Call Center Quick Start

The BindID service is an app-less, strong, portable authenticator offered by Transmit Security. BindID uses FIDO-based biometrics for secure, convenient, and consistent passwordless authentication. This guide explains how to integrate BindID into Call Center applications using the CIBA poll mode, which allows Call Center representatives and IVR systems to initiate out-of-band authentication flows for users. This guide assumes that the user is already registered with the BindID service and linked to a user record in your system (e.g., the Call Center's customer database).

For more information on CIBA ping and poll modes, see Get User Identity and Trust.

Step 1: Get Your BindID Credentials

To integrate with BindID, you'll need to configure an application in the BindID Admin Portal (see Admin Portal: Get Started). You can either create a new application or use one that you already created.

From Applications, here is the basic client setup that is required for your application:

  • Get your BindID credentials—Obtain the client ID and client secret used to identify your web application to the BindID Service.
  • Enable CIBA support for the client (select the CIBA supported option).

Step 2: Initiate Authentication

Your application can initiate an out-of-band authentication flow for a user by sending the BindID service a backchannel authentication request. The request can either be used to obtain a direct link (for example, to embed in a QR code) or to send the user a link by SMS. When opened, this link initiates an authentication process. Because the request carries your client secret, send it from your backend only, never from a browser, softphone or IVR client. The SMS target must be the mobile number already stored on the user's record in your system, not a number the caller reads out during the call; otherwise an impostor can have the link delivered to a device they control and pass the check as the victim.

To initiate an authentication flow by sending an SMS link, send the following HTTP POST request, after substituting the tokens as described below:

POST /authorize_ciba HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: signin.bindid-sandbox.io
client_id=[CLIENT_ID]&client_secret=[CLIENT_SECRET]&scope=openid&channel=%7B%22type%22%3A%22sms%22%2C%20%22target%22%3A%22[PHONE_NUMBER]%22%7D

The channel parameter is the URL-encoded JSON object {"type":"sms", "target":"[PHONE_NUMBER]"}.

Token             Substitute with...
[PHONE_NUMBER]    User's mobile phone number, taken from the user's record, which will receive an SMS link to initiate authentication. The leading + must be percent-encoded as %2B; an unencoded + is decoded as a space and the number will not match.
[CLIENT_ID]       Client ID obtained in step 1.
[CLIENT_SECRET]   Client Secret obtained in step 1.

The response to this request will include an authentication request identifier, which should be used to obtain user information in step 3:

HTTP/1.1 200 OK
Content-Type: application/json
{
"auth_req_id": [AUTH_REQ_ID],
"expires_in": [EXPIRATION_TIME]
}
Token               Description
[AUTH_REQ_ID]       Authentication request identifier to use to obtain the user token in step 3.
[EXPIRATION_TIME]   Time in seconds until the authentication request identifier expires.

Note: By default, links expire after 30 minutes. To change this, contact your Transmit representative to enable a preview feature where the expiration time can be set on the Application's settings page in the Admin Portal.

Step 3: Get User Token

You can obtain the user token by polling the BindID Service using the authentication request identifier received in step 2, along with the client credentials obtained in step 1. Note that only standard polling is supported (see the OIDC CIBA standard for more).

To obtain the user token, send the following backend HTTP POST request, after substituting the tokens as described below:

POST /token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: signin.bindid-sandbox.io
grant_type=urn%3Aopenid%3Aparams%3Agrant-type%3Aciba&auth_req_id=[AUTH_REQ_ID]&client_id=[CLIENT_ID]&client_secret=[CLIENT_SECRET]
Token             Substitute with...
[AUTH_REQ_ID]     Authentication request identifier received in step 2.
[CLIENT_ID]       Client ID obtained in step 1.
[CLIENT_SECRET]   Client Secret obtained in step 1.

Until the user completes the flow, the response to this request is an HTTP 200 response whose JSON body contains an authorization_pending error. (The OIDC CIBA specification itself returns token-endpoint errors with HTTP 400, so branch on the presence of the error field rather than on the status code.) Poll at a steady interval (the CIBA default is 5 seconds when the response carries no interval value), back off if you receive slow_down, and stop polling on expired_token or access_denied. Once the authentication is successfully completed, the response includes a JWT encoding the user information:

HTTP/1.1 200 OK
Content-Type: application/json
{
"access_token": [ACCESS_TOKEN],
"token_type": "Bearer",
"expires_in": [EXPIRATION_TIME],
"id_token": [ID_TOKEN]
}
Token               Description
[ACCESS_TOKEN]      Access token.
[EXPIRATION_TIME]   Time in seconds until the access token expires.
[ID_TOKEN]          ID token: a JWT carrying the identity of the authenticating user and other information about them. Validate its signature and its iss, aud and exp claims, as for any OIDC ID token, before trusting any claim in it.
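
The following is an added example, not Transmit Security's code or SDK, that carries steps 2 and 3 through end to end: it builds the channel parameter so the leading + survives encoding, polls the token endpoint honouring the CIBA error codes, and then checks the ID token before comparing it with the caller's record. Paths, parameters and error codes follow this guide and the OIDC CIBA specification. Everything else is an assumption made for the example: the issuer value (taken to be the sandbox host), the use of the sub claim as the identity to compare with your user record, and the injected verify_signature callable, which in production must check the JWT signature against the provider's published keys. The transport is injected too, so the included stand-in server lets the flow run offline.

```python
# Added example (not Transmit Security's code): a CIBA poll-mode client for the two
# requests in this guide. Paths, parameters and error codes follow the guide and the
# OIDC CIBA spec; issuer value, sub-based matching and the verifier are assumptions.
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request

SANDBOX = "https://signin.bindid-sandbox.io"  # host from the guide; issuer assumed equal

def http_post(path, body):
    """Real transport: form-encoded POST from your backend (it holds the client secret)."""
    req = urllib.request.Request(SANDBOX + path, data=body.encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req) as r:
            return json.load(r)
    except urllib.error.HTTPError as e:  # spec-conformant servers answer errors with 400
        return json.load(e)

def initiate_request(post, client_id, client_secret, phone_number):
    """Step 2: POST /authorize_ciba. phone_number must come from the stored user record."""
    channel = json.dumps({"type": "sms", "target": phone_number})
    body = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret,
                                   "scope": "openid", "channel": channel})  # '+' becomes %2B
    resp = post("/authorize_ciba", body)
    return resp["auth_req_id"], int(resp["expires_in"])

def poll_for_token(post, client_id, client_secret, auth_req_id, expires_in,
                   interval=5, sleep=time.sleep, clock=time.monotonic):
    """Step 3: poll /token until the user finishes or the request expires.
    Branch on the error field, not the HTTP status (the guide shows 200 for pending)."""
    body = urllib.parse.urlencode({"grant_type": "urn:openid:params:grant-type:ciba",
                                   "auth_req_id": auth_req_id,
                                   "client_id": client_id, "client_secret": client_secret})
    deadline = clock() + expires_in
    while clock() < deadline:
        resp = post("/token", body)
        err = resp.get("error")
        if err is None:
            return resp  # access_token, token_type, expires_in, id_token
        if err == "slow_down":
            interval += 5  # CIBA: back off by at least 5 s
        elif err != "authorization_pending":
            raise RuntimeError(f"authentication failed: {err}")  # expired_token, access_denied
        sleep(interval)
    raise TimeoutError("auth_req_id expired before the user authenticated")

def jwt_claims(id_token):
    """Decode the payload segment of a compact JWS; no verification happens here."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_id_token(id_token, verify_signature, client_id, expected_sub,
                   issuer=SANDBOX, now=time.time):
    """Verify the signature (caller-supplied check against the provider's keys), then
    bind the token to this client (iss, aud, exp) and to the caller's record (sub)."""
    if not verify_signature(id_token):
        raise ValueError("id_token signature invalid")
    claims = jwt_claims(id_token)
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or client_id not in aud:
        raise ValueError("id_token not issued by BindID for this client")
    if claims.get("exp", 0) <= now():
        raise ValueError("id_token expired")
    if claims.get("sub") != expected_sub:
        raise ValueError("authenticated identity does not match the caller's record")
    return claims

def authenticate_caller(post, client_id, client_secret, phone_number, expected_sub,
                        verify_signature, sleep=time.sleep):
    """Steps 2 and 3 end to end: returns the verified claims or raises."""
    auth_req_id, expires_in = initiate_request(post, client_id, client_secret, phone_number)
    token = poll_for_token(post, client_id, client_secret, auth_req_id, expires_in, sleep=sleep)
    return check_id_token(token["id_token"], verify_signature, client_id, expected_sub)

def fake_bindid(pending_polls=2, outcome="ok", sub="user-123", client_id="cid"):
    """Constructed stand-in for the sandbox: pending N times, then the outcome.
    Its id_token is unsigned (alg none) because verification is injected separately."""
    polls = [0]
    def b64(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    def post(path, body):
        form = dict(urllib.parse.parse_qsl(body))
        if path == "/authorize_ciba":
            assert json.loads(form["channel"])["target"].startswith("+")  # '+' survived
            return {"auth_req_id": "req-1", "expires_in": 1800}
        assert form["grant_type"] == "urn:openid:params:grant-type:ciba"
        polls[0] += 1
        if polls[0] <= pending_polls:
            return {"error": "authorization_pending"}
        if outcome != "ok":
            return {"error": outcome}
        claims = {"iss": SANDBOX, "aud": client_id, "sub": sub, "exp": int(time.time()) + 300}
        return {"access_token": "at", "token_type": "Bearer", "expires_in": 3600,
                "id_token": f"{b64({'alg': 'none'})}.{b64(claims)}."}
    return post

if __name__ == "__main__":
    ok = authenticate_caller(fake_bindid(), "cid", "secret", "+15551234567", "user-123",
                             verify_signature=lambda t: True, sleep=lambda s: None)
    print("authenticated sub:", ok["sub"])
```

Against the real sandbox, pass http_post as the transport, your stored user's number and identifier, and a verify_signature that checks the JWS against the provider's keys; the stand-in's always-true verifier exists only so the example runs offline. Note that expected_sub comes from the record you already hold for the caller, so a token for a different BindID user is rejected even though it is otherwise valid.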

Step 4: Test Your Integration

Once you complete your integration with BindID, test your integration (for an SMS flow) as follows:

  1. Trigger an authentication request for a test user, which calls the backend API described in step 2.
  2. The user should receive an SMS message that includes a link.
  3. The user clicks the link to initiate an authentication flow from their mobile device.
  4. The BindID service appears in the browser of their mobile device with your logo.
  5. The user approves the information in the mobile device.
  6. The user runs the biometric authentication process on the mobile device.
  7. Your application should obtain the user token as described in step 3, validate the ID token, and compare the identity it asserts with the user record you hold for the caller in your system. If they do not match, the caller must not be treated as authenticated.