The diagram below shows the key components of the solution
The authentication flow is executed on the same device through a user agent redirect. The OAuth adapter service within the Trust Platform connects with the Identity provider's existing OAuth service.
A challenge-response-based authentication scheme is performed via scanning a QR, provided that no previous session information about the user exists.
On subsequent authentications (when a session exists) the identity holder receives a credential-sharing request via a push notification. A proof or token is sent back to the Identity OIDC provider upon consent by using the biometric identification functions of the smartphone. Then the IdP can forward the received attributes in the form of a JSON Web Token to the relying party.
Push Authentication handles both the:
- Client SDKS for mobile operating systems (iOS and Android)
- API layer for generating and checking authentication challenges
Together these turn the end user's mobile device into a secure key.
The Trust Platform Push Verify was built to comply with NIST's recommendations for out-of-band verifiers, including managing secrets, expiration, and rate limiting.