Second Factor Server

The Second Factor Server will broadcast to the following topics when changes are made to its data models.

When setting up a second factor as part of the nextAuth enrolment flow or after upgrading an account, an instance is persisted to the Second Factor Server’s database. Among other things, this table also stores the number of failed PIN attempts, whether the instance has been penalised, as well as timestamps for when the PIN or biometrics were last changed and used.

Instances are grouped in virtual servers, specifying the maximum number of attempts as well as optional penalisation policies (e.g., a timeout of 30 seconds after one attempt).

nextauth-sfs-instance-status

v1

Attributes

| Attribute | Value | Comment |
| --- | --- | --- |
| id | UUID | |
| source | urn:itsme:nextauth/sfs | |
| type | com.nextauth.sfs.instance.v1.created | |
| | com.nextauth.sfs.instance.v1.updated | |
| subject | | Subject is not set for events of type com.nextauth.sfs.instance.v1.created. |
| | login | The instance authenticated successfully to the SFS. |
| | change_pin | The user changed their PIN code. |
| | change_bio | Biometrics were toggled by the user. |
| | use_pin | The PIN code was verified, possibly unsuccessfully. |
| | use_bio | Biometrics were presented during the second factor flow. |
| result | | Result is only set for events with subject use_pin. |
| | success | The PIN code was verified successfully. |
| | failure | The PIN code failed to verify. |
| time | | Timestamp of the event that triggered the message. |

Payload

| Attribute | Description | Comment | Example |
| --- | --- | --- | --- |
| app_instance_id | Identifies the app installation. | String-encoded, RFC 3339. The same identifier is communicated to the Message Center and Second Factor Server. It is retained when the Mobile SDK is reset. | |
| server | Virtual server holding the account. | | Server |
| public_key_sfc | Public key used to authenticate the client. | String-encoded, unpadded Base64URL. | |
| public_key_bio | Public key used for signature validation when biometrics are used. | String-encoded, unpadded Base64URL. Only set when biometrics have been enabled. | |
| fail_count | Number of failed PIN attempts. | Resets to zero after successful verification. | |
| last_login_at | Timestamp of the last client login. | String-encoded, RFC 3339. | |
| last_change_pin_at | Timestamp of the last PIN change. | String-encoded, RFC 3339. | |
| last_change_bio_at | Timestamp of the last biometrics change. | String-encoded, RFC 3339. | |
| last_use_pin_at | Timestamp of the last successful PIN verification. | String-encoded, RFC 3339. | |
| last_use_bio_at | Timestamp of the last successful biometrics verification. | String-encoded, RFC 3339. | |
| penalised_until | Timestamp when the user can reattempt PIN verification. | String-encoded, RFC 3339. Only set when a policy has been defined. | |
| subject_public_keys | List of verified public keys included in issued attestation. | One of the included keys will be the hardware public key registered for the nextAuth, allowing association of the SFS instance with a specific nextAuth Server account. | [""] |

Server
{
  "server_id": "",
  "public_key": "",
  "public_key_attestation": "",
  "name": null,
  "max_fail_count": 0,
  "policies": [
    {
      "attempt": 0,
      "penalty": "0s"
    }
  ]
}
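
A consumer of nextauth-sfs-instance-status can derive the lockout state of an instance from the fields documented above. The following is an added example, not code from nextAuth: the function name, the finding labels and the sample message are constructed, and it assumes the attributes and payload arrive as already-decoded dictionaries, that the PIN is blocked once fail_count reaches max_fail_count, and that a max_fail_count of 0 means no limit.

```python
from datetime import datetime, timezone

# Constructed sample message (not real data); field names follow the tables above.
SAMPLE_ATTRIBUTES = {
    "type": "com.nextauth.sfs.instance.v1.updated",
    "subject": "use_pin",
    "result": "failure",
}
SAMPLE_PAYLOAD = {
    "app_instance_id": "constructed-instance-id",
    "server": {"server_id": "Y29uc3RydWN0ZWQ", "max_fail_count": 3,
               "policies": [{"attempt": 1, "penalty": "30s"}]},
    "public_key_bio": "Y29uc3RydWN0ZWQta2V5",
    "fail_count": 3,
    "penalised_until": "2024-05-01T10:00:30Z",
}
SAMPLE_NOW = datetime(2024, 5, 1, 10, 0, 10, tzinfo=timezone.utc)

def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp string; unset fields yield None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def assess_instance_event(attributes, payload, now=None):
    """Return findings for one nextauth-sfs-instance-status v1 message."""
    now = now or datetime.now(timezone.utc)
    server = payload.get("server") or {}
    fail_count = payload.get("fail_count") or 0
    max_fail = server.get("max_fail_count") or 0
    findings = []
    # result is only set for events with subject use_pin.
    if attributes.get("subject") == "use_pin" and attributes.get("result") == "failure":
        findings.append("pin_failure")
    # Assumption: the PIN is blocked once fail_count reaches max_fail_count,
    # and a max_fail_count of 0 means no limit is configured.
    if max_fail > 0 and fail_count >= max_fail:
        findings.append("pin_blocked")
    # penalised_until is only set when a penalisation policy has been defined.
    until = parse_rfc3339(payload.get("penalised_until"))
    if until is not None and until > now:
        findings.append("penalised")
    # public_key_bio is only set when biometrics are enabled, so a blocked PIN
    # does not necessarily mean the instance itself is blocked.
    if "pin_blocked" in findings and payload.get("public_key_bio"):
        findings.append("biometrics_enabled")
    return findings
```

Feeding these findings into alerting lets an operator tell a single mistyped PIN apart from an instance that has exhausted its attempts while biometrics remain enrolled.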

nextauth-sfs-server-status

v1

Note

This event has been planned, but it is not yet available today.

Attributes

| Attribute | Value | Comment |
| --- | --- | --- |
| id | UUID | |
| source | urn:itsme:nextauth/sfs | |
| type | com.nextauth.sfs.instance.v1.created | |
| | com.nextauth.sfs.instance.v1.updated | |
| subject | | |
| time | | Timestamp of the event that triggered the message. |

Payload

| Attribute | Description | Comment | Example |
| --- | --- | --- | --- |
| server_id | Server ID | String-encoded, unpadded Base64URL. | |
| public_key | Public key used to authenticate to clients. | String-encoded, unpadded Base64URL. | Server |
| public_key_attestation | Public key used to sign attestations. | String-encoded, unpadded Base64URL. | |
| name | Name of the server. | | |
| max_fail_count | Number of attempts after which the PIN code is blocked. | Note that a blocked PIN code does not necessarily imply that the instance is blocked. Depending on the client configuration, biometrics could still be used if enabled. | |
| policies | List of penalisation policy objects. | | [Policy] |

Policy
{
  "attempt": 0,
  "penalty": "0s"
}