FIDO is the first factor and Trusted device is selected; the user is asked for an OTP every time.


Article ID: 382156


Products

VIP Authentication Hub

Issue/Introduction

When FIDO is the first factor and Trusted device is selected, the user is asked for an OTP every time.

When password is used as the first factor, there is no problem.

A custom SPI risk engine is in use.

The direct reason is that the user failed the first custom SPI risk call to 'https://example.com..../custom/UserRiskScoreEvaluator':

getCustomSPIResponse: Error response from custom spi provider 'customRiskProvider'. Details '{\"description\":\"ChannelId is missing\",\"status\":\"400\"}'

After reviewing the log, the error "ChannelId is missing" appears to be caused by key=clientTxnId, value=null during the FIDO flow.

In the FIDO flow, where the user is asked for an OTP every time:

key=clientTxnId, value=null

In the password flow, in a working scenario:

key=clientTxnId, value=CSS_MOBILE

Environment

AKS 1.28

VIP Auth Hub: 2.2.6

Cause

VIP Auth Hub does not use or send ChannelId in either flow, but the custom risk engine requires it.

A null clientTxnId value triggers the error "ChannelId is missing", which causes the subsequent risk engine failure.

The risk engine then issues advice=stepup, hence the user is asked for an OTP every time.

Resolution

The mobile app uses the AuthHubBasicRequest extension to add headers to the request sent from the AuthHub FIDO SDK.

There is a SampleAuthHubRequest in the Hedmoral sample app which demonstrates how to customize the request object.

To pass clientTxnId in the FIDO flow, the mobile app needs to add the "x-client-transaction-id" header specifically for the FIDO Auth calls.

Once the header is added for the FIDO calls, with newHeaders["x-client-transaction-id"] = "CSS_MOBILE";

the "clientTxnId\",\"value\":\"CSS_MOBILE\" pair can be seen being properly passed to the SPI.
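The following is an added, constructed model of the Cause and Resolution sections above; it is not VIP Authentication Hub, SDK, or risk engine code. It assumes (as the log excerpts suggest) that the SPI receives clientTxnId as a key/value attribute derived from the "x-client-transaction-id" header, that a missing value produces the "ChannelId is missing" 400 response, and that an SPI error is mapped to advice=stepup. The function names, the "allow" advice and the score value are assumptions. A small parser for the getCustomSPIResponse log line is included so the failure can be spotted in logs rather than only inferred from repeated OTP prompts.

```python
import json
import re
from typing import Optional

# Header named in the article; everything else here is a constructed model.
HEADER_CLIENT_TXN = "x-client-transaction-id"


def add_client_txn_header(headers: dict, channel: str = "CSS_MOBILE") -> dict:
    """What the mobile app's request extension does for FIDO calls: add the
    transaction-id header (value from the article) to the outgoing request."""
    fixed = dict(headers)
    fixed[HEADER_CLIENT_TXN] = channel
    return fixed


def build_spi_attributes(headers: dict) -> list:
    """Assumed mapping from request headers to the key/value attribute list the
    custom SPI receives; clientTxnId is null when the header is absent."""
    txn = headers.get(HEADER_CLIENT_TXN)  # None in the unmodified FIDO flow
    return [{"key": "clientTxnId", "value": txn}]


def custom_risk_evaluator(attributes: list) -> dict:
    """Simulated UserRiskScoreEvaluator: it treats clientTxnId as its ChannelId
    and rejects the call with a 400 when that value is null or empty."""
    attrs = {a["key"]: a["value"] for a in attributes}
    if not attrs.get("clientTxnId"):
        return {"description": "ChannelId is missing", "status": "400"}
    # Assumed shape of a successful, low-risk evaluation.
    return {"status": "200", "score": 10, "advice": "allow"}


def decide_advice(headers: dict) -> str:
    """Mirror the behaviour described under Cause: any SPI error response is
    treated as advice=stepup, which is why the OTP prompt appears every time."""
    resp = custom_risk_evaluator(build_spi_attributes(headers))
    if resp["status"] != "200":
        return "stepup"
    return resp["advice"]


# Constructed log line in the shape quoted in the article (JSON details are
# backslash-escaped inside the single quotes, exactly as in the log).
LOG_LINE = (
    "getCustomSPIResponse: Error response from custom spi provider "
    "'customRiskProvider'. Details "
    "'{\\\"description\\\":\\\"ChannelId is missing\\\",\\\"status\\\":\\\"400\\\"}'"
)

_DETAILS = re.compile(r"Details '(.*)'$")


def parse_spi_error(line: str) -> Optional[dict]:
    """Return the SPI error details from a getCustomSPIResponse error line,
    or None for any other line. Useful for a log search or alert rule."""
    if "getCustomSPIResponse: Error response" not in line:
        return None
    match = _DETAILS.search(line)
    if not match:
        return None
    return json.loads(match.group(1).replace('\\"', '"'))


if __name__ == "__main__":
    fido_headers = {}                       # FIDO SDK request, no extension
    print("FIDO without header:", decide_advice(fido_headers))
    print("FIDO with header:   ", decide_advice(add_client_txn_header(fido_headers)))
    print("Log details:        ", parse_spi_error(LOG_LINE))
```

Running the block prints advice=stepup for the bare FIDO request and allow once the header has been added, and shows the parsed SPI error details; the parser can be run over real Auth Hub logs to confirm that repeated step-ups coincide with "ChannelId is missing" responses before changing the app.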