It is possible to use the RapID phone credential to sign data and send this to a session authorisation server.
For example, the user navigates to a website in their desktop browser. The server generates a random session ID, displays it as a QR code and records the session in a ‘Sessions’ database. The user scans the QR code with their app and authenticates to the phone with a PIN or fingerprint, and the app then ‘signs’ the QR data with the private key and certificate.
This bundle is transmitted directly from the phone to the authorisation service, which can update the session database accordingly. Meanwhile, the web browser polls the page until the session is confirmed.
The same mechanism could of course deliver an OAuth token or similar to the web server for a federated solution.
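The flow described above as an added Node.js sketch (not RapID's own code or API): the web server creates the session, the phone signs the QR data, the authorisation service verifies the bundle, and the browser polls. The function names, the in-memory `sessions` map, the two-minute expiry and the `cert` object standing in for an already-validated certificate are all assumptions.

```javascript
const crypto = require('node:crypto');

const sessions = new Map();           // stand-in for the 'Sessions' database
const SESSION_TTL_MS = 2 * 60 * 1000; // assumed lifetime of an unscanned QR code

// Web server: create a pending session; the returned ID is the QR payload.
function createSession(now = Date.now()) {
  const id = crypto.randomBytes(32).toString('hex');
  sessions.set(id, { state: 'pending', user: null, expires: now + SESSION_TTL_MS });
  return id;
}

// Phone app: after the PIN or fingerprint check, sign the scanned QR data.
function signQrData(sessionId, privateKey) {
  const sig = crypto.sign('sha256', Buffer.from(sessionId), privateKey);
  return { sessionId, signature: sig.toString('base64') };
}

// Authorisation service: verify the bundle and confirm the session once.
// `cert` is a constructed stand-in for a certificate whose chain has already
// been validated; the user identity comes from it, never from the bundle.
function authorise(bundle, cert, now = Date.now()) {
  const s = sessions.get(bundle.sessionId);
  if (!s) return 'unknown-session';
  if (now > s.expires) return 'expired';
  if (s.state !== 'pending') return 'already-used';
  const ok = crypto.verify('sha256', Buffer.from(bundle.sessionId),
    cert.publicKey, Buffer.from(bundle.signature, 'base64'));
  if (!ok) return 'bad-signature';
  s.state = 'confirmed';
  s.user = cert.subject;
  return 'confirmed';
}

// Web server: what the polling browser is told about its own session.
function pollSession(id, now = Date.now()) {
  const s = sessions.get(id);
  if (!s) return { state: 'unknown', user: null };
  if (s.state === 'pending' && now > s.expires) return { state: 'expired', user: null };
  return { state: s.state, user: s.user };
}

// Constructed demo: one device key pair and one login for a made-up user.
const demoKeys = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
const demoId = createSession();
authorise(signQrData(demoId, demoKeys.privateKey), { subject: 'alice', publicKey: demoKeys.publicKey });
console.log(pollSession(demoId));
```

The session is confirmed only while it is pending and unexpired, so a captured bundle cannot confirm the same session twice.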