Starting with XignSys SDK version 5.1.0 the AuthenticateRequest contains two new
properties, serviceInformation: ServiceInformation and organizationInformation: OrganizationInformation. These
objects contain information about the organisation and the service the user is authenticating against. They have been
added to increase transparency towards the user and, more importantly, to mitigate so-called social engineering
attacks. How these two new objects should be handled is described in the following subchapters. Note that some services
may legally require explicit handling of this information, especially the Servicekonto.NRW.
The organization information provides more detailed information about the owner of the service the user is
currently authenticating against. Since XignSys SDK 5.1.0 the AuthenticateRequest, TransactionRequest,
ServiceLoginResult, UserLoginResult and TransactionResult contain a property named organizationInformation which
provides the information the organization has configured in the XignIn-Manager. Currently, the
OrganizationInformation object consists of the following properties:
- name
- websiteURL/websiteURI
- address
- organizationDescription

The organization information is part of the authentication process and should be displayed to the user before the confirmation of the pending authentication to improve safety and transparency. For example, users should be able to see the name of the organization whose services they are trying to use. This is not only a good way to improve usability for end users by showing all relevant information in one place, instead of relying on the user to remember some information across the whole authentication process, but it also reduces the risk of phishing attacks.
While previous versions of the XignSys SDK already provided some information about the service the end users were
authenticating against, version 5.1.0 adds several other data points that can be used in different usage scenarios.
During an authentication, the AuthenticateRequest, TransactionRequest, ServiceLoginResult,
UserLoginResult, TransactionResult, AuthenticationUserInformation and TransactionUserInformation objects contain
a property named serviceInformation which holds a corresponding ServiceInformation object with, amongst others, all
the data the service-providing organization configured in the respective XignIn-Manager.
On the one hand this can improve the usability of the implementing app, since end users see all relevant information about the service they authenticate against in one place, which not only reminds them of the service's key data but also offers additional information the user may want to look into. Furthermore, the service information can be used to keep a history of the services the user started to authenticate against. This way users can, for example, see when they authenticated successfully, or look up a support mail address, if configured by the owning organization, to contact in case any issues occur during the authentication.
On the other hand, and more importantly, service information can significantly increase security. Especially
so-called social engineering attacks are hard to mitigate with software alone since these attacks aim at weaknesses of
the end user. First and foremost, users may not be aware that a link or a QR-Code may have been forged to lure people to
perform actions, like an authentication, on websites or at services the user did not intend to use. Therefore, users
MUST BE presented with at least the loginUrl (if provided) and name of the service before further proceeding
with the authentication. This way users can compare the actual service data the authentication is performed against with
the service or website the user wants to use.
Because users tend to rush through processes even when they are security relevant, and may not be aware of the risks of not reading the presented information, a prominent warning SHOULD BE displayed to the user explaining that, for security reasons, the website data, i.e., the domain the authentication is performed at, has to be compared with the information sent by the server. This disclaimer/warning SHOULD BE designed so that it cannot be dismissed accidentally and, if implemented, MUST BE shown before any sensitive material, e.g., a PIN, is entered.
WARNING regarding the Servicekonto.NRW
If the implementing app is intended to be used in conjunction with the Servicekonto.NRW, the aforementioned security precautions are NOT OPTIONAL with respect to the warning to compare the respective data. Users MUST actively confirm that they checked the consistency of the data if the app is to be usable for authentications on a substantial trust level; otherwise the app violates federal requirements and may be excluded from the Servicekonto.
Currently, ServiceInformation objects potentially provide information in the following properties:
- name
- loginMethod
- loginMethodDescription
- serviceDescription
- supportEmail
- supportPhone
- loginURL/loginURI
- iconURL/iconURI
- supportURL/supportURI
- contactURL/contactURI
- imprintURL/imprintURI
- privacyPolicyURL/privacyPolicyURI
- websiteURL/websiteURI

Notes regarding previous XignSys SDK versions:
Previous versions of the XignSys SDK provided some service information in properties with a 'relyingParty' prefix defined directly on the objects mentioned above. Usages of these properties should be replaced by accessing the respective data through the renamed properties defined on the
ServiceInformation objects:
- relyingPartyName → serviceInformation.name
- relyingPartyIconUrl → serviceInformation.iconURL/serviceInformation.iconURI
- relyingPartyUrl → serviceInformation.loginURL/serviceInformation.loginURI

In addition, serviceInformation.loginURL/serviceInformation.loginURI can now be nil/null, unlike before.
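Added example, not code from XignSys or this documentation: a TypeScript sketch of how an implementing app could migrate the legacy relyingParty* properties to ServiceInformation (with the now-nullable loginURL) and gate PIN entry on the host comparison and active user confirmation described above. The interface shapes are reduced to a few of the listed properties; observedHost (the domain the authentication actually takes place at) and the regex-based host extraction are assumptions.

```typescript
// Added example, not XignSys SDK code. Type names follow the documentation; only a
// subset of properties is modelled and `observedHost` is an assumed input.
interface OrganizationInformation {
  name: string;
}

interface ServiceInformation {
  name: string;
  loginURL: string | null; // may be null since SDK 5.1.0
  iconURL?: string | null;
}

// Pre-5.1.0 shape: relyingParty* properties sat directly on the result object.
interface LegacyResult {
  relyingPartyName: string;
  relyingPartyIconUrl?: string;
  relyingPartyUrl?: string;
}

// Migrate the renamed properties; a missing legacy URL becomes an explicit null.
function fromLegacy(r: LegacyResult): ServiceInformation {
  return {
    name: r.relyingPartyName,
    iconURL: r.relyingPartyIconUrl ?? null,
    loginURL: r.relyingPartyUrl ?? null,
  };
}

// Lower-cased host of an http(s) URL, or null when no usable URL is present.
function hostOf(url: string | null): string | null {
  const m = url === null ? null : url.match(/^https?:\/\/([^/?#:]+)/i);
  return m ? m[1].toLowerCase() : null;
}

interface GateDecision {
  display: string[];            // lines that MUST be shown before proceeding
  hostMatches: boolean | null;  // null when the service provided no loginURL
  mayEnterPin: boolean;         // PIN entry only after an active confirmation
}

// observedHost: the domain the authentication is actually performed at.
function gate(svc: ServiceInformation, org: OrganizationInformation,
              observedHost: string, userConfirmed: boolean): GateDecision {
  const display = [`Organization: ${org.name}`, `Service: ${svc.name}`];
  if (svc.loginURL !== null) display.push(`Login URL: ${svc.loginURL}`);
  const expected = hostOf(svc.loginURL);
  const hostMatches = expected === null ? null : expected === observedHost.toLowerCase();
  // A host mismatch is a phishing indicator: block regardless of the confirmation.
  return { display, hostMatches, mayEnterPin: hostMatches !== false && userConfirmed };
}
```

When no loginURL is provided the app cannot compare hosts itself, so the decision falls back entirely on the user's active confirmation after seeing the service name.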
After the OrganizationInformation and ServiceInformation have been handled the authentication process can be
continued by confirming the attributes needed for the authentication as described in the chapter: