All notable changes to the Futurae Auth API will be documented in this file.

[1.5.0] - 2021-01-18
Added:
- Add support for authentication using FIDO2/WebAuthn.

[1.4.0] - 2020-11-23
Added:
- All activation and authentication QR codes are now returned inline in data URI format as well, avoiding the need to use the public URL to retrieve the QR code.

[1.3.2] - 2020-08-21
Added:
- Perform One-Touch with all available devices at once, by supplying "all" in the device_id param (sends a push notification to all enrolled compatible devices of the user).
- Return the device_id, if known, in /user/auth_status and in the status callback.

[1.3.1] - 2020-07-17
Changed:
- Introduce specific response code (40011) when calling /user/auth for a factor for which the user's available (or specified via device_id) devices don't have the respective capability to support the specified factor.

[1.3.0] - 2020-07-03
Added:
- Add support for TOTP and QR code hardware tokens supplied by Futurae. Introduce new endpoints and make necessary, non-breaking adjustments to existing ones.

[1.2.0] - 2019-12-18
Added:
- One-Touch and offline QR code can now be invoked in a combined mode, with One-Touch being the primary and offline QR code serving as the fallback. See offline_fallback input param in "Authenticate with One-Touch" and "Authenticate Transaction with One-Touch".
- New endpoint "Abort Authentication" (/user/auth/abort) allows the explicit cancelation of an ongoing authentication session.

[1.1.6] - 2019-12-16
Added:
- The "Query Authentication Options" (/user/preauth) response now also includes an optional user_status field, which will be present if the user status is locked_out, disabled, or bypass.

[1.1.5] - 2019-11-08
Changed:
- Increase maximum validity of one-time codes generated via /user/one_time_code to 7 days ("valid_secs" param).

[1.1.4] - 2019-08-21
Added:
- Introduce Offline QR code authentication and transaction authentication; adjust relevant endpoints (mainly /user/auth and /user/auth/transaction).

[1.1.3] - 2019-08-19
Changed:
- Adjust various enrollment related endpoints with the addition of the short activation code feature.

[1.1.2] - 2019-07-26
Added:
- mobile_auth_redirect_uri parameter in /user/auth and /user/auth/transaction, used for mobile only authentication.

[1.1.1] - 2019-01-30
Added:
- Include the device_id of the newly enrolled device in enroll success callback.
- Enable programmatically setting the user status to locked_out.

[1.1.0] - 2018-07-01
Added:
- Authentication using "soundproof_jingle" factor.

[1.0.12] - 2018-03-23
Added:
- "extra_info" parameter for "qr_code" factor in /user/auth.
- Transaction signing (/user/auth/transaction) can now also be performed using the "qr_code" factor.

[1.0.11] - 2018-03-02
Changed:
- "extra_info" parameter format in /user/auth and /user/auth/transaction.
- "activation_code_uri" format as returned by the /user/enroll response.

[1.0.10] - 2018-02-22
Changed:
- "device_unreachable" status code in /user/auth_status is now a final state. SoundProof times out and another authentication attempt has to be tried (e.g., TOTP fallback).

[1.0.9] - 2018-02-16
Added:
- Added mobile_auth_uri attribute in "approve" and "qr_code" factors of /user/auth, used for performing single device (mobile only) authentication.
Removed:
- Removed "mobile_auth" factor in /user/auth. Mobile only logins can now be performed via the mobile_auth_uri attribute (see above).

[1.0.8] - 2018-01-04
Added:
- Relaxed restrictions for user username and display_name (no strict email format validation is performed).

[1.0.7] - 2017-10-30
Added:
- New /user/auth/transaction dedicated endpoint for performing transaction authentication/signing. Currently, it supports the "approve" factor.

[1.0.6] - 2017-09-13
Added:
- New /service/logo endpoints for uploading and retrieving a service-defined logo that will be displayed in the Futurae mobile app.
- Ability to specify a custom display name for the user (during new user enrollment and user modification), which is displayed in the Futurae mobile app.
Changed:
- In combination with the addition of a custom user display name, the user's username is no longer used as a display name.

[1.0.5] - 2017-07-13
Added:
- Introduced the "mobile_auth" factor and related endpoints and documentation.
Changed:
- Return the device ID of the newly enrolled device when /user/enroll_status reports that enrollment was successful for a given activation_code.

[1.0.4] - 2017-06-15
Added:
- /service/pending_enrollments endpoint that gives the ability to retrieve pending enrollments in batch mode.

[1.0.3] - 2017-06-08
Added:
- Ability to change a user's username via the /users/{id} endpoint.
Changed:
- Only one user attribute at a time can be modified when invoking the /users/{id} endpoint.

[1.0.2] - 2017-05-21
Added:
- Implemented the "trusted_device_token" functionality. Also, new param "trusted_days" in /user/auth defines for how many days the trusted device token will be valid.
- Implemented "new_device_must_approve" feature when using SoundProof. See /user/auth endpoint doc for details. Also see the newly introduced "onNewDeviceMustApprove" callback in the SoundProof JavaScript library.
- Added the ability for the customer web application to get notified about successful enrollments and status updates of authentication attempts via callback URLs.
- Added "already_enrolled" result in /user/sms_activation if the endpoint is called on an already enrolled device.
- Added /user/devices/{id} endpoint that can be used to modify a user device (currently can be used to set a display name).

[1.0.1] - 2017-05-15
Added:
- Introduced /server/api_version endpoint which retrieves the Auth API version that the Futurae server runs.
Changed:
- Changed the semantics of "disabled" user 2FA status. When the user has no enrolled devices, 2FA is disabled and the authentication result (e.g., in the preauth or auth endpoint) will be "deny" (previously it would have been "allow").
- Changed the "enabled_bypass" user 2FA status to "bypass". When the user status is "bypass", the user is eligible to completely bypass secondary authentication regardless of whether they have enrolled devices (2FA enabled) or not (2FA disabled). In other words, when the status is "bypass", the authentication result (e.g., in the preauth or auth endpoint) will always be "allow" for this user.

[1.0.0]
- Initial Futurae Auth API release