How Drava Works

A complete guide to biometric step-up authentication for payments

Transaction Flow

Participants: Merchant, Drava API, Customer Device, PSP (Stripe)

1. Create Challenge
2. Push Notification
3. Biometric Assertion
4. Verification Result
5. Process Payment
6. Webhook Notification

Timing: Push < 2s, Roundtrip ≤ 8s

Enrollment

Device Registration
Users register their device using WebAuthn. A unique key pair is generated in the device's secure enclave, and the private key is stored there.
Biometric Binding
The private key is bound to the user's biometric data (Face ID, Touch ID, or fingerprint) and never leaves the device.

Challenge/Response Flow

Challenge Creation
Your server creates a cryptographic challenge containing transaction details and sends it to Drava's API.
User Authentication
The user receives a push notification and authenticates using their biometric data to sign the challenge.
Assertion Verification
Drava verifies the signed assertion and returns the result to your server for payment processing.

Assertion Verification

Cryptographic Proof
Each assertion contains a cryptographic signature that proves the user authenticated with their registered device and biometric.
Replay Protection
Challenges are single-use and time-limited (8 seconds) to prevent replay attacks and ensure real-time verification.

Webhooks

Real-time Notifications
Receive instant webhooks for challenge.created, challenge.verified, and assertion.failed events.
Event Logging
All authentication events are logged with timestamps and can be retrieved via API for audit and compliance purposes.

What We Don't Store

No Biometric Templates

We never see or store your biometric data. Face ID, Touch ID, and fingerprint data remain exclusively on your device.

Device-Bound Only

Private keys are generated and stored in your device's secure hardware. They cannot be extracted or transferred.

Performance Metrics

Push < 2s
Roundtrip ≤ 8s