What are Challenges

What Are Challenges?

A challenge is a security step a user must complete for authentication or verification. Common types include:

  • OTP (SMS, Email)
  • Selfie or Document Scan (IDV)
  • Biometric (Fingerprint, Face ID)
  • Device-based (Confirmation of a known device)

Challenges are triggered during flows like:

  • Activation (first-time setup)
  • Login (same/new device)
  • Password recovery
  • Transaction approvals

How They Work

  1. Configured in Gateway Manager
    Admins define which challenges are active, their order, and which are mandatory or optional.

  2. Triggered via SDK
    The mobile SDK initiates and handles each challenge step-by-step based on server response.

  3. Controlled via Events
    Each challenge emits specific SDK events that the application must listen for and respond to.


Challenge Attempt Cooling Period in REL-ID SDK

This document explains how the cooling period (retry delay or lockout duration) is managed when users fail authentication challenges such as password, PIN, OTP, or custom challenges in the REL-ID SDK.


SDK Behavior

  • The REL-ID SDK does not enforce a hardcoded cooling period.
  • Instead, cooling period and retry behavior are governed by server-side policies configured via the REL-ID Gateway Manager.

Admin-Configurable Settings

Configuration for retry and lockout behavior is done under:

REL-ID Gateway Manager → Group Management → Challenge Category Configuration

Or:

Challenge Handling Configurations → Challenge Attempt Policy

Key Parameters:

| Setting | Description |
|---|---|
| MAX_ATTEMPTS | Maximum allowed failed attempts before locking the user |
| LOCK_DURATION | Optional cooldown (e.g., 15 mins, 1 hour) after which the user is unlocked |
| AUTO_UNLOCK | If enabled, user is auto-unlocked after the lock duration |

🚫 What Happens on Final Failure

  • SDK receives statusCode = 166 indicating user account is locked
  • SDK calls getUser() to fetch latest status
  • App must handle this by showing a lockout message or triggering unblocking flow

🧠 Developer Guidelines

  • Always monitor onGetUserResult() or equivalent callbacks for statusCode = 166
  • Use getUser() to poll or validate if the lock period has passed
  • Optionally invoke getUnblockUser() if supported
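An added example, not REL-ID code: a small Python model of how the three attempt-policy settings could interact with the statusCode = 166 lock, useful for checking app-side lockout handling against each configuration. The class and method names, the 0 and 1 status values, the counter reset on success, and the rule that a lock with AUTO_UNLOCK disabled clears only on an admin unblock are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

STATUS_OK = 0        # constructed value: not locked, attempt accepted (assumption)
STATUS_RETRY = 1     # constructed value: attempt failed, retries remain (assumption)
STATUS_LOCKED = 166  # lock status code named on this page


@dataclass
class AttemptPolicy:
    max_attempts: int               # MAX_ATTEMPTS
    lock_duration_s: Optional[int]  # LOCK_DURATION in seconds; None = not set
    auto_unlock: bool               # AUTO_UNLOCK


class UserLockState:
    """Illustrative server-side view of one user's failed-attempt counter."""

    def __init__(self, policy: AttemptPolicy):
        self.policy = policy
        self.failures = 0
        self.locked_at: Optional[float] = None

    def admin_unblock(self) -> None:
        self.failures, self.locked_at = 0, None

    def status(self, now: float) -> int:
        """What a getUser()-style status check would report at time `now`."""
        p = self.policy
        if (self.locked_at is not None and p.auto_unlock
                and p.lock_duration_s is not None
                and now - self.locked_at >= p.lock_duration_s):
            self.admin_unblock()     # cooling period over, lock lifts by itself
        return STATUS_LOCKED if self.locked_at is not None else STATUS_OK

    def submit(self, correct: bool, now: float) -> int:
        """Record one challenge attempt and return the resulting status."""
        if self.status(now) == STATUS_LOCKED:
            return STATUS_LOCKED     # input is not evaluated while locked
        if correct:
            self.failures = 0        # assumption: success resets the counter
            return STATUS_OK
        self.failures += 1
        if self.failures >= self.policy.max_attempts:
            self.locked_at = now     # final failure starts the lock
            return STATUS_LOCKED
        return STATUS_RETRY
```

Because the lock is lifted only inside the status check, the app learns that the cooling period has ended by asking again, which is the polling pattern the guidelines describe.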

Example User Message

"You have exceeded the maximum number of allowed attempts. Please try again after 15 minutes or contact your administrator to unlock your account."




Tip: Your app should be designed to dynamically respond to challenges as they are returned by the server; avoid hardcoding workflows.


🧩 Developer Responsibilities

βœ… Implement all challenge handlers from the SDK (e.g., getPassword, getSMSOTP)
βœ… Respond to callbacks promptly with user inputs βœ… Customize UI/UX for each challenge type βœ… Report challenge results back using APIs like setSMSOTP(), setSecretQuestionAnswer(), etc. βœ… Ensure error handling and retries where applicable

