MobileID app

Table of contents

About the MobileID app

The MobileID app offers a simple way to implement and use two-factor authentication on mobile devices, which can be used for authentication (Connect). If combined with SignicatID, electronic signing (Sign) of documents is also supported. The MobileID app is available on Google Play as well as the Apple App Store.

Key features

  • Supports PIN and fingerprint on both Apple and Android devices, as well as Apple Face ID.
  • Can be used as an authenticator as part of SignicatID (SCID).
  • Signing of documents with MobileID is available through Signicat’s signing functionality, if combined with SignicatID.
  • Provides Strong Customer Authentication (SCA) satisfying PSD2 requirements.
  • Like the MobileID in-app solution, the MobileID app relies on Encap, an established and trusted provider of mobile security solutions, for app security. The MobileID app is not the same as the MobileID in-app solution, however. The MobileID app is a standalone app, whereas the MobileID in-app solution is integrated with existing business applications.

Integrating with the MobileID app through Signicat

Integration with the MobileID app is done via the same API as Signicat’s other ID methods. Through the single point of integration, one will get access to Signicat’s wide portfolio of integrated ID methods, not only MobileID, but also other services like identity paper verificationlookups, and video assurance.

Specific instructions for integrating using both OIDC and SAML can be found below. See “Get started with authentication“ for more guides and examples.

Integrating with OIDC

Signicat has implemented OAuth 2.0 with the Authorization Code Flow. In order to use this, the following information has to be exchanged.

Information exchanged between Signicat and the customer
Task
Parameter to expose to Signicat
Description
Create customer’s OIDC client
CUSTOMER_CLIENT_ID
Create client secret
CUSTOMER_CLIENT_SECRET
Used for communication with Signicat’s OIDC server
Create reg method
CUSTOMER_REG_METHOD_NAME
Method name should always reflect the initiating scenario (app-to-app/web-to-app)
Create auth method
CUSTOMER_AUTH_METHOD_NAME
Name should always match the initiating scenario (app-to-app/web-to-app)
SIGNICAT_BASE_URL
Signicat environment URL (e.g. https://preprod.signicat.com)
SIGNICAT_AUTHORIZATION_ENDPOINT
SIGNICAT_TOKEN_ENDPOINT
SIGNICAT_USERINFO_ENDPOINT
Refer to Send <SIGNICAT_BASE_URL>/oidc/.well-known/openid-configuration
Prepare basicAuthHeader
CUSTOMER_BASIC_AUTH_HEADER
Base64-encoded CUSTOMER_CLIENT_ID:CUSTOMER_CLIENT_SECRET, to be used for obtaining the access token
Information exchanged between the customer and Signicat
Parameter to expose to Signicat
Description
CUSTOMER_CALLBACK_URL Callback URL (a customer backend) that Signicat’s server will send the authorization code and final result to

Note that other parameters may be required, depending on the integration scenario (app-to-app or web-to-app). These scenarios are described in the section on Registration and authentication with the MobileID app below.

Integrating with SAML 1.1

Information exchanged between Signicat and the customer
Task
Parameter to expose to customer
Description
Create a service CUSTOMER_SERVICE
Create reg method CUSTOMER_REG_METHOD_NAME Method name should always reflect the initiating scenario (app-to-app/web-to-app)
Create auth method CUSTOMER_AUTH_METHOD_NAME Method name should always reflect the initiating scenario (app-to-app/web-to-app)
SIGNICAT_BASE_URL Environment URL, e.g. https://preprod.signicat.com
Information exchanged between the customer and Signicat
Parameter to expose to Signicat
Description
CUSTOMER_REDIRECT_URL Redirect URL (a customer backend) that Signicat’s server will send the SAML response to

 

Registration and authentication with the MobileID app

The main purpose of the MobileID app is to be an authenticator. In order to pair the app and an identity, however, the end-user must go through a registration process. To establish who the end-user is within the customer’s system, the person’s identity is established by the customer through the use of another ID method. The registration process can then be started either in a browser or from another app.

The process of registration results in a deviceId being returned, which can then be used for subsequent authentications. The deviceId is a unique identifier that is tied to the information of the end-user who registered the MobileID device (userId).

Note that it is the responsibility of the customer to tie the deviceId to the end-user’s information (obtained through a secondary ID method) in a persistent manner, such as in a database, so that it can later be used in the MobileID app authentication process.

 

App-to-app registration and authentication with the MobileID app

App-to-app registration and authentication allow the customer to offer registration and authentication capabilities for a mobile app through the MobileID app.

With app-to-app registration, the entire registration process is performed within the customer’s app, including identifying the end-user. An end-user who has completed the registration process can authenticate their identity. With app-to-app authentication, the whole authentication process is handled by the customer’s app, all the way from initializing the authentication to receiving a response with the result of the authentication.

The following table details the processes of app-to-app registration and authentication.

Registration Authentication
click to enlarge
Start operation
The first step in the overall registration process is to obtain a pairing code and a set of links needed for further communication with Signicat.

Once received, the pairing code needs to be passed to the MobileID App in order to initiate the registration process. More information on the handling of the pairing code can be found in the next section.

Generally,

  • the customer’s app will send an HTTP request to the customer’s backend and request MobileID registration
  • the customer’s backend will construct a URL and redirect the request to Signicat, with the resulting response as shown below. See how the registration URL is constructed, depending on the protocol used, in our MobileID App Integration Registration URL Construction Guide.
In order to start an authentication process from a customer’s app,

  • the customer’s app will send an HTTP request to the customer’s backend and request MobileID authentication
    • deviceId is a part of the request
    • the customer’s backend should verify that there is a record of the deviceId that is mapped to the end-user’s information (userId)
  • the customer’s backend will construct a URL and redirect the request to Signicat. See how the authentication URL is constructed, depending on the protocol used, in our MobileID App Integration Authentication URL Construction Guide.
MobileID app launching and executing operation
Once the pairing code has been received, the customer’s app will call the MobileID app via deep app linking, and pass the pairing code to it.

The MobileID app will then verify the pairing code with Signicat’s server. If the code is correct, the registration process is initiated. As part of the registration, the end-user will register a PIN and optionally a fingerprint or Face ID (on iOS).

When the registration process is complete, the customer’s app will be called back using the CUSTOMER_APP_LINK_REG_URL.

Launching a mobile app from another app is language/platform-specific. The example of launching the MobileID app from React Native is shown below.

Linking.openURL(MOBILEID_APP_UNIVERSAL_LINK_URL + "?code=" + );

Unlike in the registration process, the customer’s app does not have to explicitly invoke the MobileID app for authentication.

Authentication in the MobileID app is started via push notification from Signicat’s server as a result of the previous ‘Start authentication’ operation. This means that

  • The registered MobileID App will get receive a push notification which triggers user authentication
  • the authentication process is carried out in the MobileID app
  • when the user authentication is complete in the MobileID app, the customer’s app will be called back via the CUSTOMER_APP_LINK_AUTH_URL.
Check status
While registration with the MobileID app is ongoing, you can get the status of the registration process using the status URL retrieved in the previous step.

Request
GET <STATUS_URL>

Response
{"finished":true|false,"error":false}

If the customer’s app waits until a callback from the MobileID app (i.e. after the registration process is complete), it is recommended to first check the status via the STATUS_URL. If the status value is “finished”, you can start the verification process via COMPLETE_URL as mentioned in the next section.

While authentication with the MobileID app is ongoing, the customer’s app may get the status of the authentication process by executing a call to the STATUS_URL.

This call is optional if the customer’s app waits until a callback from the MobileID app (i.e. after the authentication process is complete).

Request
GET <STATUS_URL>

Response
{"finished":true|false,"error":false}

Send complete
After registration on the MobileID app is complete, control is passed back to the customer’s app. At this point, the customer’s app and backend do not yet have the information about the registered MobileID app identifier (deviceId). This is a crucial piece of information: as mentioned at the start of the Registration and authentication with the MobileID app section, the deviceId has to be tied to the end-user’s information (a unique identifier obtained by use of a secondary authentication method) in the customer’s backend. It will also have to be retrieved by the customer’s app by some means.

If the status value in the previous step is “finished”, the customer’s app will need to execute a request to the COMPLETE_URL retrieved in the previous step. Signicat’s server will then post/redirect an authorization code to the CUSTOMER_CALLBACK_URL. The customer’s backend will then start the verification process, get the deviceId and other registration-related information from Signicat’s server, and inform the customer’s app. The verification process is explained in more detail in the next step.

As described above, after authentication on the MobileID app is complete, control is passed back to the customer’s app via the CUSTOMER_APP_LINK_AUTH_URL.

The customer’s app should always verify against Signicat’s server that an authentication took place – it is important to not only trust the response from the app alone. To initiate the verification of the authenticated session, the customer’s app will have to send a request to the COMPLETE_URL retrieved in the previous step.

Verify operation and notify customer’s app
Upon execution of a request to the COMPLETE_URL, you will need to obtain the response containing the deviceId from Signicat’s server.

Depending on the protocol used, a different sequence of calls will need to be executed. See our Operation verification guide for the request and response structure for both OIDC and SAML.

Tie deviceId to userId (registration only) and inform the Customer App
It is the customer’s backend’s responsibility to tie the deviceId to the user information and inform the app.

The deviceId is tied to the user information (userId) and saved in a persistent manner in the backend (a lookup could then take place during the authentication process).

Finally, the customer’s backend will inform the customer’s app about the registered deviceId and any other applicable information. The customer’s backend is free to decide how to transfer the deviceId to the customer’s app.

When the deviceId is retrieved by the customer’s app and saved persistently in the customer’s backend, this can optionally be done through a separate call from the customer’s app to the customer’s backend, after receiving “success” in the Send Complete response.

When the deviceId has been obtained, the customer’s backend informs the customer’s app about whether the MobileID authentication process succeeded or failed.

If authentication is successful, it is the responsibility of the customer’s backend to make sure that the user information is available in the session (i.e. establish an authentication session with the customer’s app) and to inform the customer’s app. It is recommended that the customer’s backend provides the deviceId to the customer’s app so that that it can be persistently stored and used for future authentications.

Web-to-app registration and authentication with the MobileID app

Web-to-app registration and authentication allow the customer to offer registration and authentication capabilities for a web application through the MobileID app.

With web-to-app registration, the whole registration process is performed inside your browser, including identifying the user. Web-to-app authentication handles the whole authentication process from your browser, all the way from initializing the authentication to receiving a response with the result of the authentication.

The following table details the processes of web-to-app registration and authentication.

Registration Authentication
Start operation
The first step in the overall registration process is to obtain a pairing code which is needed for further communication with Signicat.

Once received, the pairing code needs to be passed to the MobileID App in order to initiate the registration process. More information on the handling of the pairing code can be found in the next section.

Generally,

  • the customer’s web app redirects the user’s browser to the Signicat method CUSTOMER_REG_METHOD_NAME
  • Signicat’s server generates a pairing code and displays a web page with information about how the process should continue

See how the registration URL is constructed, depending on the protocol used, in our MobileID App Integration Registration URL Construction Guide.

In order to start an authentication process from a customer app,

  • the customer’s app will send an HTTP request to the customer’s backend and request MobileID authentication
  • the customer’s backend will construct a URL and redirect the request to Signicat. See how the authentication URL is constructed, depending on the protocol used, in our MobileID App Integration Authentication URL Construction Guide.
MobileID app launching and executing operation
The end-user will be asked to install the MobileID app (if they haven’t already), launch it and enter the pairing code displayed on the web page (or scan the QR code).

Then the MobileID app will verify the pairing code with Signicat’s server and initiate the registration process. As part of the registration, the end-user will register a PIN and optionally a fingerprint or Face ID (on iOS).

Authentication in the MobileID app is started via push notification from Signicat’s server as a result of the previous ‘Start authentication’ operation. This means that

  • the registered MobileID App will get receive a push notification which triggers end-user authentication
  • when the user authentication is complete in the MobileID app, the authentication results will be posted (via redirect) to the customer’s backend (CUSTOMER_REDIRECT_URL)
Check status and complete the process
While registration with the MobileID app is ongoing, the end-user’s browser will keep polling Signicat’s server, awaiting confirmation that the process has been completed. The browser content is delivered by Signicat’s server, so the polling is done by Signicat. There is no need for the customer’s backend to poll or check the status of the process at this point.

When the registration is complete, the end-user’s browser will display a confirmation page with a “Confirm” button. When the end-user clicks this button, the verification process will start on Signicat’s server.

While authentication with the MobileID app is ongoing, Signicat’s server will poll the status of the ongoing authentication process by executing a call to the STATUS_URL.

When the authentication is complete in the MobileID app, Signicat’s server will detect it and start the verification process with the customer’s backend by redirecting a response (depending on the protocol, see below) to CUSTOMER_REDIRECT_URL.

Verify operation and notify customer’s app
When the end-user clicks the “Confirm” button, the response containing the deviceId of the MobileID App that has just been registered has to be obtained from Signicat’s server.

Depending on the protocol used, a different sequence of calls will need to be executed in order to verify the response and obtain the deviceId. See our Operation verification guide for the request and response structure for both OIDC and SAML.

Once the deviceId is obtained, the customer can tie it to the userId in a persistent manner.

Upon execution of a request to the COMPLETE_URL, a response containing the deviceId has to be obtained from Signicat’s server.

Depending on the protocol used, a different sequence of calls will need to be executed in order to verify the response and obtain the deviceId. See our Operation verification guide for the request and response structure for both OIDC and SAML.

Once the deviceId is obtained, the customer’s backend will then inform the user (via browser) that authentication has been carried out.

The videos below show the processes of web-to-app registration and authentication from the end-user perspective.

MobileID app: Web-to-app registration

 

MobileID app: Web-to-app authentication

 

Frequently asked questions (FAQ)

Question Answer
Can the MobileID app be used on a mobile device without a fingerprint reader? Yes, the user will then use a PIN code.
What is the difference between using the MobileID app and enabling native fingerprint support from the OS in your application? Signicat registers the phone as an authentication device and binds the user to the phone and fingerprint (or PIN). The connection between the phone and the server is encrypted and securely handled by Signicat using award-winning technology.
Can the MobileID app be used with Microsoft Surface? No. Only Android and iOS devices are supported.
Does the MobileID app support OIDC and SAML2? Yes
Does the customer need to have SignicatID (SCID)? No, the MobileID app will operate without SignicatID. But SignicatID can be configured to use the MobileID app as an authenticator.
How is this related to the MobileID in-app solution? The MobileID app is a standalone mobile app that can be used as an authenticator. The MobileID in-app solution provides an API which allows merchants to implement strong customer authentication in their existing mobile apps.
Who publishes the MobileID app? Signicat AS is the publisher. Going forward, Signicat is considering creating soft-branded apps, where a merchant can be the publisher.