Hi there,
I’m currently integrating Auth0’s in-app authentication using the CIBA method for our payment product. Since we are not integrating other MFA methods at this stage, I’d like to clarify the Guardian SDK setup. The function we want to deliver is: after a user triggers an online transaction, we will use the CIBA method to trigger an in-app push notification in our app for the user to approve the transaction.
When I was reviewing the integration of the Guardian SDK, I saw that there is a prerequisite to enroll users’ devices before I can trigger an in-app push notification. How should we handle device enrollment for users in this case? Can we enroll the user’s device at the moment they trigger an online payment that requires in-app authentication?
Thank you!
Hi @lillian.li
Thank you for reaching out!
You are correct with regard to the user’s device needing to be enrolled prior to triggering the CIBA flow. As a result, it might not be possible, or just difficult, to achieve your desired flow, but please allow us some time to do more research on the matter. I will be back with an update once new information is received.
Thank you for your patience,
Gerald
Hi @lillian.li
Thank you for your patience on this!
It appears that CIBA should allow the use case that you described, as most of the "heavy lifting" will need to be processed via a backend process that handles the online payment part. A workflow will need to be implemented that works something along the following lines:
- perform a check of the user’s authentication factors;
- if the target user does have Guardian with push enrolled, submit the CIBA request;
- otherwise, take the user to an inline process with Guardian (QR, manual code entry). Then submit the CIBA request.
Although this flow can arguably defeat part of the safety that CIBA was implemented with in mind, it should still be supported after confirming internally.
Hope this helped!
Gerald
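The three-step backend workflow in the reply above, as an added example that is not code from this thread or from Auth0. Endpoint paths and field names (`/api/v2/users/{id}/authentication-methods`, `/api/v2/guardian/enrollments/ticket`, `/bc-authorize`, `/oauth/token`, the `iss_sub` login hint, `binding_message`, and the `authorization_pending` / `slow_down` polling errors) follow Auth0's public CIBA and Management API documentation as the author reads it; verify them against your tenant before use. The tenant domain `tenant.example`, the user IDs, the client credentials and the `FakeAuth0` transport are constructed so the flow runs offline; `urllib_http` is the real transport.

```python
"""Backend gate for CIBA push approval: check enrollment, enroll or request.

Added example, not code from the thread or from Auth0. Endpoint paths and
field names follow Auth0's public docs as the author reads them (verify
against your tenant). HTTP goes through an injectable `http` callable so the
flow runs offline against the constructed FakeAuth0 at the bottom.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

CIBA_GRANT = "urn:openid:params:grant-type:ciba"


def has_push_enrollment(methods):
    """Step 1: CIBA needs a confirmed Guardian push authenticator; TOTP/SMS do not count."""
    return any(m.get("type") == "push-notification" and m.get("confirmed", True)
               for m in methods)


def approve_transaction(domain, client_id, client_secret, mgmt_token, user_id,
                        binding_message, http, poll):
    """Return {"outcome": "enrollment_required"|"approved"|"denied", ...}.

    `poll(seconds)` is the sleep hook between token polls; pass a no-op offline."""
    base = f"https://{domain}"
    mgmt = {"Authorization": f"Bearer {mgmt_token}"}
    uid = urllib.parse.quote(user_id, safe="")

    # Step 1: list the user's enrolled factors via the Management API.
    _, methods = http("GET", f"{base}/api/v2/users/{uid}/authentication-methods", mgmt)
    if not has_push_enrollment(methods):
        # Step 3: no push factor yet; mint a Guardian enrollment ticket for the
        # inline (QR / manual code) flow. The caller re-runs this after enrollment.
        _, ticket = http("POST", f"{base}/api/v2/guardian/enrollments/ticket", mgmt,
                         body={"user_id": user_id, "send_mail": False})
        return {"outcome": "enrollment_required", "ticket_url": ticket["ticket_url"]}

    # Step 2: submit the backchannel request. binding_message is what the user
    # sees in the push, so it must describe the exact transaction being approved.
    login_hint = json.dumps({"format": "iss_sub", "iss": f"{base}/", "sub": user_id})
    creds = {"client_id": client_id, "client_secret": client_secret}
    status, ciba = http("POST", f"{base}/bc-authorize", {}, form={
        **creds, "login_hint": login_hint, "scope": "openid",
        "binding_message": binding_message})
    if status != 200:
        return {"outcome": "denied", "error": ciba.get("error", f"http {status}")}

    # Poll the token endpoint, honouring the server's interval and request expiry.
    interval, waited = ciba.get("interval", 5), 0
    while waited <= ciba.get("expires_in", 120):
        status, tok = http("POST", f"{base}/oauth/token", {}, form={
            **creds, "grant_type": CIBA_GRANT, "auth_req_id": ciba["auth_req_id"]})
        if status == 200:
            return {"outcome": "approved", "token": tok}
        err = tok.get("error")
        if err == "slow_down":
            interval += 5
        elif err != "authorization_pending":
            return {"outcome": "denied", "error": err}  # access_denied, expired_token
        poll(interval)
        waited += interval
    return {"outcome": "denied", "error": "expired_token"}


def urllib_http(method, url, headers, form=None, body=None):
    """Real transport: form-encoded for OAuth endpoints, JSON for the Management API."""
    data, hdrs = None, dict(headers)
    if form is not None:
        data = urllib.parse.urlencode(form).encode()
        hdrs["Content-Type"] = "application/x-www-form-urlencoded"
    elif body is not None:
        data = json.dumps(body).encode()
        hdrs["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=hdrs, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as r:
            return r.status, json.loads(r.read() or b"{}")
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


class FakeAuth0:
    """Constructed stand-in for a tenant: scripted responses, no network."""

    def __init__(self, methods_by_user, approve_after_polls=1):
        self.methods, self.approve_after, self.polls = methods_by_user, approve_after_polls, 0

    def __call__(self, method, url, headers, form=None, body=None):
        host, path = url.split("/")[2], "/" + url.split("/", 3)[3]
        if path.endswith("/authentication-methods"):
            return 200, self.methods.get(urllib.parse.unquote(path.split("/")[4]), [])
        if path.endswith("/guardian/enrollments/ticket"):
            return 200, {"ticket_id": "t1", "ticket_url": f"https://{host}/enroll?ticket=t1"}
        if path == "/bc-authorize":
            return 200, {"auth_req_id": "req-1", "expires_in": 300, "interval": 5}
        if path == "/oauth/token" and form.get("auth_req_id") == "req-1":
            self.polls += 1  # user taps "approve" in the app after N polls
            if self.polls <= self.approve_after:
                return 400, {"error": "authorization_pending"}
            return 200, {"access_token": "at-1", "token_type": "Bearer"}
        return 404, {"error": "not_found"}


if __name__ == "__main__":
    fake = FakeAuth0({"auth0|alice": [{"type": "push-notification", "confirmed": True}],
                      "auth0|bob": [{"type": "totp", "confirmed": True}]})
    for user in ("auth0|alice", "auth0|bob"):
        print(user, approve_transaction("tenant.example", "cid", "csecret", "mgmt-token",
                                        user, "Pay EUR 49.90 to ACME ref 7781",
                                        fake, poll=lambda s: None))
```

The enrollment branch deliberately returns control to the caller rather than submitting CIBA in the same request: the user has to finish the QR or manual-code enrollment in the app first, and the push sent by `/bc-authorize` only reaches a device that is already enrolled. The `binding_message` carrying amount, payee and reference is what ties the push to this particular payment.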