other secure storage). This is covered in detail in the VIP CDK: Apple iOS Authentication Code Snippets article.
  6. The mobile app needs to send the resulting credential information to the web server so the provisioning process can complete.
  7. The web server may respond with additional information.


Note: Any communication between the mobile app and the web server is a custom protocol that must be created outside of Symantec.


Apple iOS app authentication


Multiple styles of initiating authentication are possible.  Some of these are:

  1. An existing user starts the mobile app. The app has saved credentials locally and securely replays them to the web application. getSecurityCode() is then called to retrieve the current six-digit Security Code, which is sent to the web application.
  2. An existing user starts the mobile app. A session key is retrieved and validated with the web application. getSecurityCode() is then called to retrieve the current six-digit Security Code, which is sent to the web application.
  3. An existing user starts the mobile app. No state is ever stored locally. The user supplies a username and password/PIN, which are securely validated with the web application. getSecurityCode() is then called to retrieve the current six-digit Security Code, which is sent to the web application.

In each case, the web application on the web server uses a different API to validate those six digits.

 
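The article leaves the protocol between the mobile app and the web server to you (see the note above). As an added example that is not part of this article or of the VIP CDK, here is a Python sketch of the web-server side of that protocol covering both the provisioning steps and the authentication flows above: activation codes are single-use and expire, the registered credential is bound to the user, and a Security Code that was already accepted is refused if it is replayed. `ProvisioningServer`, `ACTIVATION_TTL`, `demo_validator` and the credential IDs are assumptions; in a real deployment the validation hook would call the separate Symantec validation API the article refers to.

```python
import hmac
import secrets
import time

ACTIVATION_TTL = 600  # seconds an activation code stays valid (assumed policy)

class ProvisioningServer:
    # Web-server side of the app <-> server protocol the article says you must build.
    def __init__(self, validate_security_code, now=time.time):
        # validate_security_code(credential_id, code) -> bool stands in for the separate
        # VIP validation API the article mentions; it is injected so this runs offline.
        self._validate = validate_security_code
        self._now = now
        self._pending = {}      # activation_code -> (user, expiry)
        self._credentials = {}  # user -> credential_id registered by the app
        self._last_code = {}    # credential_id -> last accepted security code

    def issue_activation_code(self, user):
        code = secrets.token_urlsafe(16)
        self._pending[code] = (user, self._now() + ACTIVATION_TTL)
        return code

    def complete_registration(self, activation_code, credential_id):
        entry = self._pending.pop(activation_code, None)  # single use, even on failure
        if entry is None or self._now() > entry[1]:
            return False
        self._credentials[entry[0]] = credential_id
        return True

    def authenticate(self, user, security_code):
        credential_id = self._credentials.get(user)
        if credential_id is None:
            return False
        # Refuse a replayed code even while it is still inside its validity window.
        if self._last_code.get(credential_id) == security_code:
            return False
        if not self._validate(credential_id, security_code):
            return False
        self._last_code[credential_id] = security_code
        return True

def demo_validator(credential_id, code):
    # Constructed stand-in for the VIP validation API: accepts one fixed code.
    return hmac.compare_digest(code, "123456")
```

Because the Security Code is only six digits, a real endpoint should also rate-limit attempts per credential; that is omitted here.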

At the core of each of these flows is some critical processing:

  1. Restoring the saved credential
  2. Generating a Security Code

These are explained in detail in the Apple iOS Authentication Code Snippets article.

Transaction Signing is also possible; it will be explained in an upcoming article. Please watch the Contents of this series for more information.