Call Center Quick Start

The BindID service is an app-less, strong portable authenticator offered by Transmit Security. BindID uses FIDO-based biometrics for secure, convenient, and consistent passwordless authentication. This guide explains how to integrate BindID into Call Center applications, which will allow Call Center representatives and IVR systems to initiate out-of-band authentication flows for users. Note that this guide assumes that the user is already registered to the BindID service, and linked to a user in your system (e.g., Call Center). Learn more about BindID

Step 1: Get Your BindID Credentials

To integrate with BindID, you'll need to obtain the BindID credentials used to identify your application in requests to BindID. You can get these credentials from the BindID Admin Portal (see Admin Portal: Get Started).

From Applications, open the settings of the built-in Call Center application to obtain your client ID and client secret.

Step 2: Initiate Authentication

Your application can initiate an out-of-band authentication flow for a user by sending the BindID service a backchannel authentication request that includes the user's phone number. BindID will then send the user a link by SMS that will initiate an authentication when clicked.

To initiate an authentication flow, send the following HTTP POST request from your backend (the request carries your client secret, so it must never be sent from a browser or from the agent's desktop client), after substituting the tokens as described below:

POST /authorize_ciba HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: signin.bindid-sandbox.io

client_id=[CLIENT_ID]&client_secret=[CLIENT_SECRET]&scope=openid&login_hint=%7B%22sms_target%22%3A%22[PHONE_NUMBER]%22%7D

Token             Substitute with...
[PHONE_NUMBER]    User's mobile phone number, which will receive the SMS link that initiates authentication. login_hint is the JSON object {"sms_target":"<number>"} in form-URL-encoded form, so escape the leading + of the number as %2B; an unescaped + is decoded as a space.
[CLIENT_ID]       Client ID obtained in step 1.
[CLIENT_SECRET]   Client Secret obtained in step 1.

The response to this request includes an authentication request identifier, which you use to obtain the user's tokens in step 3:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "auth_req_id": [AUTH_REQ_ID],
  "expires_in": [EXPIRATION_TIME]
}

Token              Description
[AUTH_REQ_ID]      Authentication request identifier used to obtain the user token in step 3. Keep it on the backend, tied to the call that triggered it.
[EXPIRATION_TIME]  Time in seconds until the authentication request identifier expires; stop polling once this elapses.

Step 3: Get User Token

You obtain the user's tokens by polling the BindID service's token endpoint with the authentication request identifier received in step 2 and the client credentials obtained in step 1. Only the poll mode of the OIDC CIBA standard is supported; the ping and push delivery modes are not (see the OIDC CIBA standard for details).

To obtain the user token, send the following backend HTTP POST request, after substituting the tokens as described below:

POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: signin.bindid-sandbox.io

grant_type=urn%3Aopenid%3Aparams%3Agrant-type%3Aciba&auth_req_id=[AUTH_REQ_ID]&client_id=[CLIENT_ID]&client_secret=[CLIENT_SECRET]

Token             Substitute with...
[AUTH_REQ_ID]     Authentication request identifier received in step 2.
[CLIENT_ID]       Client ID obtained in step 1.
[CLIENT_SECRET]   Client Secret obtained in step 1.

Until the user completes the flow, each poll is answered with an HTTP 200 response whose JSON body carries the error value authorization_pending; wait a few seconds and poll again, and stop when the expires_in returned in step 2 has elapsed. Any other error value (the CIBA standard defines, for example, access_denied and expired_token) ends the flow and must not be retried. Once the authentication completes successfully, the response carries the tokens, including a JWT ID token encoding the user information:

HTTP/1.1 200 OK
Content-Type: application/json

{
  "access_token": [ACCESS_TOKEN],
  "token_type": "Bearer",
  "expires_in": [EXPIRATION_TIME],
  "id_token": [ID_TOKEN]
}

Token              Description
[ACCESS_TOKEN]     Access token.
[EXPIRATION_TIME]  Time in seconds until the access token expires.
[ID_TOKEN]         ID token: a JWT carrying identifying claims about the authenticating user. Verify its signature against BindID's published keys and check its issuer, audience (your client ID) and expiry before using any claim.
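The backend side of steps 2 and 3 together, as an added example that is not part of this guide or of any Transmit Security SDK. It builds the two form bodies exactly as shown above (note how urlencode turns the leading + of the phone number into %2B), then polls the token endpoint until the user finishes, the request expires, or a terminal error arrives. The HTTP transport is injected as a `post(url, body)` callable so the block runs offline against a constructed stand-in for BindID; the client ID, secret, auth_req_id and token values are placeholders.

```python
import json
import time
from urllib.parse import urlencode

# Sandbox host from the guide; the production host is configured per tenant.
BINDID_BASE_URL = "https://signin.bindid-sandbox.io"
CIBA_GRANT_TYPE = "urn:openid:params:grant-type:ciba"


def build_initiate_body(client_id: str, client_secret: str, phone_number: str) -> str:
    """Form body for POST /authorize_ciba (step 2).

    login_hint is a JSON object carrying sms_target. urlencode() form-encodes it,
    which turns the leading '+' of an E.164 number into %2B; a raw '+' would be
    decoded as a space by the server.
    """
    login_hint = json.dumps({"sms_target": phone_number}, separators=(",", ":"))
    return urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "openid",
        "login_hint": login_hint,
    })


def build_token_body(client_id: str, client_secret: str, auth_req_id: str) -> str:
    """Form body for POST /token (step 3)."""
    return urlencode({
        "grant_type": CIBA_GRANT_TYPE,
        "auth_req_id": auth_req_id,
        "client_id": client_id,
        "client_secret": client_secret,
    })


def poll_for_token(post, client_id, client_secret, auth_req_id, expires_in,
                   interval=5, sleep=time.sleep, clock=time.monotonic):
    """Poll /token until the user finishes, the request expires, or BindID
    reports a terminal error.

    `post(url, body)` is a caller-supplied transport (e.g. requests.post wrapped
    to return (status, json_dict)). Dispatch is on the JSON `error` field, not
    the HTTP status, because the guide shows pending responses as HTTP 200
    while the CIBA standard uses 400.
    """
    deadline = clock() + expires_in
    while clock() < deadline:
        _status, body = post(BINDID_BASE_URL + "/token",
                             build_token_body(client_id, client_secret, auth_req_id))
        if "access_token" in body:
            return body
        error = body.get("error")
        if error == "authorization_pending":
            sleep(interval)
            continue
        if error == "slow_down":          # CIBA: increase the interval and retry
            interval += 5
            sleep(interval)
            continue
        # access_denied, expired_token, invalid_grant, ...: the flow is over.
        raise RuntimeError(f"authentication did not complete: {error!r}")
    raise TimeoutError("auth_req_id expired before the user completed authentication")


def fake_bindid(responses):
    """Constructed offline stand-in for the BindID token endpoint: returns the
    queued (status, body) pairs in order. Replace with a real HTTP client."""
    queue = list(responses)

    def post(url, body):
        assert url.endswith("/token") and "grant_type=" in body
        return queue.pop(0)
    return post


def run_demo():
    """Walk steps 2 and 3 against the fake endpoint; returns the token response."""
    auth_req = {"auth_req_id": "req-123", "expires_in": 120}   # constructed step-2 reply
    post = fake_bindid([
        (200, {"error": "authorization_pending"}),
        (200, {"error": "authorization_pending"}),
        (200, {"access_token": "at.example", "token_type": "Bearer",
               "expires_in": 3600, "id_token": "hdr.payload.sig"}),
    ])
    fake_now = [0.0]                      # simulated clock so the demo does not sleep
    return poll_for_token(post, "my-client-id", "my-client-secret",
                          auth_req["auth_req_id"], auth_req["expires_in"],
                          sleep=lambda s: fake_now.__setitem__(0, fake_now[0] + s),
                          clock=lambda: fake_now[0])


if __name__ == "__main__":
    print(build_initiate_body("my-client-id", "my-client-secret", "+15551234567"))
    print(run_demo()["token_type"])
```

In production, pass a transport that performs the real HTTPS POST with the form body, keep the client secret in backend configuration only, and persist the auth_req_id against the call record so that a later poll from the same call cannot be redirected to another caller's request.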

Step 4: Test Your Integration

Once you complete your integration with BindID, test your integration as follows:

  1. Trigger an authentication request for a test user, which calls the backend API described in step 2.
  2. The user should receive an SMS message that includes a link.
  3. The user clicks the link to initiate an authentication flow from their mobile device.
  4. The BindID service appears in the browser of their mobile device with your logo.
  5. The user approves the information shown on the mobile device.
  6. The user completes the biometric authentication on the mobile device.
  7. Your application obtains the user's tokens as described in step 3, validates the ID token (signature, issuer, audience, expiry), and compares its identifying claims with the user record you hold in your system before treating the caller as authenticated.
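The final check, as an added example that is not part of this guide: the claim checks the call-center backend still owns after a JWT library has verified the ID token's signature against BindID's published keys. Beyond the standard issuer, audience and expiry checks it rejects a token minted before this call's request was initiated (a stale or replayed token) and requires the authenticated subject to match the caller's record. The claim names iss, aud, exp, iat, sub and phone_number are standard OIDC names; that BindID's ID token carries exactly these is an assumption, as is the shape of the user record, and the sample token is constructed with a placeholder signature for offline use only.

```python
import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, the alphabet JWT compact serialization uses."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_id_token(id_token: str):
    """Return (header, claims) from a JWT. This does not verify the signature:
    verify the third segment against the issuer's published JWKS with your JWT
    library first, then apply check_id_token() to the claims it returns."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-segment JWT")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    if str(header.get("alg", "none")).lower() == "none":
        raise ValueError("unsigned id_token rejected")   # never accept alg=none
    return header, claims


def check_id_token(claims, *, issuer, client_id, user_record, initiated_at,
                   now=None, leeway=60):
    """Return the reasons this token must not be accepted (empty list == accept).

    Assumed claim names: iss/aud/exp/iat/sub/phone_number (standard OIDC).
    `user_record` is the call center's own record for the caller, constructed
    here as {"bindid_sub": ..., "phone": ...}, where "phone" is the number the
    SMS link was sent to in step 2.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer:
        problems.append("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience does not include this client")
    if "exp" not in claims or claims["exp"] + leeway < now:
        problems.append("token expired or missing exp")
    # A token minted before this call's request was initiated cannot be the
    # result of this call: reject stale or replayed tokens.
    if "iat" not in claims or claims["iat"] + leeway < initiated_at:
        problems.append("token issued before this request was initiated")
    if claims.get("sub") != user_record["bindid_sub"]:
        problems.append("authenticated subject is not the caller on record")
    # If the token names a phone number, it must be the one that got the SMS.
    if claims.get("phone_number", user_record["phone"]) != user_record["phone"]:
        problems.append("token phone_number differs from the SMS target")
    return problems


def make_sample_id_token(claims) -> str:
    """Constructed test token: real structure, placeholder signature.
    Only for the offline demo; a real token is verified via JWKS."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "demo"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.{b64url_encode(b'placeholder-signature')}"


# Constructed demo data (issuer is the sandbox host from the guide).
ISSUER = "https://signin.bindid-sandbox.io"
CLIENT_ID = "my-client-id"
RECORD = {"bindid_sub": "user-7f3a", "phone": "+15551234567"}
INITIATED_AT = 1_700_000_000            # when step 2 was sent for this call


def good_claims():
    return {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-7f3a",
            "phone_number": "+15551234567",
            "iat": INITIATED_AT + 30, "exp": INITIATED_AT + 630}


def verify_caller(id_token, now=INITIATED_AT + 60):
    """Step 4, item 7: decide whether the caller on this call is authenticated."""
    _header, claims = split_id_token(id_token)
    return check_id_token(claims, issuer=ISSUER, client_id=CLIENT_ID,
                          user_record=RECORD, initiated_at=INITIATED_AT, now=now)


if __name__ == "__main__":
    print(verify_caller(make_sample_id_token(good_claims())))   # []
```

Record the time at which step 2 was sent alongside the auth_req_id, so that `initiated_at` is available when the token arrives; without it a token obtained from an earlier, unrelated request for the same user is indistinguishable from the one for this call.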