TOTP in Offline Mode
Offline Considerations for TOTP - REL-ID SDK
What "Offline" Means
In REL-ID SDK, offline mode refers to scenarios where:
- Server communication is not possible or deliberately restricted
- Device must perform local authentication and OTP generation
- Common in secure environments, travel, rural use cases, etc.
Offline TOTP Support
REL-ID SDK can generate TOTP without a server connection if the following conditions are met:
Prerequisites
| Requirement | Description |
|---|---|
| Pre-authenticated session | User must have previously authenticated online |
| Provisioned TOTP secret | Server must have issued TOTP seed/token during setup |
| LDA configured (Fingerprint, Pattern) | Used for local identity verification before TOTP generation |
Offline Behavior of onTOTPGenerated
| Condition | Will onTOTPGenerated be triggered? |
|---|---|
| Device has LDA or cached password auth | Yes |
| TOTP secret/token was provisioned earlier | Yes |
| SDK policy allows offline OTP generation | Yes |
| Device lacks LDA + password not cached | No - SDK cannot generate OTP |
| Device TOTP setup was never completed online | No - missing cryptographic seed |
TOTP Flow in Offline Mode
```mermaid
flowchart TD
    A[App Detects Offline Environment] --> A1[App calls fetchRegisteredTOTPUsers]
    A1 -->|User registered for TOTP| A2[App shows Generate TOTP option]
    A2 --> B[User Selects 'Generate TOTP']
    B --> C[SDK Checks for LDA or Cached Credentials]
    C -->|LDA Available| D1[Perform Local Biometric/Pattern Auth]
    C -->|LDA Not Available| D2["Fallback to Password Validation: SDK triggers getTOTPPassword"]
    D2 --> D3[App calls setTOTPPassword]
    D3 --> E[SDK Generates TOTP via Local Algorithm]
    D1 --> E
    E --> F[SDK emits onTOTPGenerated]
    F --> G[App Displays TOTP and Expiry Timer]
    %% Success Callback Styling
    style C fill:#d4fdd4,stroke:#228b22,stroke-width:2px
    style F fill:#d4fdd4,stroke:#228b22,stroke-width:2px
    %% App-Initiated Call Styling
    style A1 fill:#ffe4b3,stroke:#ff8c00,stroke-width:2px
    style D3 fill:#ffe4b3,stroke:#ff8c00,stroke-width:2px
```
Green - Callbacks issued by REL-ID SDK
Orange - APIs invoked by the Client App
Comparison: Online vs Offline TOTP
| Feature | Online TOTP | Offline TOTP |
|---|---|---|
| Server Required | Yes | No |
| LDA Required | Optional (based on policy) | Yes (mandatory for local challenge) |
| Password Prompt | May be required | Only if LDA unavailable |
| Secret Provisioning | Live via server | Cached from earlier session |
| Verification Method | Server-side OTP match | Consuming app/server must validate |
Developer Best Practices
- Prompt user to enable LDA during initial login.
- Use `fetchRegisteredTOTPUsers()` to check eligibility in advance.
- Cache fallback flags or TOTP readiness when connected.
- Do not attempt `generateTOTP()` offline unless prerequisites are met.
- Always show retry/fallback options when offline auth fails.
Notes for Developers
- This flow is entirely local and does not require network connectivity.
- Ensure biometric/pattern authentication is properly configured during activation.
- Fallback to cached password depends on prior successful login and policy settings.
- TOTP is time-based and will auto-expire as per the configured validity duration.
