1 of 28

Mobile SDK

Keyless SDK Documentation

Authenticate people, not just devices

To embed privacy-preserving biometric authentication in your mobile applications:

Step 1: Understand how the Keyless components interact with your application server.

Step 2: Understand a typical biometric authentication flow and how it interacts with your application.

Step 3: Follow the getting started guide for Android or iOS.

Next steps

Learn about user and device management with the Admin portal.
Learn about user and device management with the RESTful API.

Introduction

Components

Learn about the interaction between Keyless components

The diagrams below show how the Keyless SDK, which runs within your mobile app on the user’s device, interacts with your application server and with the Keyless network.

Enrollment

During enrollment, your mobile app invokes the enroll method from the Keyless SDK, and then:

Guides the user through capturing a biometric signal with the device camera.
Interacts with Keyless to generate a new user identifier (Keyless ID), which is then returned to your mobile app.

Authentication

Authentication involves your application server, your mobile app, and the Keyless network, as depicted in Figure 2:

This process starts when the user performs an action that requires authentication using your mobile app.
The app provides the details of this action to your application server, which generates a challenge. The challenge is sent to the mobile app, which uses the Keyless SDK to compute the corresponding authentication token using the authenticate method.
The Keyless SDK authenticates the user by capturing the user’s biometrics using the mobile device’s camera.
The Keyless SDK connects to the Keyless network, and runs a secure multi-party computation protocol that authenticates the user and generates the authentication token in response to the challenge provided in Step 2. The Keyless SDK returns the authentication token to the mobile app.
The app sends the token to your application server, which verifies it.
If the authentication token is valid, the application server completes the transaction and notifies your mobile app.

Account Deletion

Account deletion is similar to authentication. First, your mobile app performs authentication steps 1-6, then it notifies your application server that the user wants to delete the account. Next, your mobile app invokes the deEnroll method from the Keyless SDK. This method issues a deletion request to the Keyless network (Step 7). The request removes all data associated with the user from the Keyless network.

Integration Flows

Learn how the Keyless components interact with your app.

Introduction

Learn how the Keyless SDK components can be integrated into a mobile application and backend server, to enable biometric authentication.

Integration Overview

Enrollment Flow

To authenticate with Keyless, a user must first enroll their biometric template. Enrollment with Keyless consists of registering the user’s biometric features in a privacy-preserving manner using the various enrollment methods from the Keyless SDK.

Authentication Flow

The most common authentications scenarios for the Keyless SDK are:

access to a web application
access on a mobile application

Authentication in a web application

In this scenario the user is trying access to a resource in a web application for which strong authentication is required. The web application backend sends a push notification to the customer app to request that the user identify themselves with Keyless. After biometric authentication is successful, the flow returns to the web application backend, which leverages the APIs exposed by the Keyless backend to perform additional security checks.

Once the Keyless backend confirms that the authentication was successful, the user is allowed access to the resource.

Authentication on a mobile app

In this scenario the user is trying access to a resource directly in the mobile application for which strong authentication is required. The mobile application sends a push notification to the customer app to request that the user identify themselves with Keyless. After biometric authentication is successful, the flow returns to the mobile application backend, which leverages the APIs exposed by the Keyless backend to perform additional security checks.

Once the Keyless backend confirms that the authentication was successful, the user is allowed access to the resource.

Keyless Components

As mentioned, Keyless is composed of two main blocks:

Keyless SDK
Keyless backend / Confirmation API Service

Keyless SDK

The Keyless SDK supports both Android and iOS, and exposes API methods to interact with the Keyless Privacy-Preserving Network to perform the following actions:

Enroll a user
Authenticate
De-Enroll
Restore backup

Keyless backend

The Keyless SaaS backend offers APIs which can be used to perform security checks through Backend-to-Backend calls. Specifically, it is possible to interrogate the Keyless Backend after the SDK returns an OK response for an Authentication attempt.

Mobile SDK Guide

1️⃣ Getting started

In this short guide, you will learn how to integrate the Keyless SDK in your Android or iOS mobile application, and enroll and authenticate users through the Keyless platform.

Before jumping into your code editor, make sure that you're familiar with the various components of the authentication system, and common biometic authentication flows.

Prerequisites

Make sure you have both required API keys, and the list of productions hosts from your Keyless contact:

YOUR_CLOUDSMITH_TOKEN to download the SDK from cloudsmith repository
KEYLESS_API_KEY to configure the mobile SDK
KEYLESS_HOSTS a list of node URLs

Review the Keyless SDK requirements:

The Keyless SDK uses

Set up a physical iOS device for running your app and enable the following permissions:

Enable Camera permissions: add the Privacy - Camera Usage Description key in your project’s Info.plist by adding the following (in XCode under Project > Info):

<key>NSCameraUsageDescription</key>
<string>Keyless needs access to your camera to enroll and authenticate you. Keyless cannot be used without your camera. Please allow camera permissions.</string>

Background processing. Enable the Background processing mode under Signing & Capabilities/Background Modes. Then, add the following in your project’s Info.plit (in XCode, under the key Permitted background task scheduler identifiers):
```
<key>NSCameraUsageDescription</key>
<key>BGTaskSchedulerPermittedIdentifiers</key>
<array>
    <string>YOUR APP IDENTIFIER</string>
</array>
```

The Keyless SDK uses

Flutter 3.0 or higher
Dart 3.0 or higher
All requirements from both Android and iOS platforms

Set up the required permissions as described in the Android and iOS tabs.

Installation

To allow Keyless to handle the result of registerForActivityResult, you must call Keyless from an Activity implementing ActivityResultCaller.
Extend any androidX activity that implements the interface for you, for example let your Activity extend the generic ComponentActivity or the more widespread AppCompatActivity.

If you use Proguard, add the following rules to your Proguard configuration file:

# Keyless Proguard
-keep class io.keyless.sdk.** {*;}
-keepclassmembers class io.keyless.sdk.** {*;}

In the the repositories section of the settings.gradle file of your Android application, add the following snippet, replacing YOUR_CLOUDSMITH_TOKEN with the CloudSmith token provided to you by Keyless.

dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
        mavenCentral()
        maven {
            url "https://dl.cloudsmith.io/YOUR_CLOUDSMITH_TOKEN/keyless/partners/maven/"
        }
    }
}

In the dependencies block of your project build.gradle file, typically app/build.gradle, add:
```
dependencies {
// ...

implementation 'io.keyless:keyless-android-sdk:+'
}
```

In the android block of your project build.gradle file, typically app/build.gradle, make sure you have the following options:

android {
    // ...

    compileOptions {
        sourceCompatibility JavaVersion.VERSION_1_8
        targetCompatibility JavaVersion.VERSION_1_8
    }

    // add the following only if you're using Kotlin
    kotlinOptions {
        jvmTarget = "1.8"
    }
}

Create a Podfile if you don’t already have one
```
$ cd your-project-directory
$ pod init
```
Set up Cocoapods to use your Cloudsmith credentials, by running the following commands, replacing YOUR_CLOUDSMITH_TOKEN with the Cloudsmith token provided you by Keyless.
```
git config --global credential.helper store
echo "https://token:YOUR_CLOUDSMITH_TOKEN@dl.cloudsmith.io" >> ~/.git-credentials
```

Add the KeylessSDK pod to your Podfile

# This is the Keyless repository for partners
source 'https://dl.cloudsmith.io/basic/keyless/partners/cocoapods/index.git'

target 'MyApp' do
    use_frameworks!

    # Add the Keyless pod
    pod 'KeylessSDK'
end

Add the following at the bottom of you Podfile

post_install do |installer|
installer.pods_project.targets.each do |target|
    target.build_configurations.each do |config|
    config.build_settings['ENABLE_BITCODE'] = 'NO'
    end
end
end

Install the pods. If pod prompts you for authentication insert the string token as your username and then fill in YOUR_CLOUDSMITH_TOKEN as the password.

$ pod install

Analyzing dependencies
Cloning spec repo `cloudsmith-basic-keyless-partners-cocoapods-index` from `https://dl.cloudsmith.io/basic/keyless/partners/cocoapods/index.git`
Username for 'https://dl.cloudsmith.io': token
Password for 'https://dl.cloudsmith.io': YOUR_CLOUDSMITH_TOKEN

Add the Keyless SDK repository

echo '${CLOUDSMITH_TOKEN}' | dart pub token add https://dart.cloudsmith.io/keyless/flutter/

Add the Keyless SDK dependency to your pubspec.yaml:

dart pub add keyless_flutter_sdk:PACKAGE_VERSION --hosted-url https://dart.cloudsmith.io/keyless/flutter/

Follow the installation steps in both the Android and iOS tabs to set up the native SDKs in their respective platforms.
Run flutter pub get to download the dependencies:
```
flutter pub get
```

Essential configuration

There is some essential configuration to do before you can use the Keyless SDK.

Initialize the Keyless SDK in your Application class:

// MainApplication
override fun onCreate() {
    super.onCreate()
    // Initialize Keyless
    Keyless.initialize(this)
}

Add your application to the Manifest

<application
    ...
    android:name=".MainApplication"
    ...
</application>

Configure the Keyless SDK from your MainActivity, ViewModel or any class you use to communicate with Keyless. Note that configure is asynchronous so wait for the completion callback before calling the next Keyless APIs

The configure method requires a SetupConfig as parameter, as well as the KEYLESS_API_KEY and KEYLESS_HOSTS you received from Keyless. You should listen to the result as follows:

val setupConfig = SetupConfig(
        apiKey = "KEYLESS_API_KEY",
        hosts = listOf("KEYLESS_HOSTS")
    )

 Keyless.configure(setupConfig) { result ->
    when (result) {
        is Keyless.KeylessResult.Success -> {
            Log.d("KeylessSDK", "configure success")
            // Keyless is ready, you can now call
            // enroll/authenticate/deEnroll ...
        }
        is Keyless.KeylessResult.Failure ->{
            Log.d("KeylessSDK", "configure error")
            // Inspect result.error for more info
         }
     }
 }

Create an instance object of Keyless.SetupConfiguration and pass it to the Keyless.configure method, typically this is done in your app’s application(:didFinishLaunchingWithOptions: method:).

let setupConfig = SetupConfig(
        apiKey: "KEYLESS_API_KEY",
        hosts: ["KEYLESS_HOSTS"]
    )

if let error = Keyless.configure(configuration: setupConfig) {
    print("Keyless.Configure failed with error: \(error)")
}

Initialize the Keyless SDK in your Application class:

// MainApplication
override fun onCreate() {
    super.onCreate()
    // Initialize Keyless
    Keyless.initialize(this)
}

Add your application to the Manifest

<application
    ...
    android:name=".MainApplication"
    ...
</application>

The configure method requires a SetupConfiguration as parameter, as well as the KEYLESS_API_KEY and KEYLESS_HOSTS you received from Keyless. You should listen to the result as follows:

val setupConfiguration = SetupConfiguration.builder
    .withApiKey("KEYLESS_API_KEY")
    .withHosts(listOf("KEYLESS_HOSTS"))
    .build()

 Keyless.configure(setupConfiguration) { result ->
    when (result) {
        is Keyless.KeylessResult.Success -> {
            Log.d("KeylessSDK", "configure success")
            // Keyless is ready, you can now call
            // enroll/authenticate/deEnroll ...
        }
        is Keyless.KeylessResult.Failure ->{
            Log.d("KeylessSDK", "configure error")
            // Inspect result.error for more info
         }
     }
 }

Create an instance object of Keyless.SetupConfiguration and pass it to the Keyless.configure method, typically this is done in your app’s application(:didFinishLaunchingWithOptions: method:).

let setupConfiguration = Keyless.SetupConfiguration.builder
    .withApiKey("KEYLESS_API_KEY")
    .withHosts(["KEYLESS_HOSTS"])
    .build()

if let error = Keyless.configure(configuration: setupConfiguration) {
    print("Keyless.Configure failed with error: \(error)")
}

Configure the Keyless SDK before using any of its features:

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/setup_configuration.dart';
import 'package:keyless_flutter_sdk/models/configurations/ui_customization.dart'; // needed for the UI customization
import 'package:keyless_flutter_sdk/models/networking/networking_module.dart'; // needed for the networking module

try {
  final setupConfiguration = SetupConfiguration(
    apiKey: "KEYLESS_API_KEY",
    hosts: ["KEYLESS_HOSTS"],
    numberOfEnrollmentCircuits: 3, // optional
    loggingEnabled: true, // optional
    loggingLevel: LogLevel.info, // optional
    withDevicePrivileges: true, // optional
    lockoutAttemptsThreshold: 5, // optional
    lockoutAttemptsResetAfter: 300, // optional
    lockoutDuration: 600, // optional
    uiCustomization: UICustomization(), // optional
    networkingModule: NetworkingModule() // optional, this needs to be extended by the developer
  );

  await Keyless.instance.configure(setupConfiguration);
  print("Keyless SDK configured successfully");
} catch (error) {
  print("Failed to configure Keyless SDK: $error");
}

Additional configuration

As well as the essential configuration parameters, you can also specify the optional configuration parameters detailed in the following sections. You can inspect the Config class to see optional parameters (or the builder to see exposed methods)

Logging

Logging is disabled by default.

Please note logs do not include any Personally Identifiable Information (PII).

Keyless allows you to:

enable logging to the Keyless infrastructure - keylessLogsConfiguration
collect logging for you own analytics without sending them to the Keyless infrastructure - customLogsConfiguration

val setup = SetupConfig(
    apiKey = "...",
    hosts = listOf(""),
    keylessLogsConfiguration = LogsConfiguration(
        enabled = true,
        logLevel = LogLevels.INFO
    ),
    customLogsConfiguration = LogsConfiguration(
        enabled = true
    )
)

let configuration = SetupConfig(
    apiKey: "some api key",
    hosts: ["some.host"],
    keylessLogsConfiguration: KeylessLogsConfiguration(enabled: true),
    customLogsConfiguration: CustomLogsConfiguration(enabled: true, logLevel: .INFO, callback: { event in
        print(event)
    })
)

Keyless.configure(setupConfiguration: configuration) { error in
    // handle error
}

val setupConfiguration = SetupConfiguration.builder
    .withApiKey("")
    .withHosts(listOf("..."))
    .withLogging(
        keylessLogsConfiguration = LogsConfiguration(enabled = true),
        customLogsConfiguration = LogsConfiguration(enabled = true, logLevel = LogLevels.INFO)
    )
    .build()

let configuration = Keyless.SetupConfiguration
  .builder
  .withApiKey("some api key")
  .withHosts(["some.host"])
  .withLogging(
    keylessLogsConfiguration: KeylessLogsConfiguration(enabled: true, logLevel: .INFO),
    customLogsConfiguration: CustomLogsConfiguration(enabled: true, callback: { event in
      print(event)
    })
  )
  .build()
 
Keyless.configure(setupConfiguration: configuration) { error in
  // handle error
}

Collect logs after setting up custom logging with customLogsConfiguration option:

Start collecting the Keyless.customLogs flow (This must happen before a Keyless.configure() to get all Logs Events):

Keyless.customLogs.collect { logEvent ->
    // handle the logEvent
}

Configure the SDK with the following SetupConfig:

val setup = SetupConfig(
    apiKey = "...",
    hosts = listOf(""),
    customLogsConfiguration = LogsConfiguration(
        enabled = true,
        logLevel = LogLevels.INFO // This is optional and defaults to INFO
    )
)

var myEventCollection = [LogEvent]()
    let configuration = Keyless.SetupConfiguration
      .builder
      .withApiKey("some api key")
      .withHosts(["some.host"])
      .withLogging(
        keylessLogsConfiguration: KeylessLogsConfiguration(enabled: true, logLevel: .INFO),
        customLogsConfiguration: CustomLogsConfiguration(enabled: true, callback: { event in
          myEventCollection.append(event)
        })
      )
     .build()
    Keyless.configure(setupConfiguration: configuration) { error in
      // handle error
    }
}

Logging Levels

You may set different logging levels to provide more or less information in logs.

The available levels are the following:

INFO (default)
DEBUG
TRACE

The TRACE level provides the following additional data:

userId
devicePublicSigningKey
coreLogHistory (used for detailed debugging)

Liveness Lockout policy

Keyless has both client side (applicable to a specific device) and server side (applicable to all users and devices) lockout policies to help prevent brute force attacks.

Client side lockout is configurable in the SDK, and determines how many failed login attempts (lockoutAttemptsThreshold) are allowed over a set time period (lockoutAttemptsResetAfter) before the user is locked out for the set duration (lockoutDuration) on that device.

Account lockoutDuration must be greater than or equal to the lockoutAttemptsResetAfter so that it is not reset by lockoutAttemptsResetAfter.

lockoutDuration: Long,                //seconds - default 300 seconds
lockoutAttemptsResetAfter: Long,      //seconds - default 180 seconds
lockoutAttemptsThreshold: Int         //number  - default 5 attempts

Server side lockout works similarly, except applies to all authentication devices for a specific user, and is configured to lock a user out for 10 minutes after 5 failed attempts. A successful login resets the count of failed authentication attempts to zero.

Tampered device check

Checking for rooted/jailbroken phones is an unreliable process but you can enable the check with tamperedDeviceCheck(). If you enable this check, and the SDK detects that phone was tampered with, the Keyless SDK will return an error and prevent the user from authenticating.

Enrollment circuits

To speed up enrollment you can use the numberOfEnrollmentCircuits to upload less than the default of five circuits upon enrollment. The remainder (50 - numberOfEnrollmentCircuits) are uploaded asynchronously.

Shared circuits

This is the target desired number of circuits shared between client and server. To set this number use the numberOfSharedCircuits.

Networking module

If you need to perform network requests on behalf of Keyless SDK, you can implement the KLNetworkingModule interface. Set the networkingModule parameter with an instance of the KLNetworkingModule:

public interface KLNetworkingModule {
    public fun sendHTTPRequest(
        baseUrl: String,
        path: String,
        method: String,
        headers: Map<String, String>,
        body: String
    ): KLHTTPResponse

    public data class KLHTTPResponse(
        val errorCode: Int,
        val httpCode: Int,
        val responseBody: String
    )
}

public protocol KLNetworkingModule {
    func sendHTTPRequest (
        host: String,
        url : String,
        method: String,
        headers : [String: String],
        body : String) -> KLHTTPResponse
}

public struct KLHTTPResponse {
    var errorCode: Int
    var httpCode: Int
    var responseBody : String
    public init(errorCode: Int, httpCode: Int, responseBody: String) {
        self.errorCode = errorCode
        self.httpCode = httpCode
        self.responseBody = responseBody
    }
}

2️⃣ Enrollment

Enrollment is the process of registering a new user by connecting their facial biometrics to a Keyless account. During this process, a full and unobstructed view of the user's face is required.

val configuration = BiomEnrollConfig()

Keyless.enroll(
  configuration = configuration,
  onCompletion = { result ->
    when (result) {
      is Keyless.KeylessResult.Success -> Log.d("KeylessSDK ", "Enroll success - userId ${result.value.keylessId}")
      is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "Enroll failure - error code ${result.error.code}")
    }
  }
)

let configuration = BiomEnrollConfig()

Keyless.enroll(
  configuration: configuration,
  onCompletion: { result in
    switch result {
    case .success(let enrollmentSuccess):
        print("Enrollment finished successfully. UserID: \(enrollmentSuccess.keylessId)")
    case .failure(let error):
        print("Enrollment finished with error: \(error.message)
    }
  })

val configuration = EnrollmentConfiguration.builder.build()

Keyless.enroll(
  enrollmentConfiguration = configuration,
  onCompletion = { result ->
    when (result) {
      is Keyless.KeylessResult.Success -> Log.d("KeylessSDK ", "Enroll success - userId ${result.value.keylessId}")
      is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "Enroll failure - error code ${result.error.code}")
    }
  }
)

let configuration = Keyless.EnrollmentConfiguration.builder.build()

Keyless.enroll(
  enrollmentConfiguration: configuration,
  onCompletion: { result in
    switch result {
    case .success(let enrollmentSuccess):
        print("Enrollment finished successfully. UserID: \(enrollmentSuccess.keylessId)")
    case .failure(let error):
        print("Enrollment finished with error: \(error.message)
    }
  })

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/enrollment_configuration.dart';

final configuration = BiomEnrollConfig();

try {
  final result = await Keyless.instance.enroll(configuration);
  print("Enrollment finished successfully. UserID: ${result.keylessId}");
} catch (error) {
  print("Enrollment finished with error: $error");
}

Enrollment configuration

You can configure the enrollment process with optional parameters in your BiomEnrollConfig() instance or using the builder pattern methods from the EnrollmentConfiguration builder.

public data class BiomEnrollConfig(
    public val backup: KeylessBackup?,
    public val cameraDelaySeconds: Int = 2,
    public val customSecret: String?,
    public val iamToken: String?
    public val jwtSigningInfo: JwtSigningInfo?,
    public val livenessConfiguration: LivenessSettings.LivenessConfiguration = PASSIVE_STANDALONE_HIGH,
    public val livenessTimeout: Int = 60,
    public val operationInfo: OperationInfo?,
    public val shouldRetrieveTemporaryState: Boolean = false,
    public val shouldRetrieveEnrollmentSelfie: Boolean = false,
    public val temporaryState: String?,
    public val showScreenSuccessFlow: Boolean = true,
    public val showScreenSuccessFaceCapture: Boolean = true,
    public val showScreenInstructions: Boolean = true
)

public struct BiomEnrollConfig {
    public let backup: Keyless.Backup?
    public let cameraDelaySeconds: Int
    public let customSecret: String?
    public let iamToken: String?
    public let jwtSigningInfo: JwtSigningInfo?
    public let livenessConfiguration: Keyless.LivenessConfiguration
    public let livenessTimeout: Int
    public let operationInfo: Keyless.OperationInfo?
    public let shouldRetrieveTemporaryState: Bool
    public let shouldReturnEnrollmentSelfie: Bool
    public let temporaryState: String?,
    public let showScreenSuccessFlow: Bool,
    public let showScreenSuccessFaceCapture: Bool,
    public let showScreenInstructions: Bool
}

public interface EnrollmentConfigurationBuilder {

    public fun retrievingBackup(): EnrollmentConfigurationBuilder

    public fun retrievingTemporaryState(): EnrollmentConfigurationBuilder

    public fun savingSecret(customSecret: String): EnrollmentConfigurationBuilder

    public fun withBackup(backupKey: ByteArray, backupData: ByteArray): EnrollmentConfigurationBuilder

    public fun withDelay(cameraDelaySeconds: Int): EnrollmentConfigurationBuilder

    public fun withEnrollmentSelfie(): EnrollmentConfigurationBuilder

    public public fun withIAMToken(token: String)

    public fun withLivenessSettings(
        livenessConfiguration: LivenessSettings.LivenessConfiguration,
        livenessTimeout: Int
    ): EnrollmentConfigurationBuilder

    public fun withOperationInfo(
        operationId: String,
        payload: String? = null,
        externalUserId: String? = null
    ): EnrollmentConfigurationBuilder

    public fun withPin(pin: String): EnrollmentConfigurationBuilder

    public fun withTemporaryState(temporaryState: String): EnrollmentConfigurationBuilder

    public fun build(): EnrollmentConfiguration
}

public protocol EnrollmentConfigurationBuilder {

    public func retrievingBackup() -> EnrollmentConfigurationBuilder

    public func retrievingTemporaryState() -> EnrollmentConfigurationBuilder

    public func savingSecret(_ customSecret: String) -> EnrollmentConfigurationBuilder

    public func withBackup(_ backup: Keyless.Backup) -> EnrollmentConfigurationBuilder

    public func withDelay(seconds: Int) -> EnrollmentConfigurationBuilder

    public func withEnrollmentSelfie() -> EnrollmentConfigurationBuilder

    public func withIAMToken(token: String)

    public func withLivenessSettings(
        livenessConfiguration: Keyless.LivenessConfiguration,
        livenessTimeout: Int
    ) -> EnrollmentConfigurationBuilder

    public func withOperationInfo(
        id: String,
        payload: String?,
        externalUserId: String?
    ) -> EnrollmentConfigurationBuilder

    public func withPin(_ pin: String) -> EnrollmentConfigurationBuilder

    public func withTemporaryState(_ temporaryState: String) -> EnrollmentConfigurationBuilder

    public func build() -> Keyless.EnrollmentConfiguration
}

class BiomEnrollConfig {
    final String? customSecret;
    final String? temporaryState;
    final OperationInfo? operationInfo;
    final LivenessConfiguration? livenessConfiguration;
    final int? livenessTimeout;
    final bool? retrieveBackup;
    final KeylessBackup? backup;
    final int? cameraDelaySeconds;
    final String? iamToken;
    final JwtSigningInfo? jwtSigningInfo;
}

Enrollment success result

Depending on the builder methods you enable, Keyless will populate the corresponding fields in the EnrollmentSuccess result reported below.

data class EnrollmentSuccess(
    val keylessId: String,
    val backup: KeylessBackup? = null,
    val customSecret: String = "",
    val enrollmentSelfie: Bitmap? = null,
    val temporaryState: String? = null
) : KeylessSdkSuccess()

public struct EnrollmentSuccess {
    public let backup: Keyless.Backup?
    public let customSecret: String?
    public let enrollmentSelfie: CGImage?
    public let keylessId: String?
    public let temporaryState: String?
}

class EnrollmentSuccess {
    final String? keylessId;
    final String? customToken;
    final KeylessBackup? backup;
}

Backup data

Backup data is no longer recommended to perform account recovery use the temporary state. Follow the guide on account recovery.

Keyless can generate backup data that you can use to recover an account.

To create the backup data use the shouldRetrieveBackup method. Once the enrollment succeeds, copy the backup data from the EnrollmentSuccess result, and store it securely.

To recover an account, use the backup parameter more in backup.

Camera Delay

Use cameraDelaySeconds to specify the delay (in seconds) between when the camera preview appears, and when the liveness processing starts.

Custom secret

During enrollment you can specify a custom secret to be saved and encrypted along with the user's biometric data using savingSecret paramter. The custom secret can be anything you can save as an ASCII string, such as a secret that you have provided to the app from the backend, the seed of an OTP protocol, or anything else.

Enrollment Selfie

Using shouldRetrieveEnrollmentSelfie you can retrieve the image that Keyless uses to computes the facial biometrics of the user. The image can be found in the EnrollmentSuccess result as enrollmentSelfie.

IAM Token

Specifying an iamToken you can authenticate with your IAM System, follow the guide authenticating in auth0 with Keyless

JWT Signing info

You can specify a payload to be added to a JWT signed by Keyless with the jwtSigningInfo parameter, more in JWT signing.

Liveness Settings

Using livenessConfiguration you can configure the liveness security level during enrollment. The possible liveness configuration are under LivenessSettings.LivenessConfiguration :

PASSIVE_STANDALONE_MEDIUM
PASSIVE_STANDALONE_HIGH        //recommended configuration
PASSIVE_STANDALONE_HIGHEST

You can also specify a livenessTimeout (in seconds) to cancel the enrollment if the liveness takes longer than the timeout.

More details on liveness in the dedicated liveness settings section.

Operation info

The parameter operationInfo specifies a customizable unique operation identifier and associated payload stored on the Keyless backend if the enrollment succeeds. Use this to add an extra level of confirmation in your operations.

Details on how to query our backend for stored operations are available on Operations API.

Temporary State

Keyless users can be enrolled via IDV-Bridge, Identity Verification Bridge. As a result of IDV-Bridge enrollment you receive a temporary state useful to register users in your app without undergoing the full enrollment flow.

Use the temporaryState parameter to register users from a temporary state obtained through IDV-Bridge or follow the account recovery guide.

3️⃣ Authentication

Authentication is the biometric equivalent of "signing-in". During authentication Keyless compares the user's facial biometrics with the ones computed during enrollment.

If the biometrics match, Keyless authenticates the user.

val configuration = BiomAuthConfig()

Keyless.authenticate(
    configuration = configuration,
    onCompletion = { result ->
        when (result) {
            is Keyless.KeylessResult.Success -> Log.d("KeylessSDK ", "Authentication success")
            is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "Authentication failure - error code ${result.error.code}")
        }
    }
)

let configuration = BiomAuthConfig()

Keyless.authenticate(
    configuration: configuration,
    onCompletion: { result in
        switch result {
        case .success(let success):
            print("Authentication success")
        case .failure(let error):
            break
        }
    })

val configuration = AuthenticationConfiguration.builder.build()

Keyless.authenticate(
    authenticationConfiguration = configuration,
    onCompletion = { result ->
        when (result) {
            is Keyless.KeylessResult.Success -> Log.d("KeylessSDK ", "Authentication success")
            is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "Authentication failure - error code ${result.error.code}")
        }
    }
)

let configuration = Keyless.AuthenticationConfiguration.builder.build()

Keyless.authenticate(
    authenticationConfiguration: configuration,
    onCompletion: { result in
        switch result {
        case .success(let success):
            print("Authentication success")
        case .failure(let error):
            break
        }
    })

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/authentication_configuration.dart';

final configuration = BiomAuthConfig();

try {
  final result = await Keyless.instance.authenticate(configuration);
  print("Authentication success");
} catch (error) {
  print("Authentication failure");
}

Authentication configuration

You can configure the authentication process with optional parameters in your BiomAuthConfig() instance or using the builder pattern methods from the AuthenticationConfiguration builder.

public data class BiomAuthConfig(
    public val cameraDelaySeconds: Int = 0,
    public val jwtSigningInfo: JwtSigningInfo?,
    public val livenessConfiguration: LivenessSettings.LivenessConfiguration = PASSIVE_STANDALONE_HIGH,
    public val livenessTimeout: Int = 60,
    public val operationInfo: OperationInfo?,
    public val shouldRemovePin: Boolean = false,
    public val shouldRetrieveTemporaryState: Boolean = false,
    public val shouldRetrieveSecret: Boolean = false,
    public val shouldDeleteSecret: Boolean = false,
    public val showScreenSuccessFlow: Boolean = true
)

public struct BiomAuthConfig: AuthConfig {
    public let cameraDelaySeconds: Int
    public let jwtSigningInfo: JwtSigningInfo?
    public let livenessConfiguration: Keyless.LivenessConfiguration
    public let livenessTimeout: Int
    public let operationInfo: Keyless.OperationInfo?
    public let shouldRemovePin: Bool
    public let shouldRetrieveTemporaryState: Bool
    public let shouldRetrieveSecret: Bool
    public let shouldDeleteSecret: Bool
    public let showScreenSuccessFlow: Bool
}

interface AuthenticationConfigurationBuilder {

    fun retrievingBackup(): AuthenticationConfigurationBuilder

    fun retrievingSecret(): AuthenticationConfigurationBuilder

    fun deletingSecret(): AuthenticationConfigurationBuilder

    fun retrievingTemporaryState(): AuthenticationConfigurationBuilder

    fun withDelay(cameraDelaySeconds: Int): AuthenticationConfigurationBuilder

     fun withLivenessSettings(
        livenessConfiguration: LivenessSettings.LivenessConfiguration,
        livenessTimeout: Int
    ): AuthenticationConfigurationBuilder

    fun withMessageToSign(message: String): AuthenticationConfigurationBuilder

    fun withOperationInfo(
        operationId: String,
        payload: String? = null,
        externalUserId: String? = null
    ): AuthenticationConfigurationBuilder

    fun withPin(pin: String): AuthenticationConfigurationBuilder

    fun withSuccessAnimation(enabled: Boolean = true): AuthenticationConfigurationBuilder

    fun build(): AuthenticationConfiguration
}

public class Builder {

    public func retrievingBackup() -> Builder

    public func retrievingSecret() -> Builder

    public func deletingSecret() -> Builder

    public func retrievingTemporaryState() -> Builder

    public func revokingDevice(id: String) -> Builder

    public func withDelay(seconds: Int) -> Builder

    public func withLivenessSettings(
        livenessConfiguration: LivenessConfiguration,
        livenessTimeout: Int
    ) -> Builder

    public func withMessageToSign(_ message: String) -> Builder

    public func withOperationInfo(
        id: String,
        payload: String? = nil,
        externalUserId: String? = nil
    ) -> Builder

    public func withPin(_ pin: String) -> Builder

    public func withSuccessAnimation(_ enabled: Bool) -> Builder

    public func build() -> AuthenticationConfiguration
}

class BiomAuthConfig extends AuthConfig {
    final LivenessConfiguration? livenessConfiguration;
    final int? livenessTimeout;
    final int? cameraDelaySeconds;
    final bool? shouldRetrieveBackup;
    final bool? successAnimationEnabled;
    final String? b64NewDeviceData;
    final String? b64OldDeviceData;
    final String? deviceToRevoke;
    final bool? shouldRetrieveSecret;
    final bool? shouldRemovePin;
    final JwtSigningInfo? jwtSigningInfo;
    final OperationInfo? operationInfo;
}

The successAnimationEnabled field has been renamed to showScreenSuccessFlow, triggering a breaking change. Moreover the success animation is now shown by default.

Authentication success result

Depending on the builder methods you enable, Keyless will populate the corresponding fields in the AuthenticationSuccess result reported below.

data class AuthenticationSuccess(
    val backup: KeylessBackup? = null,
    val customSecret: String? = null,
    val signedJwt: String? = null,
    val temporaryState: String? = null
) : KeylessSdkSuccess()

public struct AuthenticationSuccess {
    public let backup: Keyless.Backup?
    public let customSecret: String?
    public let signedJwt: String?
    public let temporaryState: String?
}

class AuthenticationSuccess {
  final String? customToken;
  final String? signedJwt;
  final KeylessBackup? backup;
  final String? b64OldDeviceData;
}

Backup data

Backup data is no longer recommended to perform account recovery use the temporary state. Follow the guide on account recovery.

Keyless can generate backup data that you can use to recover an account.

To create the backup data use the shouldRetrieveBackup configuration parameter. Once authentication succeeds, copy the backup data from the AuthenticationSuccess result, and store it securely.

To recover an account, use backup parameter during enrollment more in backup.

Camera Delay

Use cameraDelaySeconds to specify the delay (in seconds) between when the camera preview appears, and when the liveness processing starts.

Custom Secret

If you saved a custom secret during enrollment, you can retrieve it using the shouldRetrieveSecret parameter.

Keyless will populate the field customSecret in the AuthenticationSuccess result.

Furthermore, such a custom secret can be deleted using the shouldDeleteSecret parameter.

JWT Signing info

You can specify a payload to be added to a JWT signed by Keyless with the jwtSigningInfo parameter, more in JWT signing.

Liveness Settings

Using livenessConfiguration you can configure the liveness security level during enrollment. The possible liveness configuration are under LivenessSettings.LivenessConfiguration :

PASSIVE_STANDALONE_MEDIUM
PASSIVE_STANDALONE_HIGH        //recommended configuration
PASSIVE_STANDALONE_HIGHEST

You can also specify a livenessTimeout (in seconds) to cancel the enrollment if the liveness takes longer than the timeout.

More details on liveness in the dedicated liveness settings section.

Operation info

The parameter operationInfo specifies a customizable unique operation identifier and associated payload stored on the Keyless backend if the enrollment succeeds.

Details on how to query our backend for stored operations are available on Operations API.

Temporary State

Use the shouldRetrieveTemporaryState parameter to creata a temporary state useful for the account recovery.

4️⃣ De-Enrollment

De-enrollment is biometric equivalde of an account deletion. Keyless performs an authentication to compare the user's facial biometrics with the ones computed during enrollment. If the biometrics match, the user is authenticated and their account will be removed from Keyless. This operation is irreversible.

val configuration = BiomDeEnrollConfig()

Keyless.deEnroll(
    deEnrollmentConfiguration = configuration,
    onCompletion = { result ->
        when (result) {
            is Keyless.KeylessResult.Success -> Log.d("KeylessSDK ", "De-enroll success")
            is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "De-enroll failure - error code ${result.error.code}")
        }
    }
)

let configuration = BiomDeEnrollConfig()
    .build()

Keyless.deEnroll(
    deEnrollmentConfiguration: configuration,
    onCompletion: { error in
        if let error = error {
              print("De-Enrollment finished with error: \(error.message)")
        } else {
              print("De-Enrollment finished with success")
        }
    }
}

val configuration = DeEnrollmentConfiguration.builder.build()

Keyless.deEnroll(
    deEnrollmentConfiguration = configuration,
    onCompletion = { result ->
        when (result) {
            is Keyless.KeylessResult.Success -> Log.d("KeylessSDK ", "De-enroll success")
            is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "De-enroll failure - error code ${result.error.code}")
        }
    }
)

let configuration = Keyless.DeEnrollmentConfiguration.builder
    .build()

Keyless.deEnroll(
    deEnrollmentConfiguration: configuration,
    onCompletion: { error in
        if let error = error {
              print("De-Enrollment finished with error: \(error.message)")
        } else {
              print("De-Enrollment finished with success")
        }
    }
}

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/deenrollment_configuration.dart';

// Biometric de-enrollment
final configuration = BiomDeEnrollConfig(
    livenessConfiguration: LivenessConfiguration.passiveStandaloneHigh,
    livenessTimeout: 60,
    cameraDelaySeconds: 0
);

// Or PIN-based de-enrollment
final configuration = PinDeEnrollConfig(
    pin: "1234"
);

try {
    await Keyless.instance.deEnroll(configuration);
    print("De-enrollment successful");
} catch (error) {
    print("De-enrollment failed: $error");
}

DeEnrollment configuration

Camera Delay

Use cameraDelaySeconds to specify the delay (in seconds) between when the camera preview appears, and when the liveness processing starts.

Liveness Settings

Using livenessConfiguration you can configure the liveness security level during enrollment. The possible liveness configuration are under LivenessSettings.LivenessConfiguration :

PASSIVE_STANDALONE_MEDIUM
PASSIVE_STANDALONE_HIGH        //recommended configuration
PASSIVE_STANDALONE_HIGHEST

You can also specify a livenessTimeout (in seconds) to cancel the enrollment if the liveness takes longer than the timeout.

More details on liveness in the dedicated liveness settings section.

5️⃣ Backup

Backup data is no longer the recommended approach to perform account recovery. The recommended flow is using the temporary state. Follow the guide on account recovery.

Back up your user's data so you can restore their Keyless account when necessary.

Create a backup (not recommended)

Create backups after authentication, and push them into your backup system. Each backup is encrypted with aes-gcm using the backupKey as symmetric key. You need both backupData and backupKey to restore an account with Keyless.

val configuration = AuthenticationConfiguration.builder
   .retrievingBackup()
   .build()

Keyless.authenticate(
    authenticationConfiguration = configuration,
    onCompletion = { authResult ->
        when (authResult) {
            is Keyless.KeylessResult.Success -> {
                // use the backup
                val backup: KeylessBackup? = authResult.value.backup
            }
            is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "Authentication failure - error code ${result.error.code}")
        }
    }
)

let authenticationConfiguration = Keyless.AuthenticationConfiguration.builder
    .retrievingBackup()
    .build()

Keyless.authenticate(authenticationConfiguration: authenticationConfiguration) { result in
    switch result {
    case .success(let authenticationSuccess):
        // Handle your backup system logic
        print("Retrieve data for backup successful")
        print("Backup data: \(authenticationSuccess.backup?.data)")
        print("Backup key: \(authenticationSuccess.backup?.key)")
    case .failure(let error):
        // Handle error and display an error to the user.
        print("Retrieve data for backup failed with error: \(error.message)")
    }
}

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/authentication_configuration.dart';

// Create enrollment configuration with backup
final configuration = BiomAuthConfig(retrieveBackup: true);

try {
    final result = await Keyless.instance.authenticate(configuration);
    print("Backup retrieved successfully");
} catch (error) {
    print("Backup retrieval failed: $error");
}

Restore from a backup (not recommended)

Restore the user account by providing backupData and backupKey to the withBackup method:

val configuration = EnrollmentConfiguration.builder
  .withBackup(
    backupKey = backupKey,
    backupData = backupData
  )
  .build()


Keyless.enroll(
  enrollmentConfiguration = configuration,
  onCompletion = { result ->
    when (result) {
      is Keyless.KeylessResult.Success -> Log.d("KeylessSDK ", "Enroll success - userId ${result.value.keylessId}")
      is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "Enroll failure - error code ${result.error.code}")
    }
  })

let enrollmentConfiguration = Keyless.EnrollmentConfiguration.builder
    .withBackup(Keyless.Backup(data: backupData, key: backupKey))
    .build()

Keyless.enroll(enrollmentConfiguration: enrollmentConfiguration) { result in
    switch result {
    case .success(let enrollmentSuccess):
        print("Enrollment from backup finished successfully")
    case .failure(let error):
        print("Enrollment from backup finished with error: \(error.message)")
    }
}

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/enrollment_configuration.dart';

// Create enrollment configuration with backup
final configuration = BiomEnrollConfig(
    backup: KeylessBackup(
        data: backupData,
        key: backupKey
    )
);

try {
    final result = await Keyless.instance.enroll(configuration);
    print("Enrollment from backup successful");
} catch (error) {
    print("Enrollment from backup failed: $error");
}

6️⃣ User and device management

The Keyless SDK "caches" the enrolled user locally on the device.

There are some use cases where it is possible to delete the user from server API and delete the device from server API. The Keyless SDK will not be notified about such deletions. For this reason if you try to authenticate a user or a device that have been deleted from server API you will get an error.

Call validateUserAndDeviceActive before authenticating, to validate that both the user and the device are still active in the Keyless backend, to avoid asking the user for biometric data which will still not let them authenticate.

Keyless.validateUserAndDeviceActive(
    onCompletion = { result ->
        when (result) {
            is Keyless.KeylessResult.Success -> Log.d("KeylessSDK ", "user and device active")
            is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "user or device not ofund - error code ${result.error.code}")
            // error code 1131 = user is not enrolled on the device (not even locally so did not check on backend)
            // error code 534 = user not found or deactivated on backend
            // error code 535 = device not found or deactivated on backend
        }
    }
)

Keyless.validateUserDeviceActive(
    onCompletion: { result in
        switch result {
        case .success(let success):
            print("user and device active")
        case .failure(let error):
            print("user or device deactivated")
            // error code 1131 = user is not enrolled on the device (not even locally so did not check on backend)
            // error code 534 = user not found or deactivated on backend
            // error code 535 = device not found or deactivated on backend
            break
        }
    })

User identifier

Retrieve the user identifier with Keyless.getUserId():

fun getUserId(): KeylessResult<String, KeylessSdkError>

func getUserId() -> Result<String, KeylessSDKError>

Device identifier

The device is identified by its public signing key. To retrieve the public signing key use Keyless.getDevicePublicSigningKey():

fun getDevicePublicSigningKey(): KeylessResult<ByteArray, KeylessSdkError>

func getDevicePublicSigningKey() -> Result<String, KeylessSDKError>

Keyless SDK reset

Resetting the Keyless SDK to a clean state deletes local data from the device, but does not de-enoll the user from the Keyless backend or deactivate the device from the Keyless backend:

fun reset(
  onCompletion: (KeylessResult<Unit, KeylessSdkError>) -> Unit
)

func reset() -> KeylessSDKError?

Lockout management

The getRateLimitInfo API checks whether the user is currently rate-limited and, if so, for how many seconds. This API is typically used to provide feedback to users after multiple failed authentication attempts.

Keyless.getRateLimitInfo { result ->
    when (result) {
        is Keyless.KeylessResult.Success -> {
            val rateLimitInfo = result.value
            println("User is rate limited: ${rateLimitInfo.isRateLimited} with remaining seconds: ${rateLimitInfo.remainingSeconds}")
        }
        is Keyless.KeylessResult.Failure -> {
            println("Error: ${result.error.message}")
        }
    }
}

Keyless.getRateLimitInfo(completion: { result in
        switch result {
        case .success(let success):
            print("User is rate limited: \(success.isRateLimited) with remaining seconds: \(success.remainingSeconds)")
        case .failure(let error):
            print("Error: \(error.message)")
        }
})

Mobile SDK Reference

UI Customization

The Keyless SDK can be customised in order to provide a more familiar UX when integrated in any custom app.

Theme

The SDK theme can be customized to be dark, light or system.

Keyless will use the system defined theme by default.

Keyless.UI.Color.sdkTheme = SdkTheme.SYSTEM

// default theme is SYSTEM
public enum class SdkTheme {
    DARK,
    LIGHT,
    SYSTEM
}

Keyless.UI.Color.sdkTheme = .system

// default theme is system
public enum SDKTheme {
   case dark
   case light
   case system
}

Colors

It is possible to customize the following colors:

primary color This color is the one that appears most frequently across the screens and components.
onPrimary color The color used for elements that appear on top of the PrimaryColor, ensuring clear contrast and visibility.

Example

Keyless.UI.Color.primary = 0xFF1833B8
Keyless.UI.Color.onPrimary = 0xFFFED900

Keyless.UI.Color.primary = .magenta
Keyless.UI.Color.onPrimary = .cyan

final uiCustomization = UICustomization(
    primaryColor: 0xFF1833B8,
    onPrimaryColor: 0xFFFED900,
);

// Pass the UI customization when configuring the SDK
final setupConfiguration = SetupConfiguration(
    apiKey: "YOUR_API_KEY",
    hosts: ["YOUR_HOSTS"],
    uiCustomization: uiCustomization
);

Text

It is possible to customize the following text:

Enrollment

We suggest to not use more than three lines of text.

Step0 (information screen before enrollment)
- title
- description
- prerequisiteCenterFace
- prerequisiteDirectLook
- prerequisiteWellLitArea
- prerequisiteRemoveEyeWear
- continueCta
- closeScreenButtonContentDescription (the content description of the close button for accessibility)
- ~~prerequisiteAloneInPhoto~~ deprecated (will no longer be shown)

Step1
- text1 Showed before the user face is framed.

step1Success
- message Showed after the user face is framed with a successful animation.

Step2
- text1 Showed after the user face has been framed and the progress is between 0% and 33%.
- text2 Showed after the user face has been framed and the progress is between 34% and 66%.
- text3 Showed after the user face has been framed and the progress is between 67% and 100%.
- subtitle1 Showed during the entire enrollment progress

Step3
- text1 Showed when the enrollment has been successfully completed.
- subtitle1 Showed when the enrollment has been successfully completed

Authentication

We suggest to not use more than two lines of text.

Step1
- text1 Showed before the user face is framed.
Step2
- text1 Showed after the user face has been framed.
Step3
- text1
  - Showed when the authentication has been successfully completed.

Example

// Custom text for enrollment

// prelimiar information for enrollment
Keyless.UI.Text.Enrollment.Step0.title = "(custom) Enroll your face"
Keyless.UI.Text.Enrollment.Step0.description = "(custom) On the next screen, we will take a photo of your face to create your account."

Keyless.UI.Text.Enrollment.Step0.prerequisiteCenterFace = "(custom) Center your face in the frame"
Keyless.UI.Text.Enrollment.Step0.prerequisiteDirectLook = "(custom) Look directly at the screen"
Keyless.UI.Text.Enrollment.Step0.prerequisiteWellLitArea = "(custom) Ensure you are in a well-lit area"
Keyless.UI.Text.Enrollment.Step0.prerequisiteRemoveEyeWear = "(custom) Remove any eyewear or hats"
Keyless.UI.Text.Enrollment.Step0.continueCta = "(custom) Continue"

// remaining steps of the enrollment
Keyless.UI.Text.Enrollment.Step1.text1 = "(custom) Put your face within the frame"
Keyless.UI.Text.Enrollment.Step1Success.message = "(custom) Photo captured successfully"

Keyless.UI.Text.Enrollment.Step2.text1 = "(custom 1) Enrolling, please wait…"
Keyless.UI.Text.Enrollment.Step2.text2 = "(custom 2) Enrolling, please wait…"
Keyless.UI.Text.Enrollment.Step2.text3 = "(custom 3) Enrolling, please wait…"
Keyless.UI.Text.Enrollment.Step3.text1 = "(custom) Keyless account created successfully!"

// Custom text for authentication
Keyless.UI.Text.Authentication.Step1.text1 = "(custom) Please look into the camera"
Keyless.UI.Text.Authentication.Step2.text1 = "(custom) Communicating with the Keyless network"
Keyless.UI.Text.Authentication.Step3.text1 = "(custom) Approved"

// Custom text for enrollment

// prelimiar information for enrollment
Keyless.UI.Text.Enrollment.Step0.title = "(custom) Enroll your face"
Keyless.UI.Text.Enrollment.Step0.description = "(custom) On the next screen, we will take a photo of your face to create your account."

Keyless.UI.Text.Enrollment.Step0.prerequisiteCenterFace = "(custom) Center your face in the frame"
Keyless.UI.Text.Enrollment.Step0.prerequisiteDirectLook = "(custom) Look directly at the screen"
Keyless.UI.Text.Enrollment.Step0.prerequisiteWellLitArea = "(custom) Ensure you are in a well-lit area"
Keyless.UI.Text.Enrollment.Step0.prerequisiteRemoveEyeWear = "(custom) Remove any eyewear or hats"
Keyless.UI.Text.Enrollment.Step0.continueCta = "(custom) Continue"

// remaining steps of the enrollment
Keyless.UI.Text.Enrollment.Step1.text1 = "(custom) Put your face within the frame"
Keyless.UI.Text.Enrollment.Step1Success.message = "(custom) Position your face within the frame"

Keyless.UI.Text.Enrollment.Step2.text1 = "(custom 1) Enrolling, please wait…"
Keyless.UI.Text.Enrollment.Step2.text2 = "(custom 2) Enrolling, please wait…"
Keyless.UI.Text.Enrollment.Step2.text3 = "(custom 3) Enrolling, please wait…"
Keyless.UI.Text.Enrollment.Step3.text1 = "(custom) Keyless account created successfully!"

// Custom text for authentication
Keyless.UI.Text.Authentication.Step1.text1 = "(custom) Please look into the camera"
Keyless.UI.Text.Authentication.Step2.text1 = "(custom) Communicating with the Keyless network"
Keyless.UI.Text.Authentication.Step3.text1 = "(custom) Approved"

final uiCustomization = UICustomization(
    // Enrollment Step 0
    enrollmentStep0Title: "(custom) Enroll your face",
    enrollmentStep0Description: "(custom) On the next screen, we will take a photo of your face to create your account.",
    enrollmentStep0PrerequisiteCenterFace: "(custom) Center your face in the frame",
    enrollmentStep0PrerequisiteDirectLook: "(custom) Look directly at the screen",
    enrollmentStep0PrerequisiteWellLitArea: "(custom) Ensure you are in a well-lit area",
    enrollmentStep0PrerequisiteRemoveEyeWear: "(custom) Remove any eyewear or hats",
    enrollmentStep0ContinueCta: "(custom) Continue",
    
    // Enrollment Steps
    enrollmentStep1Text: "(custom) Put your face within the frame",
    enrollmentStep1SuccessText: "(custom) Photo captured successfully",
    
    enrollmentStep2Text1: "(custom 1) Enrolling, please wait…",
    enrollmentStep2Text2: "(custom 2) Enrolling, please wait…",
    enrollmentStep2Text3: "(custom 3) Enrolling, please wait…",
    enrollmentStep2Subtitle: "(custom) Processing your enrollment",
    
    enrollmentStep3Text: "(custom) Keyless account created successfully!",
    enrollmentStep3Subtitle: "(custom) You're all set!",
    
    // Authentication Steps
    authenticationStep1: "(custom) Please look into the camera",
    authenticationStep2: "(custom) Communicating with the Keyless network",
    authenticationStep3: "(custom) Approved",
);

// Pass the UI customization when configuring the SDK
final setupConfiguration = SetupConfiguration(
    apiKey: "YOUR_API_KEY",
    hosts: ["YOUR_HOSTS"],
    uiCustomization: uiCustomization
);

Optional Screens

It is possible to show or hide some of the Enrollment and Authentication steps above by setting to false the following fields.

The default value for all of them is true which means that the step is shown.

Enrollment

Use the following fields of a BiomEnrollConfig:

showScreenInstructions: affects the Step0
showScreenSuccessFaceCapture: affects the Step1Success
showScreenSuccessFlow: affects the Step3

Example

val biomEnrollConfig = BiomEnrollConfig(
    showScreenInstructions = false,
    showScreenSuccessFaceCapture = false,
    showScreenSuccessFlow = false
)

Keyless.enroll(
    configuration = biomEnrollConfig, 
    onProgress = { /* handle progress */ },
    onCompletion = { /* handle completion */ }
)

let biomEnrollConfig = BiomEnrollConfig(
    showScreenSuccessFlow: false,
    showScreenSuccessFaceCapture: false,
    showScreenInstructions: false
)
        
Keyless.enroll(
    configuration: biomEnrollConfig,
    onProgress: { _ in /* handle progress */ },
    onCompletion: { _ in /* handle completion */ }
)

Authentication

Use the following fields of a BiomAuthConfig:

showScreenSuccessFlow: affects the Step3

Example

val biomAuthConfig = BiomAuthConfig(
    showScreenSuccessFlow = false
)

Keyless.authenticate(
    configuration = biomAuthConfig,
    onCompletion = { /* handle completion */ }
)

let biomAuthConfig = BiomAuthConfig(
    showScreenSuccessFlow: false
)
        
Keyless.authenticate(
    configuration: biomAuthConfig,
    onCompletion: { _ in /* handle completion */ }
)

Fonts

It is possible to customize the font.

Android: requires an android.graphics.Typeface object.
iOS: requires a String, the name of the font.

The custom font must be set as soon as available, a good moment to do so is before calling Keyless.configure

Example

Keyless.UI.Font.customFont: Typeface = Typeface.SERIF

Keyless.UI.Font.customFont: String = "Serif"

final uiCustomization = UICustomization(
    customFont: "Serif"
);

Logo

You can show your custom logo during Enrollment, Authentication and de-enrollment. It will be shown in the upper-right corner; any custom logo can be used, it will be resized but not stretched.

logo positioning may overlap with custom text depending on your custom text

Example

Add your own image .png in your /res/drawable folder to set it using Keyless.UI.Logo.bitmap property.

Keyless.UI.Logo.bitmap = BitmapFactory.decodeResource(
                resources,
                R.drawable.icon_example)

Add your own image to the app bundle and set it using Keyless.UI.Logo property.

Keyless.UI.Image.logoImage = UIImage(named: "your custom image")

Error handling

The Keyless SDK uses three classes of errors, each error has a code and a description:

Internal errors: triggered by Keyless internals.
Integration errors: triggered by a KeylessSDK integration misconfiguration.
User errors: triggered by user behavior.

If you're implementing the Keyless SDK, you should handle these errors so they are not displayed to the end user. User errors are most likely to require application logic, and are explained in more detail below.

User errors

Note that many of these errors are predictions only, when writing messages for your users it's often best to assume positive intent. For example, suggest that they make sure that nothing is obstructing the camera instead of suggesting that are attempting to spoof.

Spoofing

The user might be placing a picture or a video in front of the camera.

Timeout

The operation timed out.

Mask detected

The user might be wearing a mask, or there might be something hiding their face.

User cancelled

The user manually cancelled the operation.

Face not matching

The face of the user trying to perform an operation is different from the face of the user who is enrolled.

No network connection

The device is offline.

User lockout

The user is temporarily locked out of Keyless after too many failed authentication attempts.

Examples

val configuration = Keyless.AuthenticationConfiguration()

Keyless.authenticate(
    authenticationConfiguration = configuration,
    onCompletion = { result ->
        when (result) {
            is Keyless.KeylessResult.Success -> {
                Log.d("IntegratorActivity ", "Authenticate success")
            }
            is Keyless.KeylessResult.Failure -> {
                when (result.error) {
                    is KeylessUserError.FaceNotMatching -> Log.d("IntegratorActivity ", "Face not matching")
                    is KeylessUserError.MaskDetected -> Log.d("IntegratorActivity ", "Mask detected")
                    is KeylessUserError.Spoofing -> Log.d("IntegratorActivity ", "Spoofing detected")
                    is KeylessUserError.Timeout -> Log.d("IntegratorActivity ", "The operation timed out")
                    is KeylessUserError.UserCancelled -> Log.d("IntegratorActivity ", "The user cancelled the operation")
                    is KeylessUserError.NoNetworkConnection -> Log.d("IntegratorActivity ", "No network connection available")
                    is KeylessUserError.Lockout -> Log.d("IntegratorActivity ", "Your account is temporarily locked")
                    else -> {
                        Log.d("IntegratorActivity ", "Authenticate failure")

                        val errorCode = result.error.code
                        val errorMessage = result.error.message
                        val errorCause = result.error.cause?.printStackTrace()
                        // here you could display a generic error popup with the error code
                    }
                }
            }
        }
    }
)

let configuration = Keyless.AuthenticationConfiguration.builder.build()

Keyless.authenticate(authenticationConfiguration: configuration) { result in
    switch result {
    case .success(let authenticationSuccess):
        print("authenticationDidFinish:  \(authenticationSuccess.token)")
    case .failure(let error):
        switch error.kind {
        case .userError(let userError):
            switch userError {
            case .faceNotMatching:
                print("Face not matching")
            case .maskDetected:
                print("Mask detected")
            case .spoofing:
                print("Spoofing detected")
            case .timeout:
                print("The operation timed out")
            case .userCancelled:
                print("The user cancelled the operation")
            case .noNetworkConnection:
                print("No network connection available")
            case .lockout:
                print("Your account is temporarily locked")
            }
        default:
            let code = error.code
            let message = error.message
            // here you could display a generic error popup with the error code
        }
    }
}

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/authentication_configuration.dart';

final configuration = BiomAuthConfig();

try {
  final result = await Keyless.instance.authenticate(configuration);
  print("Authentication successful");
} catch (error) {
  if (error is KeylessError) {
    switch (error.errorType) {
      case KeylessErrorType.user:
        if (error.code == KeylessErrorCase.faceNotMatching.code) {
          print("Face not matching");
        } else if (error.code == KeylessErrorCase.maskDetected.code) {
          print("Mask detected");
        } else if (error.code == KeylessErrorCase.spoofing.code) {
          print("Spoofing detected");
        } else if (error.code == KeylessErrorCase.timeout.code) {
          print("The operation timed out");
        } else if (error.code == KeylessErrorCase.userCancelled.code) {
          print("The user cancelled the operation");
        } else if (error.code == KeylessErrorCase.noNetworkConnection.code) {
          print("No network connection available");
        } else if (error.code == KeylessErrorCase.deviceTampered.code) {
          print("Device security check failed");
        } else if (error.code == KeylessErrorCase.lockout.code) {
          print("Your account is temporarily locked");
        }
        break;
      default:
        // Handle internal or integration errors
        print("Authentication failed: ${error.message} (Code: ${error.code})");
        // Here you could display a generic error popup with the error code
    }
  }
}

Liveness Settings

Keyless SDK provides three officially-supported configurations for the liveness detection (antispoofing component), listed below from the lowest to the highest level of security:

PASSIVE_STANDALONE_MEDIUM - for testing purposes only
PASSIVE_STANDALONE_HIGH - for most production use (SDK default)
PASSIVE_STANDALONE_HIGHEST - for higher security production use

Increasing the security level increases the ability of the system to reject spoof attempts (true positive rate, or TPR). A higher security level also increases the genuine reject rate (false positive rate, or FPR) and the time required by the anti-spoofing module to make a decision.

For most production scenarios, Keyless recommends the use of PASSIVE_STANDALONE_HIGH. This setting offers a good tradeoff between TPR, FPR, and time-to-decision. For scenarios that require a higher security level, we recommend increasing this setting to PASSIVE_STANDALONE_HIGHEST.

To customize the liveness detection call .withLivenessSettings(livenessConfiguration, livenessTimeout) when initializing any configuration.

// Authentication Configuration
val authenticationConfiguration = AuthenticationConfiguration.builder
        .withLivenessSettings(livenessConfiguration: livenessConfiguration, livenessTimeout: livenessTimout)
//...
        .build()

// Enrollment Configuration
val enrollmentConfiguration = EnrollmentConfiguration.builder
        .withLivenessSettings(livenessConfiguration: livenessConfiguration, livenessTimeout: livenessTimout)
//...
        .build()

// De-Enrollment Configuration
val deEnrollmentConfiguration = DeEnrollmentConfiguration.builder
        .withLivenessSettings(livenessConfiguration: livenessConfiguration, livenessTimeout: livenessTimout)
//...
        .build()

// Authentication Configuration
let authenticationConfiguration = Keyless.AuthenticationConfiguration.builder
        .withLivenessSettings(livenessConfiguration: livenessConfiguration, livenessTimeout: livenessTimout)
//...
        .build()

// Enrollment Configuration
let enrollmentConfiguration = Keyless.EnrollmentConfiguration.builder
        .withLivenessSettings(livenessConfiguration: livenessConfiguration, livenessTimeout: livenessTimout)
//...
        .build()

// De-Enrollment Configuration
let deEnrollmentConfiguration = Keyless.DeEnrollmentConfiguration.builder
        .withLivenessSettings(livenessConfiguration: livenessConfiguration, livenessTimeout: livenessTimout)
//...
        .build()

// Authentication Configuration
final authenticationConfiguration = BiomAuthConfig(
    livenessConfiguration: livenessConfiguration,
    livenessTimeout: livenessTimeout,
    //...
);

// Enrollment Configuration
final enrollmentConfiguration = EnrollmentConfiguration(
    livenessConfiguration: livenessConfiguration,
    livenessTimeout: livenessTimeout,
    //...
);

// De-Enrollment Configuration
final deEnrollmentConfiguration = DeEnrollmentConfiguration(
    livenessConfiguration: livenessConfiguration,
    livenessTimeout: livenessTimeout,
    //...
);

JWT signing

Keyelss mobile SDK can generate a signed a JWT containing a custom payload. You can use the signed JWT to implement .

Generate signed JWT

Pass JwtSigningInfo to the authentication to generate a signed JWT:

//Keyless adds a td claim to the JWTs containing the data you specify
val jwtSigningInfo = JwtSigningInfo(claimTransactionData = "<your custom data")

// if you want to authenticate with biometric
val biomAuthConfig = BiomAuthConfig(jwtSigningInfo = jwtSigningInfo)
// if you want to authenticate with pin
val pinAuthConfig = PinAuthConfig(pin = "1234", jwtSigningInfo = jwtSigningInfo)

// perform the authentication
Keyless.authenticate(
    configuration = biomAuthConfig, // pinAuthConfig if you use pin
    onCompletion = { /*TODO: process result*/ }
)

//Keyless adds a td claim to the JWTs containing the data you specify
let jwtSigningInfo = JwtSigningInfo(claimTransactionData: "<your custom data>")

// if you want to authenticate with biometric
let biomAuthConfig = BiomAuthConfig(jwtSigningInfo: jwtSigningInfo)
// if you want to authenticate with pin
let pinAuthConfig = PinAuthConfig(pin: "1234", jwtSigningInfo: jwtSigningInfo)

// perform the authentication
Keyless.authenticate(
    configuration: biomAuthConfig, // pinAuthConfig if you use pin
    onCompletion : { /*TODO: process result*/ }
)

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/jwt_signing_info.dart';
import 'package:keyless_flutter_sdk/models/configurations/authentication_configuration.dart';

// Keyless adds a td claim to the JWTs containing the data you specify
final jwtSigningInfo = JwtSigningInfo("<your custom data>");

// if you want to authenticate with biometric
final biomAuthConfig = BiomAuthConfig(
    jwtSigningInfo: jwtSigningInfo
);

// if you want to authenticate with pin
final pinAuthConfig = PinAuthConfig(
    pin: "1234",
    jwtSigningInfo: jwtSigningInfo
);

try {
    // perform the authentication
    final result = await Keyless.instance.authenticate(
        biomAuthConfig // or pinAuthConfig if you use pin
    );
    print("JWT signed successfully: ${result.signedJwt}");
} catch (error) {
    print("Authentication failed: $error");
}

User signing public key

The AuthenticationSuccess contains the following fields:

signedJwt: the signed JWT.

PIN authentication

Use a PIN to perform specific operations when biometric authentication is not necessary

For authentication scenarios that don't necessitate biometric recognition, you can use PIN as an alternative.

PIN authentication has limited capabilities compared to biometric authentication. PIN supports:

Keyless requires at least one of the following authentication factor to be present for each user:

biometric factor
PIN factor

PIN factor can be any valid String. Numbers are not enforced but are recommended, given the familiarity of numeric PINs for end users.

Enrollment with PIN

To enroll using the PIN factor create the following configuration:

val configuration = PinEnrollConfig(pin = "1234")

Keyless.enroll(
  configuration = configuration,
  onCompletion = { /*TODO: process result*/  }
)

let configuration =  PinEnrollConfig(pin: "1234")

Keyless.enroll(
  configuration: configuration,
  onCompletion: { /*TODO: process result*/  }
)

val configuration = EnrollmentConfiguration.builder
  .withPin("1234")
  .build()

Keyless.enroll(
  configuration = configuration,
  onCompletion = { /*TODO: process result*/  }
)

let configuration = Keyless.EnrollmentConfiguration.builder
  .withPin("1234")
  .build()

Keyless.enroll(
  configuration: configuration,
  onCompletion: { /*TODO: process result*/  }
)

final configuration = EnrollmentConfig(
    pin: "1234"
);

try {
    await Keyless.instance.enroll(configuration);
    print("Enrollment successful");
} catch (error) {
    print("Enrollment failed: $error");
}

To enroll multiple authentication factors you need call Keyless.enroll for each factor.

Authentication with PIN

To authenticate using the PIN factor create the following configuration:

val configuration = PinAuthConfig(pin = "1234")

Keyless.authenticate(
  configuration = configuration,
  onCompletion = { /*TODO: process result*/  }
)

let configuration =  PinAuthConfig(pin: "1234")

Keyless.authenticate(
  configuration: configuration,
  onCompletion: { /*TODO: process result*/  }
)

val configuration = AuthenticationConfiguration.builder
  .withPin("1234")
  .build()

Keyless.authenticate(
  configuration = configuration,
  onCompletion = { /*TODO: process result*/  }
)

let configuration = Keyless.AuthenticationConfiguration.builder
  .withPin("1234")
  .build()

Keyless.authenticate(
  configuration: configuration,
  onCompletion: { /*TODO: process result*/  }
)

final configuration = PinAuthConfig(
    pin: "1234"
);

try {
    final result = await Keyless.instance.authenticate(configuration);
    print("Authentication successful");
} catch (error) {
    print("Authentication failed: $error");
}

De-enrollment with PIN

To de-enroll using the PIN authentication factor, create the following configuration:

val configuration = PinDeEnrollConfig(pin = "1234")

Keyless.deEnroll(
  configuration = configuration,
  onCompletion = { /*TODO: process result*/  }
)

let configuration =  PinDeEnrollConfig(pin: "1234")

Keyless.deEnroll(
  configuration: configuration,
  onCompletion: { /*TODO: process result*/  }
)

val configuration =
DeEnrollmentConfiguration.builder
  .withPin("myPin")
  .build()

Keyless.deEnroll(
  configuration = configuration,
  onCompletion = { /*TODO: process result*/  }
)

let configuration =
Keyless.DeEnrollmentConfiguration.builder
  .withPin("myPin")
  .build()

Keyless.deEnroll(
  configuration: configuration,
  onCompletion: { /*TODO: process result*/  }
)

final configuration = PinDeEnrollConfig(
    pin: "1234"
);

try {
    await Keyless.instance.deEnroll(configuration);
    print("De-enrollment successful");
} catch (error) {
    print("De-enrollment failed: $error");
}

Remove PIN (keeping biometric factor)

To remove the PIN factor, while still keeping the biometric factor, perform a biometric authentication using the following configuration:

val configuration = BiomAuthConfig(shouldRemovePin = true)

Keyless.authenticate(
  configuration = configuration,
  onCompletion = { /*TODO: process result*/  }
)

let configuration =  BiomAuthConfig(shouldRemovePin: true)

Keyless.authenticate(
  configuration: configuration,
  onCompletion: { /*TODO: process result*/  }
)

val configuration =
AuthenticationConfiguration.builder
  .removingPin()
  .build()

Keyless.authenticate(
  configuration = configuration,
  onCompletion = { /*TODO: process result*/  }
)

let configuration =
Keyless.AuthenticationConfiguration.builder
  .removingPin()
  .build()

Keyless.authenticate(
  configuration: configuration,
  onCompletion: { /*TODO: process result*/  }
)

final configuration = BiomAuthConfig(
    shouldRemovePin: true
);

try {
    await Keyless.instance.authenticate(configuration);
    print("Pin remove successful");
} catch (error) {
    print("Pin remove failed: $error");
}

PIN utilities

To change the PIN use the newPin parameter in the PinAuthConfig:

val configuration = PinAuthConfig(pin = "1234", newPin = "5678")

Keyless.authenticate(
  configuration = configuration,
  onCompletion = { /*TODO: process result*/  }
)

let configuration =  PinAuthConfig(pin: "1234", newPin: "5678")

Keyless.authenticate(
  configuration: configuration,
  onCompletion: { /*TODO: process result*/  }
)

Future<void> changePin({
  required String oldPin,
  required String newPin
})

To remove the PIN factor and keep the user enrolled with the biometric factor use the shouldRemovePin parameter in PinAuthConfig:

val configuration = PinAuthConfig(pin = "1234", shouldRemovePin = true)

Keyless.authenticate(
  configuration = configuration,
  onCompletion = { /*TODO: process result*/  }
)

let configuration =  PinAuthConfig(pin: "1234", shouldRemovePin: true)

Keyless.authenticate(
  configuration: configuration,
  onCompletion: { /*TODO: process result*/  }
)

Future<void> removePin({
  required String pin
})

Mobile SDK Use Cases

Account recovery

Keyless is able to recover an account from what we refer to as temporary state.

The temporary state is obtained:

from your backend through Keyless Identity Verification Bridge. More in .
from your client app using the Keyless Mobile SDK.

What follows refers to option 2: obtain the temporary state from the Keyless Mobile SDK.

What is the temporary state?

The Keyless temporary state contains all the necessary information to restore an account. It can be created during enrollment and authentication.

To create and use the temporary state Keyless requires the user biometric.

The temporay state internals are not important but you can expect a string similar to the following that you should pass as-is to recover the account:

"{\"artifact\":{\"family\":\"davideface_lite\",\"version\":\"1.2.0\",\"target\":\"mobile_sdk\",\"liveness\":\"liveness\"},\"core-client-state\":\"BASE_64_STATE\"}"

Obtain the temporary state

Use the shouldRetrieveTemporaryState parameter of the BiomEnrollConfig or BiomAuthConfig depending if you want to retrieve the temporary state during enrollment or authencation flows.

Dunring the enrollment flow:

val enrollConfig = BiomEnrollConfig(shouldRetrieveTemporaryState = true)

Keyless.enroll(
  configuration = enrollConfig,
  onCompletion = { result ->
    when (result) {
      is Keyless.KeylessResult.Success -> {

      	val temporaryState = result.value.temporaryState
      	// store the temporary state on your backend to recover the account in the future

      }
      is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "error code ${result.error.code}")
    }
  }
)

During the authentication flow:

val authConfig = BiomAuthConfig(shouldRetrieveTemporaryState = true)

Keyless.authenticate(
  configuration = authConfig,
  onCompletion = { result ->
    when (result) {
      is Keyless.KeylessResult.Success -> {

      	val temporaryState = result.value.temporaryState
      	// store the temporary state on your backend to recover the account in the future

      }
      is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "error code ${result.error.code}")
    }
  }
)

During the enrollment flow:

let enrollConfig = BiomEnrollConfig(shouldRetrieveTemporaryState: true)

Keyless.enroll(
  configuration: enrollConfig,
  onCompletion: { result in
    switch result {
    case .success(let enrollSuccess):
    	
    	let temporaryState = enrollSuccess.temporaryState
    	// store the temporary state on your backend to recover the account in the future

    case .failure(let error):
        print("error code: \(error.code)
    }
  })

During the authentication flow:

let authConfig = BiomAuthConfig(shouldRetrieveTemporaryState: true)

Keyless.authenticate(
  configuration: authConfig,
  onCompletion: { result in
    switch result {
    case .success(let authSuccess):
    	
    	let temporaryState = authSuccess.temporaryState
    	// store the temporary state on your backend to recover the account in the future

    case .failure(let error):
        print("error code: \(error.code)
    }
  })

Recover from temporary state

Pass the temporary state during the enrollment flow to recover the account. The temporary state is the one you obtained and stored securely in the previous step.

When enrolling from the temporary state, Keyless shows the authentication UI to users. In the past users already went through the enrollment "onboarding" flow, we can reduce the friction in account recovery performing the authentication flow. For technical reasons developers need to call Keyless.enroll instead of Keyless.authenticate even if the UI is the one from authentication flow.


// temporaryState retrieved from previous step
val temporaryState = "<your_temporary_state>"

val enrollConfig = BiomEnrollConfig(temporaryState = temporaryState)

Keyless.enroll(
  configuration = enrollConfig,
  onCompletion = { result ->
    when (result) {
      is Keyless.KeylessResult.Success -> {

      	// account recovered
      	val userId = result.value.userId

      }
      is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "error code ${result.error.code}")
    }
  }
)


// temporaryState retrieved from previous step
let temporaryState = "<your_temporary_state>"

let enrollConfig = BiomEnrollConfig(temporaryState: temporaryState)

Keyless.enroll(
  configuration: enrollConfig,
  onCompletion: { result in
    switch result {
    case .success(let enrollSuccess):
    	
    	// account recovered
      	let userId = enrollSuccess.userId

    case .failure(let error):
        print("error code: \(error.code)
    }
  })

The account is recovered and it's now possible to authenticate the user.

Dynamic Linking

You can leverage the Keyless authentication mechanism to sign unrelated transactions, including Strong customer authentication (SCA) transactions.

Payment service providers compliant with are required to:

Generate an authentication code specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction
Make the payer aware of the amount of the payment transaction, and of the payee

Keyless helps you by:

protecting the authentication code that you use for dynamic linking.
displaying and signing the information to make the payer aware of details of the transaction.

Keyless is not a payment service provider. Keyless won't issue an authentication code tied to the transaction information.

Strong customer authentication (SCA)

By adding Keyless to your checkout flow you also benefit from .

SCA requires authentication to use at least two of the following three elements.

Something that only the customer knows. For example, a password or PIN.
Something that only the customer has. For example, a mobile phone or hardware token.
Something that the customer is. For example, a biometric such as a fingerprint or face.

With Keyless Passwordless MFA you can satisfy the last two points from the list above.

SCA Compliant Dynamic Linking

The following sections contain some examples on implementing SCA with Keyless.

Display transaction information

Keyless displays a screen containing a list of labels and associated information on your behalf. For this reason, the format of the dynamicLinkingInfo must be a jsonArray containing jsonObjects (key/value pairs). We expect a valid JSON as follows:

[
    {key1 : value1},
    {key2 : value2},
    ...
    {keyN: valueN}
]

This information is added to the Authentication request that the user needs to approve.

SCA tied to the authentication code

Once the user approves the transaction data, Keyless starts the authentication to:

Authenticate the payer with the device factor and the biometric factor using Keyless MFA.
Tie the transaction data to the Keyless MFA

To tie the transaction data to the Keyless MFA, populate the parameter dynamicLinkingInfo of the authentication configuration AuthConfig. Add the authentication code or any other information you want to display to the user and sign with Keyless MFA. For example, add the "authentication code".

Keyless can produce a signed JWT containing a claim titled td (transaction data) that contains the payload you passed as dynamicLinnkingInfo.

Keyless is not storing history of records about the transaction amount, the payee, the payer and the authentication code.

//Keyless adds a td claim to the JWTs containing the data you specify
val dynamicLinkingInfo = DynamicLinkingInfo(transactionData = "<your transaction data to display and sign>")

// authenticate with biometric
val biomAuthConfig = BiomAuthConfig(dynamicLinkingInfo = dynamicLinkingInfo)

// perform the authentication
Keyless.authenticate(
    configuration = biomAuthConfig,
    onCompletion = { /*TODO: process result*/ }
)

//Keyless adds a td claim to the JWTs containing the data you specify
let dynamicLinkingInfo = DynamicLinkingInfo(transactionData = "<your transaction data to display and sign>")

// authenticate with biometric
let biomAuthConfig = BiomAuthConfig(dynamicLinkingInfo: dynamicLinkingInfo)

// perform the authentication
Keyless.authenticate(
    configuration: biomAuthConfig,
    onCompletion: { /*TODO: process result*/ }
)

Verify the transaction

If the authentication is successful, the AuthenticationSuccess contains the following fields:

signedJwt: the signed JWT (specs below).

// JWT header
{
  "alg": "ES256",
  "typ": "JWT",
  "kid": "PIN/FACE"
}
// JWT payload
{
  "iat": 1720519812,
  "td": "your transaction data to display and sign",
  "version": "1.1.0",
  "sub": "keyless_id"
}

Congrats, you just performed a Strong Customer Authentication displaying and signing the transaction information.

Authenticating in Auth0 with Keyless

Integrating the Keyless authentication mechanism with existing IAMs requires some preliminary work on various parts of the customer’s Service Provider:

Binding of the user’s Auth0 identity with a Keyless ID: this happens via Keyless Enrollment. The user performs a normal enrollment with an option in the configuration that accepts an idToken, coming from Auth0. This can be retrieved via standard Auth0 login flow.
Account linking: After the user’s idToken has been bound to a Keyless Identity, the Auth0 authentication with Keyless will succeed. This authentication, though, returns a different user_id. This is because the Auth0 user_id and the Keyless user_id have not been linked. There are many tutorials on how to perform

Configure Enterprise OIDC Connection to Keyless in Auth0

Create a secure connection between Keyless and Auth0, allowing you to leverage Keyless as an Identity Provider in Auth0.

Before following this guide, contact the Keyless Delivery Team to get the following information:

Discovery URL: https://idp.keyless.io/realms/YOUR_REALM/.well-known/openid-configuration
Client ID: Will be provided by Keyless Delivery team.
Client Secret: Will be provided by Keyless Delivery team.
Scopes: Include any additional scopes you want to request (e.g., openid, profile, email).

Step 1: Create a Connection in Auth0

Log in to your Auth0 account and navigate to the Dashboard.
In the Dashboard, go to Authentication > Enterprise > OpenID Connect.
Click Create Connection
- Name: Enter a name for your connection (e.g., Keyless-SDK-Connection).
- Issuer URL: Enter the Discovery URL provided by the Delivery team
Test the Connection by logging in with a test user and navigating to the Try Connection option in the Auth0 Dashboard.

Step 2: Enable the Connection for Applications

In the Auth0 Dashboard, go to Applications > Applications.
Select the application you want to connect to Keyless, navigate to the Connections tab, and enable the newly created Keyless connection.

Once everything has been set up, specify the name of the Auth0 connection you’ve just created as part of the /authorize endpoint of Auth0 within the SDK configuration.

Step 3: Link Keyless accounts to Auth0 accounts

This step can vary considerably by implementation. Contact the Keyless Solution Engineering team to discuss the best approach for your setup.

Mobile Integration

Enrollment

To enroll a user,

Retrieve the id_token from Auth0
Perform a Keyless Enrollment, providing the id_token into the withIAMToken builder function:

val idToken = ... // retrieve your id_token from Auth0

val configuration = EnrollmentConfiguration.builder
.withIAMToken(token = idToken)
.build()

Keyless.enroll(
enrollmentConfiguration = configuration,
onCompletion = { result ->
    when (result) {
        is Keyless.KeylessResult.Success -> Log.d("KeylessSDK ", "Enroll success - userId ${result.value.keylessId}")
        is Keyless.KeylessResult.Failure -> Log.d("KeylessSDK ", "Enroll failure - error code ${result.error.code}")
    }
}
)

let idToken = // retrieve your id_token from Auth0
let configuration = Keyless.EnrollmentConfiguration.builder
    .withIAMToken(token: idToken)
    .build()

Keyless.enroll(enrollmentConfiguration: configuration, onProgress: nil) { result in
    switch result {
    case .success(let success):
        print("Enroll success - userID \(success.keylessId)")
    case .failure(let failure):
        print("Enroll failed - error \(failure.message)")
    }
}

Once the Enrollment phase completes successfully, authenticate the user.

Authentication

Two preliminary steps are necessary before authentication:

Generatie a cryptographically secure UUID that we’re going to call operationId
Retrieve a value called keylessId via the getUserId() API.

Concatenate the UUID and keylessId to produce the login_hint: login_hint = <operation_id>;<keyless_id>
Authenticate with Keyless providing the operationId:

val configuration = AuthenticationConfiguration.builder
val operationId = UUID.randomUUID().toString()
val configuration = AuthenticationConfiguration.builder
  .withOperationInfo(operationId = operationId)
  .build()

Keyless.authenticate(
    authenticationConfiguration = configuration,
    onCompletion = { result ->
        when (result) {
          is Keyless.KeylessResult.Success -> {
            Log.d("KeylessSDK ", "Authentication success")
            val keylessId = ... // get from Keyless.getUserId() in case of success
            val loginHint = "$operationId;$keylessId"
            // After having generated the `loginHint`, you can start your
            // normal Auth0 flow with the Keyless connection and passing
            // the loginHint above
          }
          is Keyless.KeylessResult.Failure -> {
            Log.d("KeylessSDK ", "Authentication failure - error code ${result.error.code}")
          }
       }
    }
)

let operationID = UUID().uuidString // or some other true random generation method
let configuration = Keyless.AuthenticationConfiguration.builder
    .withOperationInfo(id: operationID)
    .build()

Keyless.authenticate(authenticationConfiguration: configuration) { result in
    switch result {
    case .success(let success):
        let loginHint = "\(operationID);\(Keyless.getUserId())"
        // After having generated the `loginHint`, you can start your
        // normal Auth0 flow with the Keyless connection and passing
        // the loginHint above
    case .failure(let error):
        print("Failed authentication, cannot start Auth0 login flow.")
    }
}

Once successfully authenticated, launch a custom tab to log in with Keyless via Auth0, providing the login_hint previously built as a parameter with key login_hint.

OpenID URL Configuration

Once you’re given access to the Keyless Dashboard by our tech support team, configure the OpenID URL in the Keyless Dashboard, o

Open the Access Control page.
Click on the IDP Configuration tab, this will redirect you to another page which contains what we’re looking for, the OpenID Configuration.
Set the OpenID Configuration URL please type a valid OpenID URL, here some examples of valid URLs:
- https://yourdomain.auth0.com/.well-known/
- https://yourdomain.auth0.com/.well-known
- https://yourdomain.auth0.com/
- https://yourdomain.auth0.com
Click the Save Configuration button.

Mobile SDK Changelog

Changelog

For a seamless SDK integration make sure to follow the section .

You can check all the prerequisites that your app must meet for a successsful SDK integration under the .

Please note releases marked as release candidate - rc are available to select customers in advance of the official release via partners-rc cloudsmith repo. Please note regression tests and QA activity is incomplete and we strongly advise against shipping these versions into production environments.

4.8.0 - `release candidate`

Improved biometric performances

4.7.4

Highlights

UX: optional screens - it is now possible to opt-out the optional screens you don’t wish to show -
Enhancement: query remaining lockout time -

UX: optional screens

We understand that the experience our customers create for their end users is of the utmost importance. To provide greater flexibility, we’ve made certain screens and steps in the Authentication and Enrollment flows optional. These screens will remain visible by default, but you now have the ability to opt out of displaying those that are not relevant to your workflow. For more details, please refer to the .

Please note that the camera view and Step 2 (“Enrollment Progress”) will remain mandatory for now, as they are critical to ensuring liveness detection and security during the capture process. However, Step 2 is highly customizable in terms of text and color scheme to align with your branding.

In upcoming releases, we will also be adding sample code and “User Flow” guides to further empower integrators and designers in tailoring their user experience.

Enhancement: query remaining lockout time

Customers can configure the maximum number of errors a user can make before being locked out for a 10-minute period.

This enhancement enables customers to display the remaining lockout time to users at any given moment, improving transparency and user experience.

Bugs and Fixes

Fix (Android): Resolved a compatibility issue between the Compose Material library and Flutter.

4.7.3

Feature: possibility to specify a path to Keyless artifacts. Artifacts are provided by Keyless by default. Artifacts path can be overridden by the customer.

4.7.2

Fix: remove lottie dependency
UX: remove success animation in favor of static image

4.7.0

API Surface: deprecate builder pattern in favor of optional config constructor parameters (builders are deprecated)

4.6.7

Bugfix: internal data cleanup
Performance improvements: avoid unnecessary assets extraction

4.6.6

Feature: Shared Circuits: integrators can now set the desired number of shared circuits when calling an sdk configure Fix: Liveness: update liveness setting for higher security

4.6.5

Feature: enroll with Keyless from an Auth0 user’s IdToken

4.6.3

Dynamic linking feature: new API exposing interface to choose one authentication method (BiomAuthConfig | PinAuthConfig)
UI customization: it is now possible to customize the font for Keyless SDK screens
UI customization: it is now possible to customize the brand color (primary accent color) for Keyless SDK screens

Server API

Getting Started

This API allows for backend-to-backend communication between your backend and the Keyless servers.

The server API has end points for automating aspects of your Keyless setup:

List and revoke
Remove
Perform extra backend to backend security

API Access

All API endpoints require the X-Api-Key: <SECRET_API_KEY> header with your security key
All API endpoints are available at https://api.keyless.io

Users

This set of API calls allows you to make operations on various Keyless users.

Devices

This set of API calls allows you to fetch and manipulate Keyless enabled devices.

Operations

This set of API calls allows you to fetch operations on various Keyless entities.

Operations

JWT

1️⃣ Getting started

In this short guide, you will learn how to integrate the Keyless SDK in your Android or iOS mobile application, and enroll and authenticate users through the Keyless platform.

Before jumping into your code editor, make sure that you're familiar with the various components of the authentication system, and common biometic authentication flows.

Prerequisites

Make sure you have both required API keys, and the list of productions hosts from your Keyless contact:

YOUR_CLOUDSMITH_TOKEN to download the SDK from cloudsmith repository
KEYLESS_API_KEY to configure the mobile SDK
KEYLESS_HOSTS a list of node URLs

Review the Keyless SDK requirements:

The Keyless SDK uses

Set up a physical iOS device for running your app and enable the following permissions:

Enable Camera permissions: add the Privacy - Camera Usage Description key in your project’s Info.plist by adding the following (in XCode under Project > Info):

<key>NSCameraUsageDescription</key>
<string>Keyless needs access to your camera to enroll and authenticate you. Keyless cannot be used without your camera. Please allow camera permissions.</string>

Background processing. Enable the Background processing mode under Signing & Capabilities/Background Modes. Then, add the following in your project’s Info.plit (in XCode, under the key Permitted background task scheduler identifiers):
```
<key>NSCameraUsageDescription</key>
<key>BGTaskSchedulerPermittedIdentifiers</key>
<array>
    <string>YOUR APP IDENTIFIER</string>
</array>
```

The Keyless SDK uses

Flutter 3.0 or higher
Dart 3.0 or higher
All requirements from both Android and iOS platforms

Set up the required permissions as described in the Android and iOS tabs.

Installation

To allow Keyless to handle the result of registerForActivityResult, you must call Keyless from an Activity implementing ActivityResultCaller.
Extend any androidX activity that implements the interface for you, for example let your Activity extend the generic ComponentActivity or the more widespread AppCompatActivity.

If you use Proguard, add the following rules to your Proguard configuration file:

# Keyless Proguard
-keep class io.keyless.sdk.** {*;}
-keepclassmembers class io.keyless.sdk.** {*;}

dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
        mavenCentral()
        maven {
            url "https://dl.cloudsmith.io/YOUR_CLOUDSMITH_TOKEN/keyless/partners/maven/"
        }
    }
}

In the dependencies block of your project build.gradle file, typically app/build.gradle, add:
```
dependencies {
// ...

implementation 'io.keyless:keyless-android-sdk:+'
}
```

In the android block of your project build.gradle file, typically app/build.gradle, make sure you have the following options:

android {
    // ...

    compileOptions {
        sourceCompatibility JavaVersion.VERSION_1_8
        targetCompatibility JavaVersion.VERSION_1_8
    }

    // add the following only if you're using Kotlin
    kotlinOptions {
        jvmTarget = "1.8"
    }
}

Create a Podfile if you don’t already have one
```
$ cd your-project-directory
$ pod init
```
Set up Cocoapods to use your Cloudsmith credentials, by running the following commands, replacing YOUR_CLOUDSMITH_TOKEN with the Cloudsmith token provided you by Keyless.
```
git config --global credential.helper store
echo "https://token:YOUR_CLOUDSMITH_TOKEN@dl.cloudsmith.io" >> ~/.git-credentials
```

Add the KeylessSDK pod to your Podfile

# This is the Keyless repository for partners
source 'https://dl.cloudsmith.io/basic/keyless/partners/cocoapods/index.git'

target 'MyApp' do
    use_frameworks!

    # Add the Keyless pod
    pod 'KeylessSDK'
end

Add the following at the bottom of you Podfile

post_install do |installer|
installer.pods_project.targets.each do |target|
    target.build_configurations.each do |config|
    config.build_settings['ENABLE_BITCODE'] = 'NO'
    end
end
end

Install the pods. If pod prompts you for authentication insert the string token as your username and then fill in YOUR_CLOUDSMITH_TOKEN as the password.

$ pod install

Analyzing dependencies
Cloning spec repo `cloudsmith-basic-keyless-partners-cocoapods-index` from `https://dl.cloudsmith.io/basic/keyless/partners/cocoapods/index.git`
Username for 'https://dl.cloudsmith.io': token
Password for 'https://dl.cloudsmith.io': YOUR_CLOUDSMITH_TOKEN

Add the Keyless SDK repository

echo '${CLOUDSMITH_TOKEN}' | dart pub token add https://dart.cloudsmith.io/keyless/flutter/

Add the Keyless SDK dependency to your pubspec.yaml:

dart pub add keyless_flutter_sdk:PACKAGE_VERSION --hosted-url https://dart.cloudsmith.io/keyless/flutter/

Follow the installation steps in both the Android and iOS tabs to set up the native SDKs in their respective platforms.
Run flutter pub get to download the dependencies:
```
flutter pub get
```

Essential configuration

There is some essential configuration to do before you can use the Keyless SDK.

Initialize the Keyless SDK in your Application class:

// MainApplication
override fun onCreate() {
    super.onCreate()
    // Initialize Keyless
    Keyless.initialize(this)
}

Add your application to the Manifest

<application
    ...
    android:name=".MainApplication"
    ...
</application>

The configure method requires a SetupConfig as parameter, as well as the KEYLESS_API_KEY and KEYLESS_HOSTS you received from Keyless. You should listen to the result as follows:

val setupConfig = SetupConfig(
        apiKey = "KEYLESS_API_KEY",
        hosts = listOf("KEYLESS_HOSTS")
    )

 Keyless.configure(setupConfig) { result ->
    when (result) {
        is Keyless.KeylessResult.Success -> {
            Log.d("KeylessSDK", "configure success")
            // Keyless is ready, you can now call
            // enroll/authenticate/deEnroll ...
        }
        is Keyless.KeylessResult.Failure ->{
            Log.d("KeylessSDK", "configure error")
            // Inspect result.error for more info
         }
     }
 }

Create an instance object of Keyless.SetupConfiguration and pass it to the Keyless.configure method, typically this is done in your app’s application(:didFinishLaunchingWithOptions: method:).

let setupConfig = SetupConfig(
        apiKey: "KEYLESS_API_KEY",
        hosts: ["KEYLESS_HOSTS"]
    )

if let error = Keyless.configure(configuration: setupConfig) {
    print("Keyless.Configure failed with error: \(error)")
}

Initialize the Keyless SDK in your Application class:

// MainApplication
override fun onCreate() {
    super.onCreate()
    // Initialize Keyless
    Keyless.initialize(this)
}

Add your application to the Manifest

<application
    ...
    android:name=".MainApplication"
    ...
</application>

The configure method requires a SetupConfiguration as parameter, as well as the KEYLESS_API_KEY and KEYLESS_HOSTS you received from Keyless. You should listen to the result as follows:

val setupConfiguration = SetupConfiguration.builder
    .withApiKey("KEYLESS_API_KEY")
    .withHosts(listOf("KEYLESS_HOSTS"))
    .build()

 Keyless.configure(setupConfiguration) { result ->
    when (result) {
        is Keyless.KeylessResult.Success -> {
            Log.d("KeylessSDK", "configure success")
            // Keyless is ready, you can now call
            // enroll/authenticate/deEnroll ...
        }
        is Keyless.KeylessResult.Failure ->{
            Log.d("KeylessSDK", "configure error")
            // Inspect result.error for more info
         }
     }
 }

Create an instance object of Keyless.SetupConfiguration and pass it to the Keyless.configure method, typically this is done in your app’s application(:didFinishLaunchingWithOptions: method:).

let setupConfiguration = Keyless.SetupConfiguration.builder
    .withApiKey("KEYLESS_API_KEY")
    .withHosts(["KEYLESS_HOSTS"])
    .build()

if let error = Keyless.configure(configuration: setupConfiguration) {
    print("Keyless.Configure failed with error: \(error)")
}

Configure the Keyless SDK before using any of its features:

import 'package:keyless_flutter_sdk/keyless.dart';
import 'package:keyless_flutter_sdk/models/configurations/setup_configuration.dart';
import 'package:keyless_flutter_sdk/models/configurations/ui_customization.dart'; // needed for the UI customization
import 'package:keyless_flutter_sdk/models/networking/networking_module.dart'; // needed for the networking module

try {
  final setupConfiguration = SetupConfiguration(
    apiKey: "KEYLESS_API_KEY",
    hosts: ["KEYLESS_HOSTS"],
    numberOfEnrollmentCircuits: 3, // optional
    loggingEnabled: true, // optional
    loggingLevel: LogLevel.info, // optional
    withDevicePrivileges: true, // optional
    lockoutAttemptsThreshold: 5, // optional
    lockoutAttemptsResetAfter: 300, // optional
    lockoutDuration: 600, // optional
    uiCustomization: UICustomization(), // optional
    networkingModule: NetworkingModule() // optional, this needs to be extended by the developer
  );

  await Keyless.instance.configure(setupConfiguration);
  print("Keyless SDK configured successfully");
} catch (error) {
  print("Failed to configure Keyless SDK: $error");
}

Additional configuration

Logging

Logging is disabled by default.

Please note logs do not include any Personally Identifiable Information (PII).

Keyless allows you to:

enable logging to the Keyless infrastructure - keylessLogsConfiguration
collect logging for you own analytics without sending them to the Keyless infrastructure - customLogsConfiguration

val setup = SetupConfig(
    apiKey = "...",
    hosts = listOf(""),
    keylessLogsConfiguration = LogsConfiguration(
        enabled = true,
        logLevel = LogLevels.INFO
    ),
    customLogsConfiguration = LogsConfiguration(
        enabled = true
    )
)

let configuration = SetupConfig(
    apiKey: "some api key",
    hosts: ["some.host"],
    keylessLogsConfiguration: KeylessLogsConfiguration(enabled: true),
    customLogsConfiguration: CustomLogsConfiguration(enabled: true, logLevel: .INFO, callback: { event in
        print(event)
    })
)

Keyless.configure(setupConfiguration: configuration) { error in
    // handle error
}

val setupConfiguration = SetupConfiguration.builder
    .withApiKey("")
    .withHosts(listOf("..."))
    .withLogging(
        keylessLogsConfiguration = LogsConfiguration(enabled = true),
        customLogsConfiguration = LogsConfiguration(enabled = true, logLevel = LogLevels.INFO)
    )
    .build()

let configuration = Keyless.SetupConfiguration
  .builder
  .withApiKey("some api key")
  .withHosts(["some.host"])
  .withLogging(
    keylessLogsConfiguration: KeylessLogsConfiguration(enabled: true, logLevel: .INFO),
    customLogsConfiguration: CustomLogsConfiguration(enabled: true, callback: { event in
      print(event)
    })
  )
  .build()
 
Keyless.configure(setupConfiguration: configuration) { error in
  // handle error
}

Collect logs after setting up custom logging with customLogsConfiguration option:

Start collecting the Keyless.customLogs flow (This must happen before a Keyless.configure() to get all Logs Events):

Keyless.customLogs.collect { logEvent ->
    // handle the logEvent
}

Configure the SDK with the following SetupConfig:

val setup = SetupConfig(
    apiKey = "...",
    hosts = listOf(""),
    customLogsConfiguration = LogsConfiguration(
        enabled = true,
        logLevel = LogLevels.INFO // This is optional and defaults to INFO
    )
)

var myEventCollection = [LogEvent]()
    let configuration = Keyless.SetupConfiguration
      .builder
      .withApiKey("some api key")
      .withHosts(["some.host"])
      .withLogging(
        keylessLogsConfiguration: KeylessLogsConfiguration(enabled: true, logLevel: .INFO),
        customLogsConfiguration: CustomLogsConfiguration(enabled: true, callback: { event in
          myEventCollection.append(event)
        })
      )
     .build()
    Keyless.configure(setupConfiguration: configuration) { error in
      // handle error
    }
}

Logging Levels

You may set different logging levels to provide more or less information in logs.

The available levels are the following:

INFO (default)
DEBUG
TRACE

The TRACE level provides the following additional data:

userId
devicePublicSigningKey
coreLogHistory (used for detailed debugging)

Liveness Lockout policy

Keyless has both client side (applicable to a specific device) and server side (applicable to all users and devices) lockout policies to help prevent brute force attacks.

Account lockoutDuration must be greater than or equal to the lockoutAttemptsResetAfter so that it is not reset by lockoutAttemptsResetAfter.

lockoutDuration: Long,                //seconds - default 300 seconds
lockoutAttemptsResetAfter: Long,      //seconds - default 180 seconds
lockoutAttemptsThreshold: Int         //number  - default 5 attempts

Tampered device check

Enrollment circuits

Shared circuits

This is the target desired number of circuits shared between client and server. To set this number use the numberOfSharedCircuits.

Networking module

public interface KLNetworkingModule {
    public fun sendHTTPRequest(
        baseUrl: String,
        path: String,
        method: String,
        headers: Map<String, String>,
        body: String
    ): KLHTTPResponse

    public data class KLHTTPResponse(
        val errorCode: Int,
        val httpCode: Int,
        val responseBody: String
    )
}

public protocol KLNetworkingModule {
    func sendHTTPRequest (
        host: String,
        url : String,
        method: String,
        headers : [String: String],
        body : String) -> KLHTTPResponse
}

public struct KLHTTPResponse {
    var errorCode: Int
    var httpCode: Int
    var responseBody : String
    public init(errorCode: Int, httpCode: Int, responseBody: String) {
        self.errorCode = errorCode
        self.httpCode = httpCode
        self.responseBody = responseBody
    }
}