Skip to content
/
Device binding
Last updated

Device binding

This guide explains the device binding feature, including the key concepts and endpoints required to implement it. Device binding is mandatory for all secure flows, such as those requiring a Qualified Electronic Signature (QES) or two-factor authentication (e.g., BankIdentPlus).

Overview

The device binding API allows customers to register their devices and create public/private key pairs for authenticating Multi-Factor Authentication (MFA) challenges.

Device binding is a prerequisite for Strong Customer Authentication (SCA). It ensures that a request originates from a trusted, registered device.

Once a customer binds their device, they receive authentication challenges that they must confirm using that device (e.g., logging in, changing data, authorizing transactions).

Restricted vs. Unrestricted keys

Customers authorize actions using one of two key types:

  • Unrestricted keys: Do not require specific user authentication to sign a request. These are typically used for background processes or low-risk actions.
  • Restricted keys: Require user authentication via biometrics (e.g., Touch ID, Face ID) to access the private key.
    • iOS: Combine privateKeyUsageflag with userPresence or touchIDAny.
    • Android: Use setUserAuthenticationParameters().

See the Strong customer authentication guide for the full list of use cases requiring restricted vs. unrestricted keys.

Security requirements

Your implementation must meet the following security standards:

  • Limit: Maximum of five registered devices per customer.
  • OS: Android 8.0+ or iOS 12+.
  • Hardware: Must support hardware-backed security via separate execution environments (e.g., Secure Enclave in iOS, TEE in Android).
  • Access Control: Your app must enforce a device passcode or biometric lock.
  • Storage: You must store personalized security credentials and cryptographic keys in the secure environment.

Integration flow

Solaris supports two methods for device binding. You must choose the method that fits your use case and platform requirements:

  • SMS OTP (Default): Solaris sends a one-time password to the customer's verified mobile number.
  • Activation Code (QR): You generate an activation code, convert it to a QR code, and deliver it to the customer (e.g., via snail mail or a secure web interface).

Flow 1: SMS Binding

CustomerYour FrontendSolaris APIPhase 1: Initial Device Bindingalt[Signature Valid][Signature Invalid]Phase 2: Add New Keys (Optional)Use existing bound devicealt[Signature Valid][Signature Invalid]Enter device details1Generate Unrestricted Key Pair (ECDSA-P256)2POST /mfa/devices (Public Key & Device Info)3Create Unverified Device ID4Send SMS OTP5Return Challenge ID6Enter OTP7Sign OTP with Private Key8PUT /mfa/challenges/signatures (Signature)9204 Success (Device Registered)10400 Error (Binding Failed)11Generate new Restricted/Unrestricted Key Pair12Sign new Public Key with EXISTING Private Key13POST /mfa/devices/{id}/keys (New Key + Signature)14Verify Signature with stored Public Key15201 Created (New Key Registered)16400 Error (Process Failed)17CustomerYour FrontendSolaris API

Flow 2: Activation Code (QR) Binding

In this flow, you must manage the lifecycle of the activation code before the customer can bind their device. This method allows customers to bind a new device even if they have lost access to their previously bound device.

CustomerMobile AppPartner BackendSolaris APIPhase 1: Activation Code ManagementPhase 2: Device Bindingalt[Signature Valid][Signature Invalid]POST /mfa/challenges/activation?invalidate_existing_code=true1Return "code" (Activation Code)2Convert "code" to QR Image3Deliver QR Code (e.g., Snail Mail)4POST /delivery_events (Status: DISPATCHED)5Scan QR Code6Extract "code"7Generate Unrestricted Key Pair (ECDSA-P256)8POST /mfa/devices (challenge_type: activation_code)9Return Challenge ID10Sign "code" with Private Key11PUT /mfa/challenges/signatures/{id} (Signature)12204 Success (Device Registered)13400 Error (Binding Failed)14CustomerMobile AppPartner BackendSolaris API

Implementation

Select the binding method you wish to implement to see the specific steps.

Integration steps

  1. Initiation: The customer enters device information in your app.
  2. Key Generation: Your app generates a private/public key pair in ecdsa-p256 format.
  3. Submission: Send the public key (hex-encoded) and device info to Solaris via POST Create device.
  4. Challenge: Solaris triggers a verification flow based on your challenge_type:
    • SMS: Solaris sends a 6-digit OTP via SMS to the customer.
    • QR: Solaris validates the Activation Code logic (no SMS is sent).
  5. Input: The customer provides the verification data:
    • SMS: Customer enters the 6-digit OTP.
    • QR: Customer scans the QR code to extract the Activation Code string.
  6. Signing: Your app creates a signature using the Private Key and the input data (OTP or Activation Code).
  7. Verification: Send the signature to Solaris via PUT Verify the signature.
  8. Completion: If valid, Solaris registers the device.

Step 1: Create a device

Collect the device information and generate a private/public key pair (ecdsa-p256) on the device.

POST Create device

Call this endpoint to initiate the binding. By default (challenge_type: "sms"), this triggers an SMS OTP to the customer's verified number.

Request URL

POST /v1/mfa/devices

Payload:

{
  "person_id": "ec3d16cbc106f481b72d881d90c89cc5cper",
  "key_type": "ecdsa-p256",
  "key": "04a346c447...",
  "key_purpose": "unrestricted",
  "name": "iPhone 13",
  "challenge_type": "sms"
}

Response: Solaris creates a temporary, unverified device and returns a challenge object. The challenge expires in 5 minutes.

Step 2: Verify the signature

The customer enters the 6-digit SMS OTP into your app. You must use this OTP and the stored Private Key to create a cryptographic signature.

How to create the signature:

  1. Hash: Create a SHA256 hash of the 6-digit OTP.
  2. Sign: Sign the hash using the Private Key.
  3. Encode: Convert the signature to a Hex string (ASN.1 format).
  4. Send: Submit the hex string to the PUT /signatures/{id} endpoint.

PUT Verify the signature

PUT /v1/mfa/challenges/signatures/{id}

Response: Returns 204 No Content on success.

Post-binding: Manage keys

After successful binding (via either method), you can add more keys to the device. This is useful if you want to separate keys for different permission levels (e.g., Restricted vs. Unrestricted).

POST Add new key to device

To add a new key, you must sign the request using the existing verified private key.

Request URL

POST /mfa/devices/{id}/keys

Manage device keys

Testing in Sandbox

In the Sandbox environment, you cannot generate real QR codes or send physical mail. Use these static activation codes to simulate specific scenarios when calling PUT /v1/mfa/challenges/signatures/{id}.

ScenarioActivation Code StringExpected Result
Successful Bindingstatic_activation_code_valid_abcdefghijklmnopqrstuvwxyz123456789204 No Content (Success)
Code Expiredstatic_activation_code_expired_abcdefghijklmnopqrstuvwxyz1234567400 Error (error_code: activation_code_expired)
Usage Limit Reachedstatic_activation_code_usage_limit_exceeded_abcdefghijklmnopqrst400 Error (error_code: activation_code_usage_limit_reached)
Previous page
Next page