QR login for passwordless authentication overview

An application can initiate a qrlogin verification transaction, wait for the user to complete that verification request with IBM Verify, and then continue the runtime access.

Note: This authentication factor does not require a specific enrollment, but does require that the user registers at least one instance of the IBM Verify mobile authenticator app.

Workflow

The QRLogin workflow consists of three main steps.
  1. Create a new QR Code login verification record
     • This step creates a new qrlogin verification record.
     • The request is generated through an unauthenticated context.
     • The response includes the QR Code that is to be scanned, with the details for the authenticator app to complete the verification.
  2. Poll for completion of an existing QR Login verification
     • This step determines whether the scanning device completed the verification by scanning the QR Code, or whether the verification request moved to some other complete state, for example, Success, Timeout, or Failed.
     • The request is generated through an unauthenticated context.
     • The response includes the state of the verification request, which determines whether the verification transaction is completed.
  3. Attempt to complete an existing QR Login verification
     • This step changes the state of a PENDING verification transaction to a SUCCESS state.
     • The request must be generated through an authenticated context. API security entitlements are required to verify a qrlogin verification.
     • The response contains the HTTP status code 204 if the request is successfully processed.

Prerequisites

Procedure

  1. Get the QRLogin properties. See Get the QRLogin properties.
  2. Update the QRLogin properties. See Update the QRLogin properties.

About this task

Variables
The following variables are used in this example. Replace these variables in the cURL commands with the actual values that you receive from your requests.
Table 1. Variable and example values
| Variables | Description | Example values |
| {{access_token}} | Returned as a result when you exchange the {{client_id}} and {{client_secret}} that are assigned to your API client. | 4hFZq9U73P3MPEA40KcF54i77Z0mDhZba0InrzUe |
| {{tenant}} | The fully qualified domain name that is assigned to your Verify subscription. It consists of hostname.verify.ibm.com. | companyAppTest.verify.ibm.com |
Definitions
Table 2.
| Acronym | Description |
| LSI | LSI stands for login session index. It is a one-time code that is used by the mobile authenticator on a subsequent verification attempt. It is a random alpha-numeric string. This string is generated by using the configuration data model for the login session index. Configuration options are the length of the login session index identifier and the character set that is used to generate the alpha-numeric identifier. |
| DSI | DSI stands for device session index and is used for polling. This string is generated by using the configuration data model for the device session index. Configuration options are the length of the device session index identifier and the character set that is used to generate the alpha-numeric identifier. |

Get the QRLogin properties

To get the QRLogin properties, use the following cURL command.

cURL command
curl -X GET \
  https://{{tenant}}/config/v2.0/factors/qr \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer {{access_token}}'
Example
curl -X GET \
  https://companyAppTest.verify.ibm.com/config/v2.0/factors/qr \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer 4hFZq9U73P3MPEA40KcF54i77Z0mDhZba0InrzUe'
Example output response
{
    "lsi": {
        "charset": "134BCDAE",
        "length": 6
    },
    "dsi": {
        "charset": "12389EFGHIJKLMN",
        "length": 40
    },
    "expiry": 60,
    "enabled": false
}

Update the QRLogin properties

Create a properties file that contains the properties that you retrieved from Get the QRLogin properties and name it config-payload.json. Edit the values to meet your requirements. For example:
{
    "lsi": {
        "charset": "ABCDEFG123456789",
        "length": 6
    },
    "dsi": {
        "charset": "ABCDEFGHIJKLMNOPQRSTqrstuvwxyz0123456789",
        "length": 40
    },
    "expiry": 60,
    "enabled": true
}

Use the following cURL command to update the QRLogin properties.

cURL command
curl -X PUT \
  https://{{tenant}}/config/v2.0/factors/qr \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer {{access_token}}' \
  -H 'Content-Type: application/json' \
  -d @config-payload.json 
Example
curl -X PUT \
  https://companyAppTest.verify.ibm.com/config/v2.0/factors/qr \
  -H 'Accept: application/json' \
  -H 'Authorization: Bearer 4hFZq9U73P3MPEA40KcF54i77Z0mDhZba0InrzUe' \
  -H 'Content-Type: application/json' \
  -d @config-payload.json 
Example output response
Http Status Code: 204
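
The following check, an added example that is not IBM's code, reads a QRLogin properties payload such as config-payload.json and reports the keyspace of the lsi and dsi identifiers (length × log2 of the distinct charset symbols), so that a weak charset or length is caught before the PUT. The MIN_BITS floors and the function names are assumptions for illustration, and each character is assumed to be drawn uniformly at random.

```python
import json
import math

# Constructed sample input: the "Example output response" values and the
# edited config-payload.json values shown on this page.
DEFAULT_CONFIG = json.loads("""{
  "lsi": {"charset": "134BCDAE", "length": 6},
  "dsi": {"charset": "12389EFGHIJKLMN", "length": 40},
  "expiry": 60, "enabled": false}""")
UPDATED_CONFIG = json.loads("""{
  "lsi": {"charset": "ABCDEFG123456789", "length": 6},
  "dsi": {"charset": "ABCDEFGHIJKLMNOPQRSTqrstuvwxyz0123456789",
          "length": 40},
  "expiry": 60, "enabled": true}""")

# Assumed policy floors in bits; these are not values published by IBM.
MIN_BITS = {"lsi": 20.0, "dsi": 128.0}


def identifier_strength(spec):
    """Return (distinct_symbols, repeated_symbols, entropy_bits)."""
    charset = spec["charset"]
    unique = set(charset)
    repeated = sorted({c for c in charset if charset.count(c) > 1})
    # Repeated symbols add no keyspace, so only distinct symbols count.
    bits = spec["length"] * math.log2(len(unique)) if len(unique) > 1 else 0.0
    return len(unique), repeated, bits


def review(config):
    """Collect findings for a QRLogin properties payload before it is sent."""
    findings = []
    for name in ("lsi", "dsi"):
        _, repeated, bits = identifier_strength(config[name])
        if repeated:
            findings.append(f"{name}: repeated charset symbols {repeated}")
        if bits < MIN_BITS[name]:
            findings.append(
                f"{name}: {bits:.1f} bits < floor {MIN_BITS[name]:.0f}")
    if config["expiry"] <= 0:
        findings.append("expiry must be positive")
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("updated", UPDATED_CONFIG)):
        print(label, review(cfg) or "no findings")
```

With the page's values, the retrieved lsi settings give 18 bits and the edited settings give 24 bits, while the dsi rises from about 156 to about 213 bits.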