Service Architecture

Warning

This service is deprecated. Use the Koshelek TOTP module instead.

TOTP Service operation principles


Authentication Mechanism

To authenticate a loyalty card in the issuer’s system, the Time-Based One-Time Password (TOTP) mechanism is used: when the card is presented on the device screen, the Koshelek app generates a temporary password based on the card number. The temporary password is displayed on the Koshelek app screen together with the card number as a barcode, which the cash desk software scans and verifies within the partner’s IT infrastructure.

Card authentication via TOTP generation and verification

Passcode Verification Library

The one-time password generated by the Koshelek app when a loyalty card is presented is checked by a dedicated component, Passcode Verify. The component is delivered as a dynamic library (AAR, JAR, SO, and DLL formats are available for the corresponding platforms). The library can be embedded into cash desk software as well as into the back-end (server) side of the partner’s software.

The Passcode Verify library checks the input password value and returns the result of the verification. The partner’s software processes the presented loyalty card according to the verification result and the implemented business rules (for example, it writes off the loyalty bonuses if the card is verified; otherwise it does not use the card or the bonuses).

Library Call

To verify a TOTP password, call the Passcode Verify library and pass values for the following input parameters: barcode, key, prefix, interval, passLength. All the parameters are mandatory. Any changes to constant values should be agreed with Koshelek in advance.

barcode: Barcode value scanned by a cash desk from the Koshelek app screen (or entered by a cashier manually) when the loyalty card is presented. The full value consists of a static part (prefix and card number) and a dynamic postfix (TOTP code).

Another option is to pass the full barcode value (barcode parameter) or the pre-separated card number and TOTP code (cardNumber and passCode parameters).

Example A (barcode):

CM2775599991258853

Example B (separated cardNumber, passCode):

2775599991258, 853

key: Private key of the partner (HEX string, 16 bytes, constant). The key value should be transferred to Koshelek in advance by any secure means.

Example:

70ac89d41ee665408409ffdb1b6596e0

prefix: Prefix value of a barcode (constant) which specifies that the card is presented from the Koshelek app. We recommend using the short prefix “CM” (“Cardsmobile” shortened).

Example:

CM

interval: Time-to-live period of a TOTP code in seconds. Constant; recommended value is 300.

Example:

300

passLength: Length of a TOTP code in characters (digits). Constant; recommended value is 3.

Example:

3

After the Passcode Verify library processes the data, it returns the result of the TOTP code verification as a Boolean value, where “true” means that the code is valid. The partner’s software must process the value according to the implemented business rules.
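The following sketch is an added example, not the Passcode Verify library's code: it splits a barcode into prefix, card number and TOTP postfix as described above and checks the postfix for the current interval. The derivation in derive_code (HMAC-SHA1 over the time counter and card number with RFC 4226 truncation) is an assumption, since this page does not document the library's algorithm, and all function names are hypothetical.

```python
import hashlib
import hmac
import struct
import time

# Sample constants copied from this page's parameter examples.
KEY_HEX = "70ac89d41ee665408409ffdb1b6596e0"
PREFIX, INTERVAL, PASS_LENGTH = "CM", 300, 3


def split_barcode(barcode, prefix=PREFIX, pass_length=PASS_LENGTH):
    """Split prefix + card number + TOTP postfix; ValueError if malformed."""
    if not barcode.startswith(prefix):
        raise ValueError("prefix missing")
    body = barcode[len(prefix):]
    if not (body.isascii() and body.isdigit()) or len(body) <= pass_length:
        raise ValueError("malformed barcode body")
    return body[:-pass_length], body[-pass_length:]


def derive_code(card_number, key, counter, pass_length=PASS_LENGTH):
    """ASSUMED derivation (not the library's documented algorithm):
    RFC 4226 dynamic truncation of HMAC-SHA1(key, counter || card number)."""
    msg = struct.pack(">Q", counter) + card_number.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** pass_length).zfill(pass_length)


def verify(barcode, key_hex=KEY_HEX, prefix=PREFIX, interval=INTERVAL,
           pass_length=PASS_LENGTH, now=None):
    """Return True only if the postfix is valid for the current interval."""
    key = bytes.fromhex(key_hex)
    if len(key) != 16:
        raise ValueError("key must be a 16-byte HEX string")
    try:
        card, code = split_barcode(barcode, prefix, pass_length)
    except ValueError:
        return False  # treat unparseable input as a failed verification
    counter = int(time.time() if now is None else now) // interval
    expected = derive_code(card, key, counter, pass_length)
    return hmac.compare_digest(expected, code)  # constant-time comparison


if __name__ == "__main__":
    t = 1_700_000_000  # constructed timestamp
    card = "2775599991258"
    code = derive_code(card, bytes.fromhex(KEY_HEX), t // INTERVAL)
    print(verify(PREFIX + card + code, now=t))
```

With passLength 3, a random postfix matches with probability 1 in 1000 per interval, so the partner's business rules should limit repeated failed verifications for the same card.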

Example of TOTP Usage

The figure below presents an example of using TOTP authentication to apply bonuses for a customer when paying for a purchase.

Using TOTP Service for loyalty card authentication