Verified Confirmation Policies

Biometric Experience

If user biometric authentication is required, the integration must specify a confirmation policy with Credential Type 1, as shown in the example below:

{
    "AccountNumber": "AccountV2",
    "Timeout": 3600,
    "ConfirmationPolicy": {
        "TransportType": 0,
        "CredentialType": 1,
        "BioPolicy": {
            "CheckLiveness": true
        }
    },
    "Name": "Verify_Identity"
}

If the user agrees to proceed by clicking "Accept", the user is prompted to capture a quick selfie, which is compared with the biometrics enrolled for the given account.

Declining the transaction does not ask the user to provide biometrics.


Verify With Biometrics


Passkey Experience

If user Passkey authentication is required, the integration must specify a confirmation policy with Credential Type 4, as shown in the example below:

{
    "AccountNumber": "AccountV2",
    "Timeout": 3600,
    "ConfirmationPolicy": {
        "TransportType": 0,
        "CredentialType": 4
    },
    "Name": "Verify_Identity"
}

The user is presented with the following screen.


Verify with FIDO

OTP Experience

authID also offers a hosted OTP experience, created to assist with the transition from classic OTP to modern cloud biometrics.

The integration must specify the Confirmation Policy with

  • Credential Type 2
  • Transport Type 1
  • Name "OTP". This transaction template has specific configuration supporting the OTP experience.

{
    "AccountNumber": "AccountV2",
    "Timeout": 3600,
    "ConfirmationPolicy": {
        "TransportType": 1,
        "CredentialType": 2
    },
    "Name": "OTP"
}

The Transaction Id and One Time Secret are returned regardless of the specified Transport Type; the developer must use the embedded capture experience to display the page. The user receives a one-time passcode at the phone number associated with the user's account:


Verify with OTP


Basic Experience

Specifying the following request body with Credential Type 0 and Transport Type 1 sends a pre-configured text message containing an authentication URL to the phone number recorded in the Account.

{
    "AccountNumber": "AccountV2",
    "Timeout": 3600,
    "ConfirmationPolicy": {
        "TransportType": 1,
        "CredentialType": 0
    },
    "Name": "Verify_Identity"
}

The user is given a choice to Accept or Decline the transaction; selecting "Accept" immediately moves the transaction to the "Accepted" state without requiring the user to provide a credential. The security in this case comes from the user being able to access the text or email message containing the URL.


Verify with Basic Approval.

🚧

Basic Approval and Embedded User Interface

While technically possible, specifying basic approval "URL Only" together with Transport Type 0 does not offer any protection.
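
A pre-flight check that an integration could run on request bodies before submitting them, so that the combinations described on this page are enforced in code. This is an added example, not authID's own code: `check_policy`, `sample` and the finding messages are hypothetical names, and only the field values shown on this page are treated as known.

```python
import json

# Values described on this page; the labels are this example's own wording.
CREDENTIAL_TYPES = {0: "basic approval", 1: "biometric", 2: "OTP", 4: "passkey"}
TRANSPORT_TYPES = (0, 1)


def check_policy(body: str) -> list[str]:
    """Return findings for one transaction request body (hypothetical helper)."""
    req = json.loads(body)
    policy = req.get("ConfirmationPolicy") if isinstance(req, dict) else None
    if not isinstance(policy, dict):
        return ["ConfirmationPolicy is missing or not an object"]
    cred, transport = policy.get("CredentialType"), policy.get("TransportType")
    findings = []
    # bool is a subclass of int in Python, so JSON true/false is rejected explicitly.
    if type(cred) is not int or cred not in CREDENTIAL_TYPES:
        findings.append(f"CredentialType {cred!r} is not described on this page")
    if type(transport) is not int or transport not in TRANSPORT_TYPES:
        findings.append(f"TransportType {transport!r} is not described on this page")
    if findings:
        return findings
    if cred == 0 and transport == 0:
        # The page's warning: this combination does not offer any protection.
        findings.append("basic approval with TransportType 0 offers no protection")
    if cred == 2:
        if transport != 1:
            findings.append("OTP policy requires TransportType 1")
        if req.get("Name") != "OTP":
            findings.append('OTP policy requires the transaction Name "OTP"')
    return findings


def sample(cred, transport, name="Verify_Identity"):
    """Build a constructed request body modelled on the examples on this page."""
    return json.dumps({
        "AccountNumber": "AccountV2", "Timeout": 3600,
        "ConfirmationPolicy": {"TransportType": transport, "CredentialType": cred},
        "Name": name,
    })


if __name__ == "__main__":
    for args in [(1, 0), (4, 0), (2, 1, "OTP"), (0, 1), (0, 0), (2, 0)]:
        print(args, check_policy(sample(*args)) or "ok")
```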