Retrieves second factor types available for the configured 2FA provider.

Returns key configurations by scope to aid a UI implementing manual input of the key.

Pre authenticates an account by username and password. Returns different information depending on the 2FA configuration of the contact. Possible reasons of rejection with HTTP 200: PasscodeInvalid, ContactLocked or AccessDenied. Possible scenarios of pair (Status, Factor):

• Auth - Passcode - The user is eligible for secondary authentication. Authenticate endpoint must be called as the secondary step with passcode as input (obtained through mtan or 2FA application).
• Auth - Approve - The user is eligible for secondary authentication. Authenticate endpoint must be called as the secondary step.
• Auth - QrCode - The user is eligible for secondary authentication. Authenticate endpoint must be called as the secondary step.
• Allow - The user is configured to bypass secondary authentication or is authenticating from a trusted device. The session details are returned, and the user will be authenticated without a secondary step.

Performs secondary authentication using one of the available factors. The response depends on the chosen factor. If the two-factor authentication is disabled then the session details will be returned and the contact will be automatically authenticated. Possible reasons of rejection with HTTP 200: PasscodeInvalid, ContactLocked or AccessDenied. Possible scenarios of pair (Status, Factor):

• Allow - Passcode - The session details are returned and the user will be authenticated.
• Allow - Approve - The session details are returned and the user will be authenticated.
• Auth / NULL - Approve - The end-user will approve or reject the authentication request via a 2FA mobile app.
• Auth / NULL - QrCode - The end-user will scan the code received (as URL). For Auth status a temporary session is returned in order to allow status requests on the current authentication process. A callback is pending to be called by a 2FA provider to complete the authentication.

Checks the authentication status of an account by username and temporary session when async 2FA is enabled. This endpoint can return a response in two different ways:

• It can wait until the authentication session has been completed and return when the result is available.
• It can wait just for the next status update during the authentication session and return the new status. It can then be called once again to either retrieve the next status update or wait for the result to become available (depending on how it’s called this time). If the response is successful session details will be returned and the contact will be able to authenticate.

Authenticates a contact in an SSO scenario using an id-token received from id-server or an external identity provider. An access token will be generated for the contact associated with the external-id detailed in the id-token.

A contact calling this endpoint will log themselves off from the specific session they are in context of the call. An app calling this endpoint will log the contact off from all open sessions.

Retrieves information on the ability of the contact to sign-in. This includes if the sign-in is enabled by the business, if the contact has locked themselves, their password and 2FA state, as well as their last login information. 2FA device information will be returned if 2FA provider supports device enrollment.

Updates contact second-factor settings for authentication. The contact needs to have sign-in enabled and password set.

Enables contact sign-in ability to DFS.

Enables contact sign-in ability through key validation which was sent to the contact. If DFS is the identity provider, response will be populated with information relevant for the next steps following activation.

Disables contact sign-in ability to DFS. The contact will also be logged out of all open sessions and all their devices will be un-enrolled.

Sends a key (EnableSignIn and FirstTimePassword scopes) to the selected contact’s channel. This key may be used to enable contact’s sign-in ability to DFS, as well as help set the first password. Caller may override default enable-sign-in redirect URL.

Unlocks a contact that was locked due to multiple failed authentication attempts (passcode or mTan). If the contact is not locked an HTTP 200 with Result = ContactAlreadyUnlocked will be returned.

Provides an API a Futurae server can call in order to deliver status updates as well as the result of a particular authentication attempt (also called authentication session). The URL will be called as a POST request with "Content-Type" header being "application/json". The body of the request will be a JSON object containing the following keys and corresponding values: user_id, username, session_id, result, status, status_msg and trusted_device_token. The session ID identifies the particular authentication session and is conditionally returned by /v1.1/authentication/authenticate endpoint.

Provides an API a Futurae server can call in order to inform the application when the enrollment was successfully completed. The body of the request will be a JSON object containing the following keys and corresponding values: user_id, username, activation_code and result. The value of the latter will always be "success", since the callback will only be called when the enrollment is completed successfully.

Returns the list of password policies with the details (including settings)

Updates contact password given the old password. The new password is validated against the contact password policies.

Triggers a forgotten password flow based on username/email (username takes priority if both provided). In this first step, a key (ForgotPassword scope) is sent to the mobile of the contact, and a session is generated and returned (to be validated together in the next step). The endpoint will return success even if it cannot find a contact, or the contact found is deactivated.

Sends a key (ResetPassword scope) to the email of the contact as a second step of the forgotten password flow, after preliminary-key and session are validated successfully. If a reset-password key is successfully sent to the contact, the current password can no longer be used. Caller may override default reset-password redirect URL.

Resets contact password through key validation which was sent to the contact. Key may be a reset-password key generated by the forgotten password flow or sent directly by the member, or it may be a first-time-password key generated when indirectly enabling contact sign-in ability. The new password is validated against the contact password policies, aside from password-history policy.

Sends a key (ResetPassword scope) to the selected contact’s channel. If a key is successfully sent to the contact, the current password can no longer be used. Caller may override default reset-password redirect URL.

Retrieves contact’s enrolled devices used for second factor authentication.

This API is used only in the context of an authenticated account (it requires a JWT token), when the account activates 2FA. If the enrollment is not required for the set factor, then the 2FA is enabled for that contact and it returns a Success response. If the enrollment is required for the set factor, then starts the enrollment of a user device using the specific two-factor which is set in the database. This is the first step of the enrollment process. If it is successful, then an ActivationQrCodeUrl is returned in the response. The end-user will scan the qr code using the mobile app (e.g. Futurae). If the enrollment is successful, then the 2FA provider will post the final result, the user identification and the activation code using the callback set in the database. The callback will post the request using api enrollment/complete.

Starts the enrollment process of an unauthenticated contact for the contact's device using the specific two-factor provider defined in the system settings. If this first step is successful (provided credentials are valid), and device enrollment is required (depending on the 2FA provider), then an ActivationQrCodeUrl is returned in the response. Then end-user is required to scan the verification QR code using the mobile app (e.g. Futurae). If the scan step is successful, then the 2FA provider will post the final result, the user identification and the activation code using a callback method configured for the provider. You may use this endpoint both if 2FA is disabled for the contact (successful process will enable it) or if 2FA is already enabled for the contact but no device is enrolled.

Checks whether a user has a completed enrollment. The endpoint returns immediately with the current enrollment status, thus you would need to use this endpoint on a poll-based fashion, in order to get informed about a status update. If polling is necessary, we strongly recommend polling no faster than every 1-3 seconds.

Unenrolls (deactivate) the latest enrolled device of a user. If this was the only device enrolled for the contact, 2FA is enabled for that contact, and the 2FA provider requires a device, the contact would need to enroll a new device before being able to log in. In context of this call, 2FA may also be disabled for the contact

Gets a JWT token for a given sessionId.

Validates a provided JWT access token (expiration, contactId, memberId, subject, auditContextId). Returns the result type of the validation (Success or one of the invalid result types).

Renews an expired or existing session/JWT token. Returns the renewed JWT token along with session id.