Skip to main content

Application configuration

An application configuration is a specific set of application attributes for a mobile application. These attributes determine how the application should work.

How it works

MobileID comes with a standard application configuration. It is possible to change the default values in this configuration to suit your needs. To do this, you can either:

You can find an overview of all application configuration properties and their default values in the tables below.

Configurations

Account recovery

You can use the properties below to configure MobileID's Account recovery feature for your application.

Want to learn more?

To learn more, see our Account recovery feature documentation.

Property nameDescriptionAllowed valuesDefault value
recoveryEnabledEnable users to set up cloud-based recovery credentials.true,
false
false
recoveryCodeMinLengthThe minimum length (in characters) of the recovery code.

Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK.
From 0 to MAXINT6
recoveryCodeMaxLengthThe maximum length (in characters) of the recovery code.

Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK.
From 0 to MAXINT50
recoveryCodeFormatThe types of characters that can be used for the recovery code.

Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK.
ALPHA,
ALPHANUMERIC,
ANY,
NUMERIC
NUMERIC
recoveryCodeAmountFailuresAllowedThe amount of failed recovery code attempts allowed for any client, before the recovery for the client is locked.From 0 to MAXINT3

App attestation configurations

You can use the properties below to configure MobileID's App attestation feature for your application.

Properties for both platforms

This table describes properties for both Android and iOS, so they may not all apply:

  • For iOS devices, we use App Attest.
  • For Android devices, we use Play Integrity.
Want to learn more?

To learn more, see our App attestation feature documentation.

Property nameDescriptionAllowed valuesDefault value
attestationAndroidPlayIntegrityModeDetermines whether Play Integrity attestation is performed, and how the request is handled. This is reflected in three different modes:
  • REQUIRED means that Play Integrity attestation is performed. If attestation fails, then the device operation will fail.
  • OPTIONAL means that Play Integrity attestation is performed. If attestation fails, then the device operation will not fail, and a new attestation is performed on the next request. It is up to you what action is taken on the result.
  • OFF means that Play Integrity attestation is not performed.
REQUIRED,
OPTIONAL,
OFF
OFF
attestationAndroidPlayIntegrityTimeoutThe timeout (given in milliseconds) for a request made to Play Integrity.1 to MAXINT
attestationAndroidPlayIntegrityDecryptionKeyPlay Integrity attestation decryption key, used to decrypt the integrity token.Base64 encoded value
attestationAndroidPlayIntegrityVerificationKeyPlay Integrity attestation verification key, used to validate the integrity token.Base64 encoded value
attestationAndroidPackageNameThe APK package name. This is required if attestationAndroidPlayIntegrityMode is set to REQUIRED or OPTIONAL.String
attestationIosAppAttestModeDetermines whether Apple App Attest Service (used to validate whether an application runs on a real iOS device) is performed, and how the request is handled.

This is reflected in three different modes:
  • REQUIRED means that App attestation is performed. If attestation fails, then the device operation will fail.
    Note: Devices running versions of iOS older than iOS 14 will always fail if the mode is REQUIRED, due to requirements by Apple.
  • OPTIONAL means that App attestation is performed. If attestation fails, then the device operation will not fail, and a new attestation is performed on the next request. It is up to you what action is taken on the result.
  • OFF means that App attestation is not performed.
REQUIRED,
OPTIONAL,
OFF
OFF
attestationIosAppAttestEnvironmentDetermines the environment where an iOS app that uses App attestation validates itself.PRODUCTION,
DEVELOPMENT
PRODUCTION
attestationIosAppAttestTimeoutThe timeout (given in milliseconds) for an iOS app attestation request.From 1 to MAXINT20000
attestationIosAppAttestAppIdAn iOS app ID, which is a concatenation of:
  • A 10-digit team identifier
  • A period
  • The app's CFBundleIdentifier value
String

Application behaviour

You can use the properties below to configure your application's behaviour.

Property nameDescriptionAllowed valuesDefault value
activationCodeLengthThe length (in characters) that the generated activation code will be.From 6 to MAXINT10
activationCodeTypeThe types of characters that can be used for the generated activation code.ANY,
NUMERIC,
ALPHA,
ALPHANUMERIC
NUMERIC
allowedAuthMethodsAllowed authentication methods, given as a comma separated list.

It's mandatory to have DEVICE as an allowed authentication method. If you have a use case for a one-factor authentication you need to explicitly specify it in the start authentication request.
For allowed values, see the Authentication methods section in our MobileID API reference documentation.DEVICE,
DEVICE:PIN,
DEVICE:STRONG_TOUCH_ID,
DEVICE:IOS_FACE_ID,
DEVICE:ANDROID_BIOMETRIC_PROMPT,
DEVICE:SERVER_SIDE_FACE
allowedAuthMethodsForAuthAndActivateAllowed authentication methods when adding a new authentication method, given as a comma separated list.

All authentication methods specified here must be present in the allowedAuthMethods parameter.
For allowed values, see the Authentication methods section in our MobileID API reference documentation.DEVICE:PIN,
DEVICE:SERVER_SIDE_FACE
amountFailuresAllowedThe amount of failed authentications allowed for any client, before they are locked out.From 0 to MAXINT3
encapApiBlacklistAndroidWhich Android client SDK versions to blocklist (sometimes referred to as blacklist).

Devices running blocklisted versions will be rejected/denied.
Comma separated semantic version.

Example: "3.5.3, 3.6.8"
encapApiBlacklistIosWhich iOS client SDK versions to blocklist (sometimes referred to as blacklist).

Devices running blocklisted versions will be rejected/denied.
Comma separated semantic version.

Example: "3.5.3, 3.6.8"
maxPinCodeLengthThe maximum length (in characters) of the PIN code.From 1 to MAXINT6
minimumRequiredEncapApiVersionAndroidThe minimum Android client SDK version allowed. This can only be used to narrow down the allowed Android SDK versions (not extend).

Example: If the minimum supported client version on the server is "3.5.0", and someone wants to only allow "3.6.0", this can be achieved. However, specifying "3.3.0" would have no effect, as it is below the minimum supported client version on the server.
Semantic version.

Example: "3.7.0"
minimumRequiredEncapApiVersionIosThe minimum iOS client SDK version allowed. This can only be used to narrow down the allowed iOS SDK versions (not extend).

Example: If the minimum supported client version on the server is "3.5.0", and someone wants to only allow "3.6.0", this can be achieved. However, specifying "3.3.0" would have no effect, as it is below the minimum supported client version on the server.
Semantic version.

Example: "3.7.0"
pinCodeLengthThe minimum length (in characters) of the PIN code.

Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK.
From 1 to MAXINT6
pinCodeTypeThe types of characters that can be used for the PIN code.

Note: This parameter is a hint to the client, and is not enforced by the server. However, it is enforced in the client SDK.
ANY,
NUMERIC,
ALPHA,
ALPHANUMERIC
NUMERIC
sessionExpiryThe amount of time (in milliseconds) that a new device operation session remains valid for.

After this time has elapsed, the session can no longer be used for any operations.

Note: This value cannot exceed the maximum configured value of 187200000.
From 1 to 187200000187200000
maximumSessionExpiryThe maximum amount of time (in milliseconds) that the sessionExpiry can be set to.

Note: This property cannot be configured using our MobileID Admin API. To update this value, you need to contact us by creating a support ticket in the Signicat Dashboard.
From 1 to MAXINT187200000
clientDebugDataEnabledOsTypesA comma-separated list of operating system types to enable client debug data for.

It can be set for neither, one, or both platforms.

Note: This property cannot be configured using our MobileID Admin API. To update this value, you need to contact us by creating a support ticket in the Signicat Dashboard.
IOS,
ANDROID

Clean-up of inactive devices

You can use the property below to configure MobileID's clean-up of inactive devices.

Property nameDescriptionAllowed valuesDefault value
inactiveDeviceDeleteRetentionTimeThe number of days that a device can be inactive before it is deleted.

Note: The inactive period starts from the time when the device was last used.
From 365 to MAXINT365

Face authentication

You can use the property below to configure MobileID's Face authentication feature for your application.

Want to learn more?

To learn more, see our Face authentication feature documentation.

Property nameDescriptionAllowed valuesDefault value
serverSideFaceEnabledDetermines whether the server can use the Face authentication feature.true,
false
true

Geofencing configurations

You can use the properties below to configure MobileID's Geofencing feature for your application.

Want to learn more?

To learn more, see our Geofencing feature documentation.

Property nameDescriptionAllowed valuesDefault value
geofencingActivationModeDetermines if or how geofencing is used for registration. This is reflected in three different modes:
  • REQUIRED means that a device location check is performed. If the location is not a part of the allowed regions, or if the location check fails, then the registration request will fail.
  • OPTIONAL means that a device location check is performed. If the location is not a part of the allowed regions, or if the location check fails, then the registration request will be performed. It is up to you what action is taken on the result.
  • OFF means that a device location check is not performed.
REQUIRED,
OPTIONAL,
OFF
OFF
geofencingActivationAllowedContinentsComma-separated list of continents where registration is allowed, in a two-letter continent code format.AF (Africa),
AN (Antarctica),
AS (Asia),
EU (Europe),
NA (North America),
OC (Oceania),
SA (South America)
geofencingActivationAllowedCountriesComma-separated list of countries where registration is allowed, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries are in addition to those covered by the allowed continents parameter.
You can find a list of countries and corresponding codes at GeoNames.
geofencingActivationDeniedCountriesComma-separated list of countries where registration is not allowed, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries will be excluded from those covered by the allowed continents parameter.
You can find a list of countries and corresponding codes at GeoNames.
geofencingAuthenticationModeDetermines if or how geofencing is used for authentication. This is reflected in three different modes:
  • REQUIRED means that a device location check is performed. If the location is not a part of the allowed regions, or if the location check fails, then the authentication request will fail.
  • OPTIONAL means that a device location check is performed. If the location is not a part of the allowed regions, or if the location check fails, then the authentication request will be performed. It is up to you what action is taken on the result.
  • OFF means that a device location check is not performed.
REQUIRED,
OPTIONAL,
OFF
OFF
geofencingAuthenticationAllowedContinentsComma-separated list of continents where authentication is allowed, in a two-letter continent code format.AF (Africa),
AN (Antarctica),
AS (Asia),
EU (Europe),
NA (North America),
OC (Oceania),
SA (South America)
geofencingAuthenticationAllowedCountriesComma-separated list of countries where authentication is allowed, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries are in addition to those covered by the allowed continents parameter.
You can find a list of countries and corresponding codes at GeoNames.
geofencingAuthenticationDeniedCountriesComma-separated list of countries where authentication is not allowed, in an ISO 3166-1 alpha-2 two-letter country code format.

These countries will be excluded from those covered by the allowed continents parameter.
You can find a list of countries and corresponding codes at GeoNames.
geofencingTimeoutThe maximum time (given in milliseconds) to wait for the location lookup and reverse geocoding to complete on the SDK.

The timing starts when the SDK calls the finish operation.

If the timeout is exceeded, then the SDK will continue without a country.
From 0 to MAXINT10000

Hardware-protected keys

You can use the property below to configure MobileID's Hardware-protected keys feature for your application.

Want to learn more?

To learn more, see our Hardware-protected keys feature documentation.

Property nameDescriptionAllowed values
hwKeyValidationStrategyDetermines what to do with devices if the validation hardware-protected keys signature fails.

The value SUPPORTED indicates that if the validation hardware-protected keys signature fails, then the device operation will fail.

The result of the hardware signature validation is always returned as a part of the following risk attributes:
SUPPORTED

Push configurations

You can use the properties below to configure push notifications for your application.

Properties for both platforms

This table describes properties for both Android and iOS, so they may not all apply:

  • For iOS devices, we use Apple Push Notification service (APNs).
  • For Android devices, we use Firebase Cloud Messaging (FCM).

How to set up for iOS

MobileID supports APNs tokens which can be created within the Apple Developer Program Portal. You will need to share the following:

  • APNs token
  • Team ID
  • Key ID

How to set up for Android

You can configure FCM with your mobile application in the Firebase project console.

Property nameDescriptionAllowed valuesDefault value
apnConfigThe APN server configuration that defines where to reach the APNs.PRODUCTION,
SANDBOX
PRODUCTION
apnExpiryThe amount of time (in milliseconds) that APNs will try to deliver the message for. If not delivered within this time, then the message is discarded.

Note: APNS will attempt to deliver the message at least once, regardless of the set expiration time.
From 1 to MAXINT1
apnsBundleIdApple's bundle ID for the application. This is used as a topic on the push message sent to APNs, and is required when using APNs tokens.String
apnsNotificationSoundEnabledDetermines whether a notification sound is played on iOS devices when the device receives a push message.
  • If the option is set to true, the 'default' sound on the device is played when a push is received.
  • If the option is omitted or set to false, no sound is played.
Note: This parameter only applies to iOS devices. On Android, the app itself determines whether a notification sound is played.
true,
false
true
apnsTimeSensitiveInterruptionLevelEnabledSets the interruption level for push messages to iOS devices to 'time-sensitive'.
  • If set to true, push notifications are given a higher priority and can notify users even when the device is in 'Focus' mode.
  • If set to false, the default interruption level 'Active' is assumed by the device.
true,
false
false
nativePushEnabledEnables the server to send push messages with Firebase Cloud Messaging (FCM) or Apple Push Notification service (APNs).true,
false
false
firebaseServiceAccountThe contents of the serviceAccount.json file (credentials file), for your Firebase Cloud Messaging (FCM) project.

Note: This has to be supplied to us Base64-encoded.
String
firebaseTimeToLiveThe maximum lifespan of the message (in milliseconds), for Firebase Cloud Messaging (FCM).

The default value is 0 , which means to deliver the message 'now or never'. FCM guarantees best effort for messages with this lifespan.
From 0 to MAXINT0

Risk data configuration

A set of risk attributes can be collected for each operation.

The enabledRiskData property is used to configure MobileID's risk data feature for your application. This determines which attributes are collected and returned in the operation response. See table below for possible values.

How to configure risk data

You can update this parameter using the Update properties of application configuration endpoint in our MobileID Admin API.

Always collected risk data

Some risk data is always collected, for debugging purposes. This means that for enabledRiskData:

  • If you leave this field empty (null), the always collected risk data will still be returned.
  • If you specify risk attributes, the always collected risk data will be returned in addition to those you have specified.

You can find a list of what risk data is always enabled in the MobileID API reference documentation. See Risk attributes in the Common concepts section.

Location risk data

Location (location) is a risk data attribute that describes the location of the device used in the operation.

It is returned as its own object in the operation response instead of in the risk attributes (riskAttributes) object.

You can enable location risk data by adding value location to the enabled risk data (enabledRiskData) in the application configuration.

Configurations

Property nameDescriptionAllowed valuesDefault value
enabledRiskDataDetermines which risk data to collect. You can either:
  • Collect only selected risk data (including always collected risk data).
  • Collect only always collected risk data.
Select specific attributes, given as a JSON array.

In addition to location, see the Risk attributes in the Common concepts section of the MobileID API reference documentation for allowed values.

or

Leave this field empty (null).