Guide mAccess integration in C / C# - (Former version)

This document is the reference guide for inWebo mAccess, the SDK product from inWebo Technologies. inWebo mAccess is an OTP generator library available in C, C# and Java. Any application implementing mAccess should be linked to an inWebo account that can be created online at http://www.inwebo.com. This library performs only internal computation on data in memory. The only system call is to get the time elapsed from 01/01/1970. Data types are simple:

• int

• string

The Booleans are coded as 'int' (0: false; !=0: true) Host: We will further call 'host', the application which is using this library.Functions may return errors. In each function's description we present the errors the function could return. There is an additional error (IW_ERR_OTHER) which could be returned by any function, but not in a normal behavior.

The Activation Code was formerly called "Secure Site ID" in some authentication tools or in the documentation.
Please note that a "Secure Site ID" refers to an activation code.

General Principles

Local storage

The host application must store locally the internal state of mAccess. This internal state is an ASCII string provides by the function IWStorageDataGet ().The implementation of this storage is system-dependent, and up to the developer to design.After each call to a library function, the host must call IWStorageDataChanged (), in order to find out if the internal state has changed. If this function returns a non-zero integer, the host must call IWStorageDataGet () and then update the local storage. When the host application starts, it must get the ASCII string stored locally and give it to the library using the function IWStorageDataSet ().

Synchronous or Asynchronous mode

Some mAccess library functions execute network calls, namely webservice calls, to query inWebo servers. And most mAccess webservice calls are divided in two steps, i.e. two functions, a start function and a finalize function.There are two different ways of implementing the webservice calls: synchronously or asynchronously. The code architecture of the host will vary according to the chosen mode.Note that on Windows Phone 8 and 8.1, all network calls MUST be asynchronous.Let's illustrate this with a dummy API action.

Synchronous mode

The host function myAction will execute the IWActionStart () function and will directly fetch the result of the webservice call. If the result of the IWActionStart() is successful it will then execute the IWActionFinalize ().

Function myAction (params) {

	Int result = IWActionStart (params)

	If (result == IW_ERR_OK) {

 		Int result = IWActionFinalize (otherParams);

  		%%//%%Handle final result here
	}
}

Asynchronous mode

In this case the result of the webservice calls will be handled by callback functions which are passed to the start and finalize functions.

Function myActionStart (params) {

	IWActionStartAsync (params, myActionStartDone);

}

Function myActionStartDone (result) {

	If (result == IW_ERR_OK) {

		IWActionFinalizeAsync (params, myActionFinalizeDone);

	}

}

Function myActionFinalizeDone (result) {

	%%//%%Handle final result here

}

Web services calls

mAccess uses platform dependent functions to call inWebo web services. These functions should be part of the host. mAccess code samples exposes such functions in each proposed language. You may use them as is or enhance them.

Synchronous mode

In this mode, the host code should contain only one function:

WebServiceCall: (string URL, int timeout) -> String

This function performs a GET request to a specific URL. The call is synchronous, and the timeout is given in milliseconds. The response is directly fetched inside the function. It consists of an XML document (as an ASCII string).

On success, the function will have to call IWSetWsBuffer () with the result (XML response). On failure, the function just returns.

Asynchronous mode

In this case the host code should contain two functions:The function executing the API webservice call:

WebServiceCall: (string URL, int timeout) -> Int

This function performs a GET request to a specific URL.The network call response is handled by a second function:

HandleWebServiceCallResult: (object result) -> Void

Depending on the platform implementing the mAccess library the way of declaring this handler function and the structure of the fetched result object may vary.The final API call result (which is normally a property or a field of the result object) is an XML Document (as an ASCII string).

On success the handler function will have to call IWSetWsBuffer () with the response. Then the function will have to execute the callback function (passed in argument of the mAccess API asynchronous function) with argument 0 (0 = success).

Typically:

IWSetWsBuffer (string response);

WSCallBack (0);

On failure:

• The handler function will have to execute the callback function (passed in argument of the mAccess API asynchronous function) with argument 1 (1 = error).

WSCallBack (1);

Should I use online or offline OTP?

In order to generate an online OTP, mAccess will perform one or more webservice calls to inWebo servers. This mode is suitable for a connected application (online banking for instance), as the token will always be synchronized with inWebo Servers.For a non-connected application (VPN dialer, authenticator-type app), Offline OTP is recommended. In this case, an OTP will be generated without any network call. The drawback of this method is the possibility for the token to desynchronize.

Using mobile push notifications

If you plan to use mAccess within a mobile phone application, you may request your users to authenticate with their mobile phones via mobile push notifications. In this case, InWebo servers need to know the unique Device ID of the phone.Push notification mechanisms are different according to the platform the host is designed for: Microsoft, Apple, and Google, all have their own architecture and channels to send notifications. So the first prerequisite is to understand this mechanism platform per platform:

• How do I get the unique user or device ID that is used within the notification mechanism of the platform to communicate with a given device

• How do I handle notifications on the device, i.e. what is the format of the received notifications, how do I parse their content to extract variables, etc.

With regards to mAccess, your concerns are:

• The unique identifier of the user or device that needs to be sent to inWebo servers via the IWPushRegistrationStart() function. It will allow inWebo to send push notifications to your App via the communication channels of the platform

• The variables received inside the notifications that will be passed in argument in mAccess API push activation and authentication functions (activation code, transaction alias).

• The notification platform used on the application site will depend on the DeviceOS you'll set via the IWSetDeviceOS() function and must match the mAccess push notification parameters you will set in the inWebo Admin console.

You will also have to fill in the "mAccess push notification parameters" section in the "Service Parameters" of your inWebo service: 

Firebase push notifications for iOS

Firebase push notifications are supported for iOS environment: you should set the deviceOS value to "firebase", using the IWSetDeviceOS function.

Particular case: two applications

To have two applications on the same service, which receive push notifications, you should:

1. Use the Firebase notifications → change the deviceOS value to "firebase", using IWSetDeviceOS in C.

2. Set push notifications in the Admin Console > Service parameters tab > "mAccess push notification parameters" > Firebase → leave the parameters “Notification Collapse Key” and “Application Package Name” fields empty, so all applications will receive the notifications.

   

API

This section describes the exhaustive list of primitives included in mAccess.

Error codes

Pin mode code

Initialization and configuration

IWInit: (Boolean ma, string SN, string Data, func webcall, object user) -> void

Boolean ma is unused and should be set to 0 or false.You application may provide 2 strings: One should be linked to the device (Serial Number) and the other one to the installation (timestamp of an install directory). These strings should not change over the lifetime of your application. If they do, the application will be locked.webcall is the function that makes webservices calls. It is provided in the SDK as an example that you can customize.user is an object that you can pass. It can be used in callbacks when using Async functions. Please note that SN and Data parameters should be sent as ASCII strings.

IWVersionGet: () -> string

The library provides its version number, as a string

IWHostVersionSet: (string) -> int

The host provides its version number, as a string. In order to be compliant with inWebo convention, it needs to be formatted as: AppName-Version. Example: myApp-1.3.0

IWWsTimeoutSet: (int timeout) -> int

The host defines the timeout value for the web service calls, in millisecond.Returns always true.

IWWsServerSet: (string server) -> int

The host defines the server value for the web service calls, such as “https://www.myinWebo.com:443”.Returns always true.

IWLangSet: (string) -> void

The host provides the language (“fr” or “en”). This may be changed at runtime.

IWMaccessSet: (string) -> void

The host provides the mAccess ID associated to its service.

Storage

IWStorageDataChanged: () -> int

The library indicates whether the stored data has changed. When true, the host should call IWStorageDataGet () and update the locally stored data.

IWStorageDataGet: () -> string

The library returns the data to be stored locally. This string contains everything mAccess requires (keys, service description …). The host should not try to process this string: it should only store it locally.

IWStorageDataSet: (string data) -> int

The host provides the stored data to the library. This should be done only once, at initialization.May return IW_ERR_SN.

Information

IWMajorVersionRequired: () -> int

Returns 1 if a major version update is available and therefore required. The host should stop working.

IWNewVersionAvailable: () -> string

The library indicates whether a new version of the host is available. If no new version is available, it returns empty string. If a new version is available, it returns the name of this new version.Use IWMajorVersionRequired () to know whether this new version is major or minor.

IWNewVersionURL: () -> string

When IWNewVersionAvailable returns a non-empty string, this function will return a URL to get the new version. Else it will return empty string.

ShouldAskForMinorUpdate: () -> int

Returns 1 if a minor version update should be proposed to the user. After this function returns 1 once, it will always return 0.

IWIsActivated: () -> int

The library indicates whether the application is activated.

IWMustUpgrade: () -> int

The library indicates whether the application must upgrade first (the local data is from an old version).

IWIsBlocked: () -> int

The library indicates whether the device is blocked. If yes, it has to regenerate first.

IWServiceNb: () -> int

The library indicates the number of services.A typical mAccess implementation will return 1 (your mAccess is linked to only one service).

IWServiceName: (int i) -> string

The library indicates the name of the ith service.A typical call of this function in a mAccess implementation will be IWServiceName (0) as there will be only one service whose index in the service list is 0.

IWServiceLogo: (int i) -> string

The library indicates the URL of the PNG logo of the ith service.A typical call of this function in a mAccess implementation will be IWServiceLogo (0) as there will be only one service whose index in the service list is 0.

IWServiceDisabled: (int i) -> int

The library indicates whether the service is disabled or not. When disabled, it may be displayed as grayed, and should not be accessible.A typical call of this function in a mAccess implementation will be IWServiceDisabled (0) as there will be only one service whose index in the service list is 0.

IWPinMode: () -> int

The library indicates whether the password is required for the current operation. For example, this may be called after IWActivationStart () to know if the user has to define his password, or type in his existing one.May return:

IWSynchroJustDone: () -> int

The library indicates whether a full synchronization just occurred. If yes, it means that the list of services may have changed, as well as the list of logos.
The host may need to refresh its display and reload the logos from the net.

Synchronous mode

IWCheckStatus: () -> int

This function returns the server-side status of your mAccess instance. Use it for instance to check whether the device has been unlocked by an administrator or another device.May return:

Asynchronous mode

IWCheckStatusAsync: (function callback) -> int

This function returns the server-side status of your mAccess instance. Use it for instance to check whether the device has been unlocked by an administrator or another device.

Activation

Synchronous mode

IWActivationStart: (string code) -> int

The library starts the activation process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is already activated

• IW_ERR_SN: syntax error for “code”

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or new or biokey)

IWActivationFinalize: (string code, string pin, string name) -> int

The library finalizes the activation process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is already activated

• IW_ERR_SYNCHROFAILED: the device is activated but not synchronized. Should propose to resynchronize.

• IW_ERR_PINREFUSED: syntax error for “pin”

• IW_ERR_CODE: bad code.

• IW_ERR_SN: syntax error for “code”

• IW_ERR_TIMEOUT: timeout since IWActivationStart

Asynchronous mode

IWActivationStartAsync: (string code, function callback) -> int

The library starts the activation process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is already activated

• IW_ERR_SN: syntax error for “code”

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or new)

IWActivationFinalizeAsync: (string code, string pin, string name, function callback) -> int

The library finalizes the activation process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is already activated

• IW_ERR_SYNCHROFAILED: the device is activated but not synchronized. Should propose to resynchronize.

• IW_ERR_PINREFUSED: syntax error for “pin”

• IW_ERR_CODE: bad code.

• IW_ERR_SN: syntax error for “code”

• IW_ERR_TIMEOUT: timeout since IWActivationStart

Set Biometric Key

If you choose to implement biometric factors in you mobile application, you will need to use the following functions in order to manipulate biometric keys.

Synchronous mode

SetBiokeyStart () -> int

Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or not blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or none)

SetBiokeyFinalize (string biokey, string pin) -> int

The 'biokey' is a string generated by the application. The 'pin' code is the pincode of the user or an empty string for a service without pin. In the case of a service without pin, it is not possible to call this function repeatedly to change the Biokey.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWPwdUpdateStart

Asynchronous mode

SetBiokeyStartAsync (function callback) -> int

Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or not blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or none)

SetBiokeyFinalizeAsync (string biokey, string pin, function callback) -> int

The 'biokey' is a string generated by the application. The 'pin' code is the pincode of the user or an empty string for a service without pin. In the case of a service without pin, it is not possible to call this function repeatedly to change the Biokey.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWPwdUpdateStartAsync

Unset biometric keys

Use the following functions in order to reset all biometric keys registered. The library performs all the biometric keys reset process.

In C or C#

Synchronous mode

IWUnsetBiokeysStart (IW* iw)

Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or not blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or none)

IWUnsetBiokeysFinalize (IW* iw, char* pin)

The ‘iw’ is structure data type. The character array ’pin' is the pin code of the user.

Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWPwdUpdateStart

Asynchronous mode

IWUnsetBiokeysStartAsync (IW* iw, IWCALLBACK callback, void* user)

Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or not blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or none)

IWUnsetBiokeysFinalizeAsync (IW* iw, char* pin, IWCALLBACK callback, void* user)

The ‘iw’ is structure data type. The character array ’pin' is the pin code of the user.

Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWPwdUpdateStartAsync

Connection

IWConnected: () -> int

The library indicates whether the mAccess is connected or not, and how long it will be. The return value is the number of seconds. 0 means “not connected”.“Not connected” means that the password will be required for any operation.

IWServiceConnected: (int service) -> int

The library indicates whether the mAccess is connected or not for a specific service, and how long it will be. The return value is the number of seconds. 0 means “not connected”. “Not connected” means that the password will be required for any operation.

Synchronous mode

IWDisconnect: () -> int

The library disconnects from the server. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

Asynchronous mode

IWDisconnectAsync: (function callback) -> int

The library disconnects from the server. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

Offline OTP

IWDisplayTime: () -> int

The library indicates the time the OTP should be displayed to the user.

IWOtpShouldSynchronize: (int service) -> int

The library indicates if synchronization should be proposed to the user, BEFORE it tries to generate an OTP (i.e. before calling IWOtpModeQuery ()). This would signify that more than 3 generations are performed in less than 2 minutes for the same service.

IWOtpModeQuery: (int service) -> int

The library indicates whether the password should be requested. The “service” argument is the index of the service.

IWOtpGenerate: (string pin) -> string

The library generates the OTP for the specific service. The “pin” argument should be empty if no password was requested (see IWOtpModeQuery ()).

IWOtpResult: (int used) -> void

The host indicates whether the OTP was used by the user.

• RESULT_USEDOK=0; // OTP used

• RESULT_USEDCANCEL=1; // OTP not used

Online OTP

Synchronous mode

IWOnlineOtpStart: (int service_index) -> int

The library starts the “online OTP generation” process. It will perform at least one webservice call.
Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or none or biokey).

IWOnlineOtpFinalize: (int service, string pin) -> int

OR when using biometric keys:

IWOnlineOtpFinalizeExt: (int service, string pin, int keytype) -> int

Possible values for 'keytype' are:

• 0 : pincode entered

• 1 : biokey used
  

The library finalizes the “online OTP generation” process. It will perform at least one webservice call.
Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_SYNCHROFAILED: the last step of the synchronization failed. Should propose to resynchronize.

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWOnlineOtpStart

On success, the host will get the OTP by calling IWOtpAnswersGet () and IWOtpAnswerOtp ().

Asynchronous mode

IWOnlineOtpStartAsync: (int service, function callback) -> int

The library starts the “online OTP generation” process. It will perform at least one webservice call.
Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or none or biokey).

IWOnlineOtpFinalizeAsync: (int service, string pin, function callback) -> int

OR when using biometric keys:

IWOnlineOtpFinalizeExtAsync: (int service_index, string pin, int keytype, function callback) -> int

Possible values for 'keytype' are:

• 0 : pincode entered

• 1 : biokey used

The library finalizes the “online OTP generation” process. It will perform at least one webservice call. Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_SYNCHROFAILED: the last step of the synchronization failed. Should propose to resynchronize.

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWOnlineOtpStartAsync

On success, the host will get the OTP by calling IWOtpAnswersGet () and IWOtpAnswerOtp ().

IWOtpAnswersGet: () -> int

After a successful call to IWOnlineOtpFinalize () or IWOnlineOtpFinalizeAsync (), the library returns a mask of available data:MSK_OTP (1) OTP; use IWOtpAnswerOtp () to retrieve the OTP.

IWOtpAnswerOtp: () -> string

After a successful call to IWOnlineOtpFinalize (), IWOnlineOtpFinalizeExt (), IWOnlineOtpFinalizeAsync () or IWOnlineOtpFinalizeAsyncExt (), the library provides the OTP.

Offline Seal

Before using sealing feature, be sure that the “Transaction sealing” option is set to “Yes” (admin console > service parameters tab).

• 

IWSealShouldSynchronize: (int service) -> int

The library indicates if synchronization should be proposed to the user, BEFORE it tries to generate a Seal (i.e. before calling IWSealModeQuery ()). This would signify that more than 3 generations are performed in less than 2 minutes for the same service.

IWSealModeQuery: (int service) -> int

This function initializes the Offline Seal Process. It will always return 1.

IWSealGenerate: (string pin, string data) -> string

The library generates the Seal for the specific service.

IWOtpResult: (int used) -> void

The host indicates whether the Seal was used by the user.

• RESULT_USEDOK=0; // Seal used

• RESULT_USEDCANCEL=1; // Seal not used

IWDisplayTime: () -> int

The library indicates the time the OTP should be displayed to the user.

Online Seal

Before using sealing feature, be sure that the “Transaction sealing” option is set to “Yes” (admin console > service parameters tab).

• 

Synchronous mode

IWOnlineSealStart: (int service) -> int

The library starts the “online seal generation” process. It will perform at least one webservice call.
Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

For Seal Generation, PIN Mode is always set to 1 (current). This means that the user will have to type his PIN to generate a seal.

IWOnlineSealFinalize: (int service, string pin, string data) -> int

OR when using biometric keys:

IWOnlineSealFinalizeExt(int service, string pin, int keytype, string sealdata) -> int

Possible values for 'keytype' are:
0 : pincode entered
1 : biokey used

The library finalizes the “online seal generation” process. It will perform at least one webservice call. Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_SYNCHROFAILED: the last step of the synchronization failed. Should propose to resynchronize.

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWOnlineSealStart

On success, the host will get the Seal by calling IWSealAnswersGet () and IWSealAnswerOtp ().

Asynchronous mode

IWOnlineSealStartAsync: (int service, function callback) -> int

The library starts the “online seal generation” process. It will perform at least one webservice call.
Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

For Seal Generation, PIN Mode is always set to 1 (current). This means that the user will have to type his PIN to generate a seal.

IWOnlineSealFinalizeAsync: (int service, string pin, string data, function callback) -> int

OR when using biometric keys:

IWOnlineSealFinalizeExtAsync(int service, string pin, int keytype, string sealdata, function callback) -> int

Possible values for 'keytype' are:
0 : pincode entered
1 : biokey used

The library finalizes the “online seal generation” process. It will perform at least one webservice call. Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_SYNCHROFAILED: the last step of the synchronization failed. Should propose to resynchronize.

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWOnlineSealStartAsync

On success, the host will get the Seal by calling IWSealAnswersGet () and IWSealAnswerOtp ().

IWSealAnswersGet: () -> int

After a successful call to IWOnlineSealFinalize () or IWOnlineSealFinalizeAsync (), the library returns a mask of available data:MSK_SEAL (2) seal; use IWSealAnswerOtp () to retrieve the seal.

IWSealAnswerOtp: () -> string

After a successful call to IWOnlineSealFinalize () or IWOnlineSealFinalizeAsync (), the library provides the Seal.

Reset (Unlock)

Synchronous mode

IWResetStart: (string code) -> int

The library starts the reset process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or not blocked or to be upgraded

• IW_ERR_CODE: bad code.

• IW_ERR_SN: syntax error for “code”

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode will indicate which kind of password is required (current or new).

IWResetFinalize: (string code, string pin) -> int

The library finalizes the reset process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_SYNCHROFAILED: the last step of the synchronization failed. Should propose to resynchronize.

• IW_ERR_SN: syntax error for “code”

• IW_ERR_PINREFUSED: syntax error for “password”

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWResetStart

Asynchronous mode

IWResetStartAsync: (string code, function callback) -> int

The library starts the reset process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or not blocked or to be upgraded

• IW_ERR_CODE: bad code.

• IW_ERR_SN: syntax error for “code”

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or new).

IWResetFinalizeAsync: (string code, string pin, function callback) -> int

The library finalizes the reset process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_SYNCHROFAILED: the last step of the synchronization failed. Should propose to resynchronize.

• IW_ERR_SN: syntax error for “code”

• IW_ERR_PINREFUSED: syntax error for “password”

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWResetStartAsync

Request Activation code

This function allows the user to get an Activation code from inWebo. This 9-digit code will be used to activate a new inWebo token (typically a new inWebo Helium browser token).

Synchronous mode

IWActivationcodeRequestStart: () -> int

The library starts the “request Activation code” process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or none).

IWActivationcodeRequestFinalize: (string pin) -> int

The library finalizes the “request Activation code” process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_SYNCHROFAILED: the last step of the synchronization failed. Should propose to resynchronize.

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWActivationcodeRequestStart

On success, the host will retrieve the Activation code by calling IWCode ().

Asynchronous mode

IWActivationcodeRequestStartAsync: (function callback) -> int

The library starts the “request Activation code” process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or none).

IWActivationcodeRequestFinalizeAsync: (string pin, function callback) -> int

The library finalizes the “request Activation code” process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_SYNCHROFAILED: the last step of the synchronization failed. Should propose to resynchronize.

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWActivationcodeRequestStartAsync

On success, the host will retrieve the Activation code by calling IWCode ().

Update password

Synchronous mode

IWPwdUpdateStart: () -> int

The library starts the password update process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or not blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or none).

IWPwdUpdateFinalize: (string newPin, string pin) -> int

The library finalizes the password update process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_SYNCHROFAILED: the last step of the synchronization failed. Should propose to resynchronize.

• IW_ERR_PINREFUSED: syntax error for “password”

• IW_ERR_PINREUSED: new password equals previous password

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWPwdUpdateStart

Asynchronous mode

IWPwdUpdateStartAsync: (function callback) -> int

The library starts the password update process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or not blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or none).

IWPwdUpdateFinalizeAsync: (string newPin, string pin, function callback) -> int

The library finalizes the password update process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_SYNCHROFAILED: the last step of the synchronization failed. Should propose to resynchronize.

• IW_ERR_PINREFUSED: syntax error for “password”

• IW_ERR_PINREUSED: new password equals previous password

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWPwdUpdateStartAsync

Upgrade

The upgrade process is required when the device detects that the local data is from a previous version of the library (it is not the update of the host; it is AFTER an update of the host).

Synchronous mode

IWUpgradeStart: () -> int

The library starts the upgrade process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or none).

IWUpgradeFinalize: (string pin, string oldSerial) -> int

The library finalizes the upgrade process. It will perform at least one webservice call. It requires the old serial number, as it was computed before.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_SYNCHROFAILED: the last step of the synchronization failed. Should propose to resynchronize.

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWUpgradeStart

Asynchronous mode

IWUpgradeStartAsync: (function callback) -> int

The library starts the upgrade process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_VERSION: version error, user must upgrade the device (see IWNewVersionAvailable above)

A call to IWPinMode () will indicate which kind of password is required (current or none).

IWUpgradeFinalizeAsync: (string pin, string oldSerial, function callback) -> int

The library finalizes the upgrade process. It will perform at least one webservice call. It requires the old serial number, as it was computed before.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not to be upgraded

• IW_ERR_ACCESS: wrong password.

• IW_ERR_SYNCHROFAILED: the last step of the synchronization failed. Should propose to resynchronize.

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWUpgradeStartAsync

Push registration

Synchronous mode

IWPushRegistrationStart: () -> int

The library starts the push registration process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

IWPushRegistrationFinalize: (string pushId) -> int

The library finalizes the push registration process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWPushRegistrationStart

Asynchronous mode

IWPushRegistrationStartAsync: (function callback) -> int

The library starts the push registration process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

IWPushRegistrationFinalizeAsync: (string pushId, function callback) -> int

The library finalizes the push registration process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWPushRegistrationStartAsync

Important note: To use firebase notification service you must change the device OS to "firebase" using IWSetDeviceOS("firebase") → voidIf your mobile is on a filtered network (wifi by example), please ensure the following ports are opened to be able to register for push notifications and also to receive them:

• Android (Google):  outbound TCP ports 5228 to 5230.

• iOS (Apple): outbound TCP port 5223 

Get Pending Push

IWCheckPush: () -> int

Check if a push notification is available on inWebo server for the active instance of mAccess. Typically this function can be called when starting the mAccess application. In case of a push notification not received, this function will retrieve this pending authentication request.

IWPushAlias: () -> String

Get the push session id, or alias, related to the retrieved push

IWPushAction: () -> String

Get the push action (“activate” or “authenticate”) related to the retrieved push

IWPushContext: () -> String

Authentication only. Get the push context information related to the retrieved push. To be used if a context has been sent during the pushAuthenticate APIcall.

Push Activate

This function should be used when a user tries to activate helium on his PC, using a Push notification to his mobile app as a security check. The Push notification sent by InWebo servers contains an “alias” that must be passed as a parameter.

Synchronous mode

IWPushActivateCaStart: (string alias) -> int

The library starts the push activation process. It will perform at least one webservice call.Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

IWPushActivateCaFinalize: (string alias, string pin, int confirm) -> int

The library finalizes the push registration process. It will perform at least one webservice call. Confirm is an integer telling whether the activation via push notification is refused (0) or accepted (1). Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWPushActivateCaStart

Asynchronous mode

IWPushActivateCaStartAsync: (string alias, function callback) -> int

The library starts the push activation process. It will perform at least one webservice call. Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

IWPushActivateCaFinalizeAsync: (string alias, string pin, int confirm, function callback) -> int

The library finalizes the push activation process. It will perform at least one webservice call. Confirm is an integer telling whether the activation via push notification is refused (0) or accepted (1). Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWPushActivateCaStartAsync

Push OTP

Synchronous mode

IWPushOTPStart: (string alias) -> int

The library starts the push OTP process. It will perform at least one webservice call. Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

A call to IWPinMode () will indicate which kind of password is required (current or none or biokey).

IWPushOTPFinalize: (string alias, string pin, int confirm) -> int

OR

IWPushOTPFinalizeExt(string alias, string pin, int confirm, int keytype) -> int

'IWPushOTPFinalizeExt' is a new extended version of 'IWPushOTPFinalize' that must be used if you implement biometric factors in your application. In both cases, the library finalizes the push connection process. It will perform at least one webservice call. Possible values for 'keytype' are: (0) : pincode entered or (1) : biokey used. Confirm is an integer telling whether the activation via push notification is refused (0) or accepted (1). Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWPushOTPStart

Asynchronous mode

IWPushOTPStartAsync: (string alias, function callback) -> int

The library starts the push OTP process. It will perform at least one webservice call. Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

A call to IWPinMode () will indicate which kind of password is required (current or none or biokey).

IWPushOTPFinalizeAsync: (string alias, string pin, int confirm, function callback) -> int

OR

IWPushOTPFinalizeExtAsync(string alias, string pin, int confirm, int keytype, function callback) -> int

'IWPushOTPFinalizeExtAsync' is a new extended version of 'IWPushOTPFinalizeAsync' that must be used if you implement biometric factors in your application. In both cases, theThe library finalizes the push connection process. It will perform at least one webservice call. Possible values for 'keytype' are: (0) : pincode entered or (1) : biokey used. Confirm is an integer telling whether the activation via push notification is refused (0) or accepted (1). Returns an error code:

• IW_ERR_OK: no error

• IW_ERR_NETWORK: network error

• IW_ERR_FORBIDDEN: device is not activated or blocked or to be upgraded

• IW_ERR_NODEVICE: the device is unknown or has been permanently disabled

• IW_ERR_TIMEOUT: timeout since IWPushOTPStartAsync

Implementation

You will find below implementation guidelines to help you understand how to chain mAccess API functions to run the library. These guidelines are valid for both synchronous and asynchronous modes.

Startup

At host startup, you need to:A) Initialize the library

• call IWInit ()

• call IWHostVersionSet ()

• call IWWsServerSet ()

• call IWWsTimeoutSet ()

• call IWMaccessSet () and provide mAccess ID, that can be found in inWebo Admin Console

• Read the ASCII string stored locally, and pass it to the function IWStorageDataSet ().

• Determine whether mAccess is activated or not by calling IWIsActivated (). If this function returns “1”, mAccess is activated.

• If mAccess is not activated, go to step B).

• Determine whether mAccess is blocked or not by calling IWIsBlocked ().

  • If this function returns “1”, mAccess is blocked. Go to section “Reset”.

  • If mAccess is activated and not blocked, startup procedure is over and completed successfully

B) Activation

• Prompt the user for an Activation code

• Once entered, call the function IWActivationStart () with this code as a parameter

• Then, call IWPinMode () in order to find out if the user has to define a new password, or enter his existing password for verification.

  • New password: request it twice and make sure they are identical

  • Existing password: request only once

• Then, call IWActivationFinalize ()

Push registration

After a successful activation, you can proceed to push registration:

• Retrieve the device unique ID

• Register the App calling IWPushRegistrationStart ()

Push registration should be performed only once. Yet you may want to check at application start-up if the unique parameter identifying the device and the user has been updated. In case this unique ID has changed you can safely call IWPushRegistrationStart () again.

Synchronization

In order to perform a synchronization:

• First call IWSynchronizeStart ()

• Then call IWPinMode () to know if a password is required

• Then, prompt for the password

• Finally, call IWSynchronizeFinalize ()

Generate an offline OTP

mAccess has been designed to support more than one service. This means that mAccess will be able to generate different OTPs for different sites or applications. This will be useful for multi-purposes host applications. In this example, we will assume that mAccess has only one service (i=0).A) Check if synchronization is requiredWhen the user requests an OTP, you first need to call IWOtpShouldSynchronize (0) in order to know if a synchronization should be proposed to the user prior to generate the OTPIf IWOtpShouldSynchronize returns 1, you should display a page such as “Your application seems desynchronized. Do you want to force synchronization?”If the user chooses “no”, go to step B)If the user chooses “yes” implement a synchronization at this stage (see later in the doc)B) Prompt the user for his mAccess passwordC) Display the OTP returned by the function IWOtpGenerate (PIN).The OTP will be valid for n seconds, where n is the result of IWDisplayTime ()If the host application knows whether the OTP was submitted or not, additional step will be useful to prevent desynchronization:

• If the OTP was not submitted, call IWOtpResult (RESULT_USED_CANCEL)

• If the OTP was submitted, or the information is not available, call IWOtpResult (RESULT_USED_OK)

The same logic can be used to implement offline sealing.

Generate an online OTP

When the user requests an OTP:

• Call IWOnlineOtpStart (0)

• Then call IWPinMode () to know if the password should be requested

• Prompt for the password if needed

• Call IWOnlineOtpFinalize (0,password) with the password as parameter

• Call IWOtpAnswerOtp () to get the OTP

The same logic can be used to implement online sealing.

Activate other tokens with push notifications

This feature can be used to activate inWebo browser tokens (inWebo Helium) via mobile push notifications. Prerequisites:

• inWebo push registration (see guideline above)

• Implement the code to handle push notification in the host application. When receiving a notification parse the content to verify if it is an activation notification or a connection notification

If an activation notification is received:

• Get the transaction ID alias from the notification content

• Call IWPushActivateCaStart (alias)

• Then call IWPinMode () to know if the password should be requested

• Then prompt for the password

• Then propose two buttons allowing the user to accept or refuse the activation

• If activation is refused call IWPushActivateCaFinalize(alias, pin, 0)

• If activation is accepted call IWPushActivateCaFinalize(alias, pin, 1)

• Pin should be set to an empty string if IWPinMode() returns IW_PINMODE_NONE

Connect user to your applications with push notifications

This feature can be used to connect a user via push notifications sent either by your platform (using inWebo API on your server) or via inWebo browser tokens (inWebo Helium). Prerequisites:

• inWebo push registration (see guideline above)

• Implement the code to handle push notification in the host application. When receiving a notification parse the content to verify if it is an activation notification or a connection notification

If a connection notification is received:

• Get the transaction ID alias from the notification content

• Call IWPushOTPStart (alias)

• Then call IWPinMode () to know if the password should be requested

• Then prompt for the password and / or propose two buttons allowing the user to accept or refuse the connection

• If connection is refused call IWPushOTPFinalize(alias, pin, 0)

• If connection is accepted call IWPushOTPFinalize(alias, pin, 1)

• Pin should be set to an empty string if IWPinMode() returns IW_PINMODE_NONE

Get an Activation code to activate another inWebo token

This feature is optional. It allows a user to activate an inWebo Helium token in a browser.

• Call IWActivationcodeRequestStart ()

• Then call IWPinMode () to know if a password is required

• Then prompt for the password

• Call IWActivationcodeRequestFinalize (Password) and then IWCode () to get and display the Activation code

Password change

• Call IWPwdUpdateStart ()

• Prompt for the current Password

• Prompt twice for the new password

• Call IWPwdUpdateFinalize (NEWPIN, PIN)

• Parse the return code

Reset

If mAccess is blocked (IWIsBlocked ()), you need to:

• Display a “Reset” page prompting for a “reset code”

• call IWResetStart (code), and then IWPinMode () to know whether to prompt for a new password or the existing password

• call IWResetFinalize (Password)

Password change with all biometric keys reset

• Call IWPwdUpdateStart ()

• Prompt for the current Password

• Prompt twice for the new password

• Call IWPwdUpdateFinalize ()

• Parse the return code

• Call IWUnsetBiokeysStart ()

• Call IWUnsetBiokeysFinalize ()