Stepup Authentication for Actions
🔐Action Authentication Levels
Each action defined in the actions array of the generateRVN API can have an associated authlevel to specify the type of user authentication required before the action is accepted.
This enables enterprises to enforce step-up authentication for sensitive actions.
🔢 Supported authlevel Values
authlevel Values| Value | Authentication Type | Description |
|---|---|---|
0 | None | No additional authentication required. User can respond directly. |
1 | Password | User is prompted to enter their REL-ID password. |
2 | Custom (App-handled) | Reserved for custom logic. SDK treats this like level 0 (no step-up). App may choose to handle this separately. |
3 | Device LDA | User is prompted for local device authentication (LDA) like Face ID, fingerprint, or device pattern. |
4 | Server Biometric | REL-ID prompts user for server-side biometric validation (requires proper backend support). |
authlevelvalues 3 and 4 require theauthenticatorfield to be provided.
🔐 authenticator – Mandatory with authlevel 3 or 4
authenticator – Mandatory with authlevel 3 or 4| Value | Requires authlevel | Description |
|---|---|---|
DeviceLDA | 3 | Triggers device's built-in biometric or screen lock authentication. |
ServerBiometric | 4 | Uses server-side registered biometric (network call). |
Password | 1 (implicit) | Used internally for password-based authentication. Not needed explicitly. |
🛑 Validation Rules
- If
authlevel = 3or4, thenauthenticatormust be provided. - If omitted, API returns error code
3628.
🧠 How It Works
- Each button in the
actionsarray includes anauthlevel. - When the user taps an action button:
- REL-ID SDK checks the
authlevel. - Prompts for the required authentication based on user and device capabilities.
- Upon success, submits the response to the REL-ID server.
- REL-ID SDK checks the
🔒 Fallback Behavior
authlevel | Fallbacks Allowed? | Behavior |
|---|---|---|
1 | ✅ Password retry if failed | |
3 | 🚫 No fallback allowed. If LDA fails, action is blocked. | |
4 | 🚫 No fallback. Action fails if server biometric fails or is not supported. |
📝 Sample Action with Authlevel
"actions": [
{
"label": "Approve",
"action": "YES",
"authlevel": "3",
"authenticator": "DeviceLDA"
},
{
"label": "Reject",
"action": "NO",
"authlevel": "0"
}
]
Useauthlevelto balance user experience and security based on the nature of the transaction.
Stepup Auth workflow with auth level 4 (ServerBiometric)
flowchart TD
getNotifications[App calls getNotifications]
onGetNotifications[SDK triggers onGetNotifications]
updateNotification[App calls updateNotification]
getIDVSelfieProcessStartConfirmation[SDK triggers getIDVSelfieProcessStartConfirmation]
setIDVSelfieProcessStartConfirmation[App calls setIDVSelfieProcessStartConfirmation]
initiateSelfie[SDK initiates selfie capture]
userProvidesSelfie[User provides selfie]
getNotifications --> onGetNotifications
onGetNotifications -- user takes action on notification --> updateNotification
selfieValidation[SDK performs Liveness test and selfie validation]
updateNotification --> getIDVSelfieProcessStartConfirmation
getIDVSelfieProcessStartConfirmation --> setIDVSelfieProcessStartConfirmation
setIDVSelfieProcessStartConfirmation -- true --> initiateSelfie
initiateSelfie --> userProvidesSelfie
userProvidesSelfie --> selfieValidation
onUpdateNotification[SDK triggers onUpdateNotification]
selfieValidation -- success/failure --> onUpdateNotification
setIDVSelfieProcessStartConfirmation -- false --> onUpdateNotification
style onGetNotifications fill:#d4fdd4,stroke:#228b22,stroke-width:2px
style getIDVSelfieProcessStartConfirmation fill:#d4fdd4,stroke:#228b22,stroke-width:2px
style onUpdateNotification fill:#d4fdd4,stroke:#228b22,stroke-width:2px
style updateNotification fill:#ffe4b3,stroke:#ff8c00,stroke-width:2px
style setIDVSelfieProcessStartConfirmation fill:#ffe4b3,stroke:#ff8c00,stroke-width:2px
🟩 Green - Callbacks issued by REL-ID SDK
🟧 Orange - APIs invoked by the Client App
Updated about 2 months ago