Select release
Deployment Tutorials

System Requirements

Deploy PowerAuth Server

Migration Instructions

Configuration Properties

Integration Tutorials

Introduction

Configuring REST Client (Spring)

Implementation Tutorials

Mobile-First Authentication in Banking (SCA)

Verifying PowerAuth Signatures On The Server

Reference Manual

Web Services - Methods

FIDO2 API

Telemetry API

Database Structure

Error Codes

PowerAuth Admin

Deploying PowerAuth Admin

Deploying PowerAuth Admin on JBoss/Wildfly

Setting Up LDAP Authentication

Setting Up AD Authentication

Configuration of Activation Recovery

Configuration Properties

Advanced Topics

Encrypting DB Records

Offline Signatures

Integrating with HashiCorp Vault

Database Sizing

Offline Signatures

Edit on Github Send Feedback v1.9.0

Offline signatures are used in case when the mobile device is not connected to the internet. An intermediate web application with connection to the PowerAuth server can generate a QR code which is scanned by the mobile device and an offline signature is generated based on scanned QR code data. The offline signature consists of digits which can be rewritten into the web application which performs online code verification against PowerAuth server.

The following endpoints are available for offline signatures:

  1. Generating personalized offline signature payload
  2. Generating non-personalized offline signature payload
  3. Verifying offline signatures

Generating personalized offline signature payload

Personalized offline signatures are used when activation ID is known (e.g. an activated mobile token). A typical use case is offline verification of signature for payments.

REST method: createPersonalizedOfflineSignaturePayload

For Web Flow the format of request data is documented in the Offline Signatures QR Code documentation chapter.

The offlineData in response already contains all data required to display a QR code. The validity of the QR code should be verified by computing the ECDSA signature of offlineData content before the computed signature and comparing it with the ECDSA_SIGNATURE in offlineData. The nonce in response will be required during offline signature verification step.

Proximity anti-fraud check

If you want to use the proximity anti-fraud feature in offline mode, you have to specify nonce, proximityCheck.seed, and proximityCheck.stepLength in CreatePersonalizedOfflineSignaturePayloadRequest. In that case, CreatePersonalizedOfflineSignaturePayloadResponse#offlineData contains CreatePersonalizedOfflineSignaturePayloadRequest#data plus a generated TOTP. The structure is following {DATA})\n{TOTP}\n{NONCE}\n{KEY_SERVER_PRIVATE_INDICATOR}{ECDSA_SIGNATURE}. This value is transparent for you and is handled by Mobile SDK.

Generating non-personalized offline signature payload

Non-personalized offline signatures are used when activation ID is not known. A typical use case is offline verification for login operation.

REST method: createNonPersonalizedOfflineSignaturePayload

For Web Flow the format of request data is documented in the Offline Signatures QR Code documentation chapter.

The offlineData in response already contains all data required to display a QR code. The validity of the QR code should be verified by computing the ECDSA signature of offlineData content before the computed signature and comparing it with the ECDSA_SIGNATURE in offlineData. The nonce in response will be required during offline signature verification step.

Verifying offline signatures

Once the mobile device successfully scans the QR code and verifies the QR code data signature, the signature of the data related to the operation can be computed as described in Computing and Validating Signatures. The generated signature can be verified against PowerAuth server.

REST method: verifyOfflineSignature

The normalized data for verifyOfflineSignature requests should be constructed as described in Normalized data for HTTP requests. The nonce generated in the generate offline signature payload step should be used.

The validity of the offline signature can be checked by verifying the signatureValid value in VerifyOfflineSignatureResponse.

Last updated on Jan 23, 2024 (08:50) Edit on Github Send Feedback
On this page:
Search

1.9.x

PowerAuth Server