4.2 Register without Password

The registerEmployeeWithoutPassword function creates a new employee on Bayun's system with supplied (companyName, companyEmployeeId) combination, and links it to Bayun user account with userId matching the supplied email address (creating one if necessary). All subsequent authentication requests for this employee will require user-credentials matching the supplied security questionsAnswers (or passphrase if set). The function takes the following parameters :

Let's say the user is registering an account with the app using their login-id of username@bayunsystems.com.

• sessionId : Unique sessionId.

  You can provide a unique sessionId to the registerEmployeeWithoutPassword function call. If an empty sessionId i.e " " is provided, Bayun creates and returns a unique sessionId in the successful registration response in ShAuthenticateResponse.

  Same sessionId should be provided in all the subsequent calls to the Bayun APIs as an argument.

• companyName : Unique name of the company/tenant the registering employee belongs to, preferably in domain-name format for consistency, e.g. bayunsystems.com. This assumes that the user is getting access to the corresponding enterprise tenant with the same domain-name managed by their employer. In some cases the email domain of the user could be different from the domain of the tenant this user belongs to e.g. username@customdomain.com registering on a tenant with domain bayunsystems.com as a contractor, or on a generic tenant for individual accounts in a consumer use-case (e.g. tenant domain of gmail.com). In such a case, the domain-name part of the tenant is what should be used as the companyName parameter. Alternatively you can also choose to pass app's own internal companyId/tenantId for the registering employee as a parameter.

• companyEmployeeId : EmployeeId unique within the company, e.g. "username@bayunsystems.com". While just the "username" portion might suffice in some cases, it is preferable to use the full loginId for consistency (especially considering that full loginId has to be anyway used for a contractor or consumer use-case). Alternatively you can also choose to pass app's own internal employeeId that is unique within the specific companyName that was used above.

• email : Bayun userId for the new user being registered, in the form of User Principal Name (UPN) represented as an email address e.g. username@bayunsystems.com. For a consumer use-case, it can be the email address provided by the user themselves, or one provided/generated by the app. If no email address is available, the app can choose to construct a dummy email by concatenating the user's companyName and companyEmployeeId, e.g. <companyEmployeeId>@<companyName>.dummy-email. This email is not needed for subsequent login requests from the registered employee (as combination of companyName and companyEmployeeId uniquely identify the employee), but the credentials associated with the corresponding userId/email (e.g. security answers) will always be used for authorizing this employee from a new device.

• isCompanyOwnedEmail : Whether the user email is an enterprise email address owned and controlled by the companyName provided above. Relevant only for enterprise apps that typically allow employees of a company to login via SSO (in such cases, the email and companyEmployeeId will be the same as user’s corporate email-address, and the domain-name of these will also match the domain of the tenant provided as companyName). It should otherwise be set to false by default. If it's a company-owned enterprise email address, then we know that the company owns it, and it can be deleted or reclaimed by the company for potential reassignment to another employee as desired.

• questionsAnswers : User is required to provide five Security Questions and their Answers. Questions Answers are in the form of an ArrayList of Object. The developer can either offer a list of Security Questions from their own question-bank to make choosing easier for the user, or they can let each user craft their own questions along-with the answers. Bayun just needs any five questions or prompts for the user to provide their respective answers, which will be cryptographically intermingled together into a single complex key to ensure that independent guessing of any specific answer can’t cause any harm.

A user should choose questions and answers such that user will be able to remember the answer to each question when asked, but others will find it difficult to guess. These answers are used to protect the user's data in such a way that nobody other than the user is able to access it. If the user is not able to remember answers to at least 3 questions, user will lose his/her data for ever.

• passphrase : Optional Passphrase provided by the User at the time of account creation. The developer can either set it to null by default, in which case the user will need to use Security Answers for login from a new device. Or alternatively the developer can let the user choose whether to set a passphrase or not, and supply the passphrase if chosen.

This optional passphrase allows easier login without having to enter answers to user's security questions. A user must choose a strong passphrase, otherwise it is better to skip this step instead and rely on security questions for login.

The registerEmployeeWithoutPassword function returns shared pointer to the classAuthenticateResponse i.e ShAuthenticateResponse.

Following are the possible values of BayunAuthResponseCode in ShAuthenticateResponse:

• Success : Authentication is successful.

• VerifySecurityQuestions : When two-factor authorization is enabled for the employee registering with Bayun. The Security Questions and QuestionIds are returned in the form of std::vector<SecurityQuestionInfo*>in ShAuthenticateResponse .

  Registration completes when answers are validated for the security questions.

• VerifyPassphrase : When two-factor authorization is enabled for the employee registering with Bayun. Registration completes when passphrase is validated.

• EmployeeAuthorizationPending : When BayunCore is inited with App Secret having only role Creation , EmployeeAuthorizationPendingis returned as BayunAuthResponseCode when a new employee is created. Employee Public Key data is returned as employeePublicKey. Check Authorize Employee for employee authorization.

First account of the Company registered with Bayun is the Security Admin account which has security administrative privileges.

Sample Code

C++

#include "BayunCore.h"

std::string sessionId = "<sessionId>"
std::string companyName = "bayunsystems.com"; // company portion from loginId
std::string companyEmployeeId = "username"; //username portion from loginId
std::string email = "username@bayunsystems.com"; //loginId
std::string passphrase = "<passphrase>" // passphrase is OPTIONAL
std::vector<Bayun::ShSecurityQuestionAnswer> questionsAnswers;
questionsAnswers.push_back(std::make_shared<Bayun::SecurityQuestionAnswer>("","<question>", "<answer>"));
questionsAnswers.push_back(std::make_shared<Bayun::SecurityQuestionAnswer>("","<question>", "<answer>"));
questionsAnswers.push_back(std::make_shared<Bayun::SecurityQuestionAnswer>("","<question>", "<answer>"));
questionsAnswers.push_back(std::make_shared<Bayun::SecurityQuestionAnswer>("","<question>", "<answer>"));
questionsAnswers.push_back(std::make_shared<Bayun::SecurityQuestionAnswer>("","<question>", "<answer>"));

Bayun::ShAuthenticateResponse authResponse =
bayunCore->registerUserWithoutPassword(sessionId, companyName, companyEmployeeId, email, questionsAnswers, passphrase);
if (authResponse != nullptr) {
  std::string sessionId = authResponse->sessionId.c_str();
  Bayun::BayunAuthResponseCode responseCode = authResponse->responseCode;
  
  if (responseCode == Bayun::BayunAuthResponseCode::Success) {
    //perform Bayun Operations
  } else if (responseCode == Bayun::BayunAuthResponseCode::EmployeeAuthorizationPending) {
    //EmployeeAuthorizationPending
  } else if (responseCode == Bayun::BayunAuthResponseCode::VerifySecurityQuestions)  {
    
    std::vector<Bayun::ShSecurityQuestionInfo> securityQuestions; =  authResponse->getSecurityQuestions();
    std::vector<Bayun::ShSecurityQuestionAnswer> answers;
    
    answers.push_back(std::make_shared<Bayun::SecurityQuestionAnswer>("<questionId>", "<answer>"));
    answers.push_back(std::make_shared<Bayun::SecurityQuestionAnswer>("<questionId>", "<answer>"));
    answers.push_back(std::make_shared<Bayun::SecurityQuestionAnswer>("<questionId>", "<answer>"));
    answers.push_back(std::make_shared<Bayun::SecurityQuestionAnswer>("<questionId>", "<answer>"));
    answers.push_back(std::make_shared<Bayun::SecurityQuestionAnswer>("<questionId>", "<answer>"));
    
    Bayun::ShValidateSecurityQuesResponse response =  bayunCore->validateSecurityQuestions(sessionId, answers);
    if (response != nullptr) {
      sessionId = response->sessionId.c_str();
      responseCode = response->getResponseCode();
      if (responseCode == Bayun::BayunAuthResponseCode::Success) {
        //perform Bayun Operations
      }
    }
  }
  else if (responseCode == Bayun::BayunAuthResponseCode::VerifyPassphrase) {
    
    //Validating Passphrase for demonstration.
    Bayun::ShValidatePassphraseResponse response = bayunCore->validatePassphrase(sessionId, "<passphrase>");
    if (response != nullptr) {
      sessionId = response->sessionId.c_str();
      responseCode = response->getResponseCode();
      if (responseCode == Bayun::BayunAuthResponseCode::Success) {
        //perform Bayun Operations
      }
    }
  }
}