Authenticate cardholders for transactions
Last updated: March 5, 2025
You can perform out-of-band (OOB) 3D Secure cardholder authentication for digital transactions in your mobile app, using the OOB Android SDK or iOS SDK. OOB authentication is a type of two-factor authentication (2FA).
You must:
- Complete your Issuing onboarding.
- Integrate the OOB Android SDK or iOS SDK.
Once you have completed the setup, the flow to authenticate cardholders is as follows:
- Perform Strong Customer Authentication (SCA).
- Register the cardholder's device.
- Authenticate the transaction.
Perform SCA on the cardholder.
You can generate multiple tokens for different systems during a single authentication session: for example, one for sign-in, one to get an SDK session token, and one to get an internal authentication token.
However, you can only generate a single SDK session token for each SCA flow requested.
Register the cardholder's device and app for OOB. This is also known as device-binding.
You can choose to register the device as a background process when you onboard the cardholder in your app, or offer an explicit option to do so, for example by displaying a button.
Note
You can only register a card for OOB for a single device and app combination. If you register another device for the same card, it overwrites the previously registered device and app combination.
For the iOS SDK, you must be in an asynchronous context to call the SDK's async functions. For example, you can use a Task.
To register the cardholder's device:
```kotlin
// Prepare the device registration request
val deviceRegistrationRequest = DeviceRegistration(
    token = "CardHolder access token",
    cardId = "CardID",
    applicationID = "Unique Application ID",
    phoneNumber = PhoneNumber(countryCode = "+230", number = "52520782"),
    cardLocale = CardLocale.EN,
)

// Initialize device registration with the OOB SDK
val registerDeviceResult = oobManager.registerDevice(deviceRegistrationRequest)
registerDeviceResult.collect { result ->
    result.onSuccess {
        // Success result (Type:Unit)
    }.onFailure {
        val message = provideErrorMessage(it)
        // Handle errors here
    }
}
```
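The two limits stated above, a single SDK session token per SCA flow and a single device and app combination per card, can be tracked on the integrator's side so that violations and overwrites are visible rather than silent. The following is an added example, not part of the OOB SDK or of this page's own code; every class, method, and purpose name in it is hypothetical, and the tokens are constructed opaque values.

```python
# Added example: integrator-side bookkeeping. All names are hypothetical and
# none of this is part of the OOB SDK or its API.
import secrets
from dataclasses import dataclass, field


class SdkTokenAlreadyIssued(Exception):
    """A second SDK session token was requested for the same SCA flow."""


@dataclass
class ScaFlow:
    """One completed SCA flow; tracks which token purposes it has served."""
    cardholder_id: str
    issued: dict = field(default_factory=dict)  # purpose -> list of tokens

    def issue_token(self, purpose: str) -> str:
        # Several tokens per flow are fine, but only one SDK session token.
        if purpose == "sdk_session" and self.issued.get(purpose):
            raise SdkTokenAlreadyIssued(self.cardholder_id)
        token = secrets.token_urlsafe(32)  # constructed opaque token
        self.issued.setdefault(purpose, []).append(token)
        return token


@dataclass(frozen=True)
class Binding:
    device_id: str
    app_id: str


class BindingLedger:
    """Mirrors the one-device-and-app-per-card rule so overwrites are visible."""

    def __init__(self):
        self._by_card = {}

    def register(self, card_id: str, device_id: str, app_id: str):
        """Record a binding; return the binding it replaced, or None."""
        new = Binding(device_id, app_id)
        previous = self._by_card.get(card_id)
        self._by_card[card_id] = new
        return previous if previous != new else None

    def current(self, card_id: str):
        return self._by_card.get(card_id)
```

A non-None return from `register` means an earlier device and app combination has just been replaced, which is the point at which to log the change and notify the cardholder.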
In the core authentication flow, the cardholder is presented with the option to approve or reject the transaction in your app.
- Perform SCA on the cardholder again.
- Listen for the transaction details webhook you set up for the Android SDK or iOS SDK.
- Inject the transaction details into the OOB SDK.
- Verify the online card transaction performed by your cardholder.
```kotlin
// Prepare the authentication request
val authenticationRequest = Authentication(
    transactionId = "Acs Transaction ID",
    token = "CardHolder access token",
    cardId = "cardID",
    method = Method.OOB_BIOMETRICS,
    decision = Decision.ACCEPTED,
)

// Initialize transaction authentication with the OOB SDK,
// passing the request prepared above
val authenticatePaymentResult = oobManager.authenticatePayment(authenticationRequest)
authenticatePaymentResult.collect { result ->
    result.onSuccess {
        // Success result (Type:Unit)
    }.onFailure {
        val message = provideErrorMessage(it)
        // Handle errors here
    }
}
```