Advanced Security

Multi-Factor Authentication

Visa Platforms Login supports Time-based One-Time Password (TOTP) multi-factor authentication for enhanced security. MFA enrollment is a strict sequence that must be completed in order: calling enroll before setup, or calling setup from any status other than NOT_ENROLLED, fails.

MFA Enrollment Process

  1. Prerequisites: User must be authenticated and have NOT_ENROLLED MFA status
  2. Setup: Call POST /user/mfa/totp/setup to generate TOTP secret
  3. Configuration: User configures authenticator app with provided secret key
  4. Enrollment: Call POST /user/mfa/totp/enroll with TOTP verification
  5. Validation: User status changes to ENROLLED upon successful completion

MFA Management Operations

  • Self-Service Unenrollment: POST /user/mfa/totp/unenroll with user authentication token
  • Administrative Unenrollment: POST /user/mfa/totp/unenroll/dashboard with admin credentials and user email
  • Status Requirements: TOTP setup requires NOT_ENROLLED status; enrollment requires prior setup completion
  • Permission Differences: Administrative unenrollment is authorised by admin credentials rather than the user's own token, so it carries a different permission set than the self-service operation

VBA Password Security

Password Security Integration

Visa Behavioral Analytics (VBA) integration provides real-time password security assessment to identify compromised or unsafe passwords during authentication and password change operations.

VBA Password Checking

The POST /user/vba/compromised-password endpoint checks a password against VBA's compromised-password database and returns a structured recommendation.

VBA Response Types:

  • Accept: Password is safe to use without additional verification
  • Challenge: Password flagged for additional verification steps
  • Reject: Password is compromised and must be changed immediately

VBA Integration Implementation

VBA responses include detailed arrays of reasons for recommendations, enabling informed security decisions. Integration should handle each recommendation type appropriately:

  • Challenge Response: Implement additional verification or require password change
  • Reject Response: Require immediate password change before allowing access
  • Response Analysis: Use detailed reason arrays to provide user feedback
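A handler for the three recommendation types, as an added example rather than Visa's code. It assumes the response carries a `recommendation` string and a `reasons` array (field names are assumptions), the sample responses and reason codes are constructed placeholders, and the handler fails closed on any value it does not recognise.

```python
from dataclasses import dataclass, field
from typing import Any


@dataclass
class PasswordDecision:
    proceed: bool                  # allow the login / accept the new password
    require_password_change: bool  # force the user through a password change
    step_up: bool                  # demand additional verification (e.g. TOTP) first
    feedback: list[str] = field(default_factory=list)


# Constructed sample responses; "recommendation" and "reasons" are assumed field names.
SAMPLE_ACCEPT = {"recommendation": "Accept", "reasons": []}
SAMPLE_CHALLENGE = {"recommendation": "Challenge", "reasons": ["REUSED_PASSWORD"]}
SAMPLE_REJECT = {"recommendation": "Reject", "reasons": ["KNOWN_COMPROMISED", "COMMON_PASSWORD"]}

# Placeholder reason codes -> user-facing text; unknown codes get a generic message.
FEEDBACK = {
    "REUSED_PASSWORD": "This password appears to be reused elsewhere.",
    "KNOWN_COMPROMISED": "This password has appeared in a known data breach.",
    "COMMON_PASSWORD": "This password is too common.",
}


def explain(reasons: list[str]) -> list[str]:
    return [FEEDBACK.get(r, "This password does not meet security requirements.") for r in reasons]


def decide(vba_response: dict[str, Any], context: str) -> PasswordDecision:
    """context is 'login' (existing credential) or 'password_change' (proposed new one)."""
    recommendation = vba_response.get("recommendation")
    reasons = list(vba_response.get("reasons") or [])

    if recommendation == "Accept":
        return PasswordDecision(proceed=True, require_password_change=False, step_up=False)

    if recommendation == "Challenge":
        if context == "login":
            # Credential is suspect but not known-bad: step up, then let the user in.
            return PasswordDecision(True, False, True, explain(reasons))
        # A proposed new password that VBA would challenge should not be accepted at all.
        return PasswordDecision(False, True, False, explain(reasons))

    if recommendation == "Reject":
        # Compromised: no access until the password is changed.
        return PasswordDecision(False, True, False, explain(reasons))

    # Missing, malformed or unfamiliar recommendation: fail closed.
    return PasswordDecision(False, True, False,
                            ["Password could not be verified; please choose a new one."])


if __name__ == "__main__":
    for sample in (SAMPLE_ACCEPT, SAMPLE_CHALLENGE, SAMPLE_REJECT):
        print(sample["recommendation"], decide(sample, "login"))
```

Treating an unrecognised recommendation as Reject is deliberate: a parsing slip or a new value introduced by VBA should never silently downgrade to Accept.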

Device Trust and Session Management

Device trust capabilities enable secure session management and trusted device scenarios that reduce authentication friction while maintaining security.

Device Token Implementation

  • Device Registration: deviceToken parameter in login requests enables trusted device scenarios
  • Trust Management: trustDevice parameter controls device trust establishment
  • Session Benefits: Trusted devices may bypass certain authentication steps
  • Security Considerations: Device trust affects session extension capabilities

Session Extension Management

Sessions can be extended rather than requiring full re-authentication, improving user experience while maintaining security.

  • Extension Endpoint: POST /user/extend-login
  • Requirements: Valid user token and extendable session state
  • Failure Handling: 401 error indicates session cannot be extended; fall back to full authentication
  • Device Integration: Device tokens support session extension decision logic
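The device-trust and session-extension decision logic above, as an added example that is not Visa's code. `FakeLoginBackend` is an in-memory stand-in for POST /user/login and POST /user/extend-login; the behaviour it models (only sessions established with a deviceToken are extendable, a device marked with trustDevice skips the MFA step on its next login, a 900-second session lifetime, and the `token`/`mfaRequired` response fields) is an assumption for the example. The client-side rule it demonstrates comes from the page: try extend-login first, and treat 401 as "fall back to full authentication".

```python
class FakeLoginBackend:
    """Stand-in for POST /user/login and POST /user/extend-login.
    Session rules modelled here are assumptions, not the documented API."""

    SESSION_TTL = 900  # seconds; assumed

    def __init__(self, now: int):
        self.now = now
        self.sessions = {}          # token -> (expires_at, extendable)
        self.trusted_devices = set()

    def login(self, username, password, device_token=None, trust_device=False):
        # Credentials are not checked in this stand-in; a real backend would verify them.
        token = f"session-{len(self.sessions)}"
        self.sessions[token] = (self.now + self.SESSION_TTL, device_token is not None)
        mfa_required = device_token not in self.trusted_devices   # trusted device skips MFA
        if trust_device and device_token:
            self.trusted_devices.add(device_token)
        return 200, {"token": token, "mfaRequired": mfa_required}

    def extend_login(self, token):
        entry = self.sessions.get(token)
        if entry is None or self.now >= entry[0] or not entry[1]:
            return 401, {}          # session cannot be extended
        self.sessions[token] = (self.now + self.SESSION_TTL, True)
        return 200, {"token": token}


def keep_session_alive(backend, session: dict, credentials: tuple):
    """Extend the session if the backend allows it; on 401 re-authenticate fully,
    reusing the device token so device trust carries over."""
    status, body = backend.extend_login(session["token"])
    if status == 200:
        return "extended", body["token"]
    if status != 401:
        raise RuntimeError(f"unexpected extend-login status {status}")
    username, password = credentials
    status, body = backend.login(username, password,
                                 device_token=session.get("deviceToken"))
    if status != 200:
        raise RuntimeError(f"login failed with status {status}")
    return "reauthenticated", body["token"]


if __name__ == "__main__":
    backend = FakeLoginBackend(now=1000)
    _, first = backend.login("alice", "pw", device_token="dev-1", trust_device=True)
    _, second = backend.login("alice", "pw", device_token="dev-1")
    print(first["mfaRequired"], second["mfaRequired"])   # True, then False
    backend.now += 2000
    print(keep_session_alive(backend, {"token": second["token"], "deviceToken": "dev-1"},
                             ("alice", "pw")))
```

Note that the fallback path passes the stored device token back into the login request; dropping it would force the user through the full authentication sequence the device trust was meant to avoid.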

OpenID Connect Integration

OpenID Connect integration enables SSO capabilities and standardized identity claim exchange for enterprise identity management scenarios.

UserInfo Endpoint

The GET /oidc/userinfo endpoint fetches user information based on user tokens from SSO systems.

  • Required Scope: openid OAuth2 scope for OpenID Connect integration
  • Optional Parameter: gmap_id integer parameter for specific user targeting
  • Response Format: Encrypted claims response with userDetailsId and encryptedClaims

Encrypted Claims Handling

OpenID Connect responses include encrypted claims to protect sensitive user information during identity exchange.

  • Claim Format: Claims are returned as encrypted JSON strings
  • Decryption: Use appropriate decryption methods for claim processing
  • Identity Mapping: userDetailsId provides unique identifier correlation

Security Model

Authentication Separation

Visa Platforms Login intentionally separates enrollment from consumer authentication with important implications:

  • Issuer Responsibility: Issuers authenticate their API calls using OAuth2
  • Visa Ownership: Visa owns the consumer login and credential lifecycle
  • No Delegation: No consumer-level authentication artifacts are exchanged via the API
  • Integration Pattern: Visa Platforms Login is a secure enrollment and activation platform, not a delegated identity service

Data Protection Features

  • Password Obfuscation: Password fields use arrays for security obfuscation
  • PII Protection: National ID values are hashed for secure storage
  • PAN Security: Payment card numbers are hashed for payment card security
  • Sensitive Operations: Operations return minimal data to reduce exposure
  • Security Responses: Some endpoints deliberately return 200 OK even for non-existent users, so that a caller cannot use the status code to enumerate which accounts exist

Scope-Based Security Model

Security is enforced through granular OAuth2 scope assignments that control access to different functional areas.

  • User Operations: USER_RW scopes for standard user operations
  • System Operations: SYSTEM_USER_RW/R scopes for administrative functions
  • Guest Registration: USER_REGISTRATION_GUEST scopes for enrollment operations
  • Specialized Functions: Dedicated scopes for migration, session extension, and user removal