Product Documentation
  • A successful FIDO2_0 response (accompanied by a 200 OK) will look similar to the following:
    {
        "Response": "Successfully processed authorization response",
        "responseCode": "FIDO-MSG-0016",
        "txdetail": {
            "txid": "254900MS6G5FQCUJMZ97-TELLARO-1631149799",
            "txpayload": "ewogICAgIm1lcmNoYW50TmFtZSI6ICJTdHJvbmdLZXkiLAogICAgImN1cnJlbmN5IjogIlVTRCIsCiAgICAidG90YWxQcmljZSI6ICIxNDk5NSIsCiAgICAiY2FyZEJyYW5kIjogIkFtZXgiLAogICAgImNhcmRMYXN0NCI6ICJ4LTEyMzQiLAogICAgInR4aWQiOiAiMjU0OTAwTVM2RzVGUUNVSk1aOTctVEVMTEFSTy0xNjMxMTQ5Nzk5IiwKICAgICJ0eGRhdGUiOiAiVGh1IFNlcCA4IDE3OjAyOjU2IFBEVCAyMDIxIgp9",
            "nonce": "Qs3hf3cI9kuy4f0ET2C9rg",
            "txtime": 1717799117844,
            "challenge": "rhPV7BZnaZBuSNd9bE7bOYGEVcKLSxrXZ0NZsb44Pqw"
        },
        "FIDOAuthenticatorReferences": [
            {
                "protocol": "FIDO2_0",
                "id": "qHbQtHwom-FE8y4RXXGY-iS4hQ4EiIeKEQN0fceqls-CG_hlACjZc76MkUbicEJx3lmEFh2wRD164J8vv7MqBsOK7Sv-hwwRM9CNeZaiNPh_FApc0xtD_TEn8gcNfmSg4uLNUNPQWirapmygkcrvNLoYasAau5A3PNssRg1Iuuop_CyLiFXKVoLkwaRex7UALPEJXp39PKotbLJgoru3_46DSJh37nqa1cQAuhnaqdOpHAhahVKctDtmL_A-Mnmf",
                "rawId": "qHbQtHwom-FE8y4RXXGY-iS4hQ4EiIeKEQN0fceqls-CG_hlACjZc76MkUbicEJx3lmEFh2wRD164J8vv7MqBsOK7Sv-hwwRM9CNeZaiNPh_FApc0xtD_TEn8gcNfmSg4uLNUNPQWirapmygkcrvNLoYasAau5A3PNssRg1Iuuop_CyLiFXKVoLkwaRex7UALPEJXp39PKotbLJgoru3_46DSJh37nqa1cQAuhnaqdOpHAhahVKctDtmL_A-Mnmf",
                "userHandle": "",
                "rpId": "strongkey.com",
                "authenticatorData": "WnTBrV2dI2nYtpWAzOrzVHMkwfEC46dxHD4U1RP9KKMEAAAAFA",
                "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoicmhQVjdCWm5hWkJ1U05kOWJFN2JPWUdFVmNLTFN4clhaME5ac2I0NFBxdyIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5zdHJvbmdrZXkuY29tIiwiY3Jvc3NPcmlnaW4iOnRydWV9",
                "aaguid": "3b1adb99-0dfe-46fd-90b8-7f7614a4de2a",
                "authorizationTime": 1717799117947,
                "uv": true,
                "up": false,
                "signerPublicKey": "MIIBMzCB7AYHKoZIzj0CATCB4AIBATAsBgcqhkjOPQEBAiEA_____wAAAAEAAAAAAAAAAAAAAAD_______________8wRAQg_____wAAAAEAAAAAAAAAAAAAAAD_______________wEIFrGNdiqOpPns-u9VXaYhrxlHQawzFOw9jvOPD4n0mBLBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg9KE5RdiYwpZP40Li_hp_m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP____8AAAAA__________-85vqtpxeehPO5ysL8YyVRAgEBA0IABLGC4EvjjnGDPOXv9xWDUjjdWiRRvZkb4u5b87MyQifUZ_-DE0Odwq309c71koYixY-lQvgrTf49Dd2IHjSqpCw",
                "signature": "MEUCIDHSHctNNzqSGJcj8OrpImmK9jrAT1aTVU6ZOA--IVRhAiEAjvYW8414KQO854g9w0EBrO6eHjnct0R-NxhHaL8EMUo",
                "usedForThisTransaction": true,
                "signingKeyType": "ECDSA",
                "signingKeyAlgorithm": "SHA256withECDSA"
            }
        ],
        "skfsVersion": "4.13.0",
        "registrationVersion": "4.13.0",
        "skfsFQDN": "example.strongkey.com",
        "TXID": "1-1-76-1717799117885"
    }

 

Response Description

Value

Explanation

Response

A human readable message indicating the response status.

 

txdetail Description

Value

Explanation

nonce

This attribute displays the “number used once” that was randomly generated by the SKFS to mix-in with the base64url-encoded transaction payload (txpayload) to generate the message digest (“hash”) that represents the challenge (which is eventually signed by the user).

txid

A string with a maximum length of 256 characters that represents a business application-defined unique transaction identifier. It can be anything that is appropriate to the business application.

Some examples are shown below:

  • “123456789”
  • “SFAECO-12345”
  • “254900MS6G5FQCUJMZ97-TELLARO-1631149799”

txpayload

This is the base64url-encoded object containing the transaction signed by the user, that resembles the following:

ewogICAgIm1lcmNoYW50TmFtZSI6ICJTdHJvbmdLZXkiLAogICAgImN1cnJlbmN5IjogIlVTRCIsCiAgICAidG90YWxQcmljZSI6ICIxNDk5NSIsCiAgICAiY2FyZEJyYW5kIjogIkFtZXgiLAogICAgImNhcmRMYXN0NCI6ICJ4LTEyMzQiLAogICAgInR4aWQiOiAiMjU0OTAwTVM2RzVGUUNVSk1aOTctVEVMTEFSTy0xNjMxMTQ5Nzk5IiwKICAgICJ0eGRhdGUiOiAiVGh1IFNlcCA4IDE3OjAyOjU2IFBEVCAyMDIxIgp9

txtime

This attribute shows the time the transaction was signed, in seconds from the UNIX “epoch”—January 01, 1970, at midnight.

challenge

This is the message digest (hash) generated by the SKFS to represent the unique transaction signed by the user.

The digital signature on this challenge is the unique “authentication code” required by the European Banking Authority’s Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA).

 

FIDOAuthenticatorReferences Description

NOTE: This is an array that may have zero or more objects, providing data that was defined by the FIDO Alliance and EMVCo, to transmit confirmed transactions to Payment Service Providers (PSP) or Account Servicing Payment Service Providers (ASPSP) a.k.a. Issuing Banks.

The transmission of this digitally signed transaction to PSPs/ASPSPs is not within the scope of FIDO/WebAuthn protocols (at this time), and must be handled by the business application through other channels.

Value

Explanation

protocol

The protocol that is being used to convey this data structure to ASPSPs. In the case of FIDO, it is currently FIDO2_0.

id

The identifier of the FIDO credential that digitally signed this transaction. Also known as credentialId within the JavaScript API—Web Authentication (WebAuthn).

rawId

An implementation of an ArrayBuffer containing the raw byte sequence of the credentialId.

userHandle

This attribute contains the user handle returned from the Authenticator, or null if the authenticator did not return a user handle. See §6.3.3 The authenticatorGetAssertion Operation.

rpId

This attribute contains the RFC-6525 origin that represents the RP’s DNS domain. Only credentials registered to this rpId will qualify for providing a transaction confirmation—the digital signature of the challenge, thus providing proof of authorization.

authenticatorData

A complex data structure with information an RP should use to determine if they will accept the transaction confirmation and use the digital signature to confirm the transaction by the user.

NOTE: The SKFS relies heavily on this object to determine if the generated signature—and the Authenticator that generated it—conform to the security policy defined within SKFS.

clientDataJSON

A serialized representation of a JSON structure whose message digest (a.k.a. hash) is digitally signed by the FIDO authenticator in response to a request for transaction authorization.

NOTE: This object represents the most important result of a FIDO signing operation; it is what provides cryptographic evidence that the right challenge was signed with the right credential registered at this RP.

aaguid

This attribute describes a unique Authenticator Attestation Globally Unique Identifier, a unique string chosen by the FIDO Authenticator manufacturer to identify a class of authenticators.

authorizationTime

This attribute shows the time the transaction was signed, in seconds from the UNIX “epoch” (January 01, 1970, at midnight).

uv

A Boolean flag indicating whether the FIDO authenticator verified the user’s identity through either a biometric measurement, a PIN, or a pattern before applying the digital signature on the transaction with the FIDO credential’s private key.

up

A Boolean flag indicating whether the FIDO authenticator determined the presence of the user at the device that confirmed the transaction by applying the digital signature.

signerPublicKey

The base64-encoded public key of the user’s FIDO credential corresponding to the private key that applied the digital signature on the transaction.

signature

The base64-encoded digital signature that confirms the transaction.

usedForThisTransaction

A Boolean flag indicating whether this FIDO credential was used to confirm this transaction.

signingKeyType

The cryptographic algorithm used by this FIDO credential for this transaction.

signingKeyAlgorithm

The signing algorithm used by this FIDO credential to confirm this transaction.
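
A consistency check a business application could run on this response before passing it on, written as an added example (not StrongKey's code): it decodes txpayload, clientDataJSON and authenticatorData from the sample above and cross-checks them against the plain-text fields. The helper name check_reference and the payload-txid comparison are assumptions; the digital signature itself is not verified here.

```python
import base64
import hashlib
import json
import struct

# Values copied from the sample response on this page (only the fields used).
TXDETAIL = {
    "txid": "254900MS6G5FQCUJMZ97-TELLARO-1631149799",
    "txpayload": "ewogICAgIm1lcmNoYW50TmFtZSI6ICJTdHJvbmdLZXkiLAogICAgImN1cnJlbmN5IjogIlVTRCIsCiAgICAidG90YWxQcmljZSI6ICIxNDk5NSIsCiAgICAiY2FyZEJyYW5kIjogIkFtZXgiLAogICAgImNhcmRMYXN0NCI6ICJ4LTEyMzQiLAogICAgInR4aWQiOiAiMjU0OTAwTVM2RzVGUUNVSk1aOTctVEVMTEFSTy0xNjMxMTQ5Nzk5IiwKICAgICJ0eGRhdGUiOiAiVGh1IFNlcCA4IDE3OjAyOjU2IFBEVCAyMDIxIgp9",
    "challenge": "rhPV7BZnaZBuSNd9bE7bOYGEVcKLSxrXZ0NZsb44Pqw",
}
REF = {
    "rpId": "strongkey.com",
    "authenticatorData": "WnTBrV2dI2nYtpWAzOrzVHMkwfEC46dxHD4U1RP9KKMEAAAAFA",
    "clientDataJSON": "eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoicmhQVjdCWm5hWkJ1U05kOWJFN2JPWUdFVmNLTFN4clhaME5ac2I0NFBxdyIsIm9yaWdpbiI6Imh0dHBzOi8vZXhhbXBsZS5zdHJvbmdrZXkuY29tIiwiY3Jvc3NPcmlnaW4iOnRydWV9",
    "uv": True,
    "up": False,
}


def b64url(s: str) -> bytes:
    """Decode unpadded base64url, the encoding used for these fields."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_reference(txdetail: dict, ref: dict) -> dict:
    """Hypothetical helper: cross-check one FIDOAuthenticatorReferences entry."""
    payload = json.loads(b64url(txdetail["txpayload"]))
    client = json.loads(b64url(ref["clientDataJSON"]))
    auth = b64url(ref["authenticatorData"])
    if len(auth) < 37:  # rpIdHash (32) + flags (1) + signature counter (4)
        raise ValueError("authenticatorData too short")
    flags = auth[32]
    return {
        "type_is_get": client.get("type") == "webauthn.get",
        "challenge_matches": client.get("challenge") == txdetail["challenge"],
        # Assumes the application embeds txid in its payload, as the sample does.
        "payload_txid_matches": payload.get("txid") == txdetail["txid"],
        "rpid_hash_matches": auth[:32] == hashlib.sha256(ref["rpId"].encode()).digest(),
        "up_matches": bool(flags & 0x01) == ref["up"],  # bit 0: user present
        "uv_matches": bool(flags & 0x04) == ref["uv"],  # bit 2: user verified
        "sign_count": struct.unpack(">I", auth[33:37])[0],
        "origin": client.get("origin"),
    }


if __name__ == "__main__":
    print(json.dumps(check_reference(TXDETAIL, REF), indent=2))
```

Any False value means the signed structures disagree with the plain JSON fields, and the transaction confirmation should be rejected rather than forwarded to a PSP/ASPSP.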