Futurae offers the ability to protect sensitive actions, which an authenticated user performs in your application, such as performing a financial transaction, or updating sensitive information in his profile. This is called transaction authentication (or transaction signing).
The following flowchart illustrates the basic steps for performing transaction authentication:
The high-level procedure is the following:
Call /user/preauth to check if the user is eligible for Futurae authentication, as well as retrieve his enrolled devices and the capabilities of each device (the capabilities of a device determine which factors can be used with that device).
Call /user/auth/transaction to start the transaction authentication process with a selected factor. Use the
extra_infoparameter in order to supply information about the action which the user has to approve. This will appear on the user's screen, along with the option to confirm or reject the transaction.
For some factors /user/auth/transaction will return immediately, providing a
session_id. Your application can use the
session_idin order to query the status and eventually retrieve the result of this particular authentication attempt, via the /user/auth_status endpoint. Finally for some other factors, there is an option to supply the
asyncparameter, which when set to false, will cause the endpoint to run synchronously and return a response when the authentication process has completed. Alternatively, you can supply a callback URL when invoking /user/auth/transaction. Futurae will call this URL with status updates and the result of the authentication attempt.
We stress again that there are some slight variations on this generic flow, depending on the particular authentication factor. Please refer to the documentation of the /user/auth/transaction and /user/auth_status endpoints for more details.