Silent Authentication Advanced for Web Browsers [Alpha]
Note: Silent Authentication Advanced is currently in alpha stage. Live supply onboarding is ongoing, which means end-to-end testing is not yet possible. This guide is primarily informational. You can use the Virtual Operator for development and testing purposes.
This guide explains how to implement Silent Authentication Advanced in a web browser environment using the Digital Credentials API. In this flow, the web / desktop browser displays a QR code that the user scans with a mobile wallet. The wallet performs the TS.43 cryptographic handshake and returns an encrypted credential to your backend. Your backend will then submit this credential to the Vonage Verify API for verification.
Desktop/laptop browser flow: The browser displays a QR code and the wallet uses Bluetooth proximity as part of the user-mediated verification flow.
Mobile browser flow: There is no QR code scan and no Bluetooth proximity check. Instead:
- The browser launches the digital wallet and the user selects credentials to share.
- The mobile wallet returns an encrypted TS.43 digital credential (JWE) directly to the browser.
- The browser forwards the credential to the ASP backend.
- The ASP backend submits the TS.43 token to the Vonage Verify API, which returns match=true or match=false.
To implement the desktop/laptop browser flow described below, you need to handle the full Digital Credentials API integration in your web application. This includes handling the QR code display, communication with the wallet, and submitting the encrypted credential to your backend.
For implementing Silent Authentication Advanced on Android, refer to the Silent Authentication Advanced Asynchronous Implementation guide. For more information about Silent Authentication Advanced, refer to the conceptual guide on Silent Authentication Advanced.
Implementation Flow
This section describes the Digital Credentials API flow for a desktop / laptop browser Silent Authentication Advanced session.
Steps
- The end user clicks Verify in the web browser.
- The ASP (Application Service Provider) backend calls the Verify API to start verification using the customer's phone number, then retrieves the SIM-based authentication request and transforms it into an OpenID4VP (OpenID for Verifiable Presentations) format via a webhook.
- The ASP backend returns the digital credential request to the browser.
- The web browser makes a digital credential request by calling navigator.credentials.get().
- The browser displays a QR code, which the user scans with their mobile wallet.
- The mobile wallet uses Bluetooth to verify that the device is physically near the browser and confirms that its keys match those in the QR code. It then returns an encrypted TS.43 digital credential (JWE - JSON Web Encryption) to the ASP backend.
- The ASP backend submits the TS.43 token to the Verify API. The token confirms that the phone number is verified, independently of the Bluetooth proximity check. The Verify API returns a match=true or match=false result.
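The browser-side part of the steps above, as an added example that is not Vonage's code or part of this guide. It wires together feature detection (the fallback the risk table below asks for), the navigator.credentials.get() call, and forwarding of the returned JWE to the ASP backend, with dependencies injected so the logic runs offline against stubs. Everything not on this page is an assumption: the backend routes /verify/start and /verify/complete, the exact OpenID4VP request object the backend returns, the digital.requests[].protocol/data layout of the request (the current W3C draft shape; older Chrome builds used providers/request), and that the wallet response exposes the compact JWE as its data field.

```javascript
// Added example, not Vonage's code. Hypothetical pieces (assumptions, not from the
// page): backend routes /verify/start and /verify/complete, the OpenID4VP request
// body, the digital.requests[] layout, and the `data` field on the wallet response.

// Feature detection. `scope` is `window` in a real page; it is injected so the
// check can be exercised without a browser. The DigitalCredential interface name
// follows the W3C draft (assumption).
function supportsDigitalCredentials(scope) {
  const nav = scope && scope.navigator;
  return Boolean(
    nav && nav.credentials && typeof nav.credentials.get === "function" &&
    "DigitalCredential" in scope
  );
}

// Wrap the backend-supplied OpenID4VP request in the Digital Credentials API
// request shape (assumed layout, see lead-in). `signal` lets the caller abort
// a session that the user never completes.
function buildCredentialRequest(openid4vpRequest, signal) {
  return {
    digital: { requests: [{ protocol: "openid4vp", data: openid4vpRequest }] },
    signal,
  };
}

// Pull the encrypted TS.43 credential out of the wallet response and check that
// it at least has the five dot-separated segments of a compact JWE before the
// browser forwards it. The browser cannot decrypt it; only the backend/Verify
// API can, so this is a shape check, not a validation.
function extractJwe(credential) {
  if (!credential || typeof credential !== "object") {
    throw new Error("no credential returned by the wallet");
  }
  const payload = credential.data; // assumed field name
  const jwe = typeof payload === "string" ? payload : payload && payload.credential;
  if (typeof jwe !== "string" || jwe.split(".").length !== 5) {
    throw new Error("wallet response is not a compact JWE");
  }
  return jwe;
}

// Normalise the backend's answer (which relays the Verify API match flag) into a
// boolean the UI can act on; anything other than an explicit true is a failure.
function interpretResult(body) {
  return Boolean(body) && body.match === true;
}

// Full desktop flow. In a page call
//   runSilentAuthAdvanced({ scope: window, fetchImpl: fetch, requestId })
async function runSilentAuthAdvanced({ scope, fetchImpl, requestId, timeoutMs = 120000 }) {
  if (!supportsDigitalCredentials(scope)) {
    return { status: "unsupported" }; // caller shows manual input / deep link
  }
  const json = { "content-type": "application/json" };

  // Backend starts verification with the Verify API and returns the OpenID4VP
  // request built by its webhook.
  const startRes = await fetchImpl("/verify/start", {
    method: "POST", headers: json, body: JSON.stringify({ request_id: requestId }),
  });
  const openid4vpRequest = await startRes.json();

  // The browser renders the QR code itself while this promise is pending; the
  // wallet completes the TS.43 handshake and the promise resolves with the JWE.
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  let credential;
  try {
    credential = await scope.navigator.credentials.get(
      buildCredentialRequest(openid4vpRequest, controller.signal)
    );
  } catch (err) {
    return { status: "cancelled", reason: err && err.name };
  } finally {
    clearTimeout(timer);
  }

  // Forward the encrypted credential; the backend submits it to the Verify API.
  const jwe = extractJwe(credential);
  const completeRes = await fetchImpl("/verify/complete", {
    method: "POST", headers: json,
    body: JSON.stringify({ request_id: requestId, credential: jwe }),
  });
  return { status: "done", match: interpretResult(await completeRes.json()) };
}
```

The browser never inspects the JWE beyond its shape: the credential is encrypted for the backend, and the match decision comes only from the Verify API response relayed by your server, so a tampered client cannot manufacture a match=true on its own.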
Potential Risks and Mitigations
The following table outlines potential risks when implementing Silent Authentication Advanced for web browsers and the recommended mitigation strategies:
| Risk | Mitigation |
|---|---|
| Browser does not support the Digital Credentials API | Fall back to manual input or a native app deep link |
| Mobile wallet does not support TS.43 | Limit to certified wallets and provide an upgrade prompt |
| Bluetooth failure | Fall back to NFC or manual proximity confirmation |