# Application configuration

An application configuration is a specific set of application attributes for a mobile application. These attributes determine how the application should work.

# How it works

MobileID comes with a standard application configuration. It is possible to change the default values in this configuration to suit your needs. To do this, you can either:

You can find an overview of all application configuration properties and their default values in the tables below.

# Configurations

# Account recovery configurations

The properties below are used to configure MobileID's account recovery feature for your application.

Property name Description Allowed values Default value
recoveryEnabled Enable users to set up cloud based recovery credentials. true,
false
false
recoveryCodeMinLength The minimum length (in characters) of the recovery code.

Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK.
From 0 to MAXINT 6
recoveryCodeMaxLength The maximum length (in characters) of the recovery code.

Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK.
From 0 to MAXINT 50
recoveryCodeFormat The types of characters that can be used for the recovery code.

Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK.
ALPHA,
ALPHANUMERIC,
ANY,
NUMERIC
NUMERIC
recoveryCodeAmountFailuresAllowed The amount of failed recovery code attempts allowed for any client, before the recovery for the client is locked. From 0 to MAXINT 3

# App attestation configurations

The properties below are used to configure MobileID's app attestation feature (App Attest for iOS, and Play Integrity for Android) for your application.

Property name Description Allowed values Default value
attestationAndroidPlayIntegrityMode Determines whether Play Integrity attestation is performed, and how the request is handled. This is reflected in three different modes:
  • REQUIRED means that Play Integrity attestation is performed. If attestation fails, then the device operation will fail.
  • OPTIONAL means that Play Integrity attestation is performed. If attestation fails, then the device operation will not fail, and a new attestation is performed on the next request. It is up to you what action is taken on the result.
  • OFF means that Play Integrity attestation is not performed.
REQUIRED,
OPTIONAL,
OFF
OFF
attestationAndroidPlayIntegrityTimeout The timeout (given in milliseconds) for a request made to Play Integrity. From 1 to MAXINT
attestationAndroidPlayIntegrityDecryptionKey Play Integrity attestation decryption key, used to decrypt the integrity token. Base64 encoded value
attestationAndroidPlayIntegrityVerificationKey Play Integrity attestation verification key, used to validate the integrity token. Base64 encoded value
attestationAndroidPackageName The APK package name. This is required if attestationAndroidPlayIntegrityMode is set to REQUIRED or OPTIONAL. String
attestationIosAppAttestMode Determines whether Apple App Attest Service (used to validate whether an application runs on a real iOS device) is performed, and how the request is handled.

This is reflected in three different modes:
  • REQUIRED means that App attestation is performed. If attestation fails, then the device operation will fail.
    Note: Devices running versions of iOS older than iOS 14 will always fail if the mode is REQUIRED, due to requirements by Apple.
  • OPTIONAL means that App attestation is performed. If attestation fails, then the device operation will not fail, and a new attestation is performed on the next request. It is up to you what action is taken on the result.
  • OFF means that App attestation is not performed.
REQUIRED,
OPTIONAL,
OFF
OFF
attestationIosAppAttestEnvironment Determines the environment where an iOS app that uses App attestation validates itself. PRODUCTION,
DEVELOPMENT
PRODUCTION
attestationIosAppAttestTimeout The timeout (given in milliseconds) for an iOS app attestation request. From 1 to MAXINT 20000
attestationIosAppAttestAppId An iOS app ID, which is a concatenation of:
  • A 10-digit team identifier
  • A period
  • The app's CFBundleIdentifier value
String

# Application behaviour

The properties below represent base configurations, which determine your application's behaviour.

Property name Description Allowed values Default value
activationCodeLength The length (in characters) that the generated activation code will be. From 6 to MAXINT 10
activationCodeType The types of characters that can be used for the generated activation code. ANY,
NUMERIC,
ALPHA,
ALPHANUMERIC
NUMERIC
allowedAuthMethods Allowed authentication methods, given as a comma separated list.

It's mandatory to have DEVICE as an allowed authentication method. If you have a use case for a one-factor authentication you need to explicitly specify it in the start authentication request.
For allowed values, see the Authentication methods section in our MobileID API reference documentation. DEVICE,
DEVICE:PIN,
DEVICE:STRONG_TOUCH_ID,
DEVICE:IOS_FACE_ID,
DEVICE:ANDROID_BIOMETRIC_PROMPT
allowedAuthMethodsForAuthAndActivate Allowed authentication methods when adding a new authentication method, given as a comma separated list.

All authentication methods specified here must be present in the allowedAuthMethods parameter.
For allowed values, see the Authentication methods section in our MobileID API reference documentation. DEVICE:PIN
amountFailuresAllowed The amount of failed authentications allowed for any client, before they are locked out. From 0 to MAXINT 3
encapApiBlacklistAndroid Which Android client SDK versions to blocklist (sometimes referred to as blacklist).

Devices running blocklisted versions will be rejected/denied.
Comma separated semantic version.

Example:
"3.5.3, 3.6.8"
encapApiBlacklistIos Which iOS client SDK versions to blocklist (sometimes referred to as blacklist).

Devices running blocklisted versions will be rejected/denied.
Comma separated semantic version.

Example:
"3.5.3, 3.6.8"
maxPinCodeLength The maximum length (in characters) of the PIN code. From 1 to MAXINT 4
minimumRequiredEncapApiVersionAndroid The minimum Android client SDK version allowed. This can only be used to narrow down the allowed Android SDK versions (not extend).

Example: If the minimum supported client version on the server is "3.5.0", and someone wants to only allow "3.6.0", this can be achieved. However, specifying "3.3.0" would have no effect, as it is below the minimum supported client version on the server.
Semantic version.

Example: "3.7.0"
minimumRequiredEncapApiVersionIos The minimum iOS client SDK version allowed. This can only be used to narrow down the allowed iOS SDK versions (not extend).

Example: If the minimum supported client version on the server is "3.5.0", and someone wants to only allow "3.6.0", this can be achieved. However, specifying "3.3.0" would have no effect, as it is below the minimum supported client version on the server.
Semantic version.

Example: "3.7.0"
pinCodeLength The minimum length (in characters) of the PIN code.

Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK.
From 1 to MAXINT 4
pinCodeType The types of characters that can be used for the PIN code.

Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK.
ANY,
NUMERIC,
ALPHA,
ALPHANUMERIC
NUMERIC
sessionExpiry The amount of time (in milliseconds) that a new device operation session remains valid for.

After this time has elapsed, the session can no longer be used for any operations.

Note: This value cannot exceed the maximum configured value of 187200000.
From 1 to 187200000 187200000
maximumSessionExpiry The maximum amount of time (in milliseconds) that the sessionExpiry can be set to.

Note: This property cannot be configured using our MobileID Admin API. To update this value, please contact us at support@signicat.com.
From 1 to MAXINT 187200000
clientDebugDataEnabledOsTypes A comma-separated list of operating system types to enable client debug data for.

It can be set for neither, one, or both platforms.

Note: This property cannot be configured using our MobileID Admin API. To update this value, please contact us at support@signicat.com.
IOS,
ANDROID

# Clean-up of inactive devices

The properties below are used to configure MobileID's clean-up of inactive devices.

Property name Description Allowed values Default value
inactiveDeviceDeleteRetentionTime The number of days that a device can be inactive before it is deleted.

The inactive period starts from the time when the device was last used.
From 365 to MAXINT 365

# Geofencing configurations

The properties below are used to configure MobileID's geofencing feature for your application.

Property name Description Allowed values Default value
geofencingActivationMode Determines if or how geofencing is used for registration. This is reflected in three different modes:
  • REQUIRED means that a device location check is performed. If the location is not a part of the allowed regions, or if the location check fails, then the registration request will fail.
  • OPTIONAL means that a device location check is performed. If the location is not a part of the allowed regions, or if the location check fails, then the registration request will be performed. It is up to you what action is taken on the result.
  • OFF means that a device location check is not performed.
REQUIRED,
OPTIONAL,
OFF
OFF
geofencingActivationAllowedContinents Comma-separated list of continents where registration is allowed, in a two-letter continent code format. AF (Africa),
AN (Antarctica),
AS (Asia),
EU (Europe),
NA (North America),
OC (Oceania),
SA (South America)
geofencingActivationAllowedCountries Comma-separated list of countries where registration is allowed, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries are in addition to those covered by the allowed continents parameter.
You can find a list of countries and corresponding codes at GeoNames.
geofencingActivationDeniedCountries Comma-separated list of countries where registration is not allowed, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries will be excluded from those covered by the allowed continents parameter.
You can find a list of countries and corresponding codes at GeoNames.
geofencingAuthenticationMode Determines if or how geofencing is used for authentication. This is reflected in three different modes:
  • REQUIRED means that a device location check is performed. If the location is not a part of the allowed regions, or if the location check fails, then the authentication request will fail.
  • OPTIONAL means that a device location check is performed. If the location is not a part of the allowed regions, or if the location check fails, then the authentication request will be performed. It is up to you what action is taken on the result.
  • OFF means that a device location check is not performed.
REQUIRED,
OPTIONAL,
OFF
OFF
geofencingAuthenticationAllowedContinents Comma-separated list of continents where authentication is allowed, in a two-letter continent code format. AF (Africa),
AN (Antarctica),
AS (Asia),
EU (Europe),
NA (North America),
OC (Oceania),
SA (South America)
geofencingAuthenticationAllowedCountries Comma-separated list of countries where authentication is allowed, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries are in addition to those covered by the allowed continents parameter.
You can find a list of countries and corresponding codes at GeoNames.
geofencingAuthenticationDeniedCountries Comma-separated list of countries where authentication is not allowed, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries will be excluded from those covered by the allowed continents parameter.
You can find a list of countries and corresponding codes at GeoNames.
geofencingTimeout The maximum time (given in milliseconds) to wait for the location lookup and reverse geocoding to complete on the SDK.

The timing starts when the SDK calls the finish operation.

If the timeout is exceeded, then the SDK will continue without a country.
From 0 to MAXINT 10000

# Hardware-protected keys

The parameter below is used to configure MobileID's hardware protected keys feature for your application.

Property name Description Allowed values
hwKeyValidationStrategy Determines what to do with devices if the validation hardware-protected keys signature fails.

The value SUPPORTED indicates that if the validation hardware-protected keys signature fails, then the device operation will fail.

The result of the hardware signature validation is always returned as a part of the following risk attributes:
SUPPORTED

# Push configurations

For MobileID to send a push notification to your application, it needs to be specified in the application configuration. The process for this depends on if you are setting up for Android or for iOS:

  • For iOS, push notifications are set up with the Apple Push Notification Service (APNs). MobileID supports APNs tokens. These can be created within the Apple Developer Program Portal. You will need to share the following:

    • APNs token
    • Team ID
    • Key ID
  • For Android, push notifications are set up with Firebase Cloud Messaging (FCM). This can be configured with your mobile application in the Firebase project console.

The properties below represent push configurations, which determine push notification functionality for your application. This table describes properties for both Android and iOS, so they may not all apply.

Property name Description Allowed values Default value
apnConfig The APN server configuration that defines where to reach the APNs. PRODUCTION, SANDBOX PRODUCTION
apnExpiry The amount of time (in milliseconds) that APNs will try to deliver the message for. If not delivered within this time, then the message is discarded.

Note: APNS will attempt to deliver the message at least once, regardless of the set expiration time.
From 1 to MAXINT 1
apnsBundleId Apple's bundle ID for the application. This is used as a topic on the push message sent to APNs, and is required when using APNs tokens. String
apnsNotificationSoundEnabled Determines whether a notification sound is played on iOS devices when the device receives a push message.
  • If the option is set to true , the 'default' sound on the device is played when a push is received.
  • If the option is omitted or set to false , no sound is played.
Note: This parameter only applies to iOS devices. On Android, the app itself determines whether a notification sound is played.
true,
false
true
apnsTimeSensitiveInterruptionLevelEnabled Sets the interruption level for push messages to iOS devices to 'time-sensitive'.
  • If set to true, push notifications are given a higher priority and can notify users even when the device is in 'Focus' mode.
  • If set to false, the default interruption level 'Active' is assumed by the device.
true, false false
nativePushEnabled Enables the server to send push messages with Firebase Cloud Messaging (FCM) or Apple Push Notification service (APNs). true,
false
false
firebaseServiceAccount The contents of the serviceAccount.json file (credentials file), for your Firebase Cloud Messaging (FCM) project.

Note: This has to be supplied to us Base64-encoded.
String
firebaseTimeToLive The maximum lifespan of the message (in milliseconds), for Firebase Cloud Messaging (FCM).

The default value is 0 , which means to deliver the message "now or never". FCM guarantees best effort for messages with this lifespan.
From 0 to MAXINT 0

# Risk data configuration

A set of risk attributes can be collected for each operation.

The enabledRiskData property is used to configure MobileID's risk data feature for your application. This determines which attributes are collected and returned in the operation response. See table below for possible values.

# How to configure risk data

You can update this parameter using the Update properties of application configuration endpoint in our MobileID Admin API.

# Always collected risk data

Some risk data is always collected, for debugging purposes. This means that for enabledRiskData:

  • If you leave this field empty (null), the always collected risk data will still be returned.
  • If you specify risk attributes, the always collected risk data will be returned in addition to those you have specified.

You can find a list of what risk data is always enabled in the MobileID API reference documentation. See risk attributes in the Common concepts section.

# Location risk data

Location (location) is a risk data attribute that describes the location of the device used in the operation.

It is returned as its own object in the operation response instead of in the risk attributes (riskAttributes) object.

You can enable location risk data by adding value location to the enabled risk data (enabledRiskData) in the application configuration, or by using value ALL.

# Configurations

Property name Description Allowed values Default value
enabledRiskData Determines which risk data to collect. You can either:
  • Collect all risk data available.
  • Collect only selected risk data (including always collected risk data).
  • Collect only always collected risk data.
ALL

or

Select specific attributes, given as a JSON array.

In addition to location, see the risk attributes in the Common concepts of the MobileID API reference documentation for allowed values.

or

Leave this field empty ( null).
Last updated: 14/03/2024 10:03 UTC