Freja Mobile

Question: What is Freja Mobile?

Freja Mobile is a next-generation solution for mobile authentication. It consists of two components: the smartphone application called Freja Mobile Token (FMT) and its server-side component – Mobile Authentication Secure Server (MASS). Freja Mobile can be used in a range of scenarios, from remote access for corporate or public-service resources to e-commerce and online banking.

Keywords: Freja Mobile/mobile authentication

Question: Offline vs online use?

Freja Mobile Token can work in two different modes: OTP mode and Sign mode.

  • In OTP mode, the token is used in the traditional way: the application works as a simple one-time password (OTP) generator and can be used for VPN access and similar purposes. This mode does not require an Internet connection, which is why it is sometimes referred to as offline mode. The token is time-based, with intervals of typically 30-60 seconds, which gives the user enough time to enter the generated password into the web application or VPN client. The OTP value can be validated only by applications which use Freja ID as the authentication server.
  • In Sign mode, tokens use the full capabilities of Freja Mobile: they display information about the action the user is about to approve – such as a login or a bank transfer – and do not require the user to type a one-time password manually. This mode requires an Internet connection, because Freja Mobile needs to communicate with the mobile server and the organisation’s web application. That is why this mode is sometimes called online mode.

End-users can have their mobile token working in one or both of the described modes. If their Freja Mobile works in both modes, it actually contains two tokens, and thus two separate token serial numbers will be associated with that user.

Keywords: Freja Mobile/offline use/online use

Question: Which TLS/SSL versions do Freja Mobile/FMC support?

TLS 1.1 and TLS 1.2

Keywords: Freja Mobile/FMC/SSL

Question: What operating systems and platforms are supported?

The Freja Mobile smartphone application is supported on all major smartphone platforms – iOS, Android and Windows Phone. End users can download it for free from Apple App Store, Google Play or Windows Store. There is also a desktop version called Freja Desktop Token (FDT).
The minimum required versions of the operating systems for the smartphone app are the following:

  • iOS: 8 and above
  • Android: 4.0 and above
  • Windows Phone: 8 and 8.1 (Currently not maintained)

The minimum required version of the operating system for Freja Desktop Token is Windows 7, and the required version of the .NET Framework is .NET 4.5.

Keywords: Freja Mobile/operating systems/platforms

Question: Are there big changes between different versions of operating systems in terms of using the Freja Mobile app?

Differences between versions of operating systems do not affect the Freja Mobile app. It will work the same on all supported versions.

Keywords: operating systems/versions

Question: Do Freja Mobile apps support advert formats?

No, at least not at the moment.

Keywords: Freja Mobile/apps support/ad formats

Question: Can I have a branded Freja – an application that matches my company design?

Yes. We provide fully functional custom style apps that cover all the important features. Contact us to tell us how you would like your Freja to look.

Keywords: branded Freja/app/company design

Question: Will Freja Mobile work on a rooted/jailbroken device?

No. We have root/jailbreak checks on start-up and we disable usage in those cases.

Keywords: Freja Mobile/rooted device/jailbroken device

Question: Can someone steal my PIN?

No. Your PIN code is not stored on the device at all.

Keywords: Freja Mobile/stolen PIN/PIN code

Question: Are there big changes required between different versions of operating systems?

  • iOS – No changes between iOS 8 and 9
  • Android – No changes between Android 4 and 5

Keywords: iOS/Android

Question: What do the industry experts have to say about app protection?

Gartner has listed top ten technology trends – one of these states that “every app needs to be self-aware and self-protecting”. Very few apps available on app stores can truly be said to be both aware and self-protecting today.

Keywords: Freja Mobile/app protection/self-protecting

Question: Can users have two or more online tokens in one app?

No, this is not possible for now. Users can have up to two tokens in one app, one working in OTP mode (token is a one-time password generator which can be used offline) and another in Sign mode (token used online for transaction signing, login approval, etc.).

Keywords: Freja Mobile/online token

Question: Can users have the same Freja Mobile token on various devices?

Yes, but this requires the application used by the organisation (hereafter Business Online Application, BOA) to support this option. Formally, each device would have Freja Mobile Token installed with its own serial number, but all of them would be associated with one user and could be used equally for OTP generation and signing.
These are suggestions for possible solutions:

  • If BOA is a web application with integrated MASS API (the exact name of the library is BOA API), it will probably use some kind of database to store the token serial number. This database needs to be configured in such a way that the attribute where the token serial is stored allows multiple serial numbers to be entered and therefore associated with one user. When the transaction is started, BOA can ask the user on which device they wish to confirm the transaction. Alternatively, it can send the transaction to all devices/tokens associated with that user; whichever confirmation arrives first is taken into account and the transaction is considered approved. The important thing is that the mobile phone/MASS can verify that the serial number of the token from which the approval was sent is allocated to the user who started the transaction.
  • If BOA is a mobile application, where both BOA API and FMC are integrated, all actions happen locally on the mobile phone and no user database is required. When the user starts a transaction on one of the registered devices, the request will contain the token serial number of the token registered on that specific device (we assume here that the user wishes to approve the transaction on the same phone on which it was initiated).

Keywords: Freja Mobile/various devices/one token
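
The check described in the first suggestion, sketched as an added example that is not part of the BOA API or any Freja code: a request is fanned out to every serial number stored for the user, the first response decides the outcome, and a response from a serial not allocated to the initiating user is rejected. All names, serial numbers and the in-memory directory are hypothetical.

```python
# Added example: names and data structures are hypothetical, not the BOA API.
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: one attribute holding several serials per user.
USER_TOKENS = {
    "alice": {"FMT-0001", "FMT-0002"},
    "bob": {"FMT-0100"},
}

@dataclass
class Transaction:
    ref: str
    user: str
    text: str
    targets: frozenset                 # serials the request was sent to
    state: str = "started"             # started -> approved | cancelled
    decided_by: Optional[str] = None   # serial whose response was accepted

def start_transaction(ref, user, text, directory=USER_TOKENS):
    """Fan the request out to every token serial registered for the user."""
    serials = directory.get(user)
    if not serials:
        raise LookupError(f"no token registered for {user!r}")
    return Transaction(ref, user, text, frozenset(serials))

def record_response(tx, serial, approved, directory=USER_TOKENS):
    """Accept a response only from a serial allocated to the initiating user."""
    # Re-check the directory as well, so a serial deleted after the
    # transaction started can no longer approve it.
    if serial not in tx.targets or serial not in directory.get(tx.user, ()):
        return "rejected: serial not allocated to initiating user"
    if tx.state != "started":
        # First response wins; later ones must not flip the outcome.
        return f"ignored: already {tx.state} by {tx.decided_by}"
    tx.state = "approved" if approved else "cancelled"
    tx.decided_by = serial
    return tx.state
```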

Question: Can BOA avoid polling MASS to get a result of some action?

Not at the moment, but in the near future our API will support push operations along with pull requests. This means that MASS will be able to send notifications, without waiting for BOA to ask for the status of an action.

Keywords: BOA/polling/MASS

Question: Can two applications of the same organisation use the same token?

Theoretically, if Freja Mobile Core SDK is integrated in both apps, it is possible for them to share memory space reserved for those apps on the phone. To be more precise, they would need to share the part of that memory space where the token data is stored. However, this option has not been tested.

Keywords: delete token/user database

Question: What happens if the connection between BOA and MASS breaks at the moment when MASS returns a confirmation for the started transaction (e.g. that it is registered and sent to the phone, or that it is approved) and BOA never gets it?

The procedure is the following: when a user starts a transaction on BOA, BOA sends all the relevant information to MASS. This information comprises the transaction text, which will be displayed on the mobile app, a token serial number, and optionally, the transaction’s validity period. To confirm that the transaction has been registered and relayed to Freja Mobile, MASS returns the following: a transaction reference number (a unique ID number associated with the transaction) and a recommended polling interval for sending the next request, which asks for the result of the transaction. If the connection breaks while MASS is sending the confirmation and BOA does not get that information, a problem may occur: as far as MASS is concerned, the transaction is registered/approved/cancelled, but BOA does not know the state of that transaction. For instance, the transaction might expire or be cancelled on BOA even though the end user had received the transaction and approved it.
BOA API and MASS service will soon support an option which will allow BOA to query MASS for the state of the same transaction as many times as necessary, until an answer about the transaction state is received: started, approved, cancelled, expired.

Keywords: broken connection/transaction confirmation
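
How a BOA could use such a repeatable state query, as an added example that is not the BOA API: a lost reply is treated as "unknown" and the same reference is queried again, so a transaction the user approved is never marked expired just because a response went missing. `FakeMass`, `get_state` and `resolve_state` are hypothetical names, and the example assumes BOA already holds the transaction reference number.

```python
# Added example: FakeMass and resolve_state are hypothetical, not the BOA API.
import time

# States after which the outcome can no longer change.
TERMINAL = {"approved", "cancelled", "expired"}

class FakeMass:
    """Constructed stand-in for MASS: scripted replies, None = reply lost."""
    def __init__(self, script):
        self.script = list(script)
        self.calls = 0

    def get_state(self, ref):
        self.calls += 1
        # Consume the script; keep repeating the final entry once it is reached.
        reply = self.script.pop(0) if len(self.script) > 1 else self.script[0]
        if reply is None:
            raise ConnectionError("no response from MASS")
        return reply

def resolve_state(mass, ref, poll_interval=0.0, max_attempts=10, sleep=time.sleep):
    """Query the same reference until MASS reports a terminal state.

    A lost reply means 'unknown', never 'expired': only MASS decides the
    outcome, so BOA must not time the transaction out on its own.
    """
    for _ in range(max_attempts):
        try:
            state = mass.get_state(ref)
        except ConnectionError:
            state = None              # unknown, ask again
        if state in TERMINAL:
            return state
        sleep(poll_interval)          # use the interval MASS recommended
    return "unknown"                  # escalate for review; do not assume failure
```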

Question: When the user is no longer a client of the organisation, how to delete their token?

When a user stops using the organisation’s services, it is sufficient to delete the token serial number associated with them from the database (LDAP). This way the user will no longer be able to use the token. If the organisation considers that this is not enough, the token can be deleted from Freja ID as well. This can be done easily through the Token Management Console or by using the deleteToken method on Freja ID’s Provisioning API.

Keywords: delete token/user database

Question: Can users sign a transaction or confirm login even if their mobile phone is offline?

Yes. Freja Mobile allows a backup option in Sign mode – offline signing is possible by scanning a QR code generated on BOA. This functionality needs to be supported by BOA, and the QR code should contain all the necessary information about the started transaction/login which is to be displayed to the user. Inside the QR code, the transaction text is encoded in UTF-8 format. The maximum length of the text is 1000 characters.

Keywords: offline signing/QR code