new configuration version

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/etc/nevis/k8s-nevisauth-sts-4bad2fe3ccc54716cc87138f.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisAuth"
   replicas: 1
-  version: "8.2405.1"
+  version: "8.2411.3"
   gitInitVersion: "1.3.0"
   runAsNonRoot: true
   ports:
@@ -27,20 +27,25 @@ spec:
   livenessProbe:
     soap:
       tcpSocket: true
-      initialDelaySeconds: 40
-      periodSeconds: 20
+      periodSeconds: 5
       timeoutSeconds: 4
   readinessProbe:
     management:
       httpGet:
         path: "/nevisauth/liveness"
-      initialDelaySeconds: 40
-      periodSeconds: 30
+      periodSeconds: 5
       timeoutSeconds: 6
+  startupProbe:
+    management:
+      httpGet:
+        path: "/nevisauth/liveness"
+      periodSeconds: 5
+      timeoutSeconds: 6
+      failureThreshold: 50
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-5560b9df58bc00fcf3fc92f29f5f7840af9dbf26"
+    tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts"
     credentials: "git-credentials"
   keystores:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/env.conf

@@ -1,8 +1,9 @@
 RTENV_SECURITY_CHECK=no_shell
 
 JAVA_OPTS=(
-    "-Dfile.encoding=UTF-8"
     "-XX:+UseContainerSupport"
+    "-Dfile.encoding=UTF-8"
+    "-Dotel.instrumentation.metro.enabled=false"
     "-XX:MaxRAMPercentage=80.0"
     "-Djava.net.preferIPv4Stack=true"
     "-Djava.net.connectionTimeout=10000"
@@ -12,7 +13,7 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2405.1,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2411.3,service.instance.id=$HOSTNAME"
     "-Djavax.net.ssl.trustStore=/var/opt/keys/trust/auth-sts-default-tls-trust/truststore.p12"
     "-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/auth-sts-default-tls-trust/keypass}"
 )

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/esauth4.xml

@@ -54,7 +54,7 @@
         </Domain>
         <AuthState name="Auth_Realm_Main_STS_Check_Trusted_Caller" class="ch.nevis.esauth.auth.states.cache.ReadFromCacheState" final="false" resumeState="true">
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-            <ResultCond name="miss" next="Auth_Realm_Main_STS_Dispatcher_TokenType"/>
+            <ResultCond name="miss" next="Auth_Realm_Main_STS_Validation_Client_Cert"/>
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <ResultCond name="ok" next="Auth_Realm_Main_STS_Dispatcher_TokenType"/>
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
@@ -66,6 +66,25 @@
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <property name="sess:agov.techuser.extId" value="#{request.getActorCertAsString()}"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Validation_Client_Cert" class="ch.nevis.idm.authstate.IdmX509State" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="default" next="Auth_Realm_Main_STS_STS_Audit_Failure"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_STS_Validation_Client_Cert_PostProcessing"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Gui name="AuthErrorDialog">
+                    <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                    <GuiElem name="lasterror" type="error" label="#{notes.containsKey('lasterror') ? 'error.login.cert.' : ''}#{notes['lasterror']}"/>
+                </Gui>
+            </Response>
+            <propertyRef name="nevisIDM_Connector"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="user.certificate" value="#{request.getActorCertAsString()}"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="client.name" value="Default"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_STS_Dispatcher_TokenType" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="true">
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <ResultCond name="SamlAssertion" next="Auth_Realm_Main_STS_Service_Provider_State"/>
@@ -87,13 +106,45 @@
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <property name="condition:usernameToken" value="${request:currentResource:/nevisauth/services/sts/username:true}"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_STS_Audit_Failure" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="error" next="Auth_Realm_Main_STS_Authentication_Failed"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_STS_Authentication_Failed"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="script" value="file:///var/opt/nevisauth/default/conf/sts_audit_failure.groovy"/>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Validation_Client_Cert_PostProcessing" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="default" next="Auth_Realm_Main_STS_STS_Audit_Failure"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_STS_Check_Impersonator"/>
+            <propertyRef name="nevisIDM_Connector"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="detaillevel.default" value="EXCLUDE"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="chooseDefaultProfile" value="true"/>
+        </AuthState>
+        <AuthState name="nevisIDM_Connector" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="false">
+            <!-- source: pattern://8d94681ba6da73f92618e32d -->
+            <property name="login.service.connection.0" value="https://idm:8989/nevisidm/services/v1/LoginService"/>
+            <!-- source: pattern://8d94681ba6da73f92618e32d -->
+            <property name="admin.service.connection.0" value="https://idm:8989/nevisidm/services/v1/AdminService"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_STS_Service_Provider_State" class="ch.nevis.esauth.auth.states.saml.ServiceProviderState" final="false" resumeState="true">
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <ResultCond name="default" next="Auth_Realm_Main_STS_STS_Audit_Failure"/>
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <ResultCond name="ok" next="Auth_Realm_Main_STS_Verify_User_extID" authLevel="auth.weak"/>
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-            <property name="consumerURL" value="https://me.agov-w.azure.adnovum.net/login/saml2/sso/agovidp"/>
+            <property name="consumerURL" value="https://me.agov-d.azure.adnovum.net/login/saml2/sso/agovidp"/>
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <property name="in.verify" value="Assertion"/>
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
@@ -103,7 +154,7 @@
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <property name="in.max_age" value="30"/>
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-            <property name="in.audience" value="https://me.agov-w.azure.adnovum.net/account/api/saml2/service-provider-metadata/agovidpdirect"/>
+            <property name="in.audience" value="https://me.agov-d.azure.adnovum.net/account/api/saml2/service-provider-metadata/agovidpdirect"/>
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <property name="in.keystoreref" value="Auth_Realm_Main_STS"/>
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
@@ -174,21 +225,6 @@
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <property name="detaillevel.default" value="EXCLUDE"/>
         </AuthState>
-        <AuthState name="Auth_Realm_Main_STS_STS_Audit_Failure" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
-            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-            <ResultCond name="error" next="Auth_Realm_Main_STS_Authentication_Failed"/>
-            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-            <ResultCond name="ok" next="Auth_Realm_Main_STS_Authentication_Failed"/>
-            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
-            </Response>
-            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-            <property name="scriptTraceGroup" value="AGOV-ACCT"/>
-            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-            <property name="script" value="file:///var/opt/nevisauth/default/conf/sts_audit_failure.groovy"/>
-        </AuthState>
         <AuthState name="Auth_Realm_Main_STS_Verify_User_extID" class="ch.nevis.idm.authstate.IdmUserVerifyState" final="false" resumeState="true">
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <ResultCond name="clientNotFound" next="Auth_Realm_Main_STS_STS_Audit_Failure"/>
@@ -207,6 +243,31 @@
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <property name="client.name" value="agov"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Authentication_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Gui name="Error">
+                    <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                    <GuiElem name="info" type="error" label="error_99"/>
+                    <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                    <GuiElem name="submit" type="button" label="continue.button.label"/>
+                </Gui>
+            </Response>
+        </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Check_Impersonator" class="ch.nevis.esauth.auth.states.standard.ConditionalDispatcherState" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="default" next="Auth_Realm_Main_STS_STS_Audit_Failure"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="isImpersonator" next="Auth_Realm_Main_STS_Clear_Session"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="condition:isImpersonator" value="${response/actualRoles/^.*(nevisIdm\.Impersonator).*$}"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_STS_Verify_Shadow_User_Error" class="ch.nevis.esauth.auth.states.standard.AuthLogout" final="true" resumeState="true">
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <Response value="AUTH_ERROR">
@@ -232,24 +293,6 @@
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <property name="cred.type" value="CONTEXT_PASSWORD"/>
         </AuthState>
-        <AuthState name="nevisIDM_Connector" class="ch.nevis.esauth.auth.states.standard.AuthGeneric" final="false">
-            <!-- source: pattern://8d94681ba6da73f92618e32d -->
-            <property name="login.service.connection.0" value="https://idm:8989/nevisidm/services/v1/LoginService"/>
-            <!-- source: pattern://8d94681ba6da73f92618e32d -->
-            <property name="admin.service.connection.0" value="https://idm:8989/nevisidm/services/v1/AdminService"/>
-        </AuthState>
-        <AuthState name="Auth_Realm_Main_STS_Authentication_Failed" class="ch.nevis.esauth.auth.states.standard.AuthError" final="false" resumeState="true">
-            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-            <Response value="AUTH_ERROR">
-                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-                <Gui name="Error">
-                    <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-                    <GuiElem name="info" type="error" label="error_99"/>
-                    <!-- source: pattern://5d7dc3d51416356293a239f7 -->
-                    <GuiElem name="submit" type="button" label="continue.button.label"/>
-                </Gui>
-            </Response>
-        </AuthState>
         <AuthState name="Auth_Realm_Main_STS_Verify_User_extID_IdmGetPropertiesState" class="ch.nevis.idm.authstate.IdmGetPropertiesState" final="false" resumeState="true">
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <ResultCond name="SOAP:showGui" next="Auth_Realm_Main_STS_STS_Audit_Success"/>
@@ -271,6 +314,43 @@
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <property name="chooseDefaultProfile" value="true"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Clear_Session" class="ch.nevis.esauth.auth.states.standard.TransformAttributes" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_STS_Cache_Trusted_Caller"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR">
+                <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+                <Arg name="ch.nevis.isiweb4.response.status" value="403"/>
+            </Response>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:agov.techuser.extId" value="${sess:ch.adnovum.nevisidm.user.extId}"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:ch.adnovum.nevisidm.clientExtId" value=""/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:ch.adnovum.nevisidm.clientId" value=""/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:ch.adnovum.nevisidm.clientName" value=""/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:ch.adnovum.nevisidm.profileExtId" value=""/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:ch.adnovum.nevisidm.profileId" value=""/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:ch.adnovum.nevisidm.profileName" value=""/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:ch.adnovum.nevisidm.user.clientExtId" value=""/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:ch.adnovum.nevisidm.user.extId" value=""/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:ch.adnovum.nevisidm.user.loginId" value=""/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:ch.adnovum.nevisidm.userDto" value=""/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:ch.adnovum.nevisidm.userExtId" value=""/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="sess:ch.nevis.idm.User.extId" value=""/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="removeOnEmptyValue" value="true"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_STS_STS_Audit_Success" class="ch.nevis.esauth.auth.states.scripting.ScriptState" final="false" resumeState="true">
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <ResultCond name="error" next="Auth_Realm_Main_STS_Authentication_Failed"/>
@@ -286,6 +366,26 @@
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <property name="script" value="file:///var/opt/nevisauth/default/conf/sts_audit_success.groovy"/>
         </AuthState>
+        <AuthState name="Auth_Realm_Main_STS_Cache_Trusted_Caller" class="ch.nevis.esauth.auth.states.cache.WriteToCacheState" final="false" resumeState="true">
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="failed" next="Auth_Realm_Main_STS_STS_Audit_Failure"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <ResultCond name="ok" next="Auth_Realm_Main_STS_Dispatcher_TokenType"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <Response value="AUTH_ERROR"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="cacheSpace" value="TechAuthCache"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="hashAlgorithm" value="SHA-512"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="maxAge" value="3600"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="maxEntries" value="2"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="overwriteOldEntries" value="false"/>
+            <!-- source: pattern://5d7dc3d51416356293a239f7 -->
+            <property name="#{request.getActorCertAsString()}" value="${sess:agov.techuser.extId}"/>
+        </AuthState>
         <AuthState name="Auth_Realm_Main_STS_Auth_Done" class="ch.nevis.esauth.auth.states.standard.AuthDone" final="false" resumeState="true">
             <!-- source: pattern://5d7dc3d51416356293a239f7 -->
             <Response value="AUTH_DONE">

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/logging.yml

@@ -12,6 +12,8 @@ Configuration:
         onMismatch: "ACCEPT"
   Loggers:
     Logger:
+    - name: "ProductAnalytics"
+      level: "INFO"
     - name: "EsAuthStart"
       level: "INFO"
     - name: "org.apache.catalina.loader.WebappClassLoader"
@@ -22,6 +24,8 @@ Configuration:
       level: "FATAL"
     - name: "AGOV-ACCT"
       level: "DEBUG"
+    - name: "AgovCaptcha"
+      level: "DEBUG"
     - name: "AuthEngine"
       level: "INFO"
     - name: "AuthPerf"
@@ -31,7 +35,7 @@ Configuration:
     - name: "OpTrace"
       level: "DEBUG"
     - name: "Recovery"
-      level: "INFO"
+      level: "DEBUG"
     - name: "Script"
       level: "DEBUG"
     - name: "SessCoord"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/nevisauth.yml

@@ -3,6 +3,7 @@ server:
   protocol: "https"
   port: "8991"
   host: "0.0.0.0"
+  max-threads: "200"
   tls:
     keystore: "/var/opt/keys/own/auth-sts-default-identity/keystore.p12"
     keystore-passphrase: "${exec:/var/opt/keys/own/auth-sts-default-identity/keypass}"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth-sts/var/opt/nevisauth/default/conf/otel.properties

@@ -1,4 +1,4 @@
-otel.service.name=auth-sts
-otel.traces.exporter=none
-otel.metrics.exporter=none
-otel.logs.exporter=none
+otel.service.name = auth-sts
+otel.traces.exporter = none
+otel.metrics.exporter = none
+otel.logs.exporter = none

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-internal-idp-auth-signer-trust-7022472ae407577ae604bbb8.yaml

@@ -1,7 +1,7 @@
 apiVersion: "operator.nevis-security.ch/v1"
 kind: "NevisTrustStore"
 metadata:
-  name: "auth-default-default-signer-trust"
+  name: "auth-internal-idp-auth-signer-trust"
   namespace: "adn-agov-nevisidm-01-uat"
   labels:
     deploymentTarget: "auth"
@@ -10,5 +10,7 @@ metadata:
     patternId: "7022472ae407577ae604bbb8"
 spec:
   keystores:
+  - name: "auth-sts-sh4r3d-internal-idp-auth-signer"
+    namespace: "adn-agov-nevisidm-01-uat"
   - name: "auth-sh4r3d-internal-idp-auth-signer"
     namespace: "adn-agov-nevisidm-01-uat"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-auth-technical-trust-store-7022472ae407577ae604bbb8.yaml

@@ -12,6 +12,8 @@ spec:
   keystores:
   - name: "proxy-idp-notused-auth-realm-identity"
     namespace: "adn-agov-nevisidm-01-uat"
+  - name: "proxy-idp-auth-realm-main-idp-identity"
+    namespace: "adn-agov-nevisidm-01-uat"
   - name: "proxy-idp-auth-realm-mobile-fido-uaf-identity"
     namespace: "adn-agov-nevisidm-01-uat"
   - name: "proxy-idp-auth-realm-recovery-identity"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/etc/nevis/k8s-nevisauth-7022472ae407577ae604bbb8.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisAuth"
   replicas: 1
-  version: "8.2405.1"
+  version: "8.2411.3"
   gitInitVersion: "1.3.0"
   runAsNonRoot: true
   ports:
@@ -27,20 +27,25 @@ spec:
   livenessProbe:
     soap:
       tcpSocket: true
-      initialDelaySeconds: 40
-      periodSeconds: 20
+      periodSeconds: 5
       timeoutSeconds: 4
   readinessProbe:
     management:
       httpGet:
         path: "/nevisauth/liveness"
-      initialDelaySeconds: 40
-      periodSeconds: 30
+      periodSeconds: 5
       timeoutSeconds: 6
+  startupProbe:
+    management:
+      httpGet:
+        path: "/nevisauth/liveness"
+      periodSeconds: 5
+      timeoutSeconds: 6
+      failureThreshold: 50
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-5560b9df58bc00fcf3fc92f29f5f7840af9dbf26"
+    tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth"
     credentials: "git-credentials"
   keystores:
@@ -50,7 +55,7 @@ spec:
   truststores:
   - "auth-default-tls-trust"
   - "auth-auth-realm-mobile-fido-uaf-tls-trust-nevisfido"
-  - "auth-default-default-signer-trust"
+  - "auth-internal-idp-auth-signer-trust"
   - "auth-technical-trust-store"
   podSecurity:
     policy: "baseline"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/key.pem

@@ -1,54 +1,54 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJqzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQUbPUZn/3VpMbderej
-CK2+IC16nwwCAggAMB0GCWCGSAFlAwQBKgQQvPO51vuHnkHznERAJ+mJngSCCVDI
-JlL/aK5MTWYntg5qFJ2L3w4GNTaKeVXrCE1Q/UrXo4/OnNVQdHnyWiuzOt0FoGow
-H22nWxbehwlykBPhPNw4719QOiMWQJqggR/61IUh8xOBrchqjQ2irIDjiXnTgD1N
-ADmtLHZC6duXncdFOtpeooHKMW61P6+KGBck0n8jM96+DuIKZKF2VO0hEzrUCF3d
-4ODXNX8EEc4l1UdGUU0l7r/SvxoDyprGnFW1Di+PZCRWwUkHbDrqOWEzs5UIzTRM
-2Tyt5osJB7v+0XB3f2PeBEHkQQhd9mvPIiSO5EwQF4JNQx7LMcnV1eFYXGF30pVb
-g9nG3UFbI68uH+uuuEU66yug/h/0RzMSBp8Le6eIck5/jaXBPzDstrc3VW5f1f+n
-I3LsVplUE5znK5okwcGNKr84Ppf6QJ0Hjmbx927j8/n5yMYAn8xa1X5XNeC0dmy8
-Fjbsz1YpiTx9uQ33thXWbpQXno3fJzXvTVJ258GciPwcwqUTiudkMz3eD/tk/Ehd
-SM2oxCKIFDjEUnTSJ89uj+vz9OlTAdaUr0uEfpM6vwq+610UviVRPrNpI2v/qiqJ
-SCeCsce4cN4eIjdpgPIt89H/ISDaOlpeCNQ8yLkkM4P89zXjir7Mt7jt3Uh58xoO
-rOHwQW8xUp+92BvES17PS072ywPS2jO/+hVQv6lf1LPHOmIlEWUln8no6KUBupMM
-ukaW+AmBxxYA1nycC+7IyXDUGiX8MU8GhT45xBpj6t5gKr5QwvJpGcH5oJ0qqq+s
-5B4bmIkaDUgbyAcnishANkHt8/wPvKLbefgRPkpRzaPFQqXu18nRr5GTa+dWfS1y
-GJOVtKcGEyMCHTWfvT9NQZryP3uSsVvl4unEcScWqUL12rDfe31EuTr8JD79I7US
-ssJoDtOKSsP/fFcUatUDcfsb+hkBGN19CdDb4LvPY23FhUc1ApYbWmU5HlY16uQx
-zjoVVZ3lCckJHojPlXpgv0y/CC6tOyEwKxC2u2voPunbR/D7rJ+5AIWDDc3pzzPZ
-KH1jfJPL8KbM8lBc+hpyLBtSnQpj/osN/jLY7El3ciFcux/NFSffeWKn/QuYYC8p
-LtJzWZiURZ6SWFZ4llPKbDeXsKhSOuroMt0aRUfQu2zHw++Ss94X+wJ3Tg64uP/9
-Bw9B5LFdTogChz7ObmGr9OnyJuQaj9/riWP6kowjXSQhku30RMpf6MQnxg8KLhI/
-99y4rGp+OLcxZcKbmENWIl9QcEVbyPfBq2yGSk/drT3xUJghCcPjObKToutHRs9r
-cN0IE6kzRiruRdm2bejgni+v5BhioiZRiSwr5om57G1N4e8BseTxY+zQrU2WwdJp
-ll1zqk5t2J+83uU/EQBmIkXpP+xqrod/uOUm84d5nYRXuO94DLUDwqU0KI7QKoHK
-W6XSU5TDzmynPrycl1IGW1l6ddb92h4FPYyYsppb+G78v2WfVFSsze2aBIDbDZUh
-QEaElJuNIOA+bOSctpTr0i70HXhGzVMXStXJMAIFgR9wKppxW+0IXdjYzhKVE8gx
-uXiJfwJx5pSDBWFDZqLM8uTH3hGOuvRX06iSHIFCsxjds7VWXBh91iGw9Xef9D50
-DVaIhF12dTRsrdi5AqYYkTb4AEzpUQXg7HPi678F6UnsOzCVYZqMWZaF3Ec1UHxu
-PZ9A27DvK1MsUm4QZ+7XrzWrRdkmRFXqhtfxCxHRpF+YlRPTyWSVmx0fEkGjLiAd
-uHU0D14lcqNvmusWOWXVYePOS44R3DrQFULgzfsly09bKFqRZdKGQavVjUbokP1S
-+MDQOca4I6KSxo2358rUGDhq3A0xI5U24wjinNWHktTPXkJbvcJubx/sHb8QMxST
-qSXr5vYjJfms1sU3v2QYrORU42CBOvUAaZYTwLDq+PSN37IcyQoAhTU2ZgPSzSQe
-8aJvxgZWgWedsoeKpKK54yk7rG7b+Qhk6ZHrvFS6cI0YasYQ4GHZHfieG0dTGlVS
-FAAF+HF9/TI3vZPx5qzS6jhtpy6bI/MxjCachA1suShqHZNn4dGW13C6Kf6a6Ci8
-fOMVK/3t4H5oU+2fqoo41jU/1MmLuNUFt7F08X+3eRw/dmhGuf6Mcd46L9SMPtXp
-quSmX/q8kG1YUfj0vXfxBox9rQWYY8kNjp6OUkvAwBYoy6a1j0h420ZQhyNS0vzy
-w2d3UjTjoEdo3qOKCDKLGA9ILSJvK/jzDEoS0G23eiaQJ5DHDK6m++izm+2oCMwM
-+5fcoRhn0SVzAgE63x80btbGuo52sMp57PcGZq50s8yeVYziyZEVPIb5I/vau8BH
-CxZ++8ENtvKmYWX84hXApR+2rX6hWWi/b34YIG4jtCr+aeaNumv5NT19G+g84BsL
-akcBUtt3px2icLZtUv+ck/JCG/7pUvIqZ2HMKLZgsSZan1pfdfdl1Q28xG97X/dR
-gCzr15ZjlX8bwtRNQs+xhv6lDQtFOv0wgYYW6rolZS3SOaGhWU4/E1a+RT16NUvS
-lajoYD1jFCk6Y2WWIB1tHxAlNC06EQB3oT+gPtzZ9upcM3Qv0X0RyXgPcLFcveiC
-aZZtBY6MElzXiRpRB8y6XNyvJz+1vB05DDlcCnx2ovztHAk74AiUp0VlSk6ylqDQ
-DKOaXHz5ZzFT+Ptaj3m1xBYc3m4Iyw98RXX7IGs7hOY2roaqO3rI/lmgTVuA3hv7
-m3CX8vbk3gqV1+Rt2ObuddnKtkrG07lP72HliZBLNRgEoaX1DSKdWq7A8G5uNWJj
-xvwWUDIu/PESII1x8D52pmZ0QH1VQmas17Ezme/4BGvOR5/0vwKUEXPYWhHvtB31
-4q/HMWpCCH5wF5DF0JfWmOhDpR3EvtG8HnNMzP8cdHbCLaG4SUz5uNKgJ6pI5cjV
-E+HS+McIN1wp5mFodR3qwjMdLoH2uJ4YOqP05qri1b40xXM/j6+p9tXXYuV/8d6K
-+L8sZxNvORwf6z8yys2cAHC5xPYBC8c0qKE9a1GtYJRPpjXona+iHoM5KooGFmYx
-qZz2AvqbPYIwTHD5sV/K0wA3Zjlw6HOHBnZ6C7ZINAL/idY5uLOP6c3HCmVLRz3a
-KIZCBintlvOKVSlzfGh7MjAJpEkzqGBNQIFCkRflrJW13R4/fiRL2fqRm2UjbU7q
-QQo+ffs3emwCxkfxdOpubKUoANiFdXvQlKiC2BP/Yw==
+MIIJqzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQU95KG57RacAYBmkeQ
+DIe1bZS0sbkCAggAMB0GCWCGSAFlAwQBKgQQyxdAya9Sd4oHLO1pzVWcYASCCVDT
+ozdXT3vjyqMzza4QKaMD4ywSAzGhQRM/TnxU5JbRLNMpdtq76Mfet2pv++UUjcof
+16EsdOOpDQdxdzQWmwGUNwjkX5YyWTaAefV8l9n6Bp8LV0XabS9We3g5Jr1KjuzP
+O/xJgB2o6BcD/WRPeOaANSGoyWce4rCkpDwqxrp+tY9EK19SoCZG9Zy2hnPPH2Hc
+QgtgCAzqaXIp49KIXHn/Uo532lIz3WqkkhzVakwgAKLKIvc/SwgP0eSXLvPjeJYS
+L8DngPP0YD7IPgIs7WmMNNE7or69e7mO0miUOl7xStNHzHpLmtLNbYI7Pk6NLT7N
+kWfh2+E21R7llsW57boMACXVr7N3CHOlZQhUNViyjPayo1njVnp6gGzuIxluhHJY
+CL070oqBeEYVfvE07HQ4Qd0BL5c02pdrKjdzBYyLwzSNKn2RzgS2R/XtEqdmOUo+
+iuRngv9D1UPSI2xlFhv84778ktEeSf8l1nLltqhPJAmJUjSAcu/zjN4Q+HXqMRaF
+IocDV4I7CaXDc2E0YdU8uHuzzUHLflJ2OZwU5N7tkoVOtAYHKUwCP4J/zpLSe2V2
+MIh40IVJK4gzb+iyBiOnsnKKQCKMPbS4lH8zC2S486MgjgbhlZeFg0nOF955c61l
+Sb4MBrexU4s1TUg/fDpYt6jPZoKivN72jzi60kV43gBFHmP3X4SRAUQ4Y3h5NFF8
+h2p4wvYRsYEexjJU/+WJG4Yi1wSi3oEqD161a6vPOsKBLBdLRo1vgnQdGFx/k83X
+vjPlI2eEUMPCntNBbrTy8eUSJz/0OH2phztZpHuh5cfy4ErUi19d9ywZUlhurGvX
+dC7ouTEqRZLkkSCfGTQM0q0O4JQJTLb5N4gWdZxQd2UwGv3jCK7m5eWx3bTdhhXi
+179DoSpYBCJF3msn0ROO6PxsccH0w/I6KMi3QNmsDlXhDr6XIBya8CU0lx9lp0pl
+5q62D26Ylr2fovd3qKKbwP6RaZarCzKLO6dWdyMqtUwVlX2FDCFd/SPGWc2TmuVS
+vLb981Zm13AfYtNUSfusroDp3TEuvl7cwozg7p33SQhuCmgKnxMd0iXd5QQZjrR0
+t+y22dHrD1agkkoFMLz/+d+930J0sY4odG/HbL2Bv8ZelVUjA8XSFoGBEA+rfQCg
+DGmLh5a+/yfzxCEKWVLqmwHWbSkub8bXdl6EKEyaO9qo1KCLAf3tArQx45sqw8bK
+8AYq2mrNIiMDhHub+XEEC0Aw2lZkJOrwwMEsTcZWfBvj56MdRNXuZMvPdarTbnDx
+zzxatqIwfvpOy/S2Poyrc6GuprbZCM6N+cDLdWQqAHVwAlx77NhiJ6s3vUnE3vB7
+aHgmXU+a8uPA64tKKaRNQJ31f7viCkWJXEbbEhVTzCvFcoqbKPPMm9w7nO8PMUTu
+BmwSFEKhd3BDKZavqTHKi66fF3A5ALFYAkMw/AlvinMitb9s+7WlWQrdvSFkqHsY
+wNQ1ankleYd24/8ZllvsQpleLMepDSxP6zUMpXSHbTKp5MZeoCaaY1RCkg7aOduz
+brnD7lRAfLp0H72nxVgC7n6VjidOSruF7k9WIN9VVbP0ZVL/QtkKRWd/hEmtMNaH
+ELg2ekdm3zvdBuvtr0jNiCxbhTr3j5OWQkT/BjZxHpZfA14XEROJC2Slo3PxUwBH
+0lE0cICWTeaeYcCX8ofawN+t1Qa6UD0sLl2670Kc7pozkJM4ul19rGA2KsHX89gE
+CaB1CkhFCqZhPbqX9yonv9XZtLb8Of8rBNVd/2QKN4/tOXcMYshzakSfSSIsyxxt
+QgMPRfz0nJTtP7v8ZbwIO+ayGoUeH7aYKhQ6Ku3qW9XuYiy+oMTIOToCSddnEI5t
+JNuPkT9kzA9stkRbFV5kBvrv5LWprWDXdA/wyAWG7txncWj6UzGlP8C3KhtMHLHv
+CiOXrE8UJdNNeT52dYI9slg+tzcCfz3sqMr9zXratvT6JMzrQZqCSis8vIx18TIK
+N5yDWHDFUOeNpo7aRqd5goW3qProwfZDjBXiqE4J+AJ5wc73PuftHt2l00zvLDWs
+SFIRvXbavNBA7GxpVtN8Qxmk6Lm0u0pBiastndowgAI5OIQVuwoA21vXyC5n9pMd
+bPJsmiPyme62OkCWmAjBNDLNVViwKMH8BxmLKJxX+6ysNsn0YY1+9YfI/zC3j4jM
+OYsK1c0NvFIv5aUxRQZLTJJt9C299jGNvdAJsfdp4LHejzZUjnx3nguz/l6RI1Vb
+vjQ1qDRPhkgErGXSHsCoCt+z5Y6mq17JWEX/FiXBWQbfSGoG/ZvoOqiBybCQ3HNl
+o9QM1sNQ5fUZDh0TgwkJB91rZXPwi828RklMW8VZszZir5gziTnndhw0ADLCZZ6z
+nA0vZAI7sjoEeIgiJq3egrsSLq2ZQRQsh5QF+Xo2QktleGvPrtMv//ZyGz4l59yc
+wX/7DtABurFhVs3KdYohcqXk2v5jJCMs+j9YDn6540QR6yXcbifp9ySqhm/PeH91
+UuL16YKxoV6QBZIGE0vjdUitGKNsS+H4ibD/0ZHYG+VcyL90eIrBq61CjfIO79O0
+L9+G4gKB91stXwtpqZWXTrlzrnjloZOPhqyQN/bs/liWQ6qy0a6Cd6nbWc141An1
+zEiOihbwLJ4ziCut+bq5lwyw6z/wWEhaVNnYspEEBr2URLMHbnBceS6zXoePT0ur
+9mQQLitmtlANlJ93vBDPhCaEjkK1v5J7MmIHQzyLSQGuLdXwz50piJukWru3aNax
+skloghJYeTMILEcGAszvyVtcvPqkrJnZXx4Qp7Luj5HK9THr78v3T4nWzirfqxPZ
+x70xRyhsC2lLcIrJ+3jkXj44edIqdh3Wvi30L2x2iUFyZ0ojQJQDo/+5b+p9k36L
+Dk8ktpeIa/BE3NsfcFaWn9bvRkQ6UAQcNn1zmkavfw5TLI4C1PnD/WUpPHZdhzNV
+K87CsUawxjEg0uCCaViShF6bD9mOWQxE3SM9yNizjTmotF6KrgkT16y/qZ17KGQM
+hJ5PraGu9jvg+L/MrQpr91eyJaeh9JFl9dM/SPM0mXo5q813bdMmqD4cc3YWCLee
+dHtmaKJ08KD1cJqHBz0DRLVV+zH00BMoYt5HZ5DmHFU1zhDekWZLhilbyWt8+z1E
+bzsoEAfZvyfvF7fJuxQ/HhYdR6TX5H+aNzZZivVc6g==
 -----END ENCRYPTED PRIVATE KEY-----

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/keys/own/idp-pem-signer/keystore.pem

@@ -1,56 +1,56 @@
 -----BEGIN ENCRYPTED PRIVATE KEY-----
-MIIJqzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQUbPUZn/3VpMbderej
-CK2+IC16nwwCAggAMB0GCWCGSAFlAwQBKgQQvPO51vuHnkHznERAJ+mJngSCCVDI
-JlL/aK5MTWYntg5qFJ2L3w4GNTaKeVXrCE1Q/UrXo4/OnNVQdHnyWiuzOt0FoGow
-H22nWxbehwlykBPhPNw4719QOiMWQJqggR/61IUh8xOBrchqjQ2irIDjiXnTgD1N
-ADmtLHZC6duXncdFOtpeooHKMW61P6+KGBck0n8jM96+DuIKZKF2VO0hEzrUCF3d
-4ODXNX8EEc4l1UdGUU0l7r/SvxoDyprGnFW1Di+PZCRWwUkHbDrqOWEzs5UIzTRM
-2Tyt5osJB7v+0XB3f2PeBEHkQQhd9mvPIiSO5EwQF4JNQx7LMcnV1eFYXGF30pVb
-g9nG3UFbI68uH+uuuEU66yug/h/0RzMSBp8Le6eIck5/jaXBPzDstrc3VW5f1f+n
-I3LsVplUE5znK5okwcGNKr84Ppf6QJ0Hjmbx927j8/n5yMYAn8xa1X5XNeC0dmy8
-Fjbsz1YpiTx9uQ33thXWbpQXno3fJzXvTVJ258GciPwcwqUTiudkMz3eD/tk/Ehd
-SM2oxCKIFDjEUnTSJ89uj+vz9OlTAdaUr0uEfpM6vwq+610UviVRPrNpI2v/qiqJ
-SCeCsce4cN4eIjdpgPIt89H/ISDaOlpeCNQ8yLkkM4P89zXjir7Mt7jt3Uh58xoO
-rOHwQW8xUp+92BvES17PS072ywPS2jO/+hVQv6lf1LPHOmIlEWUln8no6KUBupMM
-ukaW+AmBxxYA1nycC+7IyXDUGiX8MU8GhT45xBpj6t5gKr5QwvJpGcH5oJ0qqq+s
-5B4bmIkaDUgbyAcnishANkHt8/wPvKLbefgRPkpRzaPFQqXu18nRr5GTa+dWfS1y
-GJOVtKcGEyMCHTWfvT9NQZryP3uSsVvl4unEcScWqUL12rDfe31EuTr8JD79I7US
-ssJoDtOKSsP/fFcUatUDcfsb+hkBGN19CdDb4LvPY23FhUc1ApYbWmU5HlY16uQx
-zjoVVZ3lCckJHojPlXpgv0y/CC6tOyEwKxC2u2voPunbR/D7rJ+5AIWDDc3pzzPZ
-KH1jfJPL8KbM8lBc+hpyLBtSnQpj/osN/jLY7El3ciFcux/NFSffeWKn/QuYYC8p
-LtJzWZiURZ6SWFZ4llPKbDeXsKhSOuroMt0aRUfQu2zHw++Ss94X+wJ3Tg64uP/9
-Bw9B5LFdTogChz7ObmGr9OnyJuQaj9/riWP6kowjXSQhku30RMpf6MQnxg8KLhI/
-99y4rGp+OLcxZcKbmENWIl9QcEVbyPfBq2yGSk/drT3xUJghCcPjObKToutHRs9r
-cN0IE6kzRiruRdm2bejgni+v5BhioiZRiSwr5om57G1N4e8BseTxY+zQrU2WwdJp
-ll1zqk5t2J+83uU/EQBmIkXpP+xqrod/uOUm84d5nYRXuO94DLUDwqU0KI7QKoHK
-W6XSU5TDzmynPrycl1IGW1l6ddb92h4FPYyYsppb+G78v2WfVFSsze2aBIDbDZUh
-QEaElJuNIOA+bOSctpTr0i70HXhGzVMXStXJMAIFgR9wKppxW+0IXdjYzhKVE8gx
-uXiJfwJx5pSDBWFDZqLM8uTH3hGOuvRX06iSHIFCsxjds7VWXBh91iGw9Xef9D50
-DVaIhF12dTRsrdi5AqYYkTb4AEzpUQXg7HPi678F6UnsOzCVYZqMWZaF3Ec1UHxu
-PZ9A27DvK1MsUm4QZ+7XrzWrRdkmRFXqhtfxCxHRpF+YlRPTyWSVmx0fEkGjLiAd
-uHU0D14lcqNvmusWOWXVYePOS44R3DrQFULgzfsly09bKFqRZdKGQavVjUbokP1S
-+MDQOca4I6KSxo2358rUGDhq3A0xI5U24wjinNWHktTPXkJbvcJubx/sHb8QMxST
-qSXr5vYjJfms1sU3v2QYrORU42CBOvUAaZYTwLDq+PSN37IcyQoAhTU2ZgPSzSQe
-8aJvxgZWgWedsoeKpKK54yk7rG7b+Qhk6ZHrvFS6cI0YasYQ4GHZHfieG0dTGlVS
-FAAF+HF9/TI3vZPx5qzS6jhtpy6bI/MxjCachA1suShqHZNn4dGW13C6Kf6a6Ci8
-fOMVK/3t4H5oU+2fqoo41jU/1MmLuNUFt7F08X+3eRw/dmhGuf6Mcd46L9SMPtXp
-quSmX/q8kG1YUfj0vXfxBox9rQWYY8kNjp6OUkvAwBYoy6a1j0h420ZQhyNS0vzy
-w2d3UjTjoEdo3qOKCDKLGA9ILSJvK/jzDEoS0G23eiaQJ5DHDK6m++izm+2oCMwM
-+5fcoRhn0SVzAgE63x80btbGuo52sMp57PcGZq50s8yeVYziyZEVPIb5I/vau8BH
-CxZ++8ENtvKmYWX84hXApR+2rX6hWWi/b34YIG4jtCr+aeaNumv5NT19G+g84BsL
-akcBUtt3px2icLZtUv+ck/JCG/7pUvIqZ2HMKLZgsSZan1pfdfdl1Q28xG97X/dR
-gCzr15ZjlX8bwtRNQs+xhv6lDQtFOv0wgYYW6rolZS3SOaGhWU4/E1a+RT16NUvS
-lajoYD1jFCk6Y2WWIB1tHxAlNC06EQB3oT+gPtzZ9upcM3Qv0X0RyXgPcLFcveiC
-aZZtBY6MElzXiRpRB8y6XNyvJz+1vB05DDlcCnx2ovztHAk74AiUp0VlSk6ylqDQ
-DKOaXHz5ZzFT+Ptaj3m1xBYc3m4Iyw98RXX7IGs7hOY2roaqO3rI/lmgTVuA3hv7
-m3CX8vbk3gqV1+Rt2ObuddnKtkrG07lP72HliZBLNRgEoaX1DSKdWq7A8G5uNWJj
-xvwWUDIu/PESII1x8D52pmZ0QH1VQmas17Ezme/4BGvOR5/0vwKUEXPYWhHvtB31
-4q/HMWpCCH5wF5DF0JfWmOhDpR3EvtG8HnNMzP8cdHbCLaG4SUz5uNKgJ6pI5cjV
-E+HS+McIN1wp5mFodR3qwjMdLoH2uJ4YOqP05qri1b40xXM/j6+p9tXXYuV/8d6K
-+L8sZxNvORwf6z8yys2cAHC5xPYBC8c0qKE9a1GtYJRPpjXona+iHoM5KooGFmYx
-qZz2AvqbPYIwTHD5sV/K0wA3Zjlw6HOHBnZ6C7ZINAL/idY5uLOP6c3HCmVLRz3a
-KIZCBintlvOKVSlzfGh7MjAJpEkzqGBNQIFCkRflrJW13R4/fiRL2fqRm2UjbU7q
-QQo+ffs3emwCxkfxdOpubKUoANiFdXvQlKiC2BP/Yw==
+MIIJqzBVBgkqhkiG9w0BBQ0wSDAnBgkqhkiG9w0BBQwwGgQU95KG57RacAYBmkeQ
+DIe1bZS0sbkCAggAMB0GCWCGSAFlAwQBKgQQyxdAya9Sd4oHLO1pzVWcYASCCVDT
+ozdXT3vjyqMzza4QKaMD4ywSAzGhQRM/TnxU5JbRLNMpdtq76Mfet2pv++UUjcof
+16EsdOOpDQdxdzQWmwGUNwjkX5YyWTaAefV8l9n6Bp8LV0XabS9We3g5Jr1KjuzP
+O/xJgB2o6BcD/WRPeOaANSGoyWce4rCkpDwqxrp+tY9EK19SoCZG9Zy2hnPPH2Hc
+QgtgCAzqaXIp49KIXHn/Uo532lIz3WqkkhzVakwgAKLKIvc/SwgP0eSXLvPjeJYS
+L8DngPP0YD7IPgIs7WmMNNE7or69e7mO0miUOl7xStNHzHpLmtLNbYI7Pk6NLT7N
+kWfh2+E21R7llsW57boMACXVr7N3CHOlZQhUNViyjPayo1njVnp6gGzuIxluhHJY
+CL070oqBeEYVfvE07HQ4Qd0BL5c02pdrKjdzBYyLwzSNKn2RzgS2R/XtEqdmOUo+
+iuRngv9D1UPSI2xlFhv84778ktEeSf8l1nLltqhPJAmJUjSAcu/zjN4Q+HXqMRaF
+IocDV4I7CaXDc2E0YdU8uHuzzUHLflJ2OZwU5N7tkoVOtAYHKUwCP4J/zpLSe2V2
+MIh40IVJK4gzb+iyBiOnsnKKQCKMPbS4lH8zC2S486MgjgbhlZeFg0nOF955c61l
+Sb4MBrexU4s1TUg/fDpYt6jPZoKivN72jzi60kV43gBFHmP3X4SRAUQ4Y3h5NFF8
+h2p4wvYRsYEexjJU/+WJG4Yi1wSi3oEqD161a6vPOsKBLBdLRo1vgnQdGFx/k83X
+vjPlI2eEUMPCntNBbrTy8eUSJz/0OH2phztZpHuh5cfy4ErUi19d9ywZUlhurGvX
+dC7ouTEqRZLkkSCfGTQM0q0O4JQJTLb5N4gWdZxQd2UwGv3jCK7m5eWx3bTdhhXi
+179DoSpYBCJF3msn0ROO6PxsccH0w/I6KMi3QNmsDlXhDr6XIBya8CU0lx9lp0pl
+5q62D26Ylr2fovd3qKKbwP6RaZarCzKLO6dWdyMqtUwVlX2FDCFd/SPGWc2TmuVS
+vLb981Zm13AfYtNUSfusroDp3TEuvl7cwozg7p33SQhuCmgKnxMd0iXd5QQZjrR0
+t+y22dHrD1agkkoFMLz/+d+930J0sY4odG/HbL2Bv8ZelVUjA8XSFoGBEA+rfQCg
+DGmLh5a+/yfzxCEKWVLqmwHWbSkub8bXdl6EKEyaO9qo1KCLAf3tArQx45sqw8bK
+8AYq2mrNIiMDhHub+XEEC0Aw2lZkJOrwwMEsTcZWfBvj56MdRNXuZMvPdarTbnDx
+zzxatqIwfvpOy/S2Poyrc6GuprbZCM6N+cDLdWQqAHVwAlx77NhiJ6s3vUnE3vB7
+aHgmXU+a8uPA64tKKaRNQJ31f7viCkWJXEbbEhVTzCvFcoqbKPPMm9w7nO8PMUTu
+BmwSFEKhd3BDKZavqTHKi66fF3A5ALFYAkMw/AlvinMitb9s+7WlWQrdvSFkqHsY
+wNQ1ankleYd24/8ZllvsQpleLMepDSxP6zUMpXSHbTKp5MZeoCaaY1RCkg7aOduz
+brnD7lRAfLp0H72nxVgC7n6VjidOSruF7k9WIN9VVbP0ZVL/QtkKRWd/hEmtMNaH
+ELg2ekdm3zvdBuvtr0jNiCxbhTr3j5OWQkT/BjZxHpZfA14XEROJC2Slo3PxUwBH
+0lE0cICWTeaeYcCX8ofawN+t1Qa6UD0sLl2670Kc7pozkJM4ul19rGA2KsHX89gE
+CaB1CkhFCqZhPbqX9yonv9XZtLb8Of8rBNVd/2QKN4/tOXcMYshzakSfSSIsyxxt
+QgMPRfz0nJTtP7v8ZbwIO+ayGoUeH7aYKhQ6Ku3qW9XuYiy+oMTIOToCSddnEI5t
+JNuPkT9kzA9stkRbFV5kBvrv5LWprWDXdA/wyAWG7txncWj6UzGlP8C3KhtMHLHv
+CiOXrE8UJdNNeT52dYI9slg+tzcCfz3sqMr9zXratvT6JMzrQZqCSis8vIx18TIK
+N5yDWHDFUOeNpo7aRqd5goW3qProwfZDjBXiqE4J+AJ5wc73PuftHt2l00zvLDWs
+SFIRvXbavNBA7GxpVtN8Qxmk6Lm0u0pBiastndowgAI5OIQVuwoA21vXyC5n9pMd
+bPJsmiPyme62OkCWmAjBNDLNVViwKMH8BxmLKJxX+6ysNsn0YY1+9YfI/zC3j4jM
+OYsK1c0NvFIv5aUxRQZLTJJt9C299jGNvdAJsfdp4LHejzZUjnx3nguz/l6RI1Vb
+vjQ1qDRPhkgErGXSHsCoCt+z5Y6mq17JWEX/FiXBWQbfSGoG/ZvoOqiBybCQ3HNl
+o9QM1sNQ5fUZDh0TgwkJB91rZXPwi828RklMW8VZszZir5gziTnndhw0ADLCZZ6z
+nA0vZAI7sjoEeIgiJq3egrsSLq2ZQRQsh5QF+Xo2QktleGvPrtMv//ZyGz4l59yc
+wX/7DtABurFhVs3KdYohcqXk2v5jJCMs+j9YDn6540QR6yXcbifp9ySqhm/PeH91
+UuL16YKxoV6QBZIGE0vjdUitGKNsS+H4ibD/0ZHYG+VcyL90eIrBq61CjfIO79O0
+L9+G4gKB91stXwtpqZWXTrlzrnjloZOPhqyQN/bs/liWQ6qy0a6Cd6nbWc141An1
+zEiOihbwLJ4ziCut+bq5lwyw6z/wWEhaVNnYspEEBr2URLMHbnBceS6zXoePT0ur
+9mQQLitmtlANlJ93vBDPhCaEjkK1v5J7MmIHQzyLSQGuLdXwz50piJukWru3aNax
+skloghJYeTMILEcGAszvyVtcvPqkrJnZXx4Qp7Luj5HK9THr78v3T4nWzirfqxPZ
+x70xRyhsC2lLcIrJ+3jkXj44edIqdh3Wvi30L2x2iUFyZ0ojQJQDo/+5b+p9k36L
+Dk8ktpeIa/BE3NsfcFaWn9bvRkQ6UAQcNn1zmkavfw5TLI4C1PnD/WUpPHZdhzNV
+K87CsUawxjEg0uCCaViShF6bD9mOWQxE3SM9yNizjTmotF6KrgkT16y/qZ17KGQM
+hJ5PraGu9jvg+L/MrQpr91eyJaeh9JFl9dM/SPM0mXo5q813bdMmqD4cc3YWCLee
+dHtmaKJ08KD1cJqHBz0DRLVV+zH00BMoYt5HZ5DmHFU1zhDekWZLhilbyWt8+z1E
+bzsoEAfZvyfvF7fJuxQ/HhYdR6TX5H+aNzZZivVc6g==
 -----END ENCRYPTED PRIVATE KEY-----
 
 -----BEGIN CERTIFICATE-----

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict.properties

@@ -40,7 +40,7 @@ fido2_auth.instruction2=An authentication window will appear
 fido2_auth.instruction3=Follow the instructions
 fido2_auth.skipInstructions=Skip instructions next time
 fido2_auth.switchLogin=SWITCH TO LOGIN WITH
-footer.link=https://agov.ch/?c=contact&l=en
+footer.link=https://agov.ch
 footer.link.label=Contact
 footer.text=Authentication service of Swiss authorities AGOV - a collaboration between cantons, their municipalities, and the federal administration. -
 general.AGOVAccessApp=AGOV access app
@@ -55,22 +55,31 @@ general.edit=Edit
 general.email=Email
 general.email.address=Email address
 general.entryCode=Code entry
+general.fieldRequired=Field required.
 general.getStarted=Get started
 general.goAGOVHelp=Go to AGOV help
 general.goAccessApp=Login with AGOV access
 general.help=Help
-general.help.link=https://agov.ch/pages/help_en.html
+general.help.link=https://agov.ch/help
 general.login=Login
 general.loginSecurityKey=Start Security key login
 general.or=OR
 general.otherOptions=OTHER OPTIONS
 general.recovery=Recovery
+general.recovery.help.link=https://help.agov.ch/?c=100recovery
+general.recoveryCode.downloadPdf=Download as PDF
+general.recoveryCode.inputLabel=Recovery code
+general.recoveryCode.repeatCodeError=The code you entered was incorrect. Please ensure you have stored it correctly, then continue to resubmit.
+general.recoveryCode.repeatCodeModal.description=A lost or incorrectly stored recovery code can make it more difficult to recover your account. To ensure you have recorded your code correctly, please repeat it below.
+general.recoveryCode.repeatCodeModal.title=Repeat recovery code
+general.recoveryCode.reveal=Reveal recovery code
 general.recoveryOngoing=Ongoing recovery
 general.register=Register
 general.registerNow=Register now!
 general.registration=Registration
 general.securityKey=Security key
 general.skip.content=Skip to main content
+general.wrongPhoneNumber=Please enter a valid phone number
 generic.auth.error.message=There was a service interruption. We are working on it.
 generic.auth.error.next.steps=Please try again later. Please consult AGOV help if the problem persists.
 generic.auth.error.subtitle=Something went wrong
@@ -87,7 +96,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -185,6 +194,19 @@ prompt.newpassword=New Password
 prompt.newpassword.confirm=Confirm Password
 prompt.password=Password
 prompt.userid=User-ID
+providePhoneNumber.banner=Phone number must be able to receive SMS.<br>This phone number will not be used to contact you.
+providePhoneNumber.description=AGOV now supports recovery with your phone number. This will allow you to continue with an SMS during recovery if you have lost access to your recovery code.
+providePhoneNumber.errorBanner=Phone numbers do not match. Please try again.
+providePhoneNumber.inputLabel=Phone number (optional)
+providePhoneNumber.laterModal.description1=Without a phone number, a recovery of your account might take up to 4 days if you lose access to your recovery code.
+providePhoneNumber.laterModal.description2=Adding a phone number helps you to recover your account in a matter of minutes.
+providePhoneNumber.laterModal.description3=This phone number will not be used to contact you.
+providePhoneNumber.laterModal.title=Continue without a phone number?
+providePhoneNumber.modal.description=An incorrectly stored phone number can make it more difficult to recover your account. To ensure you have recorded your phone number correctly, please repeat it below.
+providePhoneNumber.modal.inputLabel=Phone number
+providePhoneNumber.modal.title=Repeat phone number
+providePhoneNumber.saveButtonText=Save
+providePhoneNumber.title=Add phone number
 pwreset.done.info=Your password was successfully changed. Please click on continue to log in.
 pwreset.email.sent=If your user ID exists, an email to reset your password has been sent to you.
 pwreset.info.linktext=Password forgotten
@@ -192,6 +214,7 @@ pwreset.noticket=Your password reset link is no longer valid. Please generate a
 recovery_accessapp_auth.accessAppRegistered=AGOV access app already registered
 recovery_accessapp_auth.instruction1=You have already registered a new AGOV access app !!!ACCESS_APP_NAME!!! as part of the recovery process.
 recovery_accessapp_auth.instruction2=Please use !!!ACCESS_APP_NAME!!! to identify you.
+recovery_check_code.banner.lockedError=Too many invalid input attempts. Please try again in a few minutes.
 recovery_check_code.codeIncorrect=Code entered is incorrect. Please try again.
 recovery_check_code.enterRecoveryCode=Enter recovery code
 recovery_check_code.instruction=Please enter below your personal 12-digit recovery code. You will have received the recovery code as a PDF file during registration or in AGOV me.
@@ -201,9 +224,11 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
-recovery_check_noCode.banner.error=Too many attempts or your recovery code has expired.
-recovery_check_noCode.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
-recovery_check_noCode.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
+recovery_check_noCode.banner.error=Too many attempts.
+recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
+recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.
 recovery_code.banner.error=Please reveal your new code to be able to continue.
 recovery_code.instruction=Recovery codes help you gain access to your account in case you lost all of your login factors. Please store the recovery code in a safe place.
 recovery_code.newRecoveryCode=Introducing Recovery Code
@@ -215,10 +240,8 @@ recovery_fidokey_auth.instruction2=Please use !!!SECURITY_KEY_NAME!!! to follow
 recovery_fidokey_auth.keyRegistered=Security key already registered
 recovery_intro_email.banner.error=The link you used has expired. Please enter your email address to receive a new link.
 recovery_intro_email.banner.info=Please enter your email address, so we can send you a link to start the recovery process.
-recovery_intro_email.captchaUnchecked=Please tick the captcha field
 recovery_intro_email.important=Important:
 recovery_intro_email.process=The recovery process should only be used if you have lost access to your login factors (deleted AGOV access app, lost security key, lost phone, etc.).
-recovery_intro_email.siteProtectedWithRecaptcha=This site is protected by reCAPTCHA and the <a class='link' href='https://policies.google.com/privacy' target='_blank'>Google Privacy Policy</a> and <a class='link' href='https://policies.google.com/terms' target='_blank'>Terms of Service</a> apply.
 recovery_intro_email_sent.banner.button=Didn't receive the email?
 recovery_intro_email_sent.banner.success=Thank you! You will receive an email with a recovery link and instructions shortly.
 recovery_on_going.finishRecovery=Finish recovery
@@ -233,13 +256,13 @@ recovery_questionnaire_loginfactor.no=No
 recovery_questionnaire_loginfactor.question=Have you registered more than one login factor (AGOV access app or security key) to your account?
 recovery_questionnaire_loginfactor.yes=Yes
 recovery_questionnaire_no_recovery.explanation1=Based on your answers, the AGOV recovery option does not seem necessary right now.
-recovery_questionnaire_no_recovery.explanation2=Should you need further information, please visit <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> for support articles.
-recovery_questionnaire_no_recovery.instruction1=If you have issues logging in to an application, please visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> and test if you can log in successfully.
-recovery_questionnaire_no_recovery.instruction2=If you have several login factors registered but lost access to one of them, please visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> to remove the one you have lost access to.
+recovery_questionnaire_no_recovery.explanation2=Should you need further information, please visit <a class='link' href='https://agov.ch/help' target='_blank'>https://agov.ch/help</a> for support articles.
+recovery_questionnaire_no_recovery.instruction1=If you have issues logging in to an application, please visit <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> and test if you can log in successfully.
+recovery_questionnaire_no_recovery.instruction2=If you have several login factors registered but lost access to one of them, please visit <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> to remove the one you have lost access to.
 recovery_questionnaire_reason_selection.answer1=I have trouble logging in, even though I have my app / security key
 recovery_questionnaire_reason_selection.answer10=I lost one of my login factors (AGOV access app or security key)
 recovery_questionnaire_reason_selection.answer2=I was unable to finish my registration
-recovery_questionnaire_reason_selection.answer3=I have deleted or reset my AGOV access app
+recovery_questionnaire_reason_selection.answer3=I have deleted, reinstalled, or reset my AGOV access app
 recovery_questionnaire_reason_selection.answer4=I have lost my phone / security key
 recovery_questionnaire_reason_selection.answer5=I have a new phone and forgot to transfer my AGOV access app
 recovery_questionnaire_reason_selection.answer6=I forgot my PIN for the AGOV access app

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_de.properties

@@ -40,7 +40,7 @@ fido2_auth.instruction2=Ein Authentifizierungsfenster wird erscheinen
 fido2_auth.instruction3=Folgen Sie den Anweisungen
 fido2_auth.skipInstructions=Anweisungen nächstes Mal überspringen
 fido2_auth.switchLogin=WECHSEL ZU LOGIN MIT
-footer.link=https://agov.ch/?c=contact&l=de
+footer.link=https://agov.ch
 footer.link.label=Kontakt
 footer.text=Authentifizierungsdienst der Schweizer Behörden AGOV – eine Zusammenarbeit zwischen den Kantonen, deren Gemeinden und der Bundesverwaltung. -
 general.AGOVAccessApp=AGOV access App
@@ -53,24 +53,33 @@ general.contactSupport=Support kontaktieren
 general.continue=Weiter
 general.edit=Ändern
 general.email=E-Mail
-general.email.address=E-Mailadresse
+general.email.address=E-Mail-Adresse
 general.entryCode=Code-Eingabe
-general.getStarted=Get started
+general.fieldRequired=Erforderliches Feld.
+general.getStarted=Los geht's
 general.goAGOVHelp=Weiter zur AGOV help
 general.goAccessApp=Login mit AGOV access
 general.help=Hilfe
-general.help.link=https://agov.ch/pages/help_de.html
+general.help.link=https://agov.ch/help
 general.login=Login
 general.loginSecurityKey=Sicherheitsschlüssel-Login starten
 general.or=ODER
 general.otherOptions=WEITERE OPTIONEN
 general.recovery=Wiederherstellung
+general.recovery.help.link=https://help.agov.ch/?c=100recovery
+general.recoveryCode.downloadPdf=Als PDF herunterladen
+general.recoveryCode.inputLabel=Wiederherstellungscode
+general.recoveryCode.repeatCodeError=Der von Ihnen eingegebene Code war nicht korrekt. Bitte vergewissern Sie sich, dass Sie ihn richtig abgespeichert haben, und fahren Sie dann mit der erneuten Eingabe fort.
+general.recoveryCode.repeatCodeModal.description=Ein verlorener oder falsch gespeicherter Wiederherstellungscode kann die Wiederherstellung Ihres Kontos erschweren. Um sicherzustellen, dass Sie Ihren Code richtig gespeichert haben, wiederholen Sie ihn bitte unten.
+general.recoveryCode.repeatCodeModal.title=Wiederherstellungscode wiederholen
+general.recoveryCode.reveal=Wiederherstellungscode enthüllen
 general.recoveryOngoing=Wiederherstellung nicht abgeschlossen
 general.register=Registrieren
 general.registerNow=Jetzt registrieren!
 general.registration=Registrierung
 general.securityKey=Sicherheitsschlüssel
 general.skip.content=Direkt zum Hauptteil
+general.wrongPhoneNumber=Bitte geben Sie eine gültige Telefonnummer ein
 generic.auth.error.message=Es gab eine Service-Unterbrechung. Wir arbeiten daran.
 generic.auth.error.next.steps=Versuchen Sie es bitte später noch einmal. Bitte besuchen Sie die AGOV-Hilfe, wenn das Problem weiterhin besteht.
 generic.auth.error.subtitle=Etwas ist schiefgegangen
@@ -87,7 +96,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sprache wählen
 loainfo.description.200=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben verifizieren. Der Vorgang kann bis zu 2 - 3 Tage dauern.
 loainfo.description.300=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben durch einen von zwei Vorgängen verifizieren. Sie können die bevorzugte Methode im nächsten Schritt auswählen.
-loainfo.description.400=Für den Zugang zu dieser Anwendung müssen Sie Ihre AHV-Nummer angeben.
+loainfo.description.400=Bitte AHV-Nummer angeben, um auf die Applikation zuzugreifen.
 loainfo.helper=Ihre persönlichen Daten müssen überprüft werden!
 loainfo.later=Später
 loainfo.startNow=Möchten Sie den Prozess jetzt starten?
@@ -185,13 +194,27 @@ prompt.newpassword=Neues Passwort
 prompt.newpassword.confirm=Passwort bestätigen
 prompt.password=Passwort
 prompt.userid=Benutzer-ID
+providePhoneNumber.banner=Die Mobilnummer muss f&uuml;r den Empfang von SMS geeignet sein.<br>Diese Mobilnummer wird nicht verwendet, um Sie zu kontaktieren.
+providePhoneNumber.description=AGOV erlaubt nun die Wiederherstellung mittels Mobilnummer. So k&ouml;nnen Sie w&auml;hrend der Wiederherstellung mit einer SMS fortfahren, wenn Sie Ihren Wiederherstellungscode verloren haben.
+providePhoneNumber.errorBanner=Die Mobilnummern stimmen nicht &uuml;berein. Bitte versuchen Sie es erneut.
+providePhoneNumber.inputLabel=Mobilnummer (optional)
+providePhoneNumber.laterModal.description1=Ohne Mobilnummer kann die Wiederherstellung Ihres Kontos bis zu 4 Tage dauern, wenn Sie Ihren Wiederherstellungscode verlieren.
+providePhoneNumber.laterModal.description2=Durch Hinzuf&uuml;gen einer Mobilnummer k&ouml;nnen Sie Ihr Konto in wenigen Minuten wiederherstellen.
+providePhoneNumber.laterModal.description3=Diese Mobilnummer wird nicht verwendet, um Sie zu kontaktieren.
+providePhoneNumber.laterModal.title=Ohne Mobilnummer weiterfahren?
+providePhoneNumber.modal.description=Eine falsch gespeicherte Mobilnummer kann die Wiederherstellung Ihres Kontos erschweren. Um sicherzustellen, dass Sie Ihre Mobilnummer richtig gespeichert haben, wiederholen Sie sie bitte unten.
+providePhoneNumber.modal.inputLabel=Mobilnummer
+providePhoneNumber.modal.title=Mobilnummer wiederholen
+providePhoneNumber.saveButtonText=Speichern
+providePhoneNumber.title=Mobilnummer angeben
 pwreset.done.info=Ihr Passwort wurde erfolgreich ge&auml;ndert. Bitte klicken Sie auf Weiter, um sich einzuloggen.
 pwreset.email.sent=Wenn Ihre Benutzer-ID existiert, haben Sie eine E-Mail erhalten, um Ihr Passwort zurückzusetzen..
 pwreset.info.linktext=Passwort vergessen
 pwreset.noticket=Ihr Link ist nicht mehr g&uuml;ltig. Bitte generieren Sie ein Neuen.
 recovery_accessapp_auth.accessAppRegistered=AGOV access app schon registriert
 recovery_accessapp_auth.instruction1=Sie haben bereits eine neue AGOV access App !!!ACCESS_APP_NAME!!! im Rahmen des Wiederherstellungsprozesses registriert.
-recovery_accessapp_auth.instruction2=Verwenden Sie !!!ACCESS_APP_NAME!!! um Sie zu identifizieren.
+recovery_accessapp_auth.instruction2=Verwenden Sie !!!ACCESS_APP_NAME!!! um sich zu identifizieren.
+recovery_check_code.banner.lockedError=Zu viele Fehlversuche. Bitte versuchen Sie es in ein paar Minuten noch einmal.
 recovery_check_code.codeIncorrect=Der eingegebene Code ist nicht korrekt. Bitte versuchen Sie es erneut.
 recovery_check_code.enterRecoveryCode=Wiederherstellungscode eingeben
 recovery_check_code.instruction=Bitte geben Sie unten Ihren pers&ouml;nlichen 12-stelligen Wiederherstellungscode ein. Sie haben den Wiederherstellungscode in einer PDF-Datei bei der Registrierung oder in AGOV me erhalten.
@@ -201,9 +224,11 @@ recovery_check_code.invalid.code.tooLong=Eingegebener Code ist zu lang
 recovery_check_code.noAccess=Ich kann auf meinen Code nicht zugreifen
 recovery_check_code.noCodeAccess=Sind Sie sicher, dass Sie auf Ihren Wiederherstellungscode nicht zugreifen k&ouml;nnen?
 recovery_check_code.noCodeAccessInstructions=Wenn Sie auf Ihren Wiederherstellungscode nicht mehr zugreifen k&ouml;nnen, gehen Sie bitte zur AGOV-Hilfe, um jemanden vom AGOV-Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterst&uuml;tzen.
-recovery_check_noCode.banner.error=Zu viele Versuche oder Ihr Wiederherstellungscode ist abgelaufen.
-recovery_check_noCode.instruction1=Der von Ihnen eingegebene Wiederherstellungscode ist m&ouml;glicherweise abgelaufen oder Sie haben zu oft versucht, einen Code einzugeben.
-recovery_check_noCode.instruction2=Gehen Sie bitte zur AGOV-Hilfe, um jemanden vom Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterst&uuml;tzen.
+recovery_check_code.too_many_tries.instruction1=Der von Ihnen eingegebene Wiederherstellungscode ist m&ouml;glicherweise abgelaufen oder Sie haben zu oft versucht, einen Code einzugeben.
+recovery_check_code.too_many_tries.instruction2=Gehen Sie bitte zur AGOV-Hilfe, um jemanden vom Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterst&uuml;tzen.
+recovery_check_noCode.banner.error=Zu viele Versuche.
+recovery_check_noCode.instruction1=M&ouml;glicherweise haben Sie zu oft versucht, den Wiederherstellungscode einzugeben.
+recovery_check_noCode.instruction2=Bitte schliessen Sie den Webbrowser und starten Sie die Kontowiederherstellung in zehn Minuten erneut auf <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.
 recovery_code.banner.error=Bitte enth&uuml;llen Sie den Code, um fortfahren zu k&ouml;nnen.
 recovery_code.instruction=Der Wiederherstellungscode hilft Ihnen, Zugriff auf Ihr AGOV-Login zu erhalten, falls Sie alle Ihre Login-Faktoren verloren haben. Bitte bewahren Sie den Wiederherstellungscode an einem sicheren Ort auf.
 recovery_code.newRecoveryCode=Einf&uuml;hrung von Wiederherstellungscode
@@ -211,14 +236,12 @@ recovery_code.validUntil=G&uuml;ltig bis:
 recovery_fidokey_auth.button=Schl&uuml;sselauthentifizierung starten
 recovery_fidokey_auth.fidoInstruction=Klicken Sie auf "Schl&uuml;sselauthentifizierung starten"
 recovery_fidokey_auth.instruction1=Sie haben bereits einen neuen Sicherheitsschl&uuml;ssel !!!SECURITY_KEY_NAME!!! im Rahmen des Wiederherstellungsprozesses registriert.
-recovery_fidokey_auth.instruction2=Bitte verwenden Sie !!!SECURITY_KEY_NAME!!! und befolgen Sie die untenstehenden Schritte, um Sie zu identifizieren.
+recovery_fidokey_auth.instruction2=Bitte verwenden Sie !!!SECURITY_KEY_NAME!!! und befolgen Sie die untenstehenden Schritte, um sich zu identifizieren.
 recovery_fidokey_auth.keyRegistered=Sicherheitsschl&uuml;ssel schon registriert
 recovery_intro_email.banner.error=Der von Ihnen verwendete Link ist abgelaufen. Bitte geben Sie Ihre E-Mail-Adresse ein, um einen neuen Link zu erhalten.
 recovery_intro_email.banner.info=Bitte geben Sie Ihre E-Mail-Adresse ein, damit wir Ihnen einen Link schicken k&ouml;nnen, mit dem Sie den Wiederherstellungsprozess starten.
-recovery_intro_email.captchaUnchecked=Bitte kreuzen Sie das Captcha-Feld an
 recovery_intro_email.important=Wichtig:
 recovery_intro_email.process=Der Wiederherstellungsprozess sollte nur verwendet werden, wenn Sie den Zugriff auf Ihre Login-Faktoren verloren haben (gel&ouml;schte AGOV access App, verlorener Sicherheitsschl&uuml;ssel, verlorenes Telefon usw.).
-recovery_intro_email.siteProtectedWithRecaptcha=Diese Seite ist durch reCAPTCHA gesch&uuml;tzt, und es gelten die <a class='link' href='https://policies.google.com/privacy' target='_blank'>Datenschutzerkl&auml;rung</a> sowie die <a class='link' href='https://policies.google.com/terms' target='_blank'>Nutzungsbedingungen</a> von Google.
 recovery_intro_email_sent.banner.button=Keine E-Mail erhalten?
 recovery_intro_email_sent.banner.success=Vielen Dank! Sie werden in K&uuml;rze eine E-Mail mit einem Wiederherstellungslink und Anweisungen erhalten.
 recovery_on_going.finishRecovery=Wiederherstellung abschliessen
@@ -233,13 +256,13 @@ recovery_questionnaire_loginfactor.no=Nein
 recovery_questionnaire_loginfactor.question=Haben Sie mehr als einen Loginfaktor (AGOV Access App oder Sicherheitsschl&uuml;ssel) f&uuml;r Ihren AGOV-Login registriert?
 recovery_questionnaire_loginfactor.yes=Ja
 recovery_questionnaire_no_recovery.explanation1=Ausgehend von Ihren Antworten scheint eine Wiederherstellung Ihres AGOV-Logins im Moment nicht notwendig zu sein.
-recovery_questionnaire_no_recovery.explanation2=Falls Sie weitere Informationen ben&ouml;tigen, besuchen Sie bitte <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> f&uuml;r Support-Artikel.
-recovery_questionnaire_no_recovery.instruction1=Wenn Sie Probleme haben, sich bei einer Anwendung anzumelden, besuchen Sie bitte <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> und testen Sie, ob Sie sich erfolgreich anmelden k&ouml;nnen.
-recovery_questionnaire_no_recovery.instruction2=Wenn Sie mehrere Loginfaktoren registriert haben, aber den Zugriff zu einem von ihnen verloren haben, besuchen Sie bitte <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a>, um den verlorenen Loginfaktor zu entfernen.
+recovery_questionnaire_no_recovery.explanation2=Falls Sie weitere Informationen ben&ouml;tigen, besuchen Sie bitte <a class='link' href='https://agov.ch/help' target='_blank'>https://agov.ch/help</a> f&uuml;r Support-Artikel.
+recovery_questionnaire_no_recovery.instruction1=Wenn Sie Probleme haben, sich bei einer Anwendung anzumelden, besuchen Sie bitte <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> und testen Sie, ob Sie sich erfolgreich anmelden k&ouml;nnen.
+recovery_questionnaire_no_recovery.instruction2=Wenn Sie mehrere Loginfaktoren registriert haben, aber den Zugriff zu einem von ihnen verloren haben, besuchen Sie bitte <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a>, um den verlorenen Loginfaktor zu entfernen.
 recovery_questionnaire_reason_selection.answer1=Ich habe Probleme mich anzumelden, obwohl ich meine App / meinen Sicherheitsschl&uuml;ssel habe
 recovery_questionnaire_reason_selection.answer10=Ich habe einen meiner Loginfaktoren verloren (AGOV access App oder Sicherheitsschl&uuml;ssel)
 recovery_questionnaire_reason_selection.answer2=Ich konnte meine Registrierung nicht abschliessen
-recovery_questionnaire_reason_selection.answer3=Ich habe meine AGOV access App gel&ouml;scht oder zur&uuml;ckgesetzt
+recovery_questionnaire_reason_selection.answer3=Ich habe meine AGOV access App gel&ouml;scht, neu installiert oder zur&uuml;ckgesetzt
 recovery_questionnaire_reason_selection.answer4=Ich habe mein Telefon / Sicherheitsschl&uuml;ssel verloren
 recovery_questionnaire_reason_selection.answer5=Ich habe ein neues Telefon und habe vergessen, meine AGOV access App zu &uuml;bertragen
 recovery_questionnaire_reason_selection.answer6=Ich habe die PIN f&uuml;r meine AGOV access App vergessen

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_en.properties

@@ -40,7 +40,7 @@ fido2_auth.instruction2=An authentication window will appear
 fido2_auth.instruction3=Follow the instructions
 fido2_auth.skipInstructions=Skip instructions next time
 fido2_auth.switchLogin=SWITCH TO LOGIN WITH
-footer.link=https://agov.ch/?c=contact&l=en
+footer.link=https://agov.ch
 footer.link.label=Contact
 footer.text=Authentication service of Swiss authorities AGOV - a collaboration between cantons, their municipalities, and the federal administration. -
 general.AGOVAccessApp=AGOV access app
@@ -55,22 +55,31 @@ general.edit=Edit
 general.email=Email
 general.email.address=Email address
 general.entryCode=Code entry
+general.fieldRequired=Field required.
 general.getStarted=Get started
 general.goAGOVHelp=Go to AGOV help
 general.goAccessApp=Login with AGOV access
 general.help=Help
-general.help.link=https://agov.ch/pages/help_en.html
+general.help.link=https://agov.ch/help
 general.login=Login
 general.loginSecurityKey=Start Security key login
 general.or=OR
 general.otherOptions=OTHER OPTIONS
 general.recovery=Recovery
+general.recovery.help.link=https://help.agov.ch/?c=100recovery
+general.recoveryCode.downloadPdf=Download as PDF
+general.recoveryCode.inputLabel=Recovery code
+general.recoveryCode.repeatCodeError=The code you entered was incorrect. Please ensure you have stored it correctly, then continue to resubmit.
+general.recoveryCode.repeatCodeModal.description=A lost or incorrectly stored recovery code can make it more difficult to recover your account. To ensure you have recorded your code correctly, please repeat it below.
+general.recoveryCode.repeatCodeModal.title=Repeat recovery code
+general.recoveryCode.reveal=Reveal recovery code
 general.recoveryOngoing=Ongoing recovery
 general.register=Register
 general.registerNow=Register now!
 general.registration=Registration
 general.securityKey=Security key
 general.skip.content=Skip to main content
+general.wrongPhoneNumber=Please enter a valid phone number
 generic.auth.error.message=There was a service interruption. We are working on it.
 generic.auth.error.next.steps=Please try again later. Please consult AGOV help if the problem persists.
 generic.auth.error.subtitle=Something went wrong
@@ -87,7 +96,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -185,6 +194,19 @@ prompt.newpassword=New Password
 prompt.newpassword.confirm=Confirm Password
 prompt.password=Password
 prompt.userid=User-ID
+providePhoneNumber.banner=Phone number must be able to receive SMS.<br>This phone number will not be used to contact you.
+providePhoneNumber.description=AGOV now supports recovery with your phone number. This will allow you to continue with an SMS during recovery if you have lost access to your recovery code.
+providePhoneNumber.errorBanner=Phone numbers do not match. Please try again.
+providePhoneNumber.inputLabel=Phone number (optional)
+providePhoneNumber.laterModal.description1=Without a phone number, a recovery of your account might take up to 4 days if you lose access to your recovery code.
+providePhoneNumber.laterModal.description2=Adding a phone number helps you to recover your account in a matter of minutes.
+providePhoneNumber.laterModal.description3=This phone number will not be used to contact you.
+providePhoneNumber.laterModal.title=Continue without a phone number?
+providePhoneNumber.modal.description=An incorrectly stored phone number can make it more difficult to recover your account. To ensure you have recorded your phone number correctly, please repeat it below.
+providePhoneNumber.modal.inputLabel=Phone number
+providePhoneNumber.modal.title=Repeat phone number
+providePhoneNumber.saveButtonText=Save
+providePhoneNumber.title=Add phone number
 pwreset.done.info=Your password was successfully changed. Please click on continue to log in.
 pwreset.email.sent=If your user ID exists, an email to reset your password has been sent to you.
 pwreset.info.linktext=Password forgotten
@@ -192,6 +214,7 @@ pwreset.noticket=Your password reset link is no longer valid. Please generate a
 recovery_accessapp_auth.accessAppRegistered=AGOV access app already registered
 recovery_accessapp_auth.instruction1=You have already registered a new AGOV access app !!!ACCESS_APP_NAME!!! as part of the recovery process.
 recovery_accessapp_auth.instruction2=Please use !!!ACCESS_APP_NAME!!! to identify you.
+recovery_check_code.banner.lockedError=Too many invalid input attempts. Please try again in a few minutes.
 recovery_check_code.codeIncorrect=Code entered is incorrect. Please try again.
 recovery_check_code.enterRecoveryCode=Enter recovery code
 recovery_check_code.instruction=Please enter below your personal 12-digit recovery code. You will have received the recovery code as a PDF file during registration or in AGOV me.
@@ -201,9 +224,11 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
-recovery_check_noCode.banner.error=Too many attempts or your recovery code has expired.
-recovery_check_noCode.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
-recovery_check_noCode.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
+recovery_check_noCode.banner.error=Too many attempts.
+recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
+recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.
 recovery_code.banner.error=Please reveal your new code to be able to continue.
 recovery_code.instruction=Recovery codes help you gain access to your account in case you lost all of your login factors. Please store the recovery code in a safe place.
 recovery_code.newRecoveryCode=Introducing Recovery Code
@@ -215,10 +240,8 @@ recovery_fidokey_auth.instruction2=Please use !!!SECURITY_KEY_NAME!!! to follow
 recovery_fidokey_auth.keyRegistered=Security key already registered
 recovery_intro_email.banner.error=The link you used has expired. Please enter your email address to receive a new link.
 recovery_intro_email.banner.info=Please enter your email address, so we can send you a link to start the recovery process.
-recovery_intro_email.captchaUnchecked=Please tick the captcha field
 recovery_intro_email.important=Important:
 recovery_intro_email.process=The recovery process should only be used if you have lost access to your login factors (deleted AGOV access app, lost security key, lost phone, etc.).
-recovery_intro_email.siteProtectedWithRecaptcha=This site is protected by reCAPTCHA and the <a class='link' href='https://policies.google.com/privacy' target='_blank'>Google Privacy Policy</a> and <a class='link' href='https://policies.google.com/terms' target='_blank'>Terms of Service</a> apply.
 recovery_intro_email_sent.banner.button=Didn't receive the email?
 recovery_intro_email_sent.banner.success=Thank you! You will receive an email with a recovery link and instructions shortly.
 recovery_on_going.finishRecovery=Finish recovery
@@ -233,13 +256,13 @@ recovery_questionnaire_loginfactor.no=No
 recovery_questionnaire_loginfactor.question=Have you registered more than one login factor (AGOV access app or security key) to your account?
 recovery_questionnaire_loginfactor.yes=Yes
 recovery_questionnaire_no_recovery.explanation1=Based on your answers, the AGOV recovery option does not seem necessary right now.
-recovery_questionnaire_no_recovery.explanation2=Should you need further information, please visit <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> for support articles.
-recovery_questionnaire_no_recovery.instruction1=If you have issues logging in to an application, please visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> and test if you can log in successfully.
-recovery_questionnaire_no_recovery.instruction2=If you have several login factors registered but lost access to one of them, please visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> to remove the one you have lost access to.
+recovery_questionnaire_no_recovery.explanation2=Should you need further information, please visit <a class='link' href='https://agov.ch/help' target='_blank'>https://agov.ch/help</a> for support articles.
+recovery_questionnaire_no_recovery.instruction1=If you have issues logging in to an application, please visit <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> and test if you can log in successfully.
+recovery_questionnaire_no_recovery.instruction2=If you have several login factors registered but lost access to one of them, please visit <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> to remove the one you have lost access to.
 recovery_questionnaire_reason_selection.answer1=I have trouble logging in, even though I have my app / security key
 recovery_questionnaire_reason_selection.answer10=I lost one of my login factors (AGOV access app or security key)
 recovery_questionnaire_reason_selection.answer2=I was unable to finish my registration
-recovery_questionnaire_reason_selection.answer3=I have deleted or reset my AGOV access app
+recovery_questionnaire_reason_selection.answer3=I have deleted, reinstalled, or reset my AGOV access app
 recovery_questionnaire_reason_selection.answer4=I have lost my phone / security key
 recovery_questionnaire_reason_selection.answer5=I have a new phone and forgot to transfer my AGOV access app
 recovery_questionnaire_reason_selection.answer6=I forgot my PIN for the AGOV access app

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_fr.properties

@@ -40,7 +40,7 @@ fido2_auth.instruction2=Une fenêtre d'authentification s'affichera
 fido2_auth.instruction3=Suivez les instructions
 fido2_auth.skipInstructions=Passer les instructions la fois suivante
 fido2_auth.switchLogin=S'AUTHENTIFIER AVEC
-footer.link=https://agov.ch/?c=contact&l=fr
+footer.link=https://agov.ch
 footer.link.label=Contact
 footer.text=Service d'authentification des autorités suisses AGOV - une collaboration entre les cantons, leurs communes et l'administration fédérale. -
 general.AGOVAccessApp=Application AGOV access
@@ -55,22 +55,31 @@ general.edit=Editer
 general.email=E-mail
 general.email.address=Adresse e-mail
 general.entryCode=Entrer le code
+general.fieldRequired=Champ requis.
 general.getStarted=Démarrer
 general.goAGOVHelp=Rendez-vous sur AGOV help
 general.goAccessApp=Login avec AGOV access
 general.help=Aide
-general.help.link=https://agov.ch/pages/help_fr.html
+general.help.link=https://agov.ch/help
 general.login=Login
 general.loginSecurityKey=Démarrer la connexion avec la clé de sécurité
 general.or=OU
 general.otherOptions=AUTRES OPTIONS
 general.recovery=Récupération
+general.recovery.help.link=https://help.agov.ch/?c=100recovery
+general.recoveryCode.downloadPdf=Télécharger en format PDF
+general.recoveryCode.inputLabel=Code de récupération
+general.recoveryCode.repeatCodeError=Le code que vous avez saisi est incorrect. Veuillez vous assurer que vous l'avez enregistré correctement, puis essayer de le soumettre à nouveau.
+general.recoveryCode.repeatCodeModal.description=Un code de récupération perdu ou mal enregistré peut rendre la récupération de votre compte plus difficile. Pour vous assurer que vous avez correctement enregistré votre code, veuillez le répéter ci-dessous.
+general.recoveryCode.repeatCodeModal.title=Répéter le code de récupération
+general.recoveryCode.reveal=Révéler le code de récupération
 general.recoveryOngoing=Récupération en cours
 general.register=Créer un compte
 general.registerNow=Enregistrez-vous dès maintenant!
 general.registration=Enregistrement
 general.securityKey=Clé de sécurité
 general.skip.content=Passer au contenu principal
+general.wrongPhoneNumber=Veuillez saisir un numéro de téléphone valable
 generic.auth.error.message=Une interruption de service s’est produite. Nous nous employons à résoudre le problème.
 generic.auth.error.next.steps=Veuillez réessayer plus tard. Veuillez vous rendre sur AGOV help si le problème persiste.
 generic.auth.error.subtitle=Un problème s’est produit
@@ -87,7 +96,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sélectionner la langue
 loainfo.description.200=Pour accéder à l'application, nous devons vérifier vos données. Ce processus peut prendre jusqu'à 2 ou 3 jours.
 loainfo.description.300=Pour accéder à l'application, nous devons vérifier vos données par le biais de l'une des deux procédures suivantes. Vous pouvez choisir la procédure que vous préférez à l'étape suivante.
-loainfo.description.400=Pour accéder à l'application, vous devez ajouter votre numéro AVS.
+loainfo.description.400=Veuillez saisir votre numéro AVS pour accéder à l'application.
 loainfo.helper=Vos données doivent être vérifiées!
 loainfo.later=Plus tard
 loainfo.startNow=Voulez-vous commencer le processus maintenant?
@@ -185,6 +194,19 @@ prompt.newpassword=Nouveau mot de passe
 prompt.newpassword.confirm=Confirmez le mot de passe
 prompt.password=Mot de passe
 prompt.userid=ID de l'utilisateur
+providePhoneNumber.banner=Ce num&eacute;ro de t&eacute;l&eacute;phone doit pouvoir recevoir des SMS.<br>Ce num&eacute;ro de t&eacute;l&eacute;phone ne sera pas utilis&eacute; pour vous contacter.
+providePhoneNumber.description=AGOV prend d&eacute;sormais en charge la r&eacute;cup&eacute;ration avec votre num&eacute;ro de t&eacute;l&eacute;phone. Cela vous permettra de vous envoyer un SMS pendant la r&eacute;cup&eacute;ration si vous avez perdu l'acc&egrave;s &agrave; votre code de r&eacute;cup&eacute;ration.
+providePhoneNumber.errorBanner=Les num&eacute;ros de t&eacute;l&eacute;phone fournies ne correspondent pas. Veuillez r&eacute;essayer.
+providePhoneNumber.inputLabel=Num&eacute;ro de t&eacute;l&eacute;phone (facultatif)
+providePhoneNumber.laterModal.description1=Sans num&eacute;ro de t&eacute;l&eacute;phone, la r&eacute;cup&eacute;ration de votre compte peut prendre jusqu'&agrave; 4 jours si vous perdez l'acc&egrave;s &agrave; votre code de r&eacute;cup&eacute;ration.
+providePhoneNumber.laterModal.description2=Ajouter un num&eacute;ro de t&eacute;l&eacute;phone vous permet de r&eacute;cup&eacute;rer votre compte en quelques minutes.
+providePhoneNumber.laterModal.description3=Ce num&eacute;ro de t&eacute;l&eacute;phone ne sera pas utilis&eacute; pour vous contacter.
+providePhoneNumber.laterModal.title=Continuer sans num&eacute;ro de t&eacute;l&eacute;phone ?
+providePhoneNumber.modal.description=Un num&eacute;ro de t&eacute;l&eacute;phone mal enregistr&eacute; peut rendre plus difficile la r&eacute;cup&eacute;ration de votre compte. Pour vous assurer que vous avez correctement enregistr&eacute; votre num&eacute;ro de t&eacute;l&eacute;phone, veuillez le r&eacute;p&eacute;ter ci-dessous.
+providePhoneNumber.modal.inputLabel=Num&eacute;ro de t&eacute;l&eacute;phone
+providePhoneNumber.modal.title=R&eacute;p&eacute;ter votre num&eacute;ro de t&eacute;l&eacute;phone
+providePhoneNumber.saveButtonText=Sauvegarder
+providePhoneNumber.title=Ajouter le num&eacute;ro de t&eacute;l&eacute;phone
 pwreset.done.info=Votre mot de passe a &eacute;t&eacute; chang&eacute avec succ&egrave;s. Veuillez cliquer sur continuer pour vous connecter.
 pwreset.email.sent=Si votre identifiant n'existe pas, vous avez reçu un courriel pour réinitialiser votre mot de passe.
 pwreset.info.linktext=Mot de passe oublié
@@ -192,6 +214,7 @@ pwreset.noticket=Votre lien n&apos;est plus valide. Veuillez en g&eacute;n&eacut
 recovery_accessapp_auth.accessAppRegistered=L'application AGOV access est d&eacute;j&agrave; enregistr&eacute;e
 recovery_accessapp_auth.instruction1=Vous avez d&eacute;j&agrave; enregistr&eacute; une nouvelle AGOV access app !!!ACCESS_APP_NAME!!! dans le cadre du processus de r&eacute;cup&eacute;ration.
 recovery_accessapp_auth.instruction2=Veuillez utiliser !!!ACCESS_APP_NAME!!! pour vous identifier.
+recovery_check_code.banner.lockedError=Trop de saisies erron&eacute;es. Veuillez r&eacute;essayer dans quelques minutes.
 recovery_check_code.codeIncorrect=Le code saisi est incorrect. Veuillez r&eacute;essayer.
 recovery_check_code.enterRecoveryCode=Saisir le code de r&eacute;cup&eacute;ration
 recovery_check_code.instruction=Veuillez saisir votre code de r&eacute;cup&eacute;ration &agrave; douze chiffres. Lors de votre inscription, vous avez re&ccedil;u le code de r&eacute;cup&eacute;ration sous la forme d&rsquo;un fichier PDF ou dans AGOV me.
@@ -201,9 +224,11 @@ recovery_check_code.invalid.code.tooLong=Le code est trop long
 recovery_check_code.noAccess=Je n&rsquo;ai pas acc&egrave;s &agrave; mon code de r&eacute;cup&eacute;ration
 recovery_check_code.noCodeAccess=&Ecirc;tes-vous s&ucirc;r de ne pas avoir acc&egrave;s &agrave; votre code de r&eacute;cup&eacute;ration ?
 recovery_check_code.noCodeAccessInstructions=En cas de perte de votre code de r&eacute;cup&eacute;ration, veuillez vous rendre sur AGOV help et contacter le service d&rsquo;assistance AGOV. Un agent pourra vous aider dans le processus de r&eacute;cup&eacute;ration.
-recovery_check_noCode.banner.error=Trop de tentatives ou expiration de votre code de r&eacute;cup&eacute;ration.
-recovery_check_noCode.instruction1=Le code de r&eacute;cup&eacute;ration que vous avez saisi a peut-&ecirc;tre expir&eacute; ou vous avez peut-&ecirc;tre essay&eacute; de le saisir trop de fois.
-recovery_check_noCode.instruction2=Veuillez vous rendre sur AGOV help et contacter le service d&rsquo;assistance. Un agent pourra vous aider dans le processus de r&eacute;cup&eacute;ration.
+recovery_check_code.too_many_tries.instruction1=Le code de r&eacute;cup&eacute;ration que vous avez saisi a peut-&ecirc;tre expir&eacute; ou vous avez peut-&ecirc;tre essay&eacute; de le saisir trop de fois.
+recovery_check_code.too_many_tries.instruction2=Veuillez vous rendre sur AGOV help et contacter le service d&rsquo;assistance. Un agent pourra vous aider dans le processus de r&eacute;cup&eacute;ration.
+recovery_check_noCode.banner.error=Trop de tentatives.
+recovery_check_noCode.instruction1=Vous avez peut-&ecirc;tre essay&eacute; de saisir le code de r&eacute;cup&eacute;ration trop de fois.
+recovery_check_noCode.instruction2=Veuillez fermer le navigateur web et recommencer la r&eacute;cup&eacute;ration du compte dans dix minutes &agrave; partir de <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.
 recovery_code.banner.error=Veuillez indiquer votre nouveau code pour pouvoir continuer.
 recovery_code.instruction=Les codes de r&eacute;cup&eacute;ration vous permettent d'acc&eacute;der &agrave; votre compte au cas o&ugrave; vous auriez perdu tous vos identifiants. Conservez le code de r&eacute;cup&eacute;ration en lieu s&ucirc;r.
 recovery_code.newRecoveryCode=Introduction du code de r&eacute;cup&eacute;ration
@@ -215,10 +240,8 @@ recovery_fidokey_auth.instruction2=Veuillez utiliser !!!SECURITY_KEY_NAME!!! pou
 recovery_fidokey_auth.keyRegistered=Cl&eacute; de s&eacute;curit&eacute; d&eacute;j&agrave; enregistr&eacute;e
 recovery_intro_email.banner.error=Le lien que vous avez utilis&eacute; a expir&eacute;. Veuillez saisir votre adresse e-mail pour recevoir un nouveau lien.
 recovery_intro_email.banner.info=Veuillez saisir votre adresse e-mail. Nous vous enverrons un e-mail vous permettant de d&eacute;marrer le processus de r&eacute;cup&eacute;ration.
-recovery_intro_email.captchaUnchecked=Veuillez cocher la case captcha
 recovery_intro_email.important=Important:
 recovery_intro_email.process=Le processus de r&eacute;cup&eacute;ration ne doit &ecirc;tre utilis&eacute; que si vous avez perdu l'acc&egrave;s &agrave; vos facteurs de connexion (application AGOV access supprim&eacute;e, cl&eacute; de s&eacute;curit&eacute; perdue, t&eacute;l&eacute;phone perdu, etc.).
-recovery_intro_email.siteProtectedWithRecaptcha=Ce site est prot&eacute;g&eacute; par reCAPTCHA: les <a class=&rsquo;link&rsquo; href=&rsquo;https://policies.google.com/privacy&rsquo; target=&rsquo;_blank&rsquo;>r&egrave;gles de confidentialit&eacute;</a> et <a class=&rsquo;link&rsquo; href=&rsquo;https://policies.google.com/terms&rsquo; target=&rsquo;_blank&rsquo;>conditions d&rsquo;utilisation</a> de Google s&rsquo;appliquent.
 recovery_intro_email_sent.banner.button=Vous n&rsquo;avez pas re&ccedil;u l'email?
 recovery_intro_email_sent.banner.success=Merci! Vous recevrez dans un instant un e-mail contenant un lien de r&eacute;cup&eacute;ration et des instructions.
 recovery_on_going.finishRecovery=Terminer la r&eacute;cup&eacute;ration
@@ -233,13 +256,13 @@ recovery_questionnaire_loginfactor.no=Non
 recovery_questionnaire_loginfactor.question=Avez-vous enregistr&eacute; plus d'un facteur d'authentification (application AGOV access ou cl&eacute; de s&eacute;curit&eacute;) sur votre compte ?
 recovery_questionnaire_loginfactor.yes=Oui
 recovery_questionnaire_no_recovery.explanation1=D'apr&egrave;s vos r&eacute;ponses, l'option de r&eacute;cup&eacute;ration d'AGOV ne semble pas n&eacute;cessaire pour l'instant.
-recovery_questionnaire_no_recovery.explanation2=Si vous avez besoin de plus amples informations, veuillez consulter <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> pour obtenir des articles de soutien.
-recovery_questionnaire_no_recovery.instruction1=Si vous rencontrez des difficult&eacute;s pour vous connecter &agrave; une application, visitez <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> et v&eacute;rifiez si vous pouvez vous connecter avec succ&egrave;s.
-recovery_questionnaire_no_recovery.instruction2=Si vous avez enregistr&eacute; plusieurs facteurs de connexion mais que vous avez perdu l'acc&egrave;s &agrave; l'un d'entre eux, veuillez consulter <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> pour supprimer celui auquel vous avez perdu l'acc&egrave;s.
+recovery_questionnaire_no_recovery.explanation2=Si vous avez besoin de plus amples informations, veuillez consulter <a class='link' href='https://agov.ch/help' target='_blank'>https://agov.ch/help</a> pour obtenir des articles de soutien.
+recovery_questionnaire_no_recovery.instruction1=Si vous rencontrez des difficult&eacute;s pour vous connecter &agrave; une application, visitez <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> et v&eacute;rifiez si vous pouvez vous connecter avec succ&egrave;s.
+recovery_questionnaire_no_recovery.instruction2=Si vous avez enregistr&eacute; plusieurs facteurs de connexion mais que vous avez perdu l'acc&egrave;s &agrave; l'un d'entre eux, veuillez consulter <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> pour supprimer celui auquel vous avez perdu l'acc&egrave;s.
 recovery_questionnaire_reason_selection.answer1=Je n'arrive pas &agrave; me connecter, m&ecirc;me si j'ai mon application / ma cl&eacute; de s&eacute;curit&eacute;
 recovery_questionnaire_reason_selection.answer10=J'ai perdu l'un de mes facteurs d'authentification (application AGOV access ou cl&eacute; de s&eacute;curit&eacute;)
 recovery_questionnaire_reason_selection.answer2=Je n'ai pas pu terminer mon inscription
-recovery_questionnaire_reason_selection.answer3=J'ai supprim&eacute; ou r&eacute;initialis&eacute; mon application AGOV access
+recovery_questionnaire_reason_selection.answer3=J'ai supprim&eacute;, r&eacute;install&eacute; ou r&eacute;initialis&eacute; mon application d'acc&egrave;s AGOV
 recovery_questionnaire_reason_selection.answer4=J'ai perdu mon t&eacute;l&eacute;phone / cl&eacute; de s&eacute;curit&eacute;
 recovery_questionnaire_reason_selection.answer5=J'ai un nouveau t&eacute;l&eacute;phone et j'ai oubli&eacute; de transf&eacute;rer mon application AGOV access
 recovery_questionnaire_reason_selection.answer6=J'ai oubli&eacute; mon PIN pour l'application AGOV access

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/LitDict_it.properties

@@ -3,44 +3,44 @@ accept.button.label=Accettare
 button.submit=Continua
 cancel.button.label=Abortire
 continue.button.label=Continua
-darkModeSwitch.aria.label=Attivare la modalità scura 
+darkModeSwitch.aria.label=Attivare la modalità scura
 deputy.profile.label=(profilo del delegato)
 error.policy.failed=La nuova password non è stata accettata. Scegliere una password che sia conforme ai criteri di password.
 error.saml.failed=Chiudi il browser e riprova.
 error_1=Verificare i dati inseriti.
 error_10=Scegliere l’account utente corretto.
-error_100=Impossibile caricare il certificato. Il certificato esiste già. Contattare l’help desk. 
-error_101=L’e-mail inserita non è valida. 
+error_100=Impossibile caricare il certificato. Il certificato esiste già. Contattare l’help desk.
+error_101=L’e-mail inserita non è valida.
 error_11=Utilizzare un altro certificato o accedere con altre credenziali.
 error_2=Selezionare un altro nome di accesso.
-error_3=Se la prossima autenticazione fallisce, l’account sarà bloccato. 
-error_4=La nuova password non rispetta le norme di sicurezza. Scegliere un’altra password. 
+error_3=Se la prossima autenticazione fallisce, l’account sarà bloccato.
+error_4=La nuova password non rispetta le norme di sicurezza. Scegliere un’altra password.
 error_5=Errore nella conferma della password.
-error_50=La nuova password è troppo corta. 
+error_50=La nuova password è troppo corta.
 error_55=La nuova password deve differire da quelle precedenti.
-error_6=È richiesta la modifica della password. 
-error_7=È richiesta la modifica dell’ID di accesso. 
-error_8=A causa dei ripetuti tentativi di autenticazione falliti, l’account è stato bloccato. 
-error_81=Non è stata trovata alcuna carta di accesso; l’accesso da Internet è negato. 
-error_83=La carta di accesso non è più valida. Per richiedere una nuova carta di accesso, contattare il responsabile. 
+error_6=È richiesta la modifica della password.
+error_7=È richiesta la modifica dell’ID di accesso.
+error_8=A causa dei ripetuti tentativi di autenticazione falliti, l’account è stato bloccato.
+error_81=Non è stata trovata alcuna carta di accesso; l’accesso da Internet è negato.
+error_83=La carta di accesso non è più valida. Per richiedere una nuova carta di accesso, contattare il responsabile.
 error_9=Takeover di sessione fallito.
 error_97=Accesso non autorizzato a questa risorsa.
-error_98=L’account è stato bloccato. 
-error_99=Ci sono problemi di sistema. Riprovare più tardi. 
-error_9901=Per accedere a questa pagina, è necessario un link di registrazione valido. 
-error_9902=L’e-mail utilizzata per l’autenticazione non corrisponde a quella di AGOV operations. Richiedere un nuovo link di registrazione. 
-error_9903=L’IdP utilizzato non ha inviato un’asserzione valida. Assicurarsi di utilizzare l’IdP corretto. Richiedere al supporto un nuovo link di registrazione. 
-error_9904=Il link non è più valido. Assicurarsi di utilizzare il link più recente ricevuto in AGOV operations. Se il problema persiste, richiedere un nuovo link. 
-error_9905=Si è verificato un problema con l’account AGOV operations. Contattare il supporto. 
-error_9909=Si è verificato un errore interno. Richiedere al supporto un nuovo link di registrazione. 
+error_98=L’account è stato bloccato.
+error_99=Ci sono problemi di sistema. Riprovare più tardi.
+error_9901=Per accedere a questa pagina, è necessario un link di registrazione valido.
+error_9902=L’e-mail utilizzata per l’autenticazione non corrisponde a quella di AGOV operations. Richiedere un nuovo link di registrazione.
+error_9903=L’IdP utilizzato non ha inviato un’asserzione valida. Assicurarsi di utilizzare l’IdP corretto. Richiedere al supporto un nuovo link di registrazione.
+error_9904=Il link non è più valido. Assicurarsi di utilizzare il link più recente ricevuto in AGOV operations. Se il problema persiste, richiedere un nuovo link.
+error_9905=Si è verificato un problema con l’account AGOV operations. Contattare il supporto.
+error_9909=Si è verificato un errore interno. Richiedere al supporto un nuovo link di registrazione.
 errors.duplicateValue=Il suo account è già collegato ad un altro accesso operativo.
-fido2_auth.cancel.fido=L'autenticazione con la chiave di sicurezza è stata interrotta. Assicurarsi che la chiave FIDO sia registrata e che l'indirizzo e-mail sia corretto, poi seguire le istruzioni. 
+fido2_auth.cancel.fido=L'autenticazione con la chiave di sicurezza è stata interrotta. Assicurarsi che la chiave FIDO sia registrata e che l'indirizzo e-mail sia corretto, poi seguire le istruzioni.
 fido2_auth.instruction1=Cliccare su "Continua"
-fido2_auth.instruction2=A breve si aprirà una finestra per l'autenticazione. 
+fido2_auth.instruction2=A breve si aprirà una finestra per l'autenticazione.
 fido2_auth.instruction3=Seguire le istruzioni.
 fido2_auth.skipInstructions=Non mostrare più le istruzioni
 fido2_auth.switchLogin=ACCEDERE CON
-footer.link=https://agov.ch/?c=contact&l=it
+footer.link=https://agov.ch
 footer.link.label=Contatto
 footer.text=Servizio di autenticazione delle autorità Svizzere AGOV - una collaborazione tra Cantoni, Comuni e l'Amministrazione federale. -
 general.AGOVAccessApp=App AGOV access
@@ -55,23 +55,32 @@ general.edit=Modificare
 general.email=e-mail
 general.email.address=Indirizzo e-mail
 general.entryCode=Codice
+general.fieldRequired=Campo obbligatorio.
 general.getStarted=Iniziare
 general.goAGOVHelp=Vai ad AGOV help
 general.goAccessApp=Login con AGOV access
 general.help=Aiuto
-general.help.link=https://agov.ch/pages/help_it.html
+general.help.link=https://agov.ch/help
 general.login=Accedere
 general.loginSecurityKey=Iniziare il login con la chiave di sicurezza
 general.or=O
 general.otherOptions=ALTRE OPZIONI
 general.recovery=Ripristino
+general.recovery.help.link=https://help.agov.ch/?c=100recovery
+general.recoveryCode.downloadPdf=Salva come PDF
+general.recoveryCode.inputLabel=Codice di ripristino
+general.recoveryCode.repeatCodeError=Il codice inserito non è corretto. Assicurati di averlo memorizzato correttamente, quindi riprova a inviarlo.
+general.recoveryCode.repeatCodeModal.description=Un codice di ripristino perso o memorizzato in modo errato può rendere più difficile il recupero del tuo account. Per assicurarti di aver registrato correttamente il codice, inseriscilo di nuovo qui sotto.
+general.recoveryCode.repeatCodeModal.title=Ripeti il codice di ripristino
+general.recoveryCode.reveal=Mostra il codice di ripristino
 general.recoveryOngoing=Ripristino in corso
 general.register=Registrarsi
 general.registerNow=Si registri ora!
 general.registration=Registrazione
 general.securityKey=Chiave di sicurezza
 general.skip.content=Vai al contenuto principale
-generic.auth.error.message=Si è verificata un’interruzione. Stiamo lavorando per ripristinare l’esercizio. 
+general.wrongPhoneNumber=Inserire un numero di cellulare valido
+generic.auth.error.message=Si è verificata un’interruzione. Stiamo lavorando per ripristinare l’esercizio.
 generic.auth.error.next.steps=Riprovare più tardi. Se il problema persiste, consultare AGOV help.
 generic.auth.error.subtitle=Qualcosa non ha funzionato.
 generic.auth.error.title=Errore
@@ -85,11 +94,11 @@ language.en=English
 language.fr=Français
 language.it=Italiano
 languageDropdown.aria.label=Selezionare la lingua
-loainfo.description.200=Per accedere all'app è necessaria una verifica dei dati. La procedura può richiedere fino a 2–3 giorni lavorativi. 
+loainfo.description.200=Per accedere all'app è necessaria una verifica dei dati. La procedura può richiedere fino a 2–3 giorni lavorativi.
 loainfo.description.300=Per accedere all'app dobbiamo verificare i suoi dati tramite uno dei due processi. Al prossimo passaggio, può selezionare la procedura di verifica desiderata.
-loainfo.description.400=Per acceddere all'applicazione deve inserire il numero AVS.
+loainfo.description.400=Per accedere all'applicazione è necessario inserire il numero AVS.
 loainfo.helper=I dati devono essere verificati!
-loainfo.later=Più tardi 
+loainfo.later=Più tardi
 loainfo.startNow=Iniziare la procedura?
 loainfo.startVerification=Iniziare la verifica
 loainfo.title=Verificare i dati.
@@ -97,8 +106,8 @@ login.button.label=Login
 logout.label=Logout
 logout.text=È uscito con successo.
 mauth_usernameless.EID=Continuare con CH e-ID
-mauth_usernameless.banner.error=Autenticazione interrotta.<br>Riprovare dopo che la pagina si sar&agrave; ricaricata. 
-mauth_usernameless.banner.info=La scansione &egrave; stata eseguita.<br>Continuare nell'app AGOV access. 
+mauth_usernameless.banner.error=Autenticazione interrotta.<br>Riprovare dopo che la pagina si sar&agrave; ricaricata.
+mauth_usernameless.banner.info=La scansione &egrave; stata eseguita.<br>Continuare nell'app AGOV access.
 mauth_usernameless.banner.success=Autenticazione riuscita!<br>Aspettare di essere connessi.
 mauth_usernameless.cannotLogin=Ha perso l'accesso alla sua app/chiave di sicurezza?
 mauth_usernameless.hideQR=Nascondi il codice QR
@@ -124,9 +133,9 @@ op-admin.login.loginid=ID di accesso
 op-admin.login.password=Password
 op-admin.login.title=Accedere
 op-admin.logout=AGOV op admin
-op-admin.logout.message=La sessione &egrave; terminata. 
+op-admin.logout.message=La sessione &egrave; terminata.
 op-admin.logout.title=Disconnessione
-op-admin.pwchange.intro.message=&Egrave; richiesta la modifica della password. 
+op-admin.pwchange.intro.message=&Egrave; richiesta la modifica della password.
 op-admin.pwchange.newpassword=Nuova password
 op-admin.pwchange.newpassword2=Ripetere la nuova password
 op-admin.pwchange.password=Password attuale
@@ -148,7 +157,7 @@ op-onboarding.done.title=FINITO
 op-onboarding.failed.title=ERRORE
 op-onboarding.intro.message1=Per completare la registrazione per l'accesso AGOV operations, &egrave; necessario avere un account AGOV o FED-LOGIN.
 op-onboarding.intro.message2=Dopo aver cliccato su "Continua", si &egrave; reindirizzati al servizio di autenticazione.
-op-onboarding.intro.message3=Se utilizza AGOV e l&rsquo;account non soddisfa ancora il livello richiesto AGOVaq, potr&agrave; avviare la verifica dell&rsquo;identit&agrave; richiesta. 
+op-onboarding.intro.message3=Se utilizza AGOV e l&rsquo;account non soddisfa ancora il livello richiesto AGOVaq, potr&agrave; avviare la verifica dell&rsquo;identit&agrave; richiesta.
 op-onboarding.intro.title=INIZIARE
 op-onboarding.onboarding=Registrazione AGOV op
 op-onboarding.process.message=Qualcosa non ha funzionato. Contattare il supporto AGOV e, se necessario, richiedere un nuovo link di registrazione.
@@ -185,44 +194,58 @@ prompt.newpassword=Nuova Password
 prompt.newpassword.confirm=Conferma password
 prompt.password=Password
 prompt.userid=Nome utente
-pwreset.done.info=Your password was successfully changed. Please click on continue to log in.
+providePhoneNumber.banner=Il numero di telefono deve essere in grado di ricevere SMS.<br>Questo numero di telefono non sar&agrave; utilizzato per contattarti.
+providePhoneNumber.description=AGOV ora supporta il ripristino tramite il tuo numero di telefono. Questo ti permetter&agrave; di continuare con un SMS durante il ripristino se hai perso l'accesso al tuo codice di ripristino.
+providePhoneNumber.errorBanner=Il numero di telefono non corrispondono. Si prega di riprovare.
+providePhoneNumber.inputLabel=Numero di telefono (facoltativo)
+providePhoneNumber.laterModal.description1=Senza un numero di telefono, il recupero del tuo account potrebbe richiedere fino a 4 giorni se perdi l'accesso al codice di ripristino.
+providePhoneNumber.laterModal.description2=Aggiungere un numero di telefono ti aiuta a recuperare il tuo account in pochi minuti.
+providePhoneNumber.laterModal.description3=Questo numero di telefono non sar&agrave; utilizzato per contattarti.
+providePhoneNumber.laterModal.title=Continuare senza un numero di telefono?
+providePhoneNumber.modal.description=Un numero di telefono memorizzato in modo errato pu&ograve; rendere pi&ugrave; difficile il recupero del tuo account. Per assicurarti di aver registrato correttamente il tuo numero di telefono, inseriscilo di nuovo qui sotto.
+providePhoneNumber.modal.inputLabel=Numero di telefono
+providePhoneNumber.modal.title=Ripetere il numero di telefono
+providePhoneNumber.saveButtonText=Salva
+providePhoneNumber.title=Aggiungi numero di telefono
+pwreset.done.info=La password &egrave; stata modificata con successo. Fare clic su continua per accedere.
 pwreset.email.sent=Se il vostro ID utente esiste, vi è stata inviata un'e-mail per reimpostare la password.
-pwreset.info.linktext=Password forgotten
-pwreset.noticket=Your password reset ticket is no longer valid. Please generate a new one.
-recovery_accessapp_auth.accessAppRegistered=App di accesso AGOV gi&agrave; registrata 
-recovery_accessapp_auth.instruction1=Ha gi&agrave; registrato una nuova app di accesso AGOV !!!SECURITY_KEY_NAME!!! come parte del processo di recupero. 
+pwreset.info.linktext=Password dimenticata
+pwreset.noticket=Il biglietto per la reimpostazione della password non &egrave; pi&ugrave; valido. Si prega di generarne uno nuovo.
+recovery_accessapp_auth.accessAppRegistered=App di accesso AGOV gi&agrave; registrata
+recovery_accessapp_auth.instruction1=Ha gi&agrave; registrato una nuova app AGOV access !!!SECURITY_KEY_NAME!!! come parte del processo di recupero.
 recovery_accessapp_auth.instruction2=Si prega di usare !!!ACCESS_APP_NAME!!! per l'identificazione.
-recovery_check_code.codeIncorrect=Il codice inserito non &egrave; corretto. Riprovare. 
+recovery_check_code.banner.lockedError=Troppi tentativi di inserimento non validi. Riprovare tra qualche minuto.
+recovery_check_code.codeIncorrect=Il codice inserito non &egrave; corretto. Riprovare.
 recovery_check_code.enterRecoveryCode=Inserisca il codice di recupero
 recovery_check_code.instruction=Inserire qui sotto il codice di ripristino a 12 caratteri alfanumerici. Ha ricevuto questo codice in un file PDF al momento della registration o in AGOV me.
-recovery_check_code.invalid.code=Il codice non &egrave; valido 
+recovery_check_code.invalid.code=Il codice non &egrave; valido
 recovery_check_code.invalid.code.required=Codice richiesto
-recovery_check_code.invalid.code.tooLong=Il codice &egrave; troppo lungo 
+recovery_check_code.invalid.code.tooLong=Il codice &egrave; troppo lungo
 recovery_check_code.noAccess=Non ho il mio codice.
 recovery_check_code.noCodeAccess=Conferma di non avere il codice di ripristino?
 recovery_check_code.noCodeAccessInstructions=Se non ha pi&ugrave; il codice di ripristino, acceda ad AGOV help per contattare il supporto AGOV, che la assister&agrave; nel processo di ripristino.
-recovery_check_noCode.banner.error=Troppi tentativi o codice di ripristino scaduto
-recovery_check_noCode.instruction1=Il codice di ripristino inserito pu&ograve; essere scaduto o &egrave; stato inserito troppe volte. 
-recovery_check_noCode.instruction2=Si prega di andare alla guida di AGOV aiuto per contattare un agente dell'assistenza. Saranno in grado di aiutarla con il processo di recupero.
+recovery_check_code.too_many_tries.instruction1=Il codice di ripristino inserito pu&ograve; essere scaduto o &egrave; stato inserito troppe volte.
+recovery_check_code.too_many_tries.instruction2=Si prega di andare alla guida di AGOV aiuto per contattare un agente dell'assistenza. Saranno in grado di aiutarla con il processo di recupero.
+recovery_check_noCode.banner.error=Troppi tentativi.
+recovery_check_noCode.instruction1=Potresti aver tentato di inserire il codice di ripristino troppe volte.
+recovery_check_noCode.instruction2=Chiudi il browser web e inizia nuovamente il processo di ripristino dell'account tra dieci minuti da <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.
 recovery_code.banner.error=Per procedere, inserire il nuovo codice.
 recovery_code.instruction=Il codice di ripristino le aiuta ad accedere al suo conto in caso in cui lei abbia perso le credentiali di accesso. Per favore, conservi il codice di ripristino in un luogo sicuro.
 recovery_code.newRecoveryCode=Introduzione del codice di ripristino
 recovery_code.validUntil=Valido fino a:
 recovery_fidokey_auth.button=Iniziare l'authenticazione della chiave
 recovery_fidokey_auth.fidoInstruction=Cliccare su "Iniziare l'authenticazione della chiave"
-recovery_fidokey_auth.instruction1=Ha gi&agrave; registrato una nuova chiave di sicurezza !!!SECURITY_KEY_NAME!!! come parte del processo di recupero. 
+recovery_fidokey_auth.instruction1=Ha gi&agrave; registrato una nuova chiave di sicurezza !!!SECURITY_KEY_NAME!!! come parte del processo di recupero.
 recovery_fidokey_auth.instruction2=Si prega di usare !!!SECURITY_KEY_NAME!!! per poter seguire i passaggi seguenti per identificarti.
-recovery_fidokey_auth.keyRegistered=Chiave di sicurezza gi&agrave; registrata 
-recovery_intro_email.banner.error=Il link utilizzato &egrave; scaduto. Per ricevere un nuovo link, inserire l&rsquo;indirizzo e-mail. 
-recovery_intro_email.banner.info=Per ricevere il link e avviare il processo di ripristino, inserire l&rsquo;indirizzo e-mail. 
-recovery_intro_email.captchaUnchecked=Per favore selezioni il campo captcha
+recovery_fidokey_auth.keyRegistered=Chiave di sicurezza gi&agrave; registrata
+recovery_intro_email.banner.error=Il link utilizzato &egrave; scaduto. Per ricevere un nuovo link, inserire l&rsquo;indirizzo e-mail.
+recovery_intro_email.banner.info=Per ricevere il link e avviare il processo di ripristino, inserire l&rsquo;indirizzo e-mail.
 recovery_intro_email.important=Importante:
-recovery_intro_email.process=Il processo di ripristino deve essere utilizzato solo se ha perso l'accesso ai suoi fattori di accesso (app di accesso AGOV eliminata, chiave di sicurezza persa, telefono smarrito, ecc.).
-recovery_intro_email.siteProtectedWithRecaptcha=Questo sito &egrave; protetto da reCAPTCHA. Si applicano le <a class='link' href='https://policies.google.com/privacy' target='_blank'>norme sulla privacy</a> e i <a class='link' href='https://policies.google.com/terms' target='_blank'>termini di servizio di Google</a>. 
+recovery_intro_email.process=Il processo di ripristino deve essere utilizzato solo se ha perso l'accesso ai suoi fattori di accesso (app AGOV access eliminata, chiave di sicurezza persa, telefono smarrito, ecc.).
 recovery_intro_email_sent.banner.button=Non avete ricevuto l'e-mail?
-recovery_intro_email_sent.banner.success=Grazie! &Egrave; stata inviata un&rsquo;e-mail contenente il codice di ripristino e le istruzioni. 
+recovery_intro_email_sent.banner.success=Grazie! &Egrave; stata inviata un&rsquo;e-mail contenente il codice di ripristino e le istruzioni.
 recovery_on_going.finishRecovery=Completare il ripristino
-recovery_on_going.instruction=&Egrave; in corso un processo di ripristino. Il processo di ripristino pu&ograve; includere una verifica dell&rsquo;identit&agrave;. Per accedere alle applicazioni con il proprio AGOV-Login, &egrave; necessario completare la verifica dell&rsquo;identit&agrave;. 
+recovery_on_going.instruction=&Egrave; in corso un processo di ripristino. Il processo di ripristino pu&ograve; includere una verifica dell&rsquo;identit&agrave;. Per accedere alle applicazioni con il proprio AGOV-Login, &egrave; necessario completare la verifica dell&rsquo;identit&agrave;.
 recovery_on_going.title=Completare il processo di ripristino.
 recovery_questionnaire_instructions.banner.info=Tenga presente che in alcuni casi &egrave; necessario utilizzare il codice di ripristino per un ripristino riuscito.
 recovery_questionnaire_instructions.explanation=In base alle sue risposte sembra essere necessario un ripristino AGOV-Login. Fare clic su Continua e seguire le istruzioni visualizzate sullo schermo.
@@ -230,26 +253,26 @@ recovery_questionnaire_instructions.instruction1=Si prega di fornire l'indirizzo
 recovery_questionnaire_instructions.instruction2=Si prega di seguire i passaggi per recuperare il suo account (i passaggi varieranno a seconda del livello di verifica dell'account)
 recovery_questionnaire_loginfactor.banner.error=Si prega di selezionare una risposta.
 recovery_questionnaire_loginfactor.no=No
-recovery_questionnaire_loginfactor.question=Ha registrato pi&ugrave; di un fattore di accesso (app di accesso AGOV o chiave di sicurezza) al suo account?
+recovery_questionnaire_loginfactor.question=Ha registrato pi&ugrave; di un fattore di accesso (app AGOV access o chiave di sicurezza) al suo account?
 recovery_questionnaire_loginfactor.yes=Si
 recovery_questionnaire_no_recovery.explanation1=In base alle sue risposte, l'opzione di ripristino AGOV non sembra necessaria al momento.
-recovery_questionnaire_no_recovery.explanation2=Se ha bisogno di ulteriori informazioni, visiti <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> per articoli di supporto.
-recovery_questionnaire_no_recovery.instruction1=Se riscontra problemi di accesso a un'applicazione, visiti <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> e verifichi se pu&ograve; accedere con successo.
-recovery_questionnaire_no_recovery.instruction2=Se ha registrato pi&ugrave; fattori di accesso ma ha perso l'accesso a uno di essi, visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> per rimuovere quello a cui ha perso l'accesso.
+recovery_questionnaire_no_recovery.explanation2=Se ha bisogno di ulteriori informazioni, visiti <a class='link' href='https://agov.ch/help' target='_blank'>https://agov.ch/help</a> per articoli di supporto.
+recovery_questionnaire_no_recovery.instruction1=Se riscontra problemi di accesso a un'applicazione, visiti <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> e verifichi se pu&ograve; accedere con successo.
+recovery_questionnaire_no_recovery.instruction2=Se ha registrato pi&ugrave; fattori di accesso ma ha perso l'accesso a uno di essi, visit <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> per rimuovere quello a cui ha perso l'accesso.
 recovery_questionnaire_reason_selection.answer1=Ho problemi ad accedere, anche se ho la mia app/chiave di sicurezza
-recovery_questionnaire_reason_selection.answer10=Ho perso uno dei miei fattori di accesso (app di accesso AGOV o chiave di sicurezza)
+recovery_questionnaire_reason_selection.answer10=Ho perso uno dei miei fattori di accesso (app AGOV access o chiave di sicurezza)
 recovery_questionnaire_reason_selection.answer2=Non sono riuscito a completare la registrazione
-recovery_questionnaire_reason_selection.answer3=Ho eliminato o reimpostato la mia app di accesso AGOV
+recovery_questionnaire_reason_selection.answer3=Ho eliminato, reinstallato o reimpostato la mia app AGOV access
 recovery_questionnaire_reason_selection.answer4=Ho perso il telefono/la chiave di sicurezza
-recovery_questionnaire_reason_selection.answer5=Ho un nuovo telefono e ho dimenticato di trasferire la mia app di accesso AGOV
-recovery_questionnaire_reason_selection.answer6=Ho dimenticato il PIN dell'app di accesso AGOV
+recovery_questionnaire_reason_selection.answer5=Ho un nuovo telefono e ho dimenticato di trasferire la mia app AGOV access
+recovery_questionnaire_reason_selection.answer6=Ho dimenticato il PIN dell'app AGOV access
 recovery_questionnaire_reason_selection.answer7=Ho i miei token di sicurezza o le mie app, ma ho avuto problemi ad accedere
-recovery_questionnaire_reason_selection.answer8=Ho perso l'accesso a tutte le mie chiavi di sicurezza e alle app di accesso AGOV
+recovery_questionnaire_reason_selection.answer8=Ho perso l'accesso a tutte le mie chiavi di sicurezza e alle app AGOV access
 recovery_questionnaire_reason_selection.answer9=Ho problemi con uno dei miei fattori di accesso (PIN cancellato, reimpostato, dimenticato)
 recovery_questionnaire_reason_selection.banner.error=Si prega di selezionare il motivo.
 recovery_questionnaire_reason_selection.instruction=Si prega di selezionare il motivo per cui sta avviando il processo di recupero:
-recovery_start_info.banner.warning=Non &egrave; possibile utilizzare l&rsquo;account finch&eacute; il processo di ripristino non sar&agrave; concluso. 
-recovery_start_info.instruction=Durante il processo di ripristino sar&agrave; registrato un nuovo fattore di accesso. Se l&rsquo;account contiene informazioni verificate, potrebbe essere necessario avviare un processo di verifica per completare il ripristino. 
+recovery_start_info.banner.warning=Non &egrave; possibile utilizzare l&rsquo;account finch&eacute; il processo di ripristino non sar&agrave; concluso.
+recovery_start_info.instruction=Durante il processo di ripristino sar&agrave; registrato un nuovo fattore di accesso. Se l&rsquo;account contiene informazioni verificate, potrebbe essere necessario avviare un processo di verifica per completare il ripristino.
 recovery_start_info.title=Il processo di ripristino sta per iniziare.
 reject.button.label=Rifiuti
 submit.button.label=Continua
@@ -260,9 +283,9 @@ title.logout.confirmation=Logout
 title.logout.reminder=Logout
 title.oauth.consent=Autorizzazione del client
 title.pwchange.label=Cambiare Password
-title.pwreset=Password Forgotten
+title.pwreset=Password Dimenticata
 title.saml.failed=Error
 title.timeout.page=Logout
 user_input.invalid.email=Inserire un'e-mail valida.
 user_input.invalid.email.required=Campo obbligatorio
-user_input.invalid.email.tooLong=Il testo inserito &egrave; troppo lungo. 
+user_input.invalid.email.tooLong=Il testo inserito &egrave; troppo lungo.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/Recovery_getCredentials.groovy

@@ -1,62 +0,0 @@
-import ch.nevis.idm.client.IdmRestClient
-import ch.nevis.idm.client.IdmRestClientFactory
-import groovy.json.JsonSlurper
-import java.time.ZonedDateTime
-import java.time.format.DateTimeFormatter
-import java.time.ZoneId
-import ch.nevis.esauth.auth.engine.AuthResponse
-import groovy.xml.XmlSlurper
-
-IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
-
-String baseUrl = parameters.get('baseUrl')
-String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
-String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
-String endPoint = "$baseUrl/api/core/v1/$clientExtId/users/$userExtId/fido2"
-String endPointFidoUAF = "$baseUrl/api/core/v1/$clientExtId/users/$userExtId/generic-credentials"
-
-def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
-def hasRecoveryRole = userDto.'**'.find { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' && node.name.text() == 'recovery' }
-if (hasRecoveryRole != null) {
-  String result
-  try {
-     result = idmRestClient.get(endPoint)
-     resultFidoUAF = idmRestClient.get(endPointFidoUAF)
-
-  def json = new JsonSlurper().parseText(result)
-LOG.info('Result fido2: ' + json)
-
-    def login=false
-    json['items'].each {
-     if ("active".equals(it.stateName)) {
-         response.setSessionAttribute('agov.recovery.securityKey', it.userFriendlyName)
-         response.setResult('loginWithFido2')
-         login=true
-         return
-      }
-
-   }
-   if (login) {
-     return
-   }
-   def jsonFidoUAF = new JsonSlurper().parseText(resultFidoUAF)
-   LOG.info('Result fidoUAF: ' + jsonFidoUAF)
-      jsonFidoUAF['items'].each {
-        if ("active".equals(it.stateName)) {
-          response.setSessionAttribute('agov.recovery.accessapp', it.properties.fidouaf_name)
-          response.setResult('loginWithFidoUAF')
-          login=true
-          return
-        }
-     }
-     if (login) {
-       return
-     }
-  } catch(Exception e) {
-    LOG.error(e.toString())
-    response.setResult('failed')
-   return
-  }
-
-}
-response.setResult('ok')

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/SendSamlResponseWithAssertion.groovy

@@ -10,6 +10,20 @@ def tAuth = System.currentTimeMillis() - (request.getSession(true).getCreationTi
 
 LOG.info("Event='AUTHENTICATION', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', tAuth=${tAuth}ms, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
 
+// BUNDBITBK-4824: Address was missing after bmid verification
+def session = request.getAuthSession(true)
+int loa = session.get('agov.actualRoleLevel') as int
+
+// Best Token Available only if account's AQlevel is high enough
+if ((session.getAttribute('agov.appAddressRequired') == 'true') && (loa < 200)) {
+    LOG.debug("Best Token: Address requested but account has to low AQ (${loa})")
+    session.setAttribute('agov.appAddressRequired', 'false')
+}
+if ((session.getAttribute('agov.appSvnrAllowed') == 'true') && (loa < 400)) {
+    LOG.debug("Best Token: SVNr requested but account has to low AQ (${loa})")
+    session.setAttribute('agov.appSvnrAllowed', 'false')
+}
+// BUNDBITBK-4824 END
 
 // delete the login cookie
 def agovLoginCookie = "agovLogin=deleted; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=0; SameSite=Strict; Secure; HttpOnly"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/askMobileNumber.groovy

@@ -0,0 +1,103 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
+import ch.nevis.idm.client.HTTPRequestWrapper
+
+import groovy.json.JsonSlurper
+import groovy.xml.XmlSlurper
+
+def getHeader(String name) {
+    def inctx = request.getLoginContext()
+    // case-insensitive lookup of HTTP headers
+    def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
+    map.putAll(inctx)
+    return map['connection.HttpHeader.' + name]
+}
+
+
+// Accounting
+def requester = session['ch.nevis.auth.saml.request.scoping.requesterId'] ?: 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+
+String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
+String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
+String mobile = session.get('ch.nevis.idm.User.mobile')
+
+String baseUrl = parameters.get('baseUrl')
+String endPoint = "${baseUrl}/core/v1/${clientExtId}/users/${userExtId}"
+
+
+if (mobile) {
+    LOG.debug("User '${user}' has already registered a mobile number")
+    response.setResult('done')
+    return
+}
+
+def agovSkipAskingMobileCookieValue = 'missing'
+
+if (getHeader('cookie') != null) {
+    def cookies = getHeader('cookie')
+    if (cookies.matches('^.*agovSkipAskingMobile=([^;]+).*$')) {
+        agovSkipAskingMobileCookieValue = cookies.replaceAll('^.*agovSkipAskingMobile=([^;]+).*$', '$1')
+    }
+}
+if (agovSkipAskingMobileCookieValue == 'true') {
+    // Don't aske the user again...
+    LOG.info("Event='SKIPPEDMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+    response.setResult('done')
+    return
+}
+
+
+if (!inargs['submit'] && (!inargs['mobile'] || !inargs['mobile'].isEmpty()) && inargs['language'] && inargs['language'] != session['ch.nevis.session.user.language']) {
+    // language switch, nothing else to do, just display again the GUI
+    response.setStatus(AuthResponse.AUTH_CONTINUE)
+    return
+}
+
+if (inargs['submit'] && (!inargs['mobile'] || inargs['mobile'].isEmpty()) && inargs['skip']) {
+    // no mobile, and user wants to skip it
+
+    LOG.info("Event='NOMOBILENUMBER', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', Persistent='${ inargs['skip'] == 'persistent' ? true : false }'")
+    
+    if (inargs['skip'] == 'persistent') {
+        // persistent cookie for 30d;
+        def agovSkipAskingMobileCookie = "agovSkipAskingMobile=true; Domain=${parameters.get('cookie.domain')}; Path=/; Max-Age=2592000; SameSite=Strict; Secure; HttpOnly"
+        // setHeader doesn't support multiple headers with the same name, so we use
+        // a different one, and rewrite it in the proxy with Lua
+        response.setHeader('Set-Cookie2', agovSkipAskingMobileCookie)
+    }
+
+    response.setResult('done')
+    return
+}
+
+
+
+if (inargs['submit'] && inargs['mobile'] && !inargs['mobile'].isEmpty()) {
+    // IMPORTANT/haburger/2024-DEC-09: the pattern must be the same as ch.adnovum.agov.common.util.InputPatterns.PHONE_NUMBER_PATTERN
+    if (!inargs['mobile'].replaceAll('\\s', '').matches('^(?:\\+[0-9]+)?$')) {
+        LOG.warn("Event='MOBILEFAILED', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='User provided invalid number (${inargs['mobile']})'")
+      response.setResult('done')
+      return
+    }
+    String result
+    // mobile is also stored without spaces
+    def patchBdy = "{\"contacts\":{\"mobile\":\"${inargs['mobile'].replaceAll('\\s', '')}\"},\"modificationComment\":\"added mobile number from user during request ${requestId}\"}"
+    try {
+        result = idmRestClient.patch(endPoint, patchBdy)
+    } catch(Exception e) {
+        LOG.warn("Event='MOBILEFAILED', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='failed to save number (${e})'")
+    }
+    response.setResult('done')
+    return
+}
+
+
+// we should ask the user
+response.setStatus(AuthResponse.AUTH_CONTINUE)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/authorization.groovy

@@ -167,7 +167,8 @@ def i2r = [:]
 
 // issuer to ResultCond name
 def i2e = [:]
-i2e.put('https://trustbroker.agov-d.azure.adnovum.net', 'forbidden_0')
+i2e.put('https://trustbroker.agov-epr-lab.azure.adnovum.net', 'forbidden_0')
+i2e.put('https://trustbroker-idp.agov-epr-lab.azure.adnovum.net', 'forbidden_1')
 
 
 if (!i2r.isEmpty() && !hasAnyRequiredRole(i2r, issuer)) {

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/checkloa.groovy

@@ -2,9 +2,8 @@ import org.codehaus.groovy.runtime.StackTraceUtils
 import groovy.xml.XmlSlurper
 
 def getUserAGOVLoiRoles() {
-  // set attibutes from DTO: -> AGOVaq
-  def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
-  return list.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
+  // we take the roles from actualRoles
+  return request.getActualRoles().findAll { role -> role.startsWith('AGOV-Loi.') }.collect({ role -> role.substring(9) })
 }
 
 def getUserAGOVRecoveryRoles() {
@@ -141,6 +140,11 @@ try {
     LOG.error("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', errorMessage='Account without Profile', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
 
     session.setAttribute('contextClassRefToSet', 'urn:qa.agov.ch:names:tc:ac:classes:100')
+
+    // if the account has no profile, we must not return address or svnr
+    session.setAttribute('agov.appAddressRequired', 'false')
+    session.setAttribute('agov.appSvnrAllowed', 'false')
+
     response.setResult('ok')
     return
   }
@@ -161,16 +165,14 @@ try {
   if (role.startsWith('level')) {
     def roleLevel = role.substring(5)
     int roleLevelNumber = Integer.parseInt(roleLevel)
-    if (highestRoleLevelNumber == 0) {
-      highestRoleLevelNumber = roleLevelNumber
-    }
+    
     if (highestRoleLevelNumber< roleLevelNumber) { 
       highestRoleLevelNumber=roleLevelNumber 
     } 
   } 
   } 
-  LOG.debug('CheckLoa: Highest role Level' + highestRoleLevelNumber.toString() +' contextclassref' + requestedRoleLevelNumber.toString()) 
-  LOG.debug('CheckLoa: Compare' + (highestRoleLevelNumber>=requestedRoleLevelNumber)) 
+  LOG.debug('CheckLoa: Highest role Level ' + highestRoleLevelNumber.toString() +' contextclassref ' + requestedRoleLevelNumber.toString()) 
+  LOG.debug('CheckLoa: Compare ' + (highestRoleLevelNumber>=requestedRoleLevelNumber))  
 
   //set attribute Actual Role Level
   session.setAttribute('agov.actualRoleLevel', '' + highestRoleLevelNumber)
@@ -185,42 +187,46 @@ try {
   }
 
   // no login for users with a recovery role
-  for (String role : getUserAGOVRecoveryRoles()) {
-    if (role == 'mustRecover') {
-      session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
-      session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' ) 
+  def recoveryRoleList = getUserAGOVRecoveryRoles()
+  
+  if (recoveryRoleList.contains('mustRecover')) {
+    session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
+    session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown' ) 
 
-      def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
+    def origIdVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()) ?: 'None'
+    def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
+    session.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
 
-      def idVerification = getUserIdVerificationForRecovery() ?: origIdVerification
-      session.setAttribute('agov.recovery.currentIdVerification', '' + idVerification )
+    // align currentAgovAq with the method selected for idVerification
+    def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber)
+    session.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery)
 
-      // align currentAgovAq with the method selected for idVerification
-      def currentAgovAqForRecovery = getAqLevelBasedOnIdVerificationForRecovery(idVerification, highestRoleLevelNumber)
-      session.setAttribute('agov.recovery.currentAgovAq', '' + currentAgovAqForRecovery)
+    def validFrom = getUserMustRecoverValidFrom() ?: ''
+    session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom ) 
 
-      def validFrom = getUserMustRecoverValidFrom() ?: ''
-      session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + validFrom ) 
+    LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}")
 
-      LOG.debug("CheckLoa: mustRecover: origIdVerification=${origIdVerification}, idVerification=${idVerification}, currentAgovAqForRecovery=${currentAgovAqForRecovery}")
+    response.setResult('exit.2')
+    return
 
-      response.setResult('exit.2')
-      return
-
-    } else if (role == 'recovery') {
+  } else if (recoveryRoleList.contains('recovery')) {
+    if (recoveryRoleList.contains('recoveryCascade')) {
+      session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
+    } else {
       session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
-      session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown') 
-      session.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
-      LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
-      def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
-      session.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
-      def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
-      session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom) 
+    }
+    session.setAttribute('agov.recovery.authenticatedWith', session.getAttribute('authenticatedWith') ?: 'unknown') 
+    session.setAttribute('agov.recovery.currentAgovAq', session.getAttribute('contextClassRefToSet') ?: 'urn:qa.agov.ch:names:tc:ac:classes:100' )
+    LOG.debug('CheckLoa: idVerification2= '+ getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString()))
+    def idVerification = getUserAGOVLoiIdVerification(highestRoleLevelNumber.toString())
+    session.setAttribute('agov.recovery.currentIdVerification', (idVerification.isEmpty() ? 'None' : idVerification.first()))
+    def validFrom = getUserAGOVLoiValidFrom('level'.concat(highestRoleLevelNumber.toString())) ?: ''
+    session.setAttribute('agov.recovery.currentAgovAqRoleValidFrom', validFrom) 
+
+    response.setResult('exit.2')
+    return
+  } 
 
-      response.setResult('exit.2')
-      return
-    } 
-  }
 
   if (highestRoleLevelNumber>=requestedRoleLevelNumber) { 
 

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/eid_verification_auth.groovy

@@ -0,0 +1,326 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+import ch.nevis.esauth.util.httpclient.api.HttpClient
+import groovy.json.JsonSlurper
+import io.opentelemetry.api.trace.Span
+
+def getHeader(String name) {
+	def inctx = request.getLoginContext()
+	// case-insensitive lookup of HTTP headers
+	def map = new TreeMap<>(String.CASE_INSENSITIVE_ORDER)
+	map.putAll(inctx)
+	return map['connection.HttpHeader.' + name]
+}
+
+def verification_request_template = '''
+{ "presentation_definition": {
+    "id": "{{UUID}}",
+    "name": "AGOV Verification",
+    "purpose": "AGOV Login",
+    "format": {
+      "vc+sd-jwt": {
+        "sd-jwt_alg_values": [
+          "ES256"
+        ],
+        "kb-jwt_alg_values": [
+          "ES256"
+        ]
+      }
+    },
+    "input_descriptors": [
+      {
+        "id": "agov-all-attributes",
+        "name": "AGOV Identity Verification",
+        "purpose": "verification and authentication",
+        "format": {
+          "vc+sd-jwt": {
+            "sd-jwt_alg_values": [
+              "ES256"
+            ],
+            "kb-jwt_alg_values": [
+              "ES256"
+            ]
+          }
+        },
+        "constraints": {
+          "fields": [
+            {
+              "path": [
+                "$.family_name"
+              ]
+            },
+            {
+              "path": [
+                "$.given_name"
+              ]
+            },
+            {
+              "path": [
+                "$.birth_date"
+              ]
+            },
+            {
+              "path": [
+                "$.sex"
+              ]
+            },
+            {
+              "path": [
+                "$.place_of_origin"
+              ]
+            },
+            {
+              "path": [
+                "$.birth_place"
+              ]
+            },
+            {
+              "path": [
+                "$.nationality"
+              ]
+            },
+            {
+              "path": [
+                "$.personal_administrative_number"
+              ]
+            },
+            {
+              "path": [
+                "$.document_number"
+              ]
+            },
+            {
+              "path": [
+                "$.issuance_date"
+              ]
+            },
+            {
+              "path": [
+                "$.expiry_date"
+              ]
+            },
+            {
+              "path": [
+                "$.issuing_authority"
+              ]
+            },
+            {
+              "path": [
+                "$.issuing_country"
+              ]
+            }
+          ]
+        }
+      }
+    ]
+  }
+}
+'''
+
+def ERROR_CODE_TO_STATUS_MAPPER = [
+		'CREDENTIAL_INVALID'               : 'FAILED',
+		'JWT_EXPIRED'                      : 'ERROR',
+		'INVALID_FORMAT'                   : 'ERROR',
+		'CREDENTIAL_EXPIRED'               : 'FAILED',
+		'MISSING_NONCE'                    : 'ERROR',
+		'UNSUPPORTED_FORMAT'               : 'ERROR',
+		'CREDENTIAL_REVOKED'               : 'FAILED',
+		'CREDENTIAL_SUSPENDED'             : 'FAILED',
+		'HOLDER_BINDING_MISMATCH'          : 'ERROR',
+		'CREDENTIAL_MISSING_DATA'          : 'FAILED',
+		'UNRESOLVABLE_STATUS_LIST'         : 'ERROR',
+		'PUBLIC_KEY_OF_ISSUER_UNRESOLVABLE': 'ERROR',
+		'CLIENT_REJECTED'                  : 'CANCELED',
+		'ISSUER_NOT_ACCEPTED'              : 'ERROR'
+]
+
+// ---------------
+// check, whether we are still processing the correct AuthnRequest
+if (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) {
+	// wrong request, "force" a timeout
+	LOG.debug('authentication timeout enforced, due to concurrent requests -> return a 408')
+
+	response.setIsDirectResponse(true)
+	response.setContentType('text/html; charset=UTF-8')
+	response.setContent('Timeout')
+	response.setHttpStatusCode(205)
+	response.setHeader('IDP-AUTH', 'Timeout')
+
+	// CONTINUE to keep the other request beeing processed
+	response.setStatus(AuthResponse.AUTH_CONTINUE)
+	return
+}
+
+if (inargs['oid4vp'] == 'ERROR') {
+	response.setResult('error')
+	return
+}
+
+if (inargs['oid4vp'] == 'SUCCEEDED') {
+	response.setResult('ok')
+	return
+}
+
+
+def sess = request.getAuthSession(true)
+
+HttpClient httpClient = HttpClients.create(parameters)
+def spanCtxt = Span.current().getSpanContext()
+def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+
+if (!session['agov.eid.verification']) {
+	// Initialize the verification session on the verifier
+	def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications"
+
+	try {
+		def httpResponse = Http.post()
+				.url(endPoint)
+				.header("Accept", "application/json")
+				.header("traceparent", traceparent)
+				.entity(Http.entity()
+						.content(verification_request_template.replaceAll("\\{\\{UUID}}", UUID.randomUUID().toString()))
+						.contentType("application/json")
+						.build())
+				.build()
+				.send(httpClient)
+
+
+		if (httpResponse.code() != 200) {
+			LOG.debug("Result: ${httpResponse}")
+			response.setResult('error')
+			return
+		}
+
+		def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
+		LOG.debug("Result: ${json}")
+
+		sess.setAttribute('agov.eid.verification', 'true')
+		sess.setAttribute('agov.eid.verification.id', json.id)
+		sess.setAttribute('agov.eid.verification.link', json.verification_url)
+
+		if (json.state != 'PENDING') {
+			response.setResult('error')
+			return
+		}
+	}
+	catch (Exception e) {
+		LOG.error("Eid verification failed: $e")
+		response.setResult('error')
+		return
+	}
+}
+
+if (getHeader('Content-Type') == 'application/json' && inargs.containsKey('o.id.v')) {
+	// request for a status update from the verifier
+	def result
+
+	// TODO/haburger/2025-03-24: we should make sure, that we have an actual session on the verifier with id.v
+	// and that authRequestId is correct
+	def idvalue = (!inargs['o.id.v'] || inargs['o.id.v'] == 'NEW') ? session['agov.eid.verification.id'] : inargs['o.id.v']
+
+	try {
+		def endPoint = "${parameters.get('eidVerifierBaseUrl')}/api/v1/verifications/${idvalue}"
+
+		def httpResponse = Http.get()
+				.url(endPoint)
+				.header("Accept", "application/json")
+				.header("traceparent", traceparent)
+				.build()
+				.send(httpClient)
+
+		if (httpResponse.code() != 200) {
+			// TODO/haburger/2025-03-25: 404 we should create a new verification request
+			LOG.debug("Result: ${httpResponse}")
+			result = """{
+				"oid4vp": {
+					"status": "ERROR",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "HTTP-ERROR",
+					"error_message": "failed to verify status of verification ${idvalue}, http status: ${httpResponse.code()}"
+				}}"""
+			LOG.warn("<== Response: ${responseCode}")
+		}
+		else {
+
+			def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
+
+			if (json.state == 'SUCCESS') {
+				def claims = json.wallet_response.credential_subject_data
+
+				// TODO/haburger/2025-03-25: format changes to align with IDM read data
+				sess.setAttribute('ch.nevis.idm.User.firstName', claims.given_name)
+				sess.setAttribute('ch.nevis.idm.User.lastName', claims.family_name)
+				sess.setAttribute('ch.nevis.idm.User.birthDate', claims.birth_date)
+				sess.setAttribute('ch.nevis.idm.User.gender', claims.sex)
+				sess.setAttribute('ch.nevis.idm.User.prop.svnr', claims.personal_administrative_number)
+				sess.setAttribute('ch.nevis.idm.User.prop.placeOfBirth', claims.birth_place)
+				sess.setAttribute('ch.nevis.idm.User.prop.eIdNumber', claims.personal_administrative_number)
+				sess.setAttribute('ch.nevis.idm.User.prop.nationality', claims.nationality.toString())
+				sess.setAttribute('ValidFrom', claims.issuance_date)
+				sess.setAttribute('ValidTo', claims.expiry_date)
+				sess.setAttribute('authenticatedWith', "urn:qa.agov.ch:names:tc:authfactor:eid")
+				sess.setAttribute('idVerification', "Eid")
+				sess.setAttribute('contextClassRefToSet', "urn:qa.agov.ch:names:tc:ac:classes:600")
+
+				response.setUserId(claims.personal_administrative_number)
+				response.setLoginId(claims.document_number)
+				response.setAuthLevel("EID")
+
+				result = """{
+				"oid4vp": {
+					"status": "SUCCEEDED",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "NONE"
+				}}"""
+			}
+			else if (json.state == 'FAILED') {
+				// TODO/haburger/2025-03-25: ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] == 'FAILED' we should
+				//  initiate a new verification and return the new id, url together with the message
+
+				LOG
+						.error("Eid verification failed: ${json.wallet_response.error_code} (${json.wallet_response.error_description})")
+				result = """{
+				"oid4vp": {
+					"status": "${ERROR_CODE_TO_STATUS_MAPPER[json.wallet_response.error_code] ?: 'ERROR'}",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "${json.wallet_response.error_code}",
+					"error_message": "${json.wallet_response.error_description}"
+				}}"""
+			}
+			else {
+				result = """{
+				"oid4vp": {
+					"status": "${inargs['o.id.v'] == 'NEW' ? 'INITIATED' : 'PENDING'}",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "NONE"
+				}}"""
+			}
+		}
+
+	}
+	catch (Exception e) {
+		LOG.error("Eid verification failed: ${e}")
+		result = """{
+				"oid4vp": {
+					"status": "ERROR",
+					"verification_url": "${session['agov.eid.verification.link']}",
+					"id": "${idvalue}",
+					"error_code": "HTTP-ERROR",
+					"error_message": "failed to verify status of verification ${idvalue}, http exception"
+				}}"""
+	}
+
+	response.setContent(result.toString())
+	response.setContentType('application/json')
+	response.setHttpStatusCode(200)
+	response.setIsDirectResponse(true)
+	response.setStatus(AuthResponse.AUTH_CONTINUE)
+	return
+}
+
+// if we reach this place, display GUI
+response.setStatus(AuthResponse.AUTH_CONTINUE)
+return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureAccountState.groovy

@@ -26,7 +26,7 @@ String level100RoleExtid = parameters.get('level100.roleExtid')
 
 String baseUrl = "${parameters.get('idm.baseUrl')}/core/v1/$clientExtId"
 boolean audited = false
-String agovAq100AuthEndpoint = null
+String aq100AuthRestURL = null
 String endpoint = null
 
 // 1) create the profile if needed
@@ -79,14 +79,14 @@ if (!Arrays.stream(response.getActualRoles()).filter( r -> r.contains('AGOV-Loi.
 		LOG.warn("Event='DATAERROR', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='created missing AGOVaq 100 role'")
 		audited = true
 	}
-	agovAq100AuthEndpoint = result.getLocation()
+	aq100AuthRestURL = result.getLocation()
 }
 
 
 // 3) set the AQ level 100 verification to None
 if (!session['ch.adnovum.nevisidm.userDto'].contains("<properties><name>idVerification</name><value>None</value><scopeName>AGOV-Loi,level100</scopeName></properties>")) {
 
-	if (agovAq100AuthEndpoint == null) {
+	if (aq100AuthRestURL == null) {
 		endpoint = "${baseUrl}/profiles/${profileExtId}/authorizations"
 
 		def result = idmRestClient.get(endpoint)
@@ -94,12 +94,13 @@ if (!session['ch.adnovum.nevisidm.userDto'].contains("<properties><name>idVerifi
 
 		json['items'].eachWithIndex { az, i ->
 			if (az.roleExtId == level100RoleExtid) {
-				agovAq100AuthEndpoint = "${endpoint}/${az.extId}"
+				aq100AuthRestURL = "${endpoint}/${az.extId}"
 			}
 		}
 	}
 
-	endpoint = "${agovAq100AuthEndpoint}/properties"
+
+    endpoint = "${aq100AuthRestURL}/properties"
 
 	def patchRequest = new HTTPRequestWrapper()
 	patchRequest.addToHeaders('Content-Type',  ['application/json'])

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/ensureRecoveryCode.groovy

@@ -1,7 +1,7 @@
 import ch.nevis.esauth.auth.engine.AuthResponse
-import ch.nevis.idm.client.IdmRestClient
-import ch.nevis.idm.client.IdmRestClientFactory
-import ch.nevis.idm.client.HTTPRequestWrapper
+import ch.nevis.esauth.util.httpclient.api.HttpClient
+
+import io.opentelemetry.api.trace.Span
 
 import groovy.json.JsonSlurper
 import groovy.xml.XmlSlurper
@@ -19,7 +19,9 @@ def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?:
 
 
 
-IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+HttpClient httpClient = HttpClients.create(parameters)
+def spanCtxt = Span.current().getSpanContext()
+def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
 
 String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
 String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
@@ -30,6 +32,13 @@ String endPoint = "${parameters.get('utility-service.baseUrl')}/api/v1/recovery/
 def userDto = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
 def recoveryCredential = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
 
+// Only for aq 100, skip for the rest
+if (Arrays.stream(response.getActualRoles()).filter( r -> r.matches('^.*AGOV-Loi\\.level[2345]00.*$')).findAny().isPresent()) {
+	LOG.debug("Account '${user}' has a higher AQ-level than 100, no need to check code")
+	response.setResult('done')
+	return
+}
+
 // 1a) check if user has a credential
 if ( recoveryCredential != null ) {
 	LOG.debug("Account '${user}' has an active recovery code, no need to create new code")
@@ -44,6 +53,12 @@ if (Arrays.stream(response.getActualRoles()).filter( r -> r.contains('AGOV-Accou
 	return
 }
 
+// 1c) don't do it for mobile phones (BUNDBITBK-4445)
+if (userAgent =~ /(iPhone|Android)/ ) {
+	LOG.debug("User '${user}' used a mobile phone, recovery code creation skipped")
+	response.setResult('done')
+	return
+}
 
 // 2) set cookie for recoveryCode
 if (outargs.containsKey('out.JWTToken')) {
@@ -57,21 +72,26 @@ if (outargs.containsKey('out.JWTToken')) {
 if (!session['agov.new.recovery.code.generated']) {
 	inargs.remove('submit')
 	try {
-		def postRequest = new HTTPRequestWrapper()
-		postRequest.addToHeaders('Content-Type',  ['application/json'])
+		def httpResponse = Http.post()
+			.url(endPoint)
+			.header("Accept", "application/json")
+			.header("traceparent", traceparent)
+			.entity(Http.entity()
+				.content("{\"userExtId\":\"$userExtId\",\"userSessionId\": \"$sessionId\"}")
+				.contentType("application/json")
+				.build())
+			.build()
+			.send(httpClient)
 
-		postRequest.setPayLoad("{\"userExtId\":\"$userExtId\",\"userSessionId\": \"$sessionId\"}".getBytes('UTF-8'))
-		
-        def result = idmRestClient.postWithResponse(endPoint, postRequest)
-		if (result.getStatusCode() != 200) {
-            LOG.debug("Payload: ${new String(postRequest.getPayLoad())}")
-            LOG.debug("Result: ${result}")
-			LOG.warn("Event='RCVRY-CODE', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to create code (http status code ${result.getStatusCode()})")
+
+		if (httpResponse.code() != 200) {
+            LOG.debug("Result: ${httpResponse}")
+			LOG.warn("Event='RCVRY-CODE', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', reason='Failed to create code (http status code ${httpResponse.code()})")
 			response.setResult('failed')
 			return
 		}
 
-		def json = new JsonSlurper().parseText(new String(result.getPayLoad(), 'UTF-8'))
+		def json = new JsonSlurper().parseText(httpResponse.bodyAsString())
 
 		notes.setProperty('agov.new.recovery.code', json['recoveryCode']['code'].replaceAll('^(....)(....)(.*)$', '$1-$2-$3'))
 		LOG.debug("agov.new.recovery.code: ${notes['agov.new.recovery.code']}")

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/env.conf

@@ -1,8 +1,9 @@
 RTENV_SECURITY_CHECK=no_shell
 
 JAVA_OPTS=(
-    "-Dfile.encoding=UTF-8"
     "-XX:+UseContainerSupport"
+    "-Dfile.encoding=UTF-8"
+    "-Dotel.instrumentation.metro.enabled=false"
     "-XX:MaxRAMPercentage=80.0"
     "-Djava.net.preferIPv4Stack=true"
     "-Djava.net.connectionTimeout=10000"
@@ -12,7 +13,7 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisauth/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2405.1,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2411.3,service.instance.id=$HOSTNAME"
     "-Djavax.net.ssl.trustStore=/var/opt/keys/trust/auth-default-tls-trust/truststore.p12"
     "-Djavax.net.ssl.trustStorePassword=\${exec:/var/opt/keys/trust/auth-default-tls-trust/keypass}"
 )

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/fido2_auth.groovy

@@ -98,9 +98,12 @@ if (path == '/nevisfido/fido2/attestation/options') {
     }
     post(connection, json)
     def responseCode = connection.responseCode
+    def responseText = responseCode == 200 ? connection.inputStream.text : '{"allowCredentials":[]}'
+    def jsonResponse = new JsonSlurper().parseText(responseText)
+    def numOfKeys = jsonResponse.allowCredentials ? jsonResponse.allowCredentials.size() : 0
 
-    // non existing account, or account without FIDO2 key case
-    if (responseCode == 404 || responseCode == 400) {
+    // non existing account, account without FIDO2 key , or account with disabled FIDO2 key case
+    if (responseCode == 404 || responseCode == 400 || numOfKeys == 0) {
 
       LOG.debug("Fido2Auth: <== Response: ${responseCode}")
 
@@ -113,36 +116,36 @@ if (path == '/nevisfido/fido2/attestation/options') {
       def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
       def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
       def tAuth = System.currentTimeMillis() - (request.getSession(true).getCreationTime().getEpochSecond() * 1000)
+      def details = "no account (404)"
+      if (responseCode == 400 ) {
+        details = "no fido2 keys for account (400)"    
+      } else if (responseCode == 200) {
+        details = "no active fido2 key for account (200, empty allowCredentials array)"    
+      }
       
-      LOG.info("Event='NOACCOUNT', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${session['ch.nevis.idm.User.email']}, CredentialType='${credentialType}', tAuth=${tAuth}ms, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+      LOG.info("Event='NOACCOUNT', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${session['ch.nevis.idm.User.email']}, CredentialType='${credentialType}', tAuth=${tAuth}ms, SourceIp=${sourceIp}, UserAgent='${userAgent}', Details='${details}'")
+
       // returning a fake options structure, which shouldn't leak whether the user account exists or not
       // keyId is unique per environment and email, fido2SessionId and challenge are renewed each time
       def keyId = UUID.nameUUIDFromBytes("${parameters['rpId']}.${session['ch.nevis.idm.User.email']}".getBytes())
-      def responseText = """{"status": "ok",
-                             "errorMessage": "",
-                             "fido2SessionId": "${UUID.randomUUID()}",
-                             "challenge": "${base64url(UUID.randomUUID())}",
-                             "timeout": 300000,
-                             "rpId": "${parameters['rpId']}",
-                             "allowCredentials": [
-                             {
-                                "type": "public-key",
-                                "id": "${base64url(keyId)}",
-                                "transports": []
-                             }
-                                                 ],
-                             "userVerification": "required"}"""
-
-      response.setContent(responseText) // return response from nevisFIDO "as-is"
-      response.setContentType('application/json')
-      response.setHttpStatusCode(200)
-      response.setIsDirectResponse(true)
-      return
+      responseText = """{"status": "ok",
+                         "errorMessage": "",
+                         "fido2SessionId": "${UUID.randomUUID()}",
+                         "challenge": "${base64url(UUID.randomUUID())}",
+                         "timeout": 300000,
+                         "rpId": "${parameters['rpId']}",
+                         "allowCredentials": [
+                           {
+                              "type": "public-key",
+                              "id": "${base64url(keyId)}",
+                              "transports": []
+                           }
+                         ],
+                         "userVerification": "required"}"""
     }
 
-    def responseText = connection.inputStream.text
     LOG.debug("Fido2Auth: <== Response: ${responseCode} : ${responseText}")
-    response.setContent(responseText) // return response from nevisFIDO "as-is"
+    response.setContent(responseText)
     response.setContentType('application/json')
     response.setHttpStatusCode(200)
     response.setIsDirectResponse(true)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/fido2_fetchcaptchainfos.groovy

@@ -1,28 +1,29 @@
 import groovy.json.JsonSlurper
+import io.opentelemetry.api.trace.Span
 
 def url = parameters.get('url')
+def realIpHttpHeaderName = parameters.get('realIpHttpHeaderName') ?: 'X-Real-IP'
+def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
 
 try {
-  session.remove('agov.fido2.X-ReCAPTCHA-Integration')
+  def spanCtxt = Span.current().getSpanContext()
+  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+
   def jsonSlurper = new JsonSlurper()
   def httpClient = HttpClients.create(parameters)
-  def httpResponse = Http.get().url(url).build().send(httpClient)
-  LOG.info('Response Message: ' + httpResponse.reasonPhrase())
-  LOG.info('Response Status Code: ' + httpResponse.code())
-  LOG.info('Response: ' + httpResponse.bodyAsString())
+  def httpResponse = Http.get().url(url).header('traceparent', traceparent)
+                         .header(realIpHttpHeaderName, ip).build().send(httpClient)
+
+  LOG.debug('Response Status Code: ' + httpResponse.code())
+  LOG.debug('Response: ' + httpResponse.bodyAsString())
 
   if (httpResponse.code() == 200) {
     def json = jsonSlurper.parseText(httpResponse.bodyAsString())
-    response.setSessionAttribute('agov.fido2.json.accountUrl', json.accountUrl)
-    response.setSessionAttribute('agov.fido2.json.registrationUrl', json.registrationUrl)
-    response.setSessionAttribute('agov.fido2.json.captchaSettings.enabled', String.valueOf(json.captchaSettings.enabled))
-    response.setSessionAttribute('agov.fido2.json.captchaSettings.reCaptchaInvisibleSiteKey', json.captchaSettings.reCaptchaInvisibleSiteKey)
-    response.setSessionAttribute('agov.fido2.json.captchaSettings.reCaptchaVisibleSiteKey', json.captchaSettings.reCaptchaVisibleSiteKey)
-    if (session.get('agov.fido2.X-ReCAPTCHA-Integration') == null) {
-      response.setSessionAttribute('agov.fido2.X-ReCAPTCHA-Integration', 'INVISIBLE')
-    } else {
-      response.setSessionAttribute('agov.fido2.X-ReCAPTCHA-Integration', 'VISIBLE')
-    }
+
+    response.setSessionAttribute('agov.fido2.captchaSettings.enabled', String.valueOf(json.friendlyCaptureClientSettings.enabled))
+    response.setSessionAttribute('agov.fido2.captchaSettings.siteKey', json.friendlyCaptureClientSettings.siteKey)
+    response.setSessionAttribute('agov.fido2.captchaSettings.puzzleUrl', json.friendlyCaptureClientSettings.puzzleUrl)
+
     response.setResult('ok')
   } else {
     LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/fido2_fetchcaptcharesult.groovy

@@ -1,53 +1,63 @@
+import io.opentelemetry.api.trace.Span
 
 def url = parameters.get('url')
-def email = inargs['email']
+
+def email = inargs['userInputValue_prompt.email']
+def token = inargs['captcha_response']?: 'MISSING'
+def enabled = (session['agov.fido2.captchaSettings.enabled']?:'true').toBoolean()
+
 def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
 def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
 
-def payload = '{ "email": "' + inargs['userInputValue_prompt.email'] + '", "action": "LOGIN", "userIp": "' + ip + '", "userAgent": "' + userAgent + '"}'
+def payload = "{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }"
 
-LOG.info('Token: ' + inargs['recaptcha_response'])
-LOG.info('Integration: ' + session['agov.fido2.X-ReCAPTCHA-Integration'])
-LOG.info('Payload: ' + payload)
+LOG.debug('Token: ' + token)
+LOG.debug('Payload: ' + payload)
 
 try {
 
+  if (!enabled) {
+    LOG.info("FriendlyCAPTCHA is disabled, allowing operation for ${payload}")
+    response.setResult('ok')
+    return
+  }
+
+  def spanCtxt = Span.current().getSpanContext()
+  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+
   def httpClient = HttpClients.create(parameters)
   def httpResponse = Http.post()
           .url(url)
           .header("Accept", "application/json")
-          .header("X-ReCAPTCHA-Token", inargs['recaptcha_response'])
-          .header("X-ReCAPTCHA-Integration", session['agov.fido2.X-ReCAPTCHA-Integration'])
+          .header("X-FriendlyCAPTCHA-Token", token)
+          .header("traceparent", traceparent)
           .entity(Http.entity()
                   .content(payload)
                   .contentType("application/json")
-               //   .charSet("utf-8")
                   .build())
           .build()
           .send(httpClient)
 
-  LOG.info('Response Message: ' + httpResponse.reasonPhrase())
-  LOG.info('Response Status Code: ' + httpResponse.code())
-  LOG.info('Response: ' + httpResponse.bodyAsString())
+  LOG.debug('Response Status Code: ' + httpResponse.code())
+  LOG.debug('Response: ' + httpResponse.bodyAsString())
 
   if (httpResponse.code() == 200) {
       if (httpResponse.bodyAsString().contains('SUCCESSFUL')) {
           response.setResult('ok')
           return
        } else {
-
-       response.setSessionAttribute('agov.fido2.X-ReCAPTCHA-Integration', 'VISIBLE')
+       LOG.warn("Friendly captcha not successful for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }'")
        response.setResult('exit.1')
        return      
      }
   } else {
-    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
+    LOG.error("Friendly captcha failed with statuscode ${httpResponse.code()} for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }'")
     response.setResult('error')
     response.setError(1, 'Unexpected HTTP reponse')
   }
 } catch (all) {
   // Handle exception and set the transition
-  LOG.error('error: ' + all, all)
+  LOG.error("Friendly captcha failed with a general error '${all}' for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }', service-url: ${url}")
   response.setResult('error')
   response.setError(1, 'Exception during HTTP call')
 }

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/handleRedirectRecovery.groovy

@@ -4,12 +4,12 @@ if(outargs.containsKey('saml.SAMLResponse')) {
      def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
      def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
      def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
-     def credentialType = session['authenticatedWith'] ?: 'unknown'
+     def credentialType = session['agov.recovery.authenticatedWith'] ?: 'unknown'
      def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
      def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
 
-     LOG.info("Event='GOTORECOVERY', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
-
+     LOG.info("Event='GOTORECOVERY', Requester='${requester}', RequestId='${requestId}', RequestedAq=${requestedAq}, User=${user}, CredentialType='${credentialType}', SourceIp=${sourceIp}, UserAgent='${userAgent}', AccountAq='${session['agov.recovery.currentAgovAq']}', AuthCtxClass='${session['agov.recovery.authnContextClassRef']}', RecoveryCodeStatus='${session['agov.recovery.codeStatus']}', RecoveryCodeDetailStatus='${session['agov.recovery.codeDetailStatus']}'")     
+     
      // Redirect
      response.addOutArg('nevis.transfer.destination', parameters.get('agovmedirecturl'))
      response.addOutArg('nevis.transfer.field.SAMLResponse', outargs.getProperty('saml.SAMLResponse').bytes.encodeBase64().toString())

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/idp_dispatcher.groovy

@@ -31,16 +31,33 @@ def redirect(String url) {
  * @return text content of Issuer element converted or null
  */
 String getIssuer(GPathResult xml) {
-    return (xml.depthFirst().find { GPathResult node -> "Issuer".equalsIgnoreCase(node.name()) } as NodeChild)?.text()
+    return xml.depthFirst().find { GPathResult node -> {
+        node.name().endsWith(":Issuer") || node.name().equalsIgnoreCase("Issuer")
+      }
+    }?.text()
 }
 
 String getIssuer(String value) {
+    if (value == null) {
+        return
+    }
+    String text
+    byte[] decoded
     def parser = new XmlSlurper()
-    byte[] decoded = value.decodeBase64()
-    String text = new String(decoded)
+    // if value is raw xml then continue otherwise try to parse the base64 encoding
+    if (value.startsWith("<")) {
+        text = new String(value)
+    }
+    else {
+        decoded = value.decodeBase64()
+        text = new String(decoded)
+        LOG.info("received SAML request $value")
+    }
+
+    // after decoded, if redirect binding, we need to parse string to xml
     if (text.startsWith("<")) {
-        LOG.debug("assuming POST binding")
-        // plain String (POST parameter)
+        LOG.debug("assuming POST/SOAP binding")
+        // plain String (POST/SOAP parameter)
         def xml = parser.parseText(text)
         return getIssuer(xml)
     }
@@ -58,9 +75,18 @@ def dispatchIssuer(i2s, String issuer) {
     if (result == null) {
         LOG.info("No SP found for issuer '$issuer'. Hint: check SAML SP Connector patterns.")
     }
+    
+    // dispatch different idp if artifact binding is enabled
+    if(parameters.get('epdMode') == 'artifact' && result == 'epd'){
+        LOG.debug("EPD: Artifact mode")
+        result = result + "_artifact"
+    }else{
+        LOG.debug("EPD: POST mode")
+    }
     response.setResult(result)
     session.put("saml.inbound.issuer", issuer)
     session.put('saml.idp.result', result) // remember decision for sub-sequent requests without a SAML message
+    
 }
 
 def dispatchMessage(i2s, String message) {
@@ -91,7 +117,8 @@ if (request.getSession(false) == null) {
 def i2s = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER)
 
 
-i2s.put('https://trustbroker.agov-d.azure.adnovum.net', 'state0')
+i2s.put(parameters.get('atb'), 'main')
+i2s.put(parameters.get('epd_atb'), 'epd')
 
 if (parameters.get('spInitiated') == 'true' && inargs.containsKey('SAMLRequest')) { // SP-initiated authentication
     LOG.debug("found SAMLRequest parameter for SP-initiated authentication")
@@ -107,6 +134,20 @@ if (inargs.containsKey('SAMLResponse')) { // response to IDP-initiated SAML Logo
     return
 }
 
+if (parameters.get('spInitiated') == 'true' && inargs.containsKey('soapheader')) { // SP-initiated SOAP with soapheader
+    LOG.debug("found soapheader parameter for SP-initiated")
+    String message = inargs.get('soapheader')
+    dispatchMessage(i2s, message)
+    return
+}
+
+if (parameters.get('spInitiated') == 'true' && inargs.containsKey('')) { // SP-initiated SOAP with empty
+    LOG.debug("found empty parameter for SP-initiated SOAP message")
+    String message = inargs.get('')
+    dispatchMessage(i2s, message)
+    return
+}
+
 String issuer = inargs['Issuer'] ?: inargs['issuer']
 if (parameters.get('idpInitiated') == 'true' && issuer != null) { // IDP-initiated authentication
     LOG.debug("found Issuer parameter for IDP-initiated authentication")

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/logRecoveryReason.groovy

@@ -0,0 +1,10 @@
+def requester = 'unknown'
+def requestId = session['ch.nevis.auth.saml.request.id'] ?: 'unknown'
+def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
+def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+def reason = session['agov.recovery.reason'] ?: 'unknown'
+
+LOG.info("Event='RECOVERY-REASON', Requester='${requester}', RequestId='${requestId}', User=${user}, SourceIp=${sourceIp}, UserAgent='${userAgent}', Reason='${reason}'")
+
+response.setResult('ok')

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/logging.yml

@@ -12,6 +12,8 @@ Configuration:
         onMismatch: "ACCEPT"
   Loggers:
     Logger:
+    - name: "ProductAnalytics"
+      level: "INFO"
     - name: "EsAuthStart"
       level: "INFO"
     - name: "org.apache.catalina.loader.WebappClassLoader"
@@ -22,6 +24,8 @@ Configuration:
       level: "FATAL"
     - name: "AGOV-ACCT"
       level: "DEBUG"
+    - name: "AgovCaptcha"
+      level: "DEBUG"
     - name: "AuthEngine"
       level: "INFO"
     - name: "AuthPerf"
@@ -31,7 +35,7 @@ Configuration:
     - name: "OpTrace"
       level: "DEBUG"
     - name: "Recovery"
-      level: "INFO"
+      level: "DEBUG"
     - name: "Script"
       level: "DEBUG"
     - name: "SessCoord"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/mobile_nless_auth.groovy

@@ -82,8 +82,9 @@ if (inargs['fidoUafDone'] == 'true' ||
 if (inargs['fallback'] == 'fallback') {
     response.setResult('fido2')
 }
-    // dispatch to recovery
-    if (inargs['fallback'] == 'recovery') {
+
+// dispatch to recovery
+if (inargs['fallback'] == 'recovery') {
     response.addOutArg('nevis.transfer.destination', parameters.get('recoveryurl'))
     response.setStatus(ch.nevis.esauth.auth.engine.AuthResponse.AUTH_CONTINUE) 
     response.setIsRedirectTransfer(true)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/nevisauth.yml

@@ -3,6 +3,7 @@ server:
   protocol: "https"
   port: "8991"
   host: "0.0.0.0"
+  max-threads: "200"
   tls:
     keystore: "/var/opt/keys/own/auth-default-identity/keystore.p12"
     keystore-passphrase: "${exec:/var/opt/keys/own/auth-default-identity/keypass}"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/otel.properties

@@ -1,4 +1,4 @@
-otel.service.name=auth
-otel.traces.exporter=none
-otel.metrics.exporter=none
-otel.logs.exporter=none
+otel.service.name = auth
+otel.traces.exporter = none
+otel.metrics.exporter = none
+otel.logs.exporter = none

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireLfProcessing.groovy

@@ -0,0 +1,25 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+if (inargs['cancel'] && inargs['cancel'] == 'cancel') {
+  def s = request.getAuthSession(true)
+  s.removeAttribute('agov.recovery.moreThanOneLf')
+
+  response.setResult('doCancel')
+  return
+}
+
+if (inargs['continue'] && inargs['continue'] == 'yes') {
+  response.setSessionAttribute('agov.recovery.moreThanOneLf', 'yes')
+  response.setResult('loginFactorYes')
+  return
+}
+
+if (inargs['continue'] && inargs['continue'] == 'no') {
+  response.setSessionAttribute('agov.recovery.moreThanOneLf', 'no')
+  response.setResult('loginFactorNo')
+  return
+}
+
+// if we reach this, display the GUI again
+response.setStatus(AuthResponse.AUTH_CONTINUE)
+return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/questionnaireReasonProcessing.groovy

@@ -0,0 +1,28 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+
+if (inargs['reason']) {
+  response.setSessionAttribute('agov.recovery.reason', '' + inargs['reason'])
+}
+
+if (inargs['cancel'] && inargs['cancel'] == 'cancel') {
+  def s = request.getAuthSession(true)
+  s.removeAttribute('agov.recovery.moreThanOneLf')
+  s.removeAttribute('agov.recovery.reason')
+
+  response.setResult('doCancel')
+  return
+}
+
+if (inargs['continue'] && inargs['continue'] == 'yes') {
+  response.setResult('validReasons')
+  return
+}
+
+if (inargs['continue'] && inargs['continue'] == 'no') {
+  response.setResult('invalidReasons')
+  return
+}
+
+// if we reach this, display the GUI again
+response.setStatus(AuthResponse.AUTH_CONTINUE)
+return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-prepareRedirect.groovy

@@ -0,0 +1,22 @@
+if (session['agov.recovery.redirectDone']) {
+  // user navigated back from AGOV.me, go again for the code
+
+  // clean up SAML state first, 
+  // IdentityProviderState sets session attributes as follows
+  //   <IDP-State-Name>-session-participants.<SAML-RP-ISSUER> = <ACS-URL>
+  // State name contains the name of the pattern 'Recovery_redirectAgovMe'
+  def s = request.getAuthSession(true)
+  def sessionKeySet = new HashSet(session.keySet()) 
+  sessionKeySet.each { key -> 
+    if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
+      LOG.debug("Deleted session attribute '${key}'")
+      s.removeAttribute(key)
+    }
+  }
+  s.removeAttribute('agov.recovery.redirectDone')
+  response.setResult('back')
+} else {
+  // redirect
+  response.setSessionAttribute('agov.recovery.redirectDone', 'true')
+  response.setResult('redirect')
+}

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery-processing.groovy

@@ -1,5 +1,9 @@
-import org.codehaus.groovy.runtime.StackTraceUtils
+import groovy.json.JsonSlurper
 import groovy.xml.XmlSlurper
+import org.codehaus.groovy.runtime.StackTraceUtils
+
+import ch.nevis.idm.client.IdmRestClient
+import ch.nevis.idm.client.IdmRestClientFactory
 
 
 // AGOVaq conversion
@@ -11,6 +15,9 @@ def maxLoiRoleToCtxClssConvertorMap = [
     "level500": "urn:qa.agov.ch:names:tc:ac:classes:500"
 ]
 
+// https://docs.nevis.net/nevisidm/Developer-Guide/SOAP-Interface/Interface-specification/Value-types#enum-value-types
+def blockingCredentialStates = ['DISABLED', 'EXPIRED', 'LOCKED', 'ARCHIVED', 'RESET_CODE']
+
 def getUserIdVerificationForRecovery(currentLoaRole) {
   // application is AGOV-AccountStatus
   def list = new XmlSlurper().parseText(session.get('ch.adnovum.nevisidm.userDto'))
@@ -74,6 +81,42 @@ def getUserMustRecoverValidFrom() {
   return (authzNode) ? ((authzNode.validFrom && !authzNode.validFrom.text().isEmpty()) ? authzNode.validFrom?.text() : authzNode.ctlCreDat?.text()) : ''
 }
 
+def userHasNewLoginFactor() {
+  IdmRestClient idmRestClient = IdmRestClientFactory.get(parameters)
+
+  String baseUrl = parameters.get('baseUrl')
+  String clientExtId = session.get('ch.adnovum.nevisidm.user.clientExtId')
+  String userExtId = session.get('ch.adnovum.nevisidm.user.extId')
+  String baseEndPoint = "$baseUrl/api/core/v1/$clientExtId/users/$userExtId"
+
+  response.setSessionAttribute('agov.recovery.newLoginFactor', 'NONE')
+
+  try {
+     def credInfoArray = new JsonSlurper().parseText(idmRestClient.get("$baseEndPoint/generic-credentials"))
+
+     def accessApp = credInfoArray['items'].find( it -> it.stateName == "active")
+     if (accessApp) {
+       response.setSessionAttribute('agov.recovery.accessapp', accessApp.properties.fidouaf_name)
+       response.setSessionAttribute('agov.recovery.accessapp.dispatchTargetId', accessApp.identification.replaceAll('dispatch_target_', ''))
+       response.setSessionAttribute('agov.recovery.newLoginFactor', 'ACCESS_APP')
+       return true
+     }
+
+     credInfoArray = new JsonSlurper().parseText(idmRestClient.get("$baseEndPoint/fido2"))
+
+     def fido2Key = credInfoArray['items'].find( it -> it.stateName == "active")
+     if (fido2Key) {
+       response.setSessionAttribute('agov.recovery.securityKey', fido2Key.userFriendlyName)
+       response.setSessionAttribute('agov.recovery.newLoginFactor', 'FIDO2')
+       return true
+     }
+
+  } catch(Exception e) {
+    LOG.error(e.toString())
+  }
+  return false
+}
+
 
 // for autditing
 def user = session['ch.adnovum.nevisidm.user.extId'] ?: 'unknown'
@@ -87,13 +130,19 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
   try {
     def userDto = new XmlSlurper().parseText(session['ch.adnovum.nevisidm.userDto'])
     def userState = userDto.state
+    def recoveryCode = userDto.'**'.find {node -> node.name() == 'credentials' && node.type.text() == 'CONTEXT_PASSWORD' && node.context.text() == 'RECOVERY'}
+
     LOG.debug("Recovery: Dto is '${userDto}")
     LOG.debug("Recovery: state is '${userState}")
-    def session = request.getAuthSession(true)
+    LOG.debug("Recovery: RecoveryCode is '${recoveryCode ? recoveryCode : 'none'}'") 
 
     if (userState == 'ACTIVE') {
 
-      session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
+      response.setSessionAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recovery')
+      response.setSessionAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:email')
+      response.setSessionAttribute('agov.recovery.codeStatus', 'notNeeded')
+      response.setSessionAttribute('agov.recovery.codeDetailStatus', 'n/a')
+      response.setSessionAttribute('agov.recovery.newLoginFactor', 'NONE')
 
       def maxLoiList =   userDto.'**'.findAll { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-Loi' }.collect({ node -> node.name.text() })
       maxLoi = (maxLoiList == null || maxLoiList.isEmpty()) ? null : maxLoiList.sort().last()
@@ -101,6 +150,10 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
       def idVerification = null
       def agovAqValidFrom = null
       if (maxLoi) {
+        if (maxLoi != 'level100') {
+          response.setSessionAttribute('agov.recovery.codeDetailStatus', '' + maxLoi)
+        }
+
         idVerification = userDto.'**'.find { node -> node.name() == 'properties' && node.name.text() == 'idVerification' && node.scopeName.text() == 'AGOV-Loi,' + maxLoi}?.value?.text()
         idVerification = idVerification ?: 'None'
         agovAqValidFrom = userDto.'**'.find { node -> node.name() == 'authorizations' && node.role.name.text() == maxLoi}?.validFrom?.text()
@@ -111,16 +164,22 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
 
       def hasRecoveryRole = userDto.'**'.find { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' && node.name.text() == 'recovery' }
 
+      def hasRecoveryCascadeRole = userDto.'**'.find { node -> node.name() == 'roles' && node.applicationName.text() == 'AGOV-AccountStatus' && node.name.text() == 'recoveryCascade' }
+
+      def hasNewLoginFactor = hasRecoveryRole && userHasNewLoginFactor()
 
       if (mustRecover) {
         // attributes are defined over the mustRecover authorization
-        session.setAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
+        response.setSessionAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:mustRecover')
+        response.setSessionAttribute('agov.recovery.codeDetailStatus', 'mustRecover')
 
         idVerification = getUserIdVerificationForRecovery(maxLoi ?: 'level100') ?: idVerification
 
         agovAqValidFrom = getUserMustRecoverValidFrom()
 
         maxLoi = getAqLevelBasedOnIdVerificationForRecovery(idVerification, maxLoi)
+      } else if (hasRecoveryCascadeRole && hasNewLoginFactor) {
+        response.setSessionAttribute('agov.recovery.authnContextClassRef', 'urn:qa.agov.ch:names:tc:ac:classes:recoveryCascade')
       }
 
       LOG.debug("Recovery: MaxLoi is '${maxLoi}'")
@@ -128,6 +187,7 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
       LOG.debug("Recovery: agovAqValidFrom is ${agovAqValidFrom}")
       LOG.debug("Recovery: mustRecover is '${mustRecover}'")
       LOG.debug("Recovery: hasRecoveryRole is '${hasRecoveryRole}'")
+      LOG.debug("Recovery: hasNewLoginFactor is '${hasNewLoginFactor}'")
 
       if (maxLoi != null) {       
         if (maxLoiRoleToCtxClssConvertorMap.containsKey(maxLoi)) {
@@ -136,15 +196,30 @@ if (session['ch.adnovum.nevisidm.userDto'] != null && notes['lasterror'] == null
           response.setSessionAttribute('agov.recovery.currentIdVerification', '' + idVerification)
           response.setSessionAttribute('agov.recovery.currentAgovAqRoleValidFrom', '' + agovAqValidFrom)
 
-          if ((maxLoi == 'level100') && (mustRecover == null)) {
-            // mustRecover role not set, so code needs to be checked
-            LOG.debug("Recovery: emailAndCode")
-            response.setSessionAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:emailAndCode')
-            response.setResult('needCode')
+          if ((maxLoi == 'level100') && (mustRecover == null) && !hasNewLoginFactor) {
+            // AQ100 accounts need to use the recovery code, if they can
+            // check the status of recoveryCode credential
+            if (recoveryCode && !blockingCredentialStates.contains(recoveryCode.state.text())) {
+              LOG.debug("Recovery: emailAndCode")
+              response.setResult('needCode')
+              return
+            } else {
+              LOG.warn("AGOVaq100 recovery: skipped Recovery-Code check '${recoveryCode ? recoveryCode.state.text() : 'MISSING'}'")
+              response.setSessionAttribute('agov.recovery.codeStatus', 'skipped')
+              response.setSessionAttribute('agov.recovery.codeDetailStatus', "unusable (state: ${recoveryCode ? recoveryCode.state.text() : 'MISSING'})")
+              response.setResult('ok')
+              return
+            }
+
+          } else if ((maxLoi == 'level100') && hasNewLoginFactor) {
+            LOG.debug("Recovery: new Login Factor")
+            response.setSessionAttribute('agov.recovery.codeStatus', 'skipped')
+            response.setSessionAttribute('agov.recovery.codeDetailStatus', "new login factor already registered (${session['agov.recovery.newLoginFactor']})")
+            response.setResult('ok')
             return
+
           } else {
             LOG.debug("Recovery: email")
-            response.setSessionAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:email')
             response.setResult('ok')
             return
           }

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_fetchcaptchainfos.groovy

@@ -1,29 +1,30 @@
-//import ch.nevis.esauth.util.httpclient.api.HttpClients
-//import ch.nevis.esauth.util.httpclient.api.Http
 import groovy.json.JsonSlurper
+import io.opentelemetry.api.trace.Span
 
 def url = parameters.get('url')
+def realIpHttpHeaderName = parameters.get('realIpHttpHeaderName') ?: 'X-Real-IP'
+def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
 
 try {
+  def spanCtxt = Span.current().getSpanContext()
+  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+
   def jsonSlurper = new JsonSlurper()
   def httpClient = HttpClients.create(parameters)
-  def httpResponse = Http.get().url(url).build().send(httpClient)
-  LOG.info('Response Message: ' + httpResponse.reasonPhrase())
-  LOG.info('Response Status Code: ' + httpResponse.code())
-  LOG.info('Response: ' + httpResponse.bodyAsString())
+  def httpResponse = Http.get().url(url).header('traceparent', traceparent)
+                         .header(realIpHttpHeaderName, ip).build().send(httpClient)
+
+  LOG.debug('Response Status Code: ' + httpResponse.code())
+  LOG.debug('Response: ' + httpResponse.bodyAsString())
 
   if (httpResponse.code() == 200) {
     def json = jsonSlurper.parseText(httpResponse.bodyAsString())
-    response.setSessionAttribute('agov.recovery.json.accountUrl', json.accountUrl)
-    response.setSessionAttribute('agov.recovery.json.registrationUrl', json.registrationUrl)
-    response.setSessionAttribute('agov.recovery.json.captchaSettings.enabled', String.valueOf(json.captchaSettings.enabled))
-    response.setSessionAttribute('agov.recovery.json.captchaSettings.reCaptchaInvisibleSiteKey', json.captchaSettings.reCaptchaInvisibleSiteKey)
-    response.setSessionAttribute('agov.recovery.json.captchaSettings.reCaptchaVisibleSiteKey', json.captchaSettings.reCaptchaVisibleSiteKey)
-    if (session.get('agov.recovery.X-ReCAPTCHA-Integration') == null) {
-      response.setSessionAttribute('agov.recovery.X-ReCAPTCHA-Integration', 'INVISIBLE')
-    } else {
-      response.setSessionAttribute('agov.recovery.X-ReCAPTCHA-Integration', 'VISIBLE')
-    }
+
+    response.setSessionAttribute('agov.recovery.captchaSettings.enabled', String.valueOf(json.friendlyCaptureClientSettings.enabled))
+    response.setSessionAttribute('agov.recovery.captchaSettings.siteKey', json.friendlyCaptureClientSettings.siteKey)
+    response.setSessionAttribute('agov.recovery.captchaSettings.puzzleUrl', json.friendlyCaptureClientSettings.puzzleUrl)
+
+
     response.setResult('ok')
   } else {
     LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_fetchcaptcharesult.groovy

@@ -1,52 +1,63 @@
-//import ch.nevis.esauth.util.httpclient.api.HttpClients
-//import ch.nevis.esauth.util.httpclient.api.Http
+import io.opentelemetry.api.trace.Span
 
 def url = parameters.get('url')
-def email = inargs['email']
-def payload = '{ "email": "' + inargs['email'] + '", "action": "LOGIN", "userIp": "' + session.get('agov.recovery.ip') + '", "userAgent": "' + session.get('agov.recovery.userAgent') + '"}'
 
-LOG.info('Token: ' + inargs['recaptcha_response'])
-LOG.info('Integration: ' + session['agov.recovery.X-ReCAPTCHA-Integration'])
-LOG.info('Payload: ' + payload)
+def email = inargs['email']
+def token = inargs['captcha_response']?: 'MISSING'
+def enabled = (session['agov.recovery.captchaSettings.enabled']?:'true').toBoolean()
+
+def ip = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
+def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
+
+def payload = "{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }"
+
+LOG.debug('Token: ' + token)
+LOG.debug('Payload: ' + payload)
 
 try {
 
+  if (!enabled) {
+    LOG.info("FriendlyCAPTCHA is disabled, allowing operation for ${payload}")
+    response.setResult('ok')
+    return
+  }
+
+  def spanCtxt = Span.current().getSpanContext()
+  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+
   def httpClient = HttpClients.create(parameters)
   def httpResponse = Http.post()
           .url(url)
           .header("Accept", "application/json")
-          .header("X-ReCAPTCHA-Token", inargs['recaptcha_response'])
-          .header("X-ReCAPTCHA-Integration", session['agov.recovery.X-ReCAPTCHA-Integration'])
+          .header("X-FriendlyCAPTCHA-Token", token)
+          .header("traceparent", traceparent)
           .entity(Http.entity()
                   .content(payload)
                   .contentType("application/json")
-               //   .charSet("utf-8")
                   .build())
           .build()
           .send(httpClient)
 
-  LOG.info('Response Message: ' + httpResponse.reasonPhrase())
-  LOG.info('Response Status Code: ' + httpResponse.code())
-  LOG.info('Response: ' + httpResponse.bodyAsString())
+  LOG.debug('Response Status Code: ' + httpResponse.code())
+  LOG.debug('Response: ' + httpResponse.bodyAsString())
 
   if (httpResponse.code() == 200) {
       if (httpResponse.bodyAsString().contains('SUCCESSFUL')) {
           response.setResult('ok')
           return
        } else {
-
-       response.setSessionAttribute('agov.recovery.X-ReCAPTCHA-Integration', 'VISIBLE')
+       LOG.warn("Friendly captcha not successful for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }'")
        response.setResult('exit.1')
        return      
      }
   } else {
-    LOG.error('Unexcpected HTTP response code: ' + httpResponse.code())
+    LOG.error("Friendly captcha failed with statuscode ${httpResponse.code()} for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }'")
     response.setResult('error')
     response.setError(1, 'Unexpected HTTP reponse')
   }
 } catch (all) {
   // Handle exception and set the transition
-  LOG.error('error: ' + all, all)
+  LOG.error("Friendly captcha failed with a general error '${all}' for '{ \"userIp\": \"${ip}\", \"email\": \"${email}\", \"userAgent\": \"${userAgent}\" }', service-url: ${url}")
   response.setResult('error')
   response.setError(1, 'Exception during HTTP call')
 }

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_fido2_auth.groovy

@@ -8,7 +8,6 @@ if (inargs.containsKey('cancel_fido2')) {
 
 def showGui() {
     response.setGuiName('recovery_fidokey_auth') // name is the trigger for including the JS
-    //response.setGuiName('fido2_auth') // name is the trigger for including the JS
     response.setGuiLabel('title.login.fido2')
     response.addInfoGuiField('info', 'info.login.fido2', null)
     response.addHiddenGuiField('authRequestId', 'not used', session['ch.nevis.auth.saml.request.id'])
@@ -18,7 +17,6 @@ def showGui() {
         response.addErrorGuiField('lasterror', notes['lasterrorinfo'], notes['lasterror'])
     }
     if (parameters.containsKey('cancel')) {
-        // TODO koenig 20221021: replace with specific label
         response.addButtonGuiField('cancel_fido2', 'cancel.login.fido2.button.label', 'true')
     }
 }
@@ -42,12 +40,14 @@ def post(connection, json) {
     connection.getOutputStream().write(body.getBytes())
 }
 
-String userExtId = session['ch.adnovum.nevisidm.user.extId'] ?: session['ch.nevis.idm.User.extId'] ?: request.getUserId() ?: notes['userid']
+String userExtId = session['ch.adnovum.nevisidm.user.extId'] ?: session['ch.nevis.idm.User.extId']
 if (userExtId == null) {
     LOG.error("missing extId of nevisIDM user. check your authentication flow.")
+    notes.setProperty('lasterror', '1')
+    notes.setProperty('lasterrorinfo', 'missing extId of nevisIDM user')
+    response.setResult('error')
+    return
 }
-// without the user extId this script won't work and we can fail with a System Error
-Objects.requireNonNull(userExtId)
 
 def path = getPath()
 if (path == null) {
@@ -65,32 +65,17 @@ if (path == '/nevisfido/fido2/attestation/options') {
     }
     post(connection, json)
     def responseCode = connection.responseCode
-// account without FIDO2 case
+
     if (responseCode == 400) {
-      def responseText = '''{"status": "ok",
-	                         "errorMessage": "",
-	                         "fido2SessionId": "270312ae-8d74-4ded-ad89-5310da2d2e6f",
-	                         "challenge": "tKCqUM6URnykri1ZFz-3ww",
-	                         "timeout": 300000,
-	                         "rpId": "agov-d.azure.adnovum.net",
-	                         "allowCredentials": [
-		                     {
-			                    "type": "public-key",
-			                    "id": "WVzzUwxOf-1doTGkrdRHWPDbETTawkULLPsEiwiQwA2AFC4_YgL5OVmJJOT2OulAZSq_tvOfNlMSRKRXyXH2kw",
-			                    "transports": []
-		                     }
-	                                             ],
-	                         "userVerification": "preferred"}'''
-	  LOG.info("<== Response: ${responseCode}")
-      response.setContent(responseText) // return response from nevisFIDO "as-is"
-      response.setContentType('application/json')
-      response.setHttpStatusCode(200)
-      response.setIsDirectResponse(true)
-      return
+        LOG.error("FIDO2 options call failed for '${userExtId}'")
+        notes.setProperty('lasterror', '1')
+        notes.setProperty('lasterrorinfo', 'missing extId of nevisIDM user')
+        response.setResult('error')
+        return
     }
 
     def responseText = connection.inputStream.text
-    LOG.info("<== Response: ${responseCode} : ${responseText}")
+    LOG.debug("<== Response: ${responseCode} : ${responseText}")
     response.setContent(responseText) // return response from nevisFIDO "as-is"
     response.setContentType('application/json')
     response.setHttpStatusCode(200)
@@ -100,21 +85,6 @@ if (path == '/nevisfido/fido2/attestation/options') {
 
 if (path == '/nevisfido/fido2/assertion/result') {
 
-  if (inargs.containsKey('authRequestId') && (inargs['authRequestId'] != session['ch.nevis.auth.saml.request.id'])) {
-    // wrong request, "force" a timeout
-    LOG.info('authentication timeout enforced, due to concurrent requests')
-
-    response.setIsDirectResponse(true)
-    response.setContentType('text/html; charset=UTF-8')
-    response.setContent('Timeout')
-    response.setHttpStatusCode(205)
-    response.setHeader('IDP-AUTH', 'Timeout')
-
-    // CONTINUE to keep the other request beeing processed
-    response.setStatus(AuthResponse.AUTH_CONTINUE)
-    return
-  }
-
     def userHandleValue = userExtId.getBytes().encodeBase64Url().toString()
     LOG.info("encoded userHandle: ${userHandleValue}")
     json {
@@ -132,15 +102,13 @@ if (path == '/nevisfido/fido2/assertion/result') {
     // test if credentials exist
     if (responseCode != 400) {
         def responseText = connection.inputStream.text
-        LOG.info("<== Response: ${responseCode} : ${responseText}")
+        LOG.debug("<== Response: ${responseCode} : ${responseText}")
         if (responseCode == 200 && new JsonSlurper().parseText(responseText).status == 'ok') {
+            response.setSessionAttribute('agov.recovery.authenticatedWith', 'urn:qa.agov.ch:names:tc:authfactor:fido')
             response.setResult('ok')
             return
         }
     }
-    //response.setHttpStatusCode(400)
-    //response.setIsDirectResponse(true)
-    // DEFINE how to handel error
     notes.setProperty('lasterror', '1')
     notes.setProperty('lasterrorinfo', 'FIDO2 authentication failed')
     response.setResult('error')

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_handlecode.groovy

@@ -1,4 +1,5 @@
 import ch.nevis.esauth.auth.engine.AuthResponse
+
 if (inargs['cancel'] == 'cancel') {
       //cleanSession()
       response.setStatus(AuthResponse.AUTH_ERROR)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_ongoing.groovy

@@ -1,4 +1,22 @@
+import ch.nevis.esauth.auth.engine.AuthResponse
+
 if (inargs['recovery'] != null && inargs['recovery'] == 'recovery' ) {
-   response.setResult('ok')
-   return
-}
+  // clean up SAML state, to make sure the redirect will really be processed 
+  // IdentityProviderState sets session attributes as follows
+  //   <IDP-State-Name>-session-participants.<SAML-RP-ISSUER> = <ACS-URL>
+  // State name contains the name of the pattern 'Recovery_redirectAgovMe'
+  def s = request.getAuthSession(true)
+  def sessionKeySet = new HashSet(session.keySet()) 
+  sessionKeySet.each { key -> 
+    if ( key ==~ /.*Recovery_redirectAgovMe-session-participants.*/ ) {
+      LOG.debug("Deleted session attribute '${key}'")
+      s.removeAttribute(key)
+    }
+  }
+  response.setResult('ok')
+  return
+}
+
+// if we reach this, display the GUI again
+response.setStatus(AuthResponse.AUTH_CONTINUE)
+return

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/recovery_sendemail031.groovy

@@ -1,19 +1,19 @@
-//import ch.nevis.esauth.util.httpclient.api.HttpClient;
-//import ch.nevis.esauth.util.httpclient.api.HttpClients;
-//import ch.nevis.esauth.util.httpclient.api.Http;
+import io.opentelemetry.api.trace.Span
 
 def url = parameters.get('url')
-//def payload = parameters.get('json')
-//def url = "https://me.agov-d.azure.adnovum.net:48081/utility/api/v1/email/031"
 def email = inargs['email']
 def language = session['ch.nevis.session.user.language'] ?: 'en'
 def payload = '{ "email": "' + email + '", "language": "' + language + '"}'
 
 try {
+  def spanCtxt = Span.current().getSpanContext()
+  def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
+
   def httpClient = HttpClients.create(parameters)
   def httpResponse = Http.post()
           .url(url)
           .header("Accept", "application/json")
+          .header("traceparent", traceparent)
           .entity(Http.entity()
                   .content(payload)
                   .contentType("application/json")

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/auth/var/opt/nevisauth/default/conf/requestedrolelevel.groovy

@@ -1,8 +1,6 @@
 import groovy.xml.XmlSlurper
 import groovy.json.JsonSlurper
-//import ch.nevis.esauth.util.httpclient.api.HttpClients
-//import ch.nevis.esauth.util.httpclient.api.Http
-
+import io.opentelemetry.api.trace.Span
 
 int getRequestedLevel(String authnContextClassRef, def roleList){
   if (!authnContextClassRef) {
@@ -28,7 +26,7 @@ int getRequestedLevel(String authnContextClassRef, def roleList){
 
 def session = request.getAuthSession(true)
 def context = session.get('ch.nevis.auth.saml.request.authnContextClassRef')
-def roleLevels = [100,200,300,400]
+def roleLevels = [100,200,300,400,500,600]
 def requestedRoleLevelNumber = getRequestedLevel(context, roleLevels)
 
 //set attribute Requested Role Level
@@ -46,23 +44,35 @@ def requestedAq = session['agov.requestedRoleLevel'] ?: 'unknown'
 def sourceIp = request.getLoginContext()['connection.HttpHeader.X-Real-IP'] ?: 'unknown'
 def userAgent = request.getLoginContext()['connection.HttpHeader.user-agent'] ?: request.getLoginContext()['connection.HttpHeader.User-Agent'] ?: 'unknown'
 
-LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, SourceIp=${sourceIp}, UserAgent='${userAgent}'")
+def bestTokenAddressWhitelist = ',' + (parameters.get('bestTokenAddressWhitelist') ?: '').replaceAll('\\s','') + ','
+def appRequiresBestTokenWithAddress = bestTokenAddressWhitelist.contains(','+requester+',')
 
+def bestTokenSvnrWhitelist = ',' + (parameters.get('bestTokenSvnrWhitelist') ?: '').replaceAll('\\s','') + ','
+def appRequiresBestTokenWithSvnr = bestTokenSvnrWhitelist.contains(','+requester+',')
+
+LOG.info("Event='AUTHREQUEST', Requester='${requester}', RequestId='${requestId}', ReplacedRequestId='${replacedRequestId}', RequestedAq=${requestedAq}, BestTokenRequired='svnr: ${appRequiresBestTokenWithSvnr}; address: ${appRequiresBestTokenWithAddress}', SourceIp=${sourceIp}, UserAgent='${userAgent}'")
 
-def appAddressRequiredWhitelist = ',' + (parameters.get('appAddressRequired.whitelist') ?: '').replaceAll('\\s','') + ','
-def appIsOnappAddressRequiredWhitelist = appAddressRequiredWhitelist.contains(','+requester+',')
 
 if (requestedRoleLevelNumber == 0 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == null) {
   response.setResult('error');
   return
 }
 
+// TODO/haburger/2024-03-21: move this later, now here for a simple start
+if (requestedRoleLevelNumber == 600 || session.get('ch.nevis.auth.saml.request.scoping.requesterId') == 'OidcPlaygroundWork') {
+  session.setAttribute('agov.appSvnrAllowed', 'true')
+  response.setResult('exit.1');
+  return
+}
+
 try {
+      def spanCtxt = Span.current().getSpanContext()
+      def traceparent = "00-${spanCtxt.getTraceId()}-${spanCtxt.getSpanId()}-${spanCtxt.getTraceFlags().asHex()}"
       def jsonSlurper = new JsonSlurper()
       def url = parameters.get('url') + '?entity-id=' + session.get('ch.nevis.auth.saml.request.scoping.requesterId')
       LOG.debug('Request url: ' + url)
       def httpClient = HttpClients.create(parameters)
-      def httpResponse = Http.get().url(url).build().send(httpClient)
+      def httpResponse = Http.get().url(url).header('traceparent', traceparent).build().send(httpClient)
       LOG.debug('Response Message: ' + httpResponse.reasonPhrase())
       LOG.debug('Response Status Code: ' + httpResponse.code())
       LOG.debug('Response: ' + httpResponse.bodyAsString())
@@ -71,16 +81,18 @@ try {
         def json = jsonSlurper.parseText(httpResponse.bodyAsString())
         LOG.debug('AdressRequired: ' + json.addrRequired)
         LOG.debug('SvnrAllowed: ' + json.svnrAllowed)
-        LOG.debug('appAddressRequiredWhitelist applies: ' + appIsOnappAddressRequiredWhitelist)
+        LOG.debug('appRequiresBestTokenWithAddress: ' + appRequiresBestTokenWithAddress)
+        LOG.debug('appRequiresBestTokenWithSvnr: ' + appRequiresBestTokenWithSvnr)
 
         // address will be returned to the application if allowed by connect (json.addrRequired) 
         // and the authRequest was done with at least AGOVaq 200
-        // BITBKAGOVSUP-362: or whitelisted to receive the address
-        session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appIsOnappAddressRequiredWhitelist)))
+        // BUNDBITBK-4307: or best token for address is enabled
+        session.setAttribute('agov.appAddressRequired', '' + (json.addrRequired && ((requestedRoleLevelNumber >= 200) || appRequiresBestTokenWithAddress)))
 
         // address will be returned to the application if allowed by connect (json.svnrAllowed) 
         // and the authRequest was done with at least AGOVaq 300
-        session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && requestedRoleLevelNumber >= 300))
+        // BUNDBITBK-4307: or best token for svnr is enabled
+        session.setAttribute('agov.appSvnrAllowed', '' + (json.svnrAllowed && ((requestedRoleLevelNumber >= 300) || appRequiresBestTokenWithSvnr)))
 
         session.setAttribute('agov.appDisplayNameDE', '' + json.displayNameDe)
         session.setAttribute('agov.appDisplayNameFR', '' + json.displayNameFr)
@@ -93,7 +105,7 @@ try {
         LOG.warn('Unexcpected HTTP response code: ' + httpResponse.code())
 
         if ( requestedRoleLevelNumber == 100) {
-           session.setAttribute('agov.appAddressRequired', '' + appIsOnappAddressRequiredWhitelist)
+           session.setAttribute('agov.appAddressRequired', '' + appRequiresBestTokenWithAddress)
            session.setAttribute('agov.appSvnrAllowed', 'false')
            response.setResult('ok')
         }
@@ -112,7 +124,7 @@ try {
 } catch (Exception e) {
   LOG.error("Failed to fetch connect meta data for relying party '${session.get('ch.nevis.auth.saml.request.scoping.requesterId')}'", e)
   if ( requestedRoleLevelNumber == 100) {
-     session.setAttribute('agov.appAddressRequired', '' + appIsOnappAddressRequiredWhitelist)
+     session.setAttribute('agov.appAddressRequired', '' + appRequiresBestTokenWithAddress)
      session.setAttribute('agov.appSvnrAllowed', 'false')
      response.setResult('ok')
   }

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/etc/nevis/k8s-fido-uaf-fido-uaf-extended-frontent-truststore-ca92034f995b39fde562293c.yaml

@@ -10,5 +10,3 @@ metadata:
     patternId: "ca92034f995b39fde562293c"
 spec:
   keystores: []
-  extraCerts:
-  - "- Swiss Goverment Root CA II\n-----BEGIN CERTIFICATE-----\nMIIIODCCBiCgAwIBAgIQDp8XmaWxPZzL7Abro/AOaTANBgkqhkiG9w0BAQsFADCB\npzELMAkGA1UEBhMCQ0gxOzA5BgNVBAoTMlRoZSBGZWRlcmFsIEF1dGhvcml0aWVz\nIG9mIHRoZSBTd2lzcyBDb25mZWRlcmF0aW9uMREwDwYDVQQLEwhTZXJ2aWNlczEi\nMCAGA1UECxMZQ2VydGlmaWNhdGlvbiBBdXRob3JpdGllczEkMCIGA1UEAxMbU3dp\nc3MgR292ZXJubWVudCBSb290IENBIElJMB4XDTExMDIxNjA5MDAwMFoXDTM1MDIx\nNjA4NTk1OVowgacxCzAJBgNVBAYTAkNIMTswOQYDVQQKEzJUaGUgRmVkZXJhbCBB\ndXRob3JpdGllcyBvZiB0aGUgU3dpc3MgQ29uZmVkZXJhdGlvbjERMA8GA1UECxMI\nU2VydmljZXMxIjAgBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxJDAi\nBgNVBAMTG1N3aXNzIEdvdmVybm1lbnQgUm9vdCBDQSBJSTCCAiIwDQYJKoZIhvcN\nAQEBBQADggIPADCCAgoCggIBAKksEu2/wCLphugcN4KDm2gFbxbjiKgBD8txnn9H\nkEvMJXfI8NdpLpFoVyGysgchM+5MpDclmEy0RjJO1vlri1GK7yw38pjV9dS0t+cA\nyu/BE16Uq267nL36a4+r+B42Vmk4ZjrQ9DMNADkCqMUcCyG3XCAMYdCtrs6OXtk6\n6d7/R3x4Vw4ccfRgHN3bmhgpr9mAo5+FhGMzke+9dO7dA3rI+uCE5tm9Tn76bk92\n0V0+qOiHRZB5862u9cJdEU0p94gTydWTcwGr3e39r3f7aU7vj1Icz/UsWmzs/oKb\n23w5q3UjfjiQT5SOLWJYnvfncvyUW3JWxZ2jrqu1tsDXdlAAPD9HiJJaYNS/Mhum\nlEANdnnpPM7ksx3HjPXohjG52CtQSoASidcsUIDmZy+2k5ytrAVSIlMgmQ69l8bh\n2nOpHYnyxFnmh+ZWKw6VAhqHxnn+mWrpdOzwEvkUKCCVljovXVe1b/+TvLYoaiyk\nKHhGYa9BJKTz+gSO8YoZopFz4nePtKf5nP9uUey9H5YT6GORXodob+vYfC4QT1AY\nkMe3dO8zwIHfM+MakytVBCx80iu3Ywz+rXu9tjqXuT0DI3RzA6YsWQBs1dXo7K9C\nzNN/cItgYOeyoLaKUkz+CpbLzzqwWAjuHELJhndCbj+0rJAAWEIcQMRuuEXIvDM2\n370nAgMBAAGjggJcMIICWDAPBgNVHRMBAf8EBTADAQH/MIGdBgNVHSAEgZUwgZIw\ngY8GCGCFdAERAxUBMIGCMEQGCCsGAQUFBwIBFjhodHRwOi8vd3d3LnBraS5hZG1p\nbi5jaC9jcHMvQ1BTXzJfMTZfNzU2XzFfMTdfM18yMV8xLnBkZjA6BggrBgEFBQcC\nAjAuGixUaGlzIGlzIHRoZSBTd2lzcyBHb3Zlcm5tZW50IFJvb3QgQ0EgSUkgQ1BT\nLjCBjwYDVR0fBIGHMIGEMIGBoH+gfYZ7bGRhcDovL2FkbWluZGlyLmFkbWluLmNo\nOjM4OS9jbj1Td2lzcyUyMEdvdmVybm1lbnQlMjBSb290JTIwQ0ElMjBJSSxvdT1D\nZXJ0aWZpY2F0aW9uJTIwQXV0aG9yaXRpZXMsb3U9U2VydmljZXMsbz1BZG1pbixj\nPUNIMB0GA1UdDgQWBBTlhG+JaT12ABd/wau9rl/BfbrhYjAOBgNVHQ8BAf8EBAMC\nAQYwgeMGA1UdIwSB2zCB2IAU5YRviWk9dgAXf8Grva5fwX264WKhga2kgaowgacx\nCzAJBgNVBAYTAkNIMTswOQYDVQQKEzJUaGUgRmVkZXJhbCBBdXRob3JpdGllcyBv\nZiB0aGUgU3dpc3MgQ29uZmVkZXJhdGlvbjERMA8GA1UECxMIU2VydmljZXMxIjAg\nBgNVBAsTGUNlcnRpZmljYXRpb24gQXV0aG9yaXRpZXMxJDAiBgNVBAMTG1N3aXNz\nIEdvdmVybm1lbnQgUm9vdCBDQSBJSYIQDp8XmaWxPZzL7Abro/AOaTANBgkqhkiG\n9w0BAQsFAAOCAgEAgzdXdck4UL9BBpZwwtnH17BaAM2jQE/T0vmKh5GyictdpLxv\nTz5U9so8s8RMi8c+9NnEYt3HVZ7R+dJE5x5Pz+juKxyoAfAzB/vhOxTTz1CRXtjq\nQsZ5WIWq+9zbcMqV+fQOYgJwaUQtaE/RcOooUma3cd4l6KGnb7ChJsfXyiBk3MBz\nPBCiFB70rcE+FJA5NmOIbyjgYKWR92Lkms/StXGeXTv2mSztkToInLSEhUnj4bqm\ntmiztrZPS1xTCldsoQeS9mKeqPqK1vNrpw+yK2a9r0JHCE/o13yfhg/6WoO+LW8A\nBLV2hxav3U86lrQ0V7fi/0H/3kIcZsWF68JyH7gcTu4X8mLvCgSsm6uh8u7uokAk\nHEfeQosYtKlXs088YjIcrWxErbzVHGM4Pckzpvu8KDdERuN6YvqASDXinhuIGUyz\nQf3ud+BZgBphHjWkQXqzwY1E6cUhWems00TKdoU2FEYKHhY0psQ0d8OCOEghAv4S\nbNrX6rDs9s0szPObCmOA0/ULfQQthA3C2Uwrl/HVVPePswrivVg8mfKvORuQ+Tvn\nt0XnWmp9wZ8UbzBXmBmgB0Pr7tEIhtdJnBIKADsPp0GxSquQs9S9CeeID54kDiv7\nYT1VmdNY5LjHffQVTWUOGHlBybvpmsFZGEQ0YtXoOHvKhRiYhnnNfbpH25U=\n-----END CERTIFICATE-----\n"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/etc/nevis/k8s-fido-uaf-instance-ca92034f995b39fde562293c.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisFIDO"
   replicas: 1
-  version: "8.2405.1"
+  version: "8.2411.2"
   gitInitVersion: "1.3.0"
   runAsNonRoot: true
   ports:
@@ -28,22 +28,30 @@ spec:
     management:
       httpGet:
         path: "/nevisfido/liveness"
-      initialDelaySeconds: 40
-      periodSeconds: 30
+      periodSeconds: 5
       timeoutSeconds: 6
   readinessProbe:
     management:
       httpGet:
         path: "/nevisfido/health"
-      initialDelaySeconds: 40
-      periodSeconds: 30
+      periodSeconds: 5
       timeoutSeconds: 6
+  startupProbe:
+    management:
+      httpGet:
+        path: "/nevisfido/health"
+      periodSeconds: 5
+      timeoutSeconds: 6
+      failureThreshold: 50
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-5560b9df58bc00fcf3fc92f29f5f7840af9dbf26"
+    tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf"
     credentials: "git-credentials"
+  database:
+    name: "fido-uaf"
+    requiredVersion: "8.2411.1"
   keystores:
   - "fido-uaf-default-server-identity"
   - "fido-uaf-default-client-identity"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/etc/nevis/k8s-nevisfido-uaf-database-9385d1b33aefe975fb1c5914.yaml

@@ -0,0 +1,26 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisDatabase"
+metadata:
+  name: "fido-uaf"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "fido-uaf"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "9385d1b33aefe975fb1c5914"
+spec:
+  type: "NevisFIDO"
+  databaseType: "MariaDB"
+  version: "8.2411.1"
+  url: "mariadb-session-store-service.adn-agov-nevisidm-ob-01-uat"
+  port: 3306
+  database: "nevisfido_uaf"
+  bootstrap: true
+  migrate: true
+  rootCredentials:
+    name: "root-mariadb-session-store"
+    namespace: "adn-agov-nevisidm-ob-01-uat"
+  podSecurity:
+    policy: "baseline"
+    automountServiceAccountToken: false
+  timeZone: "Europe/Zurich"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/env.conf

@@ -2,10 +2,10 @@ RUN_ARGS="--config conf/nevisfido.yml --log-config conf/logging.yml"
 
 JAVA_OPTS=(
     "-XX:+UseContainerSupport"
-    "-XX:MaxRAMPercentage=80.0"
     "-Dignore.me"
+    "-XX:MaxRAMPercentage=80.0"
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisfido/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2405.1,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
 )

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/logging.yml

@@ -12,6 +12,8 @@ Configuration:
         onMismatch: "ACCEPT"
   Loggers:
     Logger:
+    - name: "ProductAnalytics"
+      level: "INFO"
     - name: "ch.nevis.auth.fido.application.Application"
       level: "INFO"
     - name: "ch.nevis.auth.fido.api.uaf"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/metadata/metadata.json

@@ -3,8 +3,16 @@
     "aaid" : "F1D0#0001",
     "description" : "Android NEVIS Mobile Authentication PIN Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [],
-    "attestationTypes" : [ 15880 ],
+    "attestationRootCertificates" : [
+      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
+      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
+      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
+      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    ],
+    "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
       "major" : 1,
       "minor" : 1
@@ -13,12 +21,12 @@
       "userVerification" : 4
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 9,
+    "authenticationAlgorithms" : [ 2, 9 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 1,
     "matcherProtection" : 1,
-    "publicKeyAlgAndEncoding" : 256,
+    "publicKeyAlgAndEncodings" : [ 257, 259 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -26,8 +34,16 @@
     "aaid" : "F1D0#0002",
     "description" : "Android NEVIS Mobile Authentication Fingerprint Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [],
-    "attestationTypes" : [ 15880 ],
+    "attestationRootCertificates" : [
+      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
+      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
+      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
+      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    ],
+    "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
       "major" : 1,
       "minor" : 1
@@ -36,12 +52,12 @@
       "userVerification" : 2
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 9,
+    "authenticationAlgorithms" : [ 2, 9 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 4,
     "matcherProtection" : 2,
-    "publicKeyAlgAndEncoding" : 256,
+    "publicKeyAlgAndEncodings" : [ 257, 259 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -49,8 +65,16 @@
     "aaid" : "F1D0#0003",
     "description" : "Android NEVIS Mobile Authentication Biometric Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [],
-    "attestationTypes" : [ 15880 ],
+    "attestationRootCertificates" : [
+      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
+      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
+      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
+      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    ],
+    "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
       "major" : 1,
       "minor" : 1
@@ -59,12 +83,12 @@
       "userVerification" : 346
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 9,
+    "authenticationAlgorithms" : [ 2, 9 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 4,
     "matcherProtection" : 2,
-    "publicKeyAlgAndEncoding" : 256,
+    "publicKeyAlgAndEncodings" : [ 257, 259 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -72,8 +96,16 @@
     "aaid" : "F1D0#0004",
     "description" : "Android NEVIS Mobile Authentication Device Passcode Authenticator",
     "assertionScheme" : "UAFV1TLV",
-    "attestationRootCertificates" : [],
-    "attestationTypes" : [ 15880 ],
+    "attestationRootCertificates" : [
+      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
+      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
+      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
+      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    ],
+    "attestationTypes" : [ 15879, 15880 ],
     "upv" : [ {
       "major" : 1,
       "minor" : 1
@@ -82,12 +114,43 @@
       "userVerification" : 132
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 9,
+    "authenticationAlgorithms" : [ 2, 9 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 4,
     "matcherProtection" : 2,
-    "publicKeyAlgAndEncoding" : 259,
+    "publicKeyAlgAndEncodings" : [ 257, 259 ],
+    "tcDisplay" : 1,
+    "tcDisplayContentType" : "text/plain"
+  },
+  {
+    "aaid" : "F1D0#0005",
+    "description" : "Android NEVIS Mobile Authentication Password Authenticator",
+    "assertionScheme" : "UAFV1TLV",
+    "attestationRootCertificates" : [
+      "MIIFYDCCA0igAwIBAgIJAOj6GWMU0voYMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTYwNTI2MTYyODUyWhcNMjYwNTI0MTYyODUyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaOBpjCBozAdBgNVHQ4EFgQUNmHhAHyIBQlRi0RsR/8aTMnqTxIwHwYDVR0jBBgwFoAUNmHhAHyIBQlRi0RsR/8aTMnqTxIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwQAYDVR0fBDkwNzA1oDOgMYYvaHR0cHM6Ly9hbmRyb2lkLmdvb2dsZWFwaXMuY29tL2F0dGVzdGF0aW9uL2NybC8wDQYJKoZIhvcNAQELBQADggIBACDIw41L3KlXG0aMiS//cqrG+EShHUGo8HNsw30W1kJtjn6UBwRM6jnmiwfBPb8VA91chb2vssAtX2zbTvqBJ9+LBPGCdw/E53Rbf86qhxKaiAHOjpvAy5Y3m00mqC0w/Zwvju1twb4vhLaJ5NkUJYsUS7rmJKHHBnETLi8GFqiEsqTWpG/6ibYCv7rYDBJDcR9W62BW9jfIoBQcxUCUJouMPH25lLNcDc1ssqvC2v7iUgI9LeoM1sNovqPmQUiG9rHli1vXxzCyaMTjwftkJLkf6724DFhuKug2jITV0QkXvaJWF4nUaHOTNA4uJU9WDvZLI1j83A+/xnAJUucIv/zGJ1AMH2boHqF8CY16LpsYgBt6tKxxWH00XcyDCdW2KlBCeqbQPcsFmWyWugxdcekhYsAWyoSf818NUsZdBWBaR/OukXrNLfkQ79IyZohZbvabO/X+MVT3rriAoKc8oE2Uws6DF+60PV7/WIPjNvXySdqspImSN78mflxDqwLqRBYkA3I75qppLGG9rp7UCdRjxMl8ZDBld+7yvHVgt1cVzJx9xnyGCC23UaicMDSXYrB4I4WHXPGjxhZuCuPBLTdOLU8YRvMYdEvYebWHMpvwGCF6bAx3JBpIeOQ1wDB5y0USicV3YgYGmi+NZfhA4URSh77Yd6uuJOJENRaNVTzk",
+      "MIIFHDCCAwSgAwIBAgIJANUP8luj8tazMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMTkxMTIyMjAzNzU4WhcNMzQxMTE4MjAzNzU4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBOMaBc8oumXb2voc7XCWnuXKhBBK3e2KMGz39t7lA3XXRe2ZLLAkLM5y3J7tURkf5a1SutfdOyXAmeE6SRo83Uh6WszodmMkxK5GM4JGrnt4pBisu5igXEydaW7qq2CdC6DOGjG+mEkN8/TA6p3cnoL/sPyz6evdjLlSeJ8rFBH6xWyIZCbrcpYEJzXaUOEaxxXxgYz5/cTiVKN2M1G2okQBUIYSY6bjEL4aUN5cfo7ogP3UvliEo3Eo0YgwuzR2v0KR6C1cZqZJSTnghIC/vAD32KdNQ+c3N+vl2OTsUVMC1GiWkngNx1OO1+kXW+YTnnTUOtOIswUP/Vqd5SYgAImMAfY8U9/iIgkQj6T2W6FsScy94IN9fFhE1UtzmLoBIuUFsVXJMTz+Jucth+IqoWFua9v1R93/k98p41pjtFX+H8DslVgfP097vju4KDlqN64xV1grw3ZLl4CiOe/A91oeLm2UHOq6wn3esB4r2EIQKb6jTVGu5sYCcdWpXr0AUVqcABPdgL+H7qJguBw09ojm6xNIrw2OocrDKsudk/okr/AwqEyPKw9WnMlQgLIKw1rODG2NvU9oR3GVGdMkUBZutL8VuFkERQGt6vQ2OCw0sV47VMkuYbacK/xyZFiRcrPJPb41zgbQj9XAEyLKCHex0SdDrx+tWUDqG8At2JHA==",
+      "MIIFHDCCAwSgAwIBAgIJAMNrfES5rhgxMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjExMTE3MjMxMDQyWhcNMzYxMTEzMjMxMDQyWjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQBTNNZe5cuf8oiq+jV0itTGzWVhSTjOBEk2FQvh11J3o3lna0o7rd8RFHnN00q4hi6TapFhh4qaw/iG6Xg+xOan63niLWIC5GOPFgPeYXM9+nBb3zZzC8ABypYuCusWCmt6Tn3+Pjbz3MTVhRGXuT/TQH4KGFY4PhvzAyXwdjTOCXID+aHud4RLcSySr0Fq/L+R8TWalvM1wJJPhyRjqRCJerGtfBagiALzvhnmY7U1qFcS0NCnKjoO7oFedKdWlZz0YAfu3aGCJd4KHT0MsGiLZez9WP81xYSrKMNEsDK+zK5fVzw6jA7cxmpXcARTnmAuGUeI7VVDhDzKeVOctf3a0qQLwC+d0+xrETZ4r2fRGNw2YEs2W8Qj6oDcfPvq9JySe7pJ6wcHnl5EZ0lwc4xH7Y4Dx9RA1JlfooLMw3tOdJZH0enxPXaydfAD3YifeZpFaUzicHeLzVJLt9dvGB0bHQLE4+EqKFgOZv2EoP686DQqbVS1u+9k0p2xbMA105TBIk7npraa8VM0fnrRKi7wlZKwdH+aNAyhbXRW9xsnODJ+g8eF452zvbiKKngEKirK5LGieoXBX7tZ9D1GNBH2Ob3bKOwwIWdEFle/YF/h6zWgdeoaNGDqVBrLr2+0DtWoiB1aDEjLWl9FmyIUyUm7mD/vFDkzF+wm7cyWpQpCVQ==",
+      "MIIFHDCCAwSgAwIBAgIJAPHBcqaZ6vUdMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNVBAUTEGY5MjAwOWU4NTNiNmIwNDUwHhcNMjIwMzIwMTgwNzQ4WhcNNDIwMzE1MTgwNzQ4WjAbMRkwFwYDVQQFExBmOTIwMDllODUzYjZiMDQ1MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAr7bHgiuxpwHsK7Qui8xUFmOr75gvMsd/dTEDDJdSSxtf6An7xyqpRR90PL2abxM1dEqlXnf2tqw1Ne4Xwl5jlRfdnJLmN0pTy/4lj4/7tv0Sk3iiKkypnEUtR6WfMgH0QZfKHM1+di+y9TFRtv6y//0rb+T+W8a9nsNL/ggjnar86461qO0rOs2cXjp3kOG1FEJ5MVmFmBGtnrKpa73XpXyTqRxB/M0n1n/W9nGqC4FSYa04T6N5RIZGBN2z2MT5IKGbFlbC8UrW0DxW7AYImQQcHtGl/m00QLVWutHQoVJYnFPlXTcHYvASLu+RhhsbDmxMgJJ0mcDpvsC4PjvB+TxywElgS70vE0XmLD+OJtvsBslHZvPBKCOdT0MS+tgSOIfga+z1Z1g7+DVagf7quvmag8jfPioyKvxnK/EgsTUVi2ghzq8wm27ud/mIM7AY2qEORR8Go3TVB4HzWQgpZrt3i5MIlCaY504LzSRiigHCzAPlHws+W0rB5N+er5/2pJKnfBSDiCiFAVtCLOZ7gLiMm0jhO2B6tUXHI/+MRPjy02i59lINMRRev56GKtcd9qO/0kUJWdZTdA2XoS82ixPvZtXQpUpuL12ab+9EaDK8Z4RHJYYfCT3Q5vNAXaiWQ+8PTWm2QgBR/bkwSWc+NpUFgNPN9PvQi8WEg5UmAGMCAwEAAaNjMGEwHQYDVR0OBBYEFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMB8GA1UdIwQYMBaAFDZh4QB8iAUJUYtEbEf/GkzJ6k8SMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgIEMA0GCSqGSIb3DQEBCwUAA4ICAQB8cMqTllHc8U+qCrOlg3H7174lmaCsbo/bJ0C17JEgMLb4kvrqsXZs01U3mB/qABg/1t5Pd5AORHARs1hhqGICW/nKMav574f9rZN4PC2ZlufGXb7sIdJpGiO9ctRhiLuYuly10JccUZGEHpHSYM2GtkgYbZba6lsCPYAAP83cyDV+1aOkTf1RCp/lM0PKvmxYN10RYsK631jrleGdcdkxoSK//mSQbgcWnmAEZrzHoF1/0gso1HZgIn0YLzVhLSA/iXCX4QT2h3J5z3znluKG1nv8NQdxei2DIIhASWfu804CA96cQKTTlaae2fweqXjdN1/v2nqOhngNyz1361mFmr4XmaKH/ItTwOe72NI9ZcwS1lVaCvsIkTDCEXdm9rCNPAY10iTunIHFXRh+7KPzlHGewCq/8TOohBRn0/NNfh7uRslOSZ/xKbN9tMBtw37Z8d2vvnXq/YWdsm1+JLVwn6yYD/yacNJBlwpddla8eaVMjsF6nBnIgQOf9zKSe06nSTqvgwUHosgOECZJZ1EuzbH4yswbt02tKtKEFhx+v+OTge/06V+jGsqTWLsfrOCNLuA8H++z+pUENmpqnnHovaI47gC+TNpkgYGkkBT6B/m/U01BuOBBTzhIlMEZq9qkDWuM2cA5kW5V3FJUcfHnw1IdYIg2Wxg7yHcQZemFQg==",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrJblQMA0GCSqGSIb3DQEBCwUAMDoxDTALBgNVBAMMBHRlc3QxCzAJBgNVBAYTAkNIMRwwGgYJKoZIhvcNAQkBFg1mYWtlQGFjbWUuY29tMB4XDTI0MDgxOTE0NTg0MFoXDTI1MDgxOTE0NTg0MFowOjENMAsGA1UEAwwEdGVzdDELMAkGA1UEBhMCQ0gxHDAaBgkqhkiG9w0BCQEWDWZha2VAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcWDBNmdq13fYHnhsmLndAW+MfbI6PeU4OenqfbrTtQUxqpyqhP6QccPYKX2SK3JeQo5uuF1jRD/9i9vAXI9NyiMMHSItjt9LjRs7bWnY4lokYGCAcSZooR9fGZX63dBSQo73V7MC8LDFGy5rw6dGDOmh0ktKxFzaT/nav8/Mx8FyG7M9+b5OPIBo2yze5Rd5cdErGJuUYa9No93BBr5tq+JfnmR/gwgCOke97ovhNj+sMu5bt946AxC6t00wNyPNVlJHKi1os0c/pWztTQkoRAx/w0JYKS9Afl0ZnGWQQ5PNLHHecp2GzriBpQAPXq81QTbOh5H7SzvhkaFQ4oxstAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAD8GOaeMDqj2mzMmCqR6Cr3ChkbDAkdsBa5lOAikMKs7/tJyaw8iA5yH0nyobC58Jb61IATuxABPUALhP3RiNsUhnQQF/Dh+6CnCTD/2wsZmr8vUvNqyCLom+xkMT6Wayd9LYW4UONARv1qCLVI4RhiAr5kcomwqZnuj2DRF697lbSQDoz3iuKrCyBYSCBhS+k7UXpqpMyB2D6quRuPqh7JNtMjGSeMiNpMXhx5f4kl1YWb8NU93LDwHFR2kwnGmPA3M272VitcJC4dz3itGRKm9EYGd6d5D7kdC6lqpZPSIopChvXDyVrXjQgckvgtSGKscs6AvYgjthJGsR2z3Eao=",
+      "MIIC8jCCAdqgAwIBAgIGAZFrLh2fMA0GCSqGSIb3DQEBCwUAMDoxDjAMBgNVBAMMBXRlc3R5MQswCQYDVQQGEwJVUzEbMBkGCSqGSIb3DQEJARYMYWJjQGFjbWUuY29tMB4XDTI0MDgxOTE1MDc1MFoXDTI1MDgxOTE1MDc1MFowOjEOMAwGA1UEAwwFdGVzdHkxCzAJBgNVBAYTAlVTMRswGQYJKoZIhvcNAQkBFgxhYmNAYWNtZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDqitlYBzaxbPF389ZT5xkSS9Le1qdIOuc+dLVpBSWP9PEJhVZROgdOHs5f666iAcBedQm73sew3rpl+02J4fSgGmPkIYm1G2vkIrpt0eB9KzSc0AiLZbrPcFZOLHcOLoqVTfoRhnmAksHDC2f8euNKhCyriK8xlJb/xPfAfCn4r58ZGsQPUS7cJL6FLYh7FjrqfYDS10VOrQvGOALrG5NUj1DdqRq0M+klgs+6oJdUZTtY62BKkWh3N+7moNvrqykpv+ydFUJltgezDcb4Br8Nkw/breSPnomRfyHIcAcfATZcOPJlI8pO0zFZDIz8r7ESMnBhAxNaZgsUhR2XbaqbAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAGw5XLY6GeFJMP350+djhcVqAw+E4HZqCJu1BMpYC0qS2D85fFi3gNuV0TnqB52abX1WBDDJK1CA0SPdyo/nX+qQzP6Dba1AVRKpRzdcsDsMDN3eMC08tajHgIIf5tNDv+HGE/MT2br4o5oducmQMOfV1NTJO1xhXYVqbsUnyrq3S6kD9WS8zRl6ruY1rT26eCQ4hTLHPaAiVsoXh5TBRXYCvGlAw7o2d9cmsbySforZ2wgdZwmu43B5eHNnt4NlDxZRyz6iEDP0nT877aB2ffsOKHAkJNuTvF5JSfnVzLmiyfa/7NI1ujfzcpA2UUXoWa7WN0wACiZQot8Zmswonjc="
+    ],
+    "attestationTypes" : [ 15879, 15880 ],
+    "upv" : [ {
+      "major" : 1,
+      "minor" : 1
+    } ],
+    "userVerificationDetails" : [ [ {
+      "userVerification" : 4
+    } ] ],
+    "attachmentHint" : 1,
+    "authenticationAlgorithms" : [ 2, 9 ],
+    "authenticatorVersion" : 1,
+    "isSecondFactorOnly" : false,
+    "keyProtection" : 1,
+    "matcherProtection" : 1,
+    "publicKeyAlgAndEncodings" : [ 257, 259 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -105,12 +168,12 @@
       "userVerification" : 4
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 2,
+    "authenticationAlgorithms" : [ 2 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 1,
     "matcherProtection" : 1,
-    "publicKeyAlgAndEncoding" : 257,
+    "publicKeyAlgAndEncodings" : [ 257 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -128,12 +191,12 @@
       "userVerification" : 2
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 2,
+    "authenticationAlgorithms" : [ 2 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 6,
     "matcherProtection" : 2,
-    "publicKeyAlgAndEncoding" : 257,
+    "publicKeyAlgAndEncodings" : [ 257 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -151,12 +214,12 @@
       "userVerification" : 16
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 2,
+    "authenticationAlgorithms" : [ 2 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 6,
     "matcherProtection" : 2,
-    "publicKeyAlgAndEncoding" : 257,
+    "publicKeyAlgAndEncodings" : [ 257 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
   },
@@ -174,13 +237,35 @@
       "userVerification" : 4
     } ] ],
     "attachmentHint" : 1,
-    "authenticationAlgorithm" : 2,
+    "authenticationAlgorithms" : [ 2 ],
     "authenticatorVersion" : 1,
     "isSecondFactorOnly" : false,
     "keyProtection" : 6,
     "matcherProtection" : 2,
-    "publicKeyAlgAndEncoding" : 257,
+    "publicKeyAlgAndEncodings" : [ 257 ],
     "tcDisplay" : 1,
     "tcDisplayContentType" : "text/plain"
-  }
-]
+  },
+  {
+    "aaid" : "F1D0#1005",
+    "description" : "iOS NEVIS Mobile Authentication Password Authenticator",
+    "assertionScheme" : "UAFV1TLV",
+    "attestationRootCertificates" : [],
+    "attestationTypes" : [ 15880 ],
+    "upv" : [ {
+      "major" : 1,
+      "minor" : 1
+    } ],
+    "userVerificationDetails" : [ [ {
+      "userVerification" : 4
+    } ] ],
+    "attachmentHint" : 1,
+    "authenticationAlgorithms" : [ 2 ],
+    "authenticatorVersion" : 1,
+    "isSecondFactorOnly" : false,
+    "keyProtection" : 1,
+    "matcherProtection" : 1,
+    "publicKeyAlgAndEncodings" : [ 257 ],
+    "tcDisplay" : 1,
+    "tcDisplayContentType" : "text/plain"
+  }]

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/nevisfido.yml

@@ -1,116 +1,116 @@
 server:
   port: 9443
-  host: 0.0.0.0
-  protocol: https
+  host: "0.0.0.0"
+  protocol: "https"
   tls:
-    keystore: /var/opt/keys/own/fido-uaf-default-server-identity/keystore.p12
-    keystore-passphrase: ${exec:/var/opt/keys/own/fido-uaf-default-server-identity/keypass}
-    keystore-type: pkcs12
-    truststore: /var/opt/keys/trust/fido-uaf-fido-uaf-extended-frontent-truststore/truststore.p12
-    truststore-passphrase: ${exec:/var/opt/keys/trust/fido-uaf-fido-uaf-extended-frontent-truststore/keypass}
-    truststore-type: pkcs12
-
+    keystore: "/var/opt/keys/own/fido-uaf-default-server-identity/keystore.p12"
+    keystore-type: "pkcs12"
+    keystore-passphrase: "${exec:/var/opt/keys/own/fido-uaf-default-server-identity/keypass}"
+    truststore: "/var/opt/keys/trust/fido-uaf-fido-uaf-extended-frontent-truststore/truststore.p12"
+    truststore-type: "pkcs12"
+    truststore-passphrase: "${exec:/var/opt/keys/trust/fido-uaf-fido-uaf-extended-frontent-truststore/keypass}"
 management:
   server:
     port: 9089
   healthchecks:
     enabled: true
-
-credential-repository:
-  type: nevisidm
-  rest-url: https://idm:8989/nevisidm
-  administration-url: https://idm:8989/nevisidm/services/v1_46/AdminService
-  keystore: /var/opt/keys/own/fido-uaf-default-client-identity/keystore.p12
-  keystore-passphrase: ${exec:/var/opt/keys/own/fido-uaf-default-client-identity/keypass}
-  keystore-type: pkcs12
-  truststore: /var/opt/keys/trust/fido-uaf-default-server-trust/truststore.p12
-  truststore-passphrase: ${exec:/var/opt/keys/trust/fido-uaf-default-server-trust/keypass}
-  truststore-type: pkcs12
-  admin-service-version: v1_46
-  client-id: cfa9c9b9-119f-4dff-9bb8-86d7c0cf2720
-  user-attribute: extId
-
-session-repository:
-  type: in-memory
-  jdbc-url: 
-  max-connection-lifetime: 
-  user: 
-  password: 
-  schema-user: 
-  schema-user-password: 
-  automatic-db-schema-setup: false
-
 fido-uaf:
   enabled: true
-  app-id: https://auth.agov-w.azure.adnovum.net/nevisfido/uaf/1.1/facets
+  app-id: "https://auth.agov-w.azure.adnovum.net/nevisfido/uaf/1.1/facets"
   facets:
-    - android:apk-key-hash:kb0yJ345nFUmt4nOYK5Li7KvwDDobMKPosY48Uwb0QI
-    - ios:bundle-id:ch.agov.accessapp.t
-    - android:apk-key-hash:msmxrDDoIcxmazyIf9aj8uIvRXdH/wX668OQYaYdXpE
-    - ios:bundle-id:ch.agov.accessapp
-    - android:apk-key-hash:BFZz7gpBpUUk8rLis19LKpR6ZcIZkdxxFPYOwBSKKQk
-    - android:apk-key-hash:xoRd0kamp4TSJcvzfWzNoivuNldp+GKI7fjnwX+VEFg
-  metadata:
-    path: conf/metadata/metadata.json
+  - "android:apk-key-hash:kb0yJ345nFUmt4nOYK5Li7KvwDDobMKPosY48Uwb0QI"
+  - "ios:bundle-id:ch.agov.accessapp.t"
+  - "android:apk-key-hash:msmxrDDoIcxmazyIf9aj8uIvRXdH/wX668OQYaYdXpE"
+  - "ios:bundle-id:ch.agov.accessapp"
+  - "android:apk-key-hash:BFZz7gpBpUUk8rLis19LKpR6ZcIZkdxxFPYOwBSKKQk"
+  - "android:apk-key-hash:xoRd0kamp4TSJcvzfWzNoivuNldp+GKI7fjnwX+VEFg"
   policy:
-    path: conf/policy/
+    path: "conf/policy/"
   timeout:
-    registration: 600s
-    authentication: 600s
-    token-registration: 180s
-    token-authentication: 180s
-    token-deregistration: 600s
+    registration: "300s"
+    authentication: "300s"
+    token-registration: "180s"
+    token-deregistration: "180s"
+    token-authentication: "180s"
+    device-request: "600s"
   transaction-confirmation:
     max-text-length: 2000
+  metadata:
+    path: "conf/metadata/metadata.json"
+  idm-connection-type: "soap"
+  dispatchers:
+  - type: "firebase-cloud-messaging"
+    dry-run: false
+    service-account-json: "inv-res-secret://a78926e06a159811ee15c224-bdd107d2"
+    registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
+    authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
+    deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
+  - type: "png-qr-code"
+    registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
+    authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
+    deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
+  - type: "link"
+    registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
+    authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
+    deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
+    base-url: "ch.agov.access-t://x-callback-url/authenticate"
+  basic-full-attestation:
+    android-verification-level: "default"
   authorization:
     registration:
-      type: sectoken
-      truststore: /var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12
-      truststore-passphrase: ${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}
-      truststore-type: pkcs12
+      type: "sectoken"
+      truststore: "/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12"
+      truststore-type: "pkcs12"
+      truststore-passphrase: "${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}"
       username-attribute-names:
-        - loginId
-        - userid
+      - "loginId"
+      - "userid"
     authentication:
-      type: none
+      type: "none"
     deregistration:
-      type: sectoken
-      truststore: /var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12
-      truststore-passphrase: ${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}
-      truststore-type: pkcs12
+      type: "sectoken"
+      truststore: "/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12"
+      truststore-type: "pkcs12"
+      truststore-passphrase: "${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}"
       username-attribute-names:
-        - loginId
-        - userid
+      - "loginId"
+      - "userid"
     create-dispatch-target:
-      type: sectoken
-      truststore: /var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12
-      truststore-passphrase: ${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}
-      truststore-type: pkcs12
+      type: "sectoken"
+      truststore: "/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12"
+      truststore-type: "pkcs12"
+      truststore-passphrase: "${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}"
       username-attribute-names:
-        - loginId
-        - userid
+      - "loginId"
+      - "userid"
     query-dispatch-target:
-      type: none
+      type: "none"
     delete-dispatch-target:
-      type: sectoken
-      truststore: /var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12
-      truststore-passphrase: ${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}
-      truststore-type: pkcs12
+      type: "sectoken"
+      truststore: "/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/truststore.p12"
+      truststore-type: "pkcs12"
+      truststore-passphrase: "${exec:/var/opt/keys/trust/fido-uaf-internal-idp-auth-signer-trust/keypass}"
       username-attribute-names:
-        - userid
-  dispatchers:
-    - type: "firebase-cloud-messaging"
-      dry-run: false
-      service-account-json: "inv-res-secret://a78926e06a159811ee15c224-bdd107d2"
-      registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
-      authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
-      deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
-    - type: "png-qr-code"
-      registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
-      authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
-      deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
-    - type: "link"
-      registration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/registration"
-      authentication-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/authentication"
-      deregistration-redeem-url: "https://auth.agov-w.azure.adnovum.net/nevisfido/token/redeem/deregistration"
-      base-url: "ch.agov.access-t://x-callback-url/authenticate"
+      - "userid"
+session-repository:
+  type: "sql"
+  jdbc-url: "jdbc:mariadb://mariadb-session-store-service.adn-agov-nevisidm-ob-01-uat:3306/nevisfido_uaf?sslMode=disable&autocommit=true"
+  max-connection-lifetime: "10m"
+  user: "${exec:/var/opt/nevisfido/default/conf/credentials/dbUser}"
+  password: "${exec:/var/opt/nevisfido/default/conf/credentials/dbPassword}"
+  schema-user: ""
+  schema-user-password: ""
+  automatic-db-schema-setup: false
+credential-repository:
+  type: "nevisidm"
+  client-id: "cfa9c9b9-119f-4dff-9bb8-86d7c0cf2720"
+  user-attribute: "extId"
+  administration-url: "https://idm:8989/nevisidm/services/v1_46/AdminService"
+  admin-service-version: "v1_46"
+  rest-url: "https://idm:8989/nevisidm"
+  keystore: "/var/opt/keys/own/fido-uaf-default-client-identity/keystore.p12"
+  keystore-type: "pkcs12"
+  keystore-passphrase: "${exec:/var/opt/keys/own/fido-uaf-default-client-identity/keypass}"
+  truststore: "/var/opt/keys/trust/fido-uaf-default-server-trust/truststore.p12"
+  truststore-type: "pkcs12"
+  truststore-passphrase: "${exec:/var/opt/keys/trust/fido-uaf-default-server-trust/keypass}"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido-uaf/var/opt/nevisfido/default/conf/otel.properties

@@ -1,4 +1,4 @@
-otel.service.name=fido-uaf
-otel.traces.exporter=none
-otel.metrics.exporter=none
-otel.logs.exporter=none
+otel.service.name = fido-uaf
+otel.traces.exporter = none
+otel.metrics.exporter = none
+otel.logs.exporter = none

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/etc/nevis/k8s-fido2-default-signer-trust-087f275433f3973a1421318f.yaml

@@ -1,12 +0,0 @@
-apiVersion: "operator.nevis-security.ch/v1"
-kind: "NevisTrustStore"
-metadata:
-  name: "fido2-default-signer-trust"
-  namespace: "adn-agov-nevisidm-01-uat"
-  labels:
-    deploymentTarget: "fido2"
-  annotations:
-    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
-    patternId: "087f275433f3973a1421318f"
-spec:
-  keystores: []

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/etc/nevis/k8s-nevisfido2-087f275433f3973a1421318f.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisFIDO"
   replicas: 1
-  version: "8.2405.1"
+  version: "8.2411.2"
   gitInitVersion: "1.3.0"
   runAsNonRoot: true
   ports:
@@ -28,20 +28,25 @@ spec:
     management:
       httpGet:
         path: "/nevisfido/liveness"
-      initialDelaySeconds: 40
-      periodSeconds: 30
+      periodSeconds: 5
       timeoutSeconds: 6
   readinessProbe:
     management:
       httpGet:
         path: "/nevisfido/health"
-      initialDelaySeconds: 40
-      periodSeconds: 30
+      periodSeconds: 5
       timeoutSeconds: 6
+  startupProbe:
+    management:
+      httpGet:
+        path: "/nevisfido/health"
+      periodSeconds: 5
+      timeoutSeconds: 6
+      failureThreshold: 50
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-5560b9df58bc00fcf3fc92f29f5f7840af9dbf26"
+    tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2"
     credentials: "git-credentials"
   keystores:
@@ -49,7 +54,6 @@ spec:
   - "fido2-default-client-identity"
   truststores:
   - "fido2-default-tls-client-trust"
-  - "fido2-default-signer-trust"
   - "fido2-default-server-trust"
   podSecurity:
     policy: "baseline"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/env.conf

@@ -6,5 +6,5 @@ JAVA_OPTS=(
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevisfido/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2405.1,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
 )

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/logging.yml

@@ -12,6 +12,8 @@ Configuration:
         onMismatch: "ACCEPT"
   Loggers:
     Logger:
+    - name: "ProductAnalytics"
+      level: "INFO"
     - name: "ch.nevis.auth.fido.application.Application"
       level: "INFO"
     Root:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/nevisfido.yml

@@ -1,51 +1,50 @@
 server:
   port: 9443
-  protocol: https
+  protocol: "https"
   tls:
-    keystore: /var/opt/keys/own/fido2-default-identity/keystore.p12
-    keystore-passphrase: ${exec:/var/opt/keys/own/fido2-default-identity/keypass}
-    keystore-type: pkcs12
-
+    keystore: "/var/opt/keys/own/fido2-default-identity/keystore.p12"
+    keystore-passphrase: "${exec:/var/opt/keys/own/fido2-default-identity/keypass}"
+    keystore-type: "pkcs12"
+    truststore: "/var/opt/keys/trust/fido2-default-tls-client-trust/truststore.p12"
+    truststore-passphrase: "${exec:/var/opt/keys/trust/fido2-default-tls-client-trust/keypass}"
+    truststore-type: "pkcs12"
 management:
   server:
     port: 9089
   healthchecks:
     enabled: true
-
 credential-repository:
-  type: nevisidm
-  client-id: cfa9c9b9-119f-4dff-9bb8-86d7c0cf2720
-  rest-url: https://idm:8989/nevisidm
-  keystore: /var/opt/keys/own/fido2-default-client-identity/keystore.p12
-  keystore-passphrase: ${exec:/var/opt/keys/own/fido2-default-client-identity/keypass}
-  truststore: /var/opt/keys/trust/fido2-default-server-trust/truststore.p12
-  truststore-passphrase: ${exec:/var/opt/keys/trust/fido2-default-server-trust/keypass}
-  user-attribute: extId
-
-session-repository:
-  type: in-memory
-  jdbc-url: 
-  max-connection-lifetime: 
-  user: 
-  password: 
-  schema-user: 
-  schema-user-password: 
-  automatic-db-schema-setup: true
-
+  type: "nevisidm"
+  client-id: "cfa9c9b9-119f-4dff-9bb8-86d7c0cf2720"
+  rest-url: "https://idm:8989/nevisidm"
+  keystore: "/var/opt/keys/own/fido2-default-client-identity/keystore.p12"
+  keystore-passphrase: "${exec:/var/opt/keys/own/fido2-default-client-identity/keypass}"
+  keystore-type: "pkcs12"
+  truststore: "/var/opt/keys/trust/fido2-default-server-trust/truststore.p12"
+  truststore-passphrase: "${exec:/var/opt/keys/trust/fido2-default-server-trust/keypass}"
+  truststore-type: "pkcs12"
+  user-attribute: "extId"
 fido2:
   enabled: true
-  rp-name: AGOV-RelPartName
-  rp-id: adnovum.net
+  rp-name: "AGOV-RelPartName"
+  rp-id: "adnovum.net"
   origins:
-    - https://me.agov-w.azure.adnovum.net
-    - https://nevisidm.agov-w.azure.adnovum.net
-    - https://auth.agov-w.azure.adnovum.net
+  - "https://ob.agov-w.azure.adnovum.net"
+  - "https://nevisidm.agov-w.azure.adnovum.net"
+  - "https://auth.agov-w.azure.adnovum.net"
   signature-algorithms:
-    - RS1
-    - RS256
-    - RS384
-    - RS512
-    - ES256
-    - ES384
-    - ES512
-  display-name-source: email
+  - "RS1"
+  - "RS256"
+  - "RS384"
+  - "RS512"
+  - "ES256"
+  - "ES384"
+  - "ES512"
+  display-name-source: "email"
+  metadata:
+    allow-listing-enabled: false
+  timeout:
+    user-verification: "300s"
+    no-user-verification: "120s"
+session-repository:
+  type: "in-memory"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/fido2/var/opt/nevisfido/default/conf/otel.properties

@@ -1,4 +1,4 @@
-otel.service.name=fido2
-otel.traces.exporter=none
-otel.metrics.exporter=none
-otel.logs.exporter=none
+otel.service.name = fido2
+otel.traces.exporter = none
+otel.metrics.exporter = none
+otel.logs.exporter = none

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm/etc/nevis/k8s-idm-db-2951ead44a7a9362a4545094.yaml

@@ -0,0 +1,28 @@
+apiVersion: "operator.nevis-security.ch/v1"
+kind: "NevisDatabase"
+metadata:
+  name: "idm"
+  namespace: "adn-agov-nevisidm-01-uat"
+  labels:
+    deploymentTarget: "idm"
+    trustImport: "idm-technical-trust-store-1058498828"
+  annotations:
+    projectKey: "DEFAULT-ADN-AGOV-PROJECT"
+    patternId: "2951ead44a7a9362a4545094"
+spec:
+  type: "NevisIDM"
+  databaseType: "MariaDB"
+  version: "8.2411.1"
+  url: "mariadb-agov-uat.mariadb.database.azure.com"
+  port: 3306
+  ssl: true
+  database: "nevisidm_uat"
+  bootstrap: true
+  migrate: true
+  rootCredentials:
+    name: "root-adn-agov-nevisidm-admin-01-uat-idm"
+    namespace: "adn-agov-nevisidm-admin-01-uat"
+  podSecurity:
+    policy: "baseline"
+    automountServiceAccountToken: false
+  timeZone: "Europe/Zurich"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm/etc/nevis/k8s-idm-idp-idm-sectoken-signer-trust-b8a36646f81c3247cdb5d90b.yaml

@@ -1,7 +1,7 @@
 apiVersion: "operator.nevis-security.ch/v1"
 kind: "NevisTrustStore"
 metadata:
-  name: "idm-internal-idp-auth-signer-trust"
+  name: "idm-idp-idm-sectoken-signer-trust"
   namespace: "adn-agov-nevisidm-01-uat"
   labels:
     deploymentTarget: "idm"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm/etc/nevis/k8s-nevisidm-b8a36646f81c3247cdb5d90b.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisIDM"
   replicas: 1
-  version: "8.2405.1"
+  version: "8.2411.2"
   gitInitVersion: "1.3.0"
   runAsNonRoot: true
   ports:
@@ -28,27 +28,35 @@ spec:
     management:
       httpGet:
         path: "/liveness"
-      initialDelaySeconds: 40
-      periodSeconds: 30
+      periodSeconds: 5
       timeoutSeconds: 6
   readinessProbe:
     management:
       httpGet:
         path: "/health"
-      initialDelaySeconds: 40
-      periodSeconds: 30
+      periodSeconds: 5
       timeoutSeconds: 6
+  startupProbe:
+    management:
+      httpGet:
+        path: "/health"
+      periodSeconds: 5
+      timeoutSeconds: 6
+      failureThreshold: 50
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-5560b9df58bc00fcf3fc92f29f5f7840af9dbf26"
+    tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm"
     credentials: "git-credentials"
+  database:
+    name: "idm"
+    requiredVersion: "8.2411.1"
   keystores:
   - "idm-default-identity"
   truststores:
+  - "idm-idp-idm-sectoken-signer-trust"
   - "idm-technical-trust-store"
-  - "idm-internal-idp-auth-signer-trust"
   podSecurity:
     policy: "baseline"
     automountServiceAccountToken: false
@@ -56,4 +64,3 @@ spec:
   secrets:
     secret:
     - "0eb37a5f44023ef0ad1013b6-89ec31e5"
-    - "a2068eb83a60702322c13949-27ed70d3"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm/var/opt/nevisidm/default/conf/env.conf

@@ -1 +1,8 @@
-JAVA_OPTS="-XX:+UseContainerSupport -XX:MaxRAMPercentage=80.0 -javaagent:/opt/agent/opentelemetry-javaagent.jar -Dotel.javaagent.logging=application -Dotel.javaagent.configuration-file=/var/opt/nevisidm/default/conf/otel.properties -Dotel.resource.attributes=service.version=8.2405.1,service.instance.id=$HOSTNAME"
+JAVA_OPTS=(
+    "-XX:+UseContainerSupport"
+    "-XX:MaxRAMPercentage=80.0"
+    "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
+    "-Dotel.javaagent.logging=application"
+    "-Dotel.javaagent.configuration-file=/var/opt/nevisidm/default/conf/otel.properties"
+    "-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
+)

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm/var/opt/nevisidm/default/conf/logging.yml

@@ -20,6 +20,8 @@ Configuration:
         onMismatch: "ACCEPT"
   Loggers:
     Logger:
+    - name: "ProductAnalytics"
+      level: "INFO"
     - name: "ch.nevis.idm.batch.jobs"
       level: "INFO"
       additivity: "false"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm/var/opt/nevisidm/default/conf/nevisidm-prod.properties

@@ -3,9 +3,9 @@ web.gui.languages.default=de
 # source: pattern://2951ead44a7a9362a4545094
 database.connection.url=jdbc:mariadb://mariadb-agov-uat.mariadb.database.azure.com:3306/nevisidm_uat?pinGlobalTxToPhysicalConnection=1&useMysqlMetadata=true&cachePrepStmts=true&prepStmtCacheSize=1000&useSSL=true&trustStore=/var/opt/keys/trust/idm-db-tls-truststore/truststore.jks
 # source: pattern://2951ead44a7a9362a4545094
-database.connection.username=adndbadmin
+database.connection.username=${exec:/var/opt/nevisidm/default/conf/credentials/dbUser}
 # source: pattern://2951ead44a7a9362a4545094
-database.connection.password=secret://a2068eb83a60702322c13949-27ed70d3
+database.connection.password=${exec:/var/opt/nevisidm/default/conf/credentials/dbPassword}
 # source: pattern://b8a36646f81c3247cdb5d90b
 application.mail.smtp.host=greenmail.adn-agov-mail-01-uat.svc
 # source: pattern://b8a36646f81c3247cdb5d90b
@@ -13,6 +13,8 @@ application.mail.smtp.port=3025
 # source: pattern://b8a36646f81c3247cdb5d90b
 application.mail.sender=noreply-agov-uat@adnovum.ch
 # source: pattern://71411a755a625f9b850c6cf5
+application.config.credentialTypesToBeLockedInDatabase=URLTICKET,SAMLFEDERATION,CONTEXTPASSWORD
+# source: pattern://71411a755a625f9b850c6cf5
 application.feature.email.validation.enabled=false
 # source: pattern://71411a755a625f9b850c6cf5, pattern://b8a36646f81c3247cdb5d90b
 application.feature.multiclientmode.enabled=true
@@ -51,7 +53,7 @@ application.modules.event.repeat.count=0
 # source: pattern://71411a755a625f9b850c6cf5
 application.modules.provisioning.enabled=false
 # source: pattern://71411a755a625f9b850c6cf5
-database.connection.pool.size.max=10
+database.connection.pool.size.max=5
 # source: pattern://71411a755a625f9b850c6cf5
 database.connection.pool.size.min=5
 # source: pattern://71411a755a625f9b850c6cf5
@@ -89,6 +91,8 @@ server.host=0.0.0.0
 # source: pattern://b8a36646f81c3247cdb5d90b
 server.tls.enabled=true
 # source: pattern://b8a36646f81c3247cdb5d90b
+server.tls.client-auth=requested
+# source: pattern://b8a36646f81c3247cdb5d90b
 server.tls.keystore=/var/opt/keys/own/idm-default-identity/keystore.p12
 # source: pattern://b8a36646f81c3247cdb5d90b
 server.tls.keystore-passphrase=${exec:/var/opt/keys/own/idm-default-identity/keypass}
@@ -97,7 +101,7 @@ server.tls.truststore=/var/opt/keys/trust/idm-technical-trust-store/truststore.p
 # source: pattern://b8a36646f81c3247cdb5d90b
 server.tls.truststore-passphrase=${exec:/var/opt/keys/trust/idm-technical-trust-store/keypass}
 # source: pattern://b8a36646f81c3247cdb5d90b
-server.auth.ninja.truststore=/var/opt/keys/trust/idm-internal-idp-auth-signer-trust/truststore.jks
+server.auth.ninja.truststore=/var/opt/keys/trust/idm-idp-idm-sectoken-signer-trust/truststore.jks
 # source: pattern://b8a36646f81c3247cdb5d90b
 management.healthchecks.enabled=true
 # source: pattern://b8a36646f81c3247cdb5d90b

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/idm/var/opt/nevisidm/default/conf/otel.properties

@@ -1,4 +1,4 @@
-otel.service.name=idm
-otel.traces.exporter=none
-otel.metrics.exporter=none
-otel.logs.exporter=none
+otel.service.name = idm
+otel.traces.exporter = none
+otel.metrics.exporter = none
+otel.logs.exporter = none

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/etc/nevis/k8s-nevislogrend-097929211988398a87bcbb0c.yaml

@@ -11,7 +11,7 @@ metadata:
 spec:
   type: "NevisLogrend"
   replicas: 1
-  version: "8.2405.0"
+  version: "8.2411.2"
   gitInitVersion: "1.3.0"
   runAsNonRoot: true
   ports:
@@ -28,19 +28,23 @@ spec:
     management:
       httpGet:
         path: "/nevislogrend/liveness"
-      initialDelaySeconds: 40
-      periodSeconds: 30
+      periodSeconds: 5
       timeoutSeconds: 6
   readinessProbe:
     server:
       tcpSocket: true
-      initialDelaySeconds: 40
-      periodSeconds: 20
+      periodSeconds: 5
       timeoutSeconds: 4
+  startupProbe:
+    server:
+      tcpSocket: true
+      periodSeconds: 5
+      timeoutSeconds: 4
+      failureThreshold: 50
   podDisruptionBudget:
     maxUnavailable: "50%"
   git:
-    tag: "r-5560b9df58bc00fcf3fc92f29f5f7840af9dbf26"
+    tag: "r-ba39848d1c443859cdedb92e5cb503a09a1feaca"
     dir: "DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend"
     credentials: "git-credentials"
   podSecurity:

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/conf/env.conf

@@ -4,11 +4,11 @@ RTENV_SECURITY_CHECK=no_shell
 LOGREND_DEPLOY_TYPE=standalone
 
 JAVA_OPTS=(
-    "-Dfile.encoding=UTF-8"
     "-XX:+UseContainerSupport"
+    "-Dfile.encoding=UTF-8"
     "-XX:MaxRAMPercentage=80.0"
     "-javaagent:/opt/agent/opentelemetry-javaagent.jar"
     "-Dotel.javaagent.logging=application"
     "-Dotel.javaagent.configuration-file=/var/opt/nevislogrend/default/conf/otel.properties"
-    "-Dotel.resource.attributes=service.version=8.2405.0,service.instance.id=$HOSTNAME"
+    "-Dotel.resource.attributes=service.version=8.2411.2,service.instance.id=$HOSTNAME"
 )

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/conf/logging.yml

@@ -11,7 +11,9 @@ Configuration:
         onMatch: "DENY"
         onMismatch: "ACCEPT"
   Loggers:
-    Logger: []
+    Logger:
+    - name: "ProductAnalytics"
+      level: "INFO"
     Root:
       level: "WARN"
       additivity: "false"

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/conf/logrend.properties

@@ -9,7 +9,7 @@ application.language.cookie.en=LANG:en:.agov-w.azure.adnovum.net
 application.language.cookie.fr=LANG:fr:.agov-w.azure.adnovum.net
 application.language.cookie.it=LANG:it:.agov-w.azure.adnovum.net
 application.loginapp.current=
-application.loginapp.default=Auth_Realm_Recovery
+application.loginapp.default=Auth_Realm_Main_IDP
 application.loginapp.override=header:channel
 application.package.name=nevislogrend
 application.render.content.type=text/html; charset=UTF-8

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/conf/otel.properties

@@ -1,4 +1,4 @@
-otel.service.name=logrend
-otel.traces.exporter=none
-otel.metrics.exporter=none
-otel.logs.exporter=none
+otel.service.name = logrend
+otel.traces.exporter = none
+otel.metrics.exporter = none
+otel.logs.exporter = none

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text.properties

@@ -35,7 +35,7 @@ fido2_auth.instruction2=An authentication window will appear
 fido2_auth.instruction3=Follow the instructions
 fido2_auth.skipInstructions=Skip instructions next time
 fido2_auth.switchLogin=SWITCH TO LOGIN WITH
-footer.link=https://agov.ch/?c=contact&l=en
+footer.link=https://agov.ch
 footer.link.label=Contact
 footer.text=Authentication service of Swiss authorities AGOV - a collaboration between cantons, their municipalities, and the federal administration. -
 general.AGOVAccessApp=AGOV access app
@@ -50,22 +50,31 @@ general.edit=Edit
 general.email=Email
 general.email.address=Email address
 general.entryCode=Code entry
+general.fieldRequired=Field required.
 general.getStarted=Get started
 general.goAGOVHelp=Go to AGOV help
 general.goAccessApp=Login with AGOV access
 general.help=Help
-general.help.link=https://agov.ch/pages/help_en.html
+general.help.link=https://agov.ch/help
 general.login=Login
 general.loginSecurityKey=Start Security key login
 general.or=OR
 general.otherOptions=OTHER OPTIONS
 general.recovery=Recovery
+general.recovery.help.link=https://help.agov.ch/?c=100recovery
+general.recoveryCode.downloadPdf=Download as PDF
+general.recoveryCode.inputLabel=Recovery code
+general.recoveryCode.repeatCodeError=The code you entered was incorrect. Please ensure you have stored it correctly, then continue to resubmit.
+general.recoveryCode.repeatCodeModal.description=A lost or incorrectly stored recovery code can make it more difficult to recover your account. To ensure you have recorded your code correctly, please repeat it below.
+general.recoveryCode.repeatCodeModal.title=Repeat recovery code
+general.recoveryCode.reveal=Reveal recovery code
 general.recoveryOngoing=Ongoing recovery
 general.register=Register
 general.registerNow=Register now!
 general.registration=Registration
 general.securityKey=Security key
 general.skip.content=Skip to main content
+general.wrongPhoneNumber=Please enter a valid phone number
 generic.auth.error.message=There was a service interruption. We are working on it.
 generic.auth.error.next.steps=Please try again later. Please consult AGOV help if the problem persists.
 generic.auth.error.subtitle=Something went wrong
@@ -78,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -135,6 +144,19 @@ prompt.newpassword=New Password
 prompt.newpassword.confirm=Confirm Password
 prompt.password=Password
 prompt.userid=User-ID
+providePhoneNumber.banner=Phone number must be able to receive SMS.<br>This phone number will not be used to contact you.
+providePhoneNumber.description=AGOV now supports recovery with your phone number. This will allow you to continue with an SMS during recovery if you have lost access to your recovery code.
+providePhoneNumber.errorBanner=Phone numbers do not match. Please try again.
+providePhoneNumber.inputLabel=Phone number (optional)
+providePhoneNumber.laterModal.description1=Without a phone number, a recovery of your account might take up to 4 days if you lose access to your recovery code.
+providePhoneNumber.laterModal.description2=Adding a phone number helps you to recover your account in a matter of minutes.
+providePhoneNumber.laterModal.description3=This phone number will not be used to contact you.
+providePhoneNumber.laterModal.title=Continue without a phone number?
+providePhoneNumber.modal.description=An incorrectly stored phone number can make it more difficult to recover your account. To ensure you have recorded your phone number correctly, please repeat it below.
+providePhoneNumber.modal.inputLabel=Phone number
+providePhoneNumber.modal.title=Repeat phone number
+providePhoneNumber.saveButtonText=Save
+providePhoneNumber.title=Add phone number
 pwreset.done.info=Your password was successfully changed. Please click on continue to log in.
 pwreset.email.sent=If your user ID exists, an email to reset your password has been sent to you.
 pwreset.info.linktext=Password forgotten
@@ -142,6 +164,7 @@ pwreset.noticket=Your password reset link is no longer valid. Please generate a
 recovery_accessapp_auth.accessAppRegistered=AGOV access app already registered
 recovery_accessapp_auth.instruction1=You have already registered a new AGOV access app !!!ACCESS_APP_NAME!!! as part of the recovery process.
 recovery_accessapp_auth.instruction2=Please use !!!ACCESS_APP_NAME!!! to identify you.
+recovery_check_code.banner.lockedError=Too many invalid input attempts. Please try again in a few minutes.
 recovery_check_code.codeIncorrect=Code entered is incorrect. Please try again.
 recovery_check_code.enterRecoveryCode=Enter recovery code
 recovery_check_code.instruction=Please enter below your personal 12-digit recovery code. You will have received the recovery code as a PDF file during registration or in AGOV me.
@@ -151,9 +174,11 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
-recovery_check_noCode.banner.error=Too many attempts or your recovery code has expired.
-recovery_check_noCode.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
-recovery_check_noCode.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
+recovery_check_noCode.banner.error=Too many attempts.
+recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
+recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.
 recovery_code.banner.error=Please reveal your new code to be able to continue.
 recovery_code.instruction=Recovery codes help you gain access to your account in case you lost all of your login factors. Please store the recovery code in a safe place.
 recovery_code.newRecoveryCode=Introducing Recovery Code
@@ -165,10 +190,8 @@ recovery_fidokey_auth.instruction2=Please use !!!SECURITY_KEY_NAME!!! to follow
 recovery_fidokey_auth.keyRegistered=Security key already registered
 recovery_intro_email.banner.error=The link you used has expired. Please enter your email address to receive a new link.
 recovery_intro_email.banner.info=Please enter your email address, so we can send you a link to start the recovery process.
-recovery_intro_email.captchaUnchecked=Please tick the captcha field
 recovery_intro_email.important=Important:
 recovery_intro_email.process=The recovery process should only be used if you have lost access to your login factors (deleted AGOV access app, lost security key, lost phone, etc.).
-recovery_intro_email.siteProtectedWithRecaptcha=This site is protected by reCAPTCHA and the <a class='link' href='https://policies.google.com/privacy' target='_blank'>Google Privacy Policy</a> and <a class='link' href='https://policies.google.com/terms' target='_blank'>Terms of Service</a> apply.
 recovery_intro_email_sent.banner.button=Didn't receive the email?
 recovery_intro_email_sent.banner.success=Thank you! You will receive an email with a recovery link and instructions shortly.
 recovery_on_going.finishRecovery=Finish recovery
@@ -183,13 +206,13 @@ recovery_questionnaire_loginfactor.no=No
 recovery_questionnaire_loginfactor.question=Have you registered more than one login factor (AGOV access app or security key) to your account?
 recovery_questionnaire_loginfactor.yes=Yes
 recovery_questionnaire_no_recovery.explanation1=Based on your answers, the AGOV recovery option does not seem necessary right now.
-recovery_questionnaire_no_recovery.explanation2=Should you need further information, please visit <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> for support articles.
-recovery_questionnaire_no_recovery.instruction1=If you have issues logging in to an application, please visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> and test if you can log in successfully.
-recovery_questionnaire_no_recovery.instruction2=If you have several login factors registered but lost access to one of them, please visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> to remove the one you have lost access to.
+recovery_questionnaire_no_recovery.explanation2=Should you need further information, please visit <a class='link' href='https://agov.ch/help' target='_blank'>https://agov.ch/help</a> for support articles.
+recovery_questionnaire_no_recovery.instruction1=If you have issues logging in to an application, please visit <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> and test if you can log in successfully.
+recovery_questionnaire_no_recovery.instruction2=If you have several login factors registered but lost access to one of them, please visit <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> to remove the one you have lost access to.
 recovery_questionnaire_reason_selection.answer1=I have trouble logging in, even though I have my app / security key
 recovery_questionnaire_reason_selection.answer10=I lost one of my login factors (AGOV access app or security key)
 recovery_questionnaire_reason_selection.answer2=I was unable to finish my registration
-recovery_questionnaire_reason_selection.answer3=I have deleted or reset my AGOV access app
+recovery_questionnaire_reason_selection.answer3=I have deleted, reinstalled, or reset my AGOV access app
 recovery_questionnaire_reason_selection.answer4=I have lost my phone / security key
 recovery_questionnaire_reason_selection.answer5=I have a new phone and forgot to transfer my AGOV access app
 recovery_questionnaire_reason_selection.answer6=I forgot my PIN for the AGOV access app

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text_de.properties

@@ -35,7 +35,7 @@ fido2_auth.instruction2=Ein Authentifizierungsfenster wird erscheinen
 fido2_auth.instruction3=Folgen Sie den Anweisungen
 fido2_auth.skipInstructions=Anweisungen nächstes Mal überspringen
 fido2_auth.switchLogin=WECHSEL ZU LOGIN MIT
-footer.link=https://agov.ch/?c=contact&l=de
+footer.link=https://agov.ch
 footer.link.label=Kontakt
 footer.text=Authentifizierungsdienst der Schweizer Behörden AGOV – eine Zusammenarbeit zwischen den Kantonen, deren Gemeinden und der Bundesverwaltung. -
 general.AGOVAccessApp=AGOV access App
@@ -48,24 +48,33 @@ general.contactSupport=Support kontaktieren
 general.continue=Weiter
 general.edit=Ändern
 general.email=E-Mail
-general.email.address=E-Mailadresse
+general.email.address=E-Mail-Adresse
 general.entryCode=Code-Eingabe
-general.getStarted=Get started
+general.fieldRequired=Erforderliches Feld.
+general.getStarted=Los geht's
 general.goAGOVHelp=Weiter zur AGOV help
 general.goAccessApp=Login mit AGOV access
 general.help=Hilfe
-general.help.link=https://agov.ch/pages/help_de.html
+general.help.link=https://agov.ch/help
 general.login=Login
 general.loginSecurityKey=Sicherheitsschlüssel-Login starten
 general.or=ODER
 general.otherOptions=WEITERE OPTIONEN
 general.recovery=Wiederherstellung
+general.recovery.help.link=https://help.agov.ch/?c=100recovery
+general.recoveryCode.downloadPdf=Als PDF herunterladen
+general.recoveryCode.inputLabel=Wiederherstellungscode
+general.recoveryCode.repeatCodeError=Der von Ihnen eingegebene Code war nicht korrekt. Bitte vergewissern Sie sich, dass Sie ihn richtig abgespeichert haben, und fahren Sie dann mit der erneuten Eingabe fort.
+general.recoveryCode.repeatCodeModal.description=Ein verlorener oder falsch gespeicherter Wiederherstellungscode kann die Wiederherstellung Ihres Kontos erschweren. Um sicherzustellen, dass Sie Ihren Code richtig gespeichert haben, wiederholen Sie ihn bitte unten.
+general.recoveryCode.repeatCodeModal.title=Wiederherstellungscode wiederholen
+general.recoveryCode.reveal=Wiederherstellungscode enthüllen
 general.recoveryOngoing=Wiederherstellung nicht abgeschlossen
 general.register=Registrieren
 general.registerNow=Jetzt registrieren!
 general.registration=Registrierung
 general.securityKey=Sicherheitsschlüssel
 general.skip.content=Direkt zum Hauptteil
+general.wrongPhoneNumber=Bitte geben Sie eine gültige Telefonnummer ein
 generic.auth.error.message=Es gab eine Service-Unterbrechung. Wir arbeiten daran.
 generic.auth.error.next.steps=Versuchen Sie es bitte später noch einmal. Bitte besuchen Sie die AGOV-Hilfe, wenn das Problem weiterhin besteht.
 generic.auth.error.subtitle=Etwas ist schiefgegangen
@@ -78,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sprache wählen
 loainfo.description.200=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben verifizieren. Der Vorgang kann bis zu 2 - 3 Tage dauern.
 loainfo.description.300=Um auf diese Applikation zuzugreifen, müssen wir Ihre Angaben durch einen von zwei Vorgängen verifizieren. Sie können die bevorzugte Methode im nächsten Schritt auswählen.
-loainfo.description.400=Für den Zugang zu dieser Anwendung müssen Sie Ihre AHV-Nummer angeben.
+loainfo.description.400=Bitte AHV-Nummer angeben, um auf die Applikation zuzugreifen.
 loainfo.helper=Ihre persönlichen Daten müssen überprüft werden!
 loainfo.later=Später
 loainfo.startNow=Möchten Sie den Prozess jetzt starten?
@@ -135,13 +144,27 @@ prompt.newpassword=Neues Passwort
 prompt.newpassword.confirm=Passwort bestätigen
 prompt.password=Passwort
 prompt.userid=Benutzer-ID
+providePhoneNumber.banner=Die Mobilnummer muss f&uuml;r den Empfang von SMS geeignet sein.<br>Diese Mobilnummer wird nicht verwendet, um Sie zu kontaktieren.
+providePhoneNumber.description=AGOV erlaubt nun die Wiederherstellung mittels Mobilnummer. So k&ouml;nnen Sie w&auml;hrend der Wiederherstellung mit einer SMS fortfahren, wenn Sie Ihren Wiederherstellungscode verloren haben.
+providePhoneNumber.errorBanner=Die Mobilnummern stimmen nicht &uuml;berein. Bitte versuchen Sie es erneut.
+providePhoneNumber.inputLabel=Mobilnummer (optional)
+providePhoneNumber.laterModal.description1=Ohne Mobilnummer kann die Wiederherstellung Ihres Kontos bis zu 4 Tage dauern, wenn Sie Ihren Wiederherstellungscode verlieren.
+providePhoneNumber.laterModal.description2=Durch Hinzuf&uuml;gen einer Mobilnummer k&ouml;nnen Sie Ihr Konto in wenigen Minuten wiederherstellen.
+providePhoneNumber.laterModal.description3=Diese Mobilnummer wird nicht verwendet, um Sie zu kontaktieren.
+providePhoneNumber.laterModal.title=Ohne Mobilnummer weiterfahren?
+providePhoneNumber.modal.description=Eine falsch gespeicherte Mobilnummer kann die Wiederherstellung Ihres Kontos erschweren. Um sicherzustellen, dass Sie Ihre Mobilnummer richtig gespeichert haben, wiederholen Sie sie bitte unten.
+providePhoneNumber.modal.inputLabel=Mobilnummer
+providePhoneNumber.modal.title=Mobilnummer wiederholen
+providePhoneNumber.saveButtonText=Speichern
+providePhoneNumber.title=Mobilnummer angeben
 pwreset.done.info=Ihr Passwort wurde erfolgreich ge&auml;ndert. Bitte klicken Sie auf Weiter, um sich einzuloggen.
 pwreset.email.sent=Wenn Ihre Benutzer-ID existiert, haben Sie eine E-Mail erhalten, um Ihr Passwort zurückzusetzen..
 pwreset.info.linktext=Passwort vergessen
 pwreset.noticket=Ihr Link ist nicht mehr g&uuml;ltig. Bitte generieren Sie ein Neuen.
 recovery_accessapp_auth.accessAppRegistered=AGOV access app schon registriert
 recovery_accessapp_auth.instruction1=Sie haben bereits eine neue AGOV access App !!!ACCESS_APP_NAME!!! im Rahmen des Wiederherstellungsprozesses registriert.
-recovery_accessapp_auth.instruction2=Verwenden Sie !!!ACCESS_APP_NAME!!! um Sie zu identifizieren.
+recovery_accessapp_auth.instruction2=Verwenden Sie !!!ACCESS_APP_NAME!!! um sich zu identifizieren.
+recovery_check_code.banner.lockedError=Zu viele Fehlversuche. Bitte versuchen Sie es in ein paar Minuten noch einmal.
 recovery_check_code.codeIncorrect=Der eingegebene Code ist nicht korrekt. Bitte versuchen Sie es erneut.
 recovery_check_code.enterRecoveryCode=Wiederherstellungscode eingeben
 recovery_check_code.instruction=Bitte geben Sie unten Ihren pers&ouml;nlichen 12-stelligen Wiederherstellungscode ein. Sie haben den Wiederherstellungscode in einer PDF-Datei bei der Registrierung oder in AGOV me erhalten.
@@ -151,9 +174,11 @@ recovery_check_code.invalid.code.tooLong=Eingegebener Code ist zu lang
 recovery_check_code.noAccess=Ich kann auf meinen Code nicht zugreifen
 recovery_check_code.noCodeAccess=Sind Sie sicher, dass Sie auf Ihren Wiederherstellungscode nicht zugreifen k&ouml;nnen?
 recovery_check_code.noCodeAccessInstructions=Wenn Sie auf Ihren Wiederherstellungscode nicht mehr zugreifen k&ouml;nnen, gehen Sie bitte zur AGOV-Hilfe, um jemanden vom AGOV-Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterst&uuml;tzen.
-recovery_check_noCode.banner.error=Zu viele Versuche oder Ihr Wiederherstellungscode ist abgelaufen.
-recovery_check_noCode.instruction1=Der von Ihnen eingegebene Wiederherstellungscode ist m&ouml;glicherweise abgelaufen oder Sie haben zu oft versucht, einen Code einzugeben.
-recovery_check_noCode.instruction2=Gehen Sie bitte zur AGOV-Hilfe, um jemanden vom Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterst&uuml;tzen.
+recovery_check_code.too_many_tries.instruction1=Der von Ihnen eingegebene Wiederherstellungscode ist m&ouml;glicherweise abgelaufen oder Sie haben zu oft versucht, einen Code einzugeben.
+recovery_check_code.too_many_tries.instruction2=Gehen Sie bitte zur AGOV-Hilfe, um jemanden vom Support zu kontaktieren. Die Person wird Sie beim Wiederherstellungsprozess unterst&uuml;tzen.
+recovery_check_noCode.banner.error=Zu viele Versuche.
+recovery_check_noCode.instruction1=M&ouml;glicherweise haben Sie zu oft versucht, den Wiederherstellungscode einzugeben.
+recovery_check_noCode.instruction2=Bitte schliessen Sie den Webbrowser und starten Sie die Kontowiederherstellung in zehn Minuten erneut auf <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.
 recovery_code.banner.error=Bitte enth&uuml;llen Sie den Code, um fortfahren zu k&ouml;nnen.
 recovery_code.instruction=Der Wiederherstellungscode hilft Ihnen, Zugriff auf Ihr AGOV-Login zu erhalten, falls Sie alle Ihre Login-Faktoren verloren haben. Bitte bewahren Sie den Wiederherstellungscode an einem sicheren Ort auf.
 recovery_code.newRecoveryCode=Einf&uuml;hrung von Wiederherstellungscode
@@ -161,14 +186,12 @@ recovery_code.validUntil=G&uuml;ltig bis:
 recovery_fidokey_auth.button=Schl&uuml;sselauthentifizierung starten
 recovery_fidokey_auth.fidoInstruction=Klicken Sie auf "Schl&uuml;sselauthentifizierung starten"
 recovery_fidokey_auth.instruction1=Sie haben bereits einen neuen Sicherheitsschl&uuml;ssel !!!SECURITY_KEY_NAME!!! im Rahmen des Wiederherstellungsprozesses registriert.
-recovery_fidokey_auth.instruction2=Bitte verwenden Sie !!!SECURITY_KEY_NAME!!! und befolgen Sie die untenstehenden Schritte, um Sie zu identifizieren.
+recovery_fidokey_auth.instruction2=Bitte verwenden Sie !!!SECURITY_KEY_NAME!!! und befolgen Sie die untenstehenden Schritte, um sich zu identifizieren.
 recovery_fidokey_auth.keyRegistered=Sicherheitsschl&uuml;ssel schon registriert
 recovery_intro_email.banner.error=Der von Ihnen verwendete Link ist abgelaufen. Bitte geben Sie Ihre E-Mail-Adresse ein, um einen neuen Link zu erhalten.
 recovery_intro_email.banner.info=Bitte geben Sie Ihre E-Mail-Adresse ein, damit wir Ihnen einen Link schicken k&ouml;nnen, mit dem Sie den Wiederherstellungsprozess starten.
-recovery_intro_email.captchaUnchecked=Bitte kreuzen Sie das Captcha-Feld an
 recovery_intro_email.important=Wichtig:
 recovery_intro_email.process=Der Wiederherstellungsprozess sollte nur verwendet werden, wenn Sie den Zugriff auf Ihre Login-Faktoren verloren haben (gel&ouml;schte AGOV access App, verlorener Sicherheitsschl&uuml;ssel, verlorenes Telefon usw.).
-recovery_intro_email.siteProtectedWithRecaptcha=Diese Seite ist durch reCAPTCHA gesch&uuml;tzt, und es gelten die <a class='link' href='https://policies.google.com/privacy' target='_blank'>Datenschutzerkl&auml;rung</a> sowie die <a class='link' href='https://policies.google.com/terms' target='_blank'>Nutzungsbedingungen</a> von Google.
 recovery_intro_email_sent.banner.button=Keine E-Mail erhalten?
 recovery_intro_email_sent.banner.success=Vielen Dank! Sie werden in K&uuml;rze eine E-Mail mit einem Wiederherstellungslink und Anweisungen erhalten.
 recovery_on_going.finishRecovery=Wiederherstellung abschliessen
@@ -183,13 +206,13 @@ recovery_questionnaire_loginfactor.no=Nein
 recovery_questionnaire_loginfactor.question=Haben Sie mehr als einen Loginfaktor (AGOV Access App oder Sicherheitsschl&uuml;ssel) f&uuml;r Ihren AGOV-Login registriert?
 recovery_questionnaire_loginfactor.yes=Ja
 recovery_questionnaire_no_recovery.explanation1=Ausgehend von Ihren Antworten scheint eine Wiederherstellung Ihres AGOV-Logins im Moment nicht notwendig zu sein.
-recovery_questionnaire_no_recovery.explanation2=Falls Sie weitere Informationen ben&ouml;tigen, besuchen Sie bitte <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> f&uuml;r Support-Artikel.
-recovery_questionnaire_no_recovery.instruction1=Wenn Sie Probleme haben, sich bei einer Anwendung anzumelden, besuchen Sie bitte <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> und testen Sie, ob Sie sich erfolgreich anmelden k&ouml;nnen.
-recovery_questionnaire_no_recovery.instruction2=Wenn Sie mehrere Loginfaktoren registriert haben, aber den Zugriff zu einem von ihnen verloren haben, besuchen Sie bitte <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a>, um den verlorenen Loginfaktor zu entfernen.
+recovery_questionnaire_no_recovery.explanation2=Falls Sie weitere Informationen ben&ouml;tigen, besuchen Sie bitte <a class='link' href='https://agov.ch/help' target='_blank'>https://agov.ch/help</a> f&uuml;r Support-Artikel.
+recovery_questionnaire_no_recovery.instruction1=Wenn Sie Probleme haben, sich bei einer Anwendung anzumelden, besuchen Sie bitte <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> und testen Sie, ob Sie sich erfolgreich anmelden k&ouml;nnen.
+recovery_questionnaire_no_recovery.instruction2=Wenn Sie mehrere Loginfaktoren registriert haben, aber den Zugriff zu einem von ihnen verloren haben, besuchen Sie bitte <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a>, um den verlorenen Loginfaktor zu entfernen.
 recovery_questionnaire_reason_selection.answer1=Ich habe Probleme mich anzumelden, obwohl ich meine App / meinen Sicherheitsschl&uuml;ssel habe
 recovery_questionnaire_reason_selection.answer10=Ich habe einen meiner Loginfaktoren verloren (AGOV access App oder Sicherheitsschl&uuml;ssel)
 recovery_questionnaire_reason_selection.answer2=Ich konnte meine Registrierung nicht abschliessen
-recovery_questionnaire_reason_selection.answer3=Ich habe meine AGOV access App gel&ouml;scht oder zur&uuml;ckgesetzt
+recovery_questionnaire_reason_selection.answer3=Ich habe meine AGOV access App gel&ouml;scht, neu installiert oder zur&uuml;ckgesetzt
 recovery_questionnaire_reason_selection.answer4=Ich habe mein Telefon / Sicherheitsschl&uuml;ssel verloren
 recovery_questionnaire_reason_selection.answer5=Ich habe ein neues Telefon und habe vergessen, meine AGOV access App zu &uuml;bertragen
 recovery_questionnaire_reason_selection.answer6=Ich habe die PIN f&uuml;r meine AGOV access App vergessen

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text_en.properties

@@ -35,7 +35,7 @@ fido2_auth.instruction2=An authentication window will appear
 fido2_auth.instruction3=Follow the instructions
 fido2_auth.skipInstructions=Skip instructions next time
 fido2_auth.switchLogin=SWITCH TO LOGIN WITH
-footer.link=https://agov.ch/?c=contact&l=en
+footer.link=https://agov.ch
 footer.link.label=Contact
 footer.text=Authentication service of Swiss authorities AGOV - a collaboration between cantons, their municipalities, and the federal administration. -
 general.AGOVAccessApp=AGOV access app
@@ -50,22 +50,31 @@ general.edit=Edit
 general.email=Email
 general.email.address=Email address
 general.entryCode=Code entry
+general.fieldRequired=Field required.
 general.getStarted=Get started
 general.goAGOVHelp=Go to AGOV help
 general.goAccessApp=Login with AGOV access
 general.help=Help
-general.help.link=https://agov.ch/pages/help_en.html
+general.help.link=https://agov.ch/help
 general.login=Login
 general.loginSecurityKey=Start Security key login
 general.or=OR
 general.otherOptions=OTHER OPTIONS
 general.recovery=Recovery
+general.recovery.help.link=https://help.agov.ch/?c=100recovery
+general.recoveryCode.downloadPdf=Download as PDF
+general.recoveryCode.inputLabel=Recovery code
+general.recoveryCode.repeatCodeError=The code you entered was incorrect. Please ensure you have stored it correctly, then continue to resubmit.
+general.recoveryCode.repeatCodeModal.description=A lost or incorrectly stored recovery code can make it more difficult to recover your account. To ensure you have recorded your code correctly, please repeat it below.
+general.recoveryCode.repeatCodeModal.title=Repeat recovery code
+general.recoveryCode.reveal=Reveal recovery code
 general.recoveryOngoing=Ongoing recovery
 general.register=Register
 general.registerNow=Register now!
 general.registration=Registration
 general.securityKey=Security key
 general.skip.content=Skip to main content
+general.wrongPhoneNumber=Please enter a valid phone number
 generic.auth.error.message=There was a service interruption. We are working on it.
 generic.auth.error.next.steps=Please try again later. Please consult AGOV help if the problem persists.
 generic.auth.error.subtitle=Something went wrong
@@ -78,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Select language
 loainfo.description.200=To access the application, we need to verify your data. The process can take up to 2 - 3 days.
 loainfo.description.300=To access the application we need to verify your data through one of two processes. You can choose your preferred process in the next step.
-loainfo.description.400=To access the application we need you to add your AHV Number (Swiss Social Security number).
+loainfo.description.400=To access the application we need you to add your SSN (AHV) number.
 loainfo.helper=Your data needs to be verified!
 loainfo.later=Later
 loainfo.startNow=Do you want to start the process now?
@@ -135,6 +144,19 @@ prompt.newpassword=New Password
 prompt.newpassword.confirm=Confirm Password
 prompt.password=Password
 prompt.userid=User-ID
+providePhoneNumber.banner=Phone number must be able to receive SMS.<br>This phone number will not be used to contact you.
+providePhoneNumber.description=AGOV now supports recovery with your phone number. This will allow you to continue with an SMS during recovery if you have lost access to your recovery code.
+providePhoneNumber.errorBanner=Phone numbers do not match. Please try again.
+providePhoneNumber.inputLabel=Phone number (optional)
+providePhoneNumber.laterModal.description1=Without a phone number, a recovery of your account might take up to 4 days if you lose access to your recovery code.
+providePhoneNumber.laterModal.description2=Adding a phone number helps you to recover your account in a matter of minutes.
+providePhoneNumber.laterModal.description3=This phone number will not be used to contact you.
+providePhoneNumber.laterModal.title=Continue without a phone number?
+providePhoneNumber.modal.description=An incorrectly stored phone number can make it more difficult to recover your account. To ensure you have recorded your phone number correctly, please repeat it below.
+providePhoneNumber.modal.inputLabel=Phone number
+providePhoneNumber.modal.title=Repeat phone number
+providePhoneNumber.saveButtonText=Save
+providePhoneNumber.title=Add phone number
 pwreset.done.info=Your password was successfully changed. Please click on continue to log in.
 pwreset.email.sent=If your user ID exists, an email to reset your password has been sent to you.
 pwreset.info.linktext=Password forgotten
@@ -142,6 +164,7 @@ pwreset.noticket=Your password reset link is no longer valid. Please generate a
 recovery_accessapp_auth.accessAppRegistered=AGOV access app already registered
 recovery_accessapp_auth.instruction1=You have already registered a new AGOV access app !!!ACCESS_APP_NAME!!! as part of the recovery process.
 recovery_accessapp_auth.instruction2=Please use !!!ACCESS_APP_NAME!!! to identify you.
+recovery_check_code.banner.lockedError=Too many invalid input attempts. Please try again in a few minutes.
 recovery_check_code.codeIncorrect=Code entered is incorrect. Please try again.
 recovery_check_code.enterRecoveryCode=Enter recovery code
 recovery_check_code.instruction=Please enter below your personal 12-digit recovery code. You will have received the recovery code as a PDF file during registration or in AGOV me.
@@ -151,9 +174,11 @@ recovery_check_code.invalid.code.tooLong=The code is too long
 recovery_check_code.noAccess=I do not have access to my code
 recovery_check_code.noCodeAccess=Are you sure you don't have access to your recovery code?
 recovery_check_code.noCodeAccessInstructions=If you have lost access to your recovery code please go to AGOV help in order to contact a AGOV support agent. They will be able to help you with the recovery process.
-recovery_check_noCode.banner.error=Too many attempts or your recovery code has expired.
-recovery_check_noCode.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
-recovery_check_noCode.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
+recovery_check_code.too_many_tries.instruction1=The recovery code you have entered might have expired or you might have tried to enter it too many times.
+recovery_check_code.too_many_tries.instruction2=Please go to AGOV help in order to contact a support agent. They will be able to help you with the recovery process.
+recovery_check_noCode.banner.error=Too many attempts.
+recovery_check_noCode.instruction1=You might have tried to enter the recovery code too many times.
+recovery_check_noCode.instruction2=Please close the web browser and start the account recovery again in ten minutes from <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.
 recovery_code.banner.error=Please reveal your new code to be able to continue.
 recovery_code.instruction=Recovery codes help you gain access to your account in case you lost all of your login factors. Please store the recovery code in a safe place.
 recovery_code.newRecoveryCode=Introducing Recovery Code
@@ -165,10 +190,8 @@ recovery_fidokey_auth.instruction2=Please use !!!SECURITY_KEY_NAME!!! to follow
 recovery_fidokey_auth.keyRegistered=Security key already registered
 recovery_intro_email.banner.error=The link you used has expired. Please enter your email address to receive a new link.
 recovery_intro_email.banner.info=Please enter your email address, so we can send you a link to start the recovery process.
-recovery_intro_email.captchaUnchecked=Please tick the captcha field
 recovery_intro_email.important=Important:
 recovery_intro_email.process=The recovery process should only be used if you have lost access to your login factors (deleted AGOV access app, lost security key, lost phone, etc.).
-recovery_intro_email.siteProtectedWithRecaptcha=This site is protected by reCAPTCHA and the <a class='link' href='https://policies.google.com/privacy' target='_blank'>Google Privacy Policy</a> and <a class='link' href='https://policies.google.com/terms' target='_blank'>Terms of Service</a> apply.
 recovery_intro_email_sent.banner.button=Didn't receive the email?
 recovery_intro_email_sent.banner.success=Thank you! You will receive an email with a recovery link and instructions shortly.
 recovery_on_going.finishRecovery=Finish recovery
@@ -183,13 +206,13 @@ recovery_questionnaire_loginfactor.no=No
 recovery_questionnaire_loginfactor.question=Have you registered more than one login factor (AGOV access app or security key) to your account?
 recovery_questionnaire_loginfactor.yes=Yes
 recovery_questionnaire_no_recovery.explanation1=Based on your answers, the AGOV recovery option does not seem necessary right now.
-recovery_questionnaire_no_recovery.explanation2=Should you need further information, please visit <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> for support articles.
-recovery_questionnaire_no_recovery.instruction1=If you have issues logging in to an application, please visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> and test if you can log in successfully.
-recovery_questionnaire_no_recovery.instruction2=If you have several login factors registered but lost access to one of them, please visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> to remove the one you have lost access to.
+recovery_questionnaire_no_recovery.explanation2=Should you need further information, please visit <a class='link' href='https://agov.ch/help' target='_blank'>https://agov.ch/help</a> for support articles.
+recovery_questionnaire_no_recovery.instruction1=If you have issues logging in to an application, please visit <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> and test if you can log in successfully.
+recovery_questionnaire_no_recovery.instruction2=If you have several login factors registered but lost access to one of them, please visit <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> to remove the one you have lost access to.
 recovery_questionnaire_reason_selection.answer1=I have trouble logging in, even though I have my app / security key
 recovery_questionnaire_reason_selection.answer10=I lost one of my login factors (AGOV access app or security key)
 recovery_questionnaire_reason_selection.answer2=I was unable to finish my registration
-recovery_questionnaire_reason_selection.answer3=I have deleted or reset my AGOV access app
+recovery_questionnaire_reason_selection.answer3=I have deleted, reinstalled, or reset my AGOV access app
 recovery_questionnaire_reason_selection.answer4=I have lost my phone / security key
 recovery_questionnaire_reason_selection.answer5=I have a new phone and forgot to transfer my AGOV access app
 recovery_questionnaire_reason_selection.answer6=I forgot my PIN for the AGOV access app

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text_fr.properties

@@ -35,7 +35,7 @@ fido2_auth.instruction2=Une fenêtre d'authentification s'affichera
 fido2_auth.instruction3=Suivez les instructions
 fido2_auth.skipInstructions=Passer les instructions la fois suivante
 fido2_auth.switchLogin=S'AUTHENTIFIER AVEC
-footer.link=https://agov.ch/?c=contact&l=fr
+footer.link=https://agov.ch
 footer.link.label=Contact
 footer.text=Service d'authentification des autorités suisses AGOV - une collaboration entre les cantons, leurs communes et l'administration fédérale. -
 general.AGOVAccessApp=Application AGOV access
@@ -50,22 +50,31 @@ general.edit=Editer
 general.email=E-mail
 general.email.address=Adresse e-mail
 general.entryCode=Entrer le code
+general.fieldRequired=Champ requis.
 general.getStarted=Démarrer
 general.goAGOVHelp=Rendez-vous sur AGOV help
 general.goAccessApp=Login avec AGOV access
 general.help=Aide
-general.help.link=https://agov.ch/pages/help_fr.html
+general.help.link=https://agov.ch/help
 general.login=Login
 general.loginSecurityKey=Démarrer la connexion avec la clé de sécurité
 general.or=OU
 general.otherOptions=AUTRES OPTIONS
 general.recovery=Récupération
+general.recovery.help.link=https://help.agov.ch/?c=100recovery
+general.recoveryCode.downloadPdf=Télécharger en format PDF
+general.recoveryCode.inputLabel=Code de récupération
+general.recoveryCode.repeatCodeError=Le code que vous avez saisi est incorrect. Veuillez vous assurer que vous l'avez enregistré correctement, puis essayer de le soumettre à nouveau.
+general.recoveryCode.repeatCodeModal.description=Un code de récupération perdu ou mal enregistré peut rendre la récupération de votre compte plus difficile. Pour vous assurer que vous avez correctement enregistré votre code, veuillez le répéter ci-dessous.
+general.recoveryCode.repeatCodeModal.title=Répéter le code de récupération
+general.recoveryCode.reveal=Révéler le code de récupération
 general.recoveryOngoing=Récupération en cours
 general.register=Créer un compte
 general.registerNow=Enregistrez-vous dès maintenant!
 general.registration=Enregistrement
 general.securityKey=Clé de sécurité
 general.skip.content=Passer au contenu principal
+general.wrongPhoneNumber=Veuillez saisir un numéro de téléphone valable
 generic.auth.error.message=Une interruption de service s’est produite. Nous nous employons à résoudre le problème.
 generic.auth.error.next.steps=Veuillez réessayer plus tard. Veuillez vous rendre sur AGOV help si le problème persiste.
 generic.auth.error.subtitle=Un problème s’est produit
@@ -78,7 +87,7 @@ language.it=Italiano
 languageDropdown.aria.label=Sélectionner la langue
 loainfo.description.200=Pour accéder à l'application, nous devons vérifier vos données. Ce processus peut prendre jusqu'à 2 ou 3 jours.
 loainfo.description.300=Pour accéder à l'application, nous devons vérifier vos données par le biais de l'une des deux procédures suivantes. Vous pouvez choisir la procédure que vous préférez à l'étape suivante.
-loainfo.description.400=Pour accéder à l'application, vous devez ajouter votre numéro AVS.
+loainfo.description.400=Veuillez saisir votre numéro AVS pour accéder à l'application.
 loainfo.helper=Vos données doivent être vérifiées!
 loainfo.later=Plus tard
 loainfo.startNow=Voulez-vous commencer le processus maintenant?
@@ -135,6 +144,19 @@ prompt.newpassword=Nouveau mot de passe
 prompt.newpassword.confirm=Confirmez le mot de passe
 prompt.password=Mot de passe
 prompt.userid=ID de l'utilisateur
+providePhoneNumber.banner=Ce num&eacute;ro de t&eacute;l&eacute;phone doit pouvoir recevoir des SMS.<br>Ce num&eacute;ro de t&eacute;l&eacute;phone ne sera pas utilis&eacute; pour vous contacter.
+providePhoneNumber.description=AGOV prend d&eacute;sormais en charge la r&eacute;cup&eacute;ration avec votre num&eacute;ro de t&eacute;l&eacute;phone. Cela vous permettra de vous envoyer un SMS pendant la r&eacute;cup&eacute;ration si vous avez perdu l'acc&egrave;s &agrave; votre code de r&eacute;cup&eacute;ration.
+providePhoneNumber.errorBanner=Les num&eacute;ros de t&eacute;l&eacute;phone fournies ne correspondent pas. Veuillez r&eacute;essayer.
+providePhoneNumber.inputLabel=Num&eacute;ro de t&eacute;l&eacute;phone (facultatif)
+providePhoneNumber.laterModal.description1=Sans num&eacute;ro de t&eacute;l&eacute;phone, la r&eacute;cup&eacute;ration de votre compte peut prendre jusqu'&agrave; 4 jours si vous perdez l'acc&egrave;s &agrave; votre code de r&eacute;cup&eacute;ration.
+providePhoneNumber.laterModal.description2=Ajouter un num&eacute;ro de t&eacute;l&eacute;phone vous permet de r&eacute;cup&eacute;rer votre compte en quelques minutes.
+providePhoneNumber.laterModal.description3=Ce num&eacute;ro de t&eacute;l&eacute;phone ne sera pas utilis&eacute; pour vous contacter.
+providePhoneNumber.laterModal.title=Continuer sans num&eacute;ro de t&eacute;l&eacute;phone ?
+providePhoneNumber.modal.description=Un num&eacute;ro de t&eacute;l&eacute;phone mal enregistr&eacute; peut rendre plus difficile la r&eacute;cup&eacute;ration de votre compte. Pour vous assurer que vous avez correctement enregistr&eacute; votre num&eacute;ro de t&eacute;l&eacute;phone, veuillez le r&eacute;p&eacute;ter ci-dessous.
+providePhoneNumber.modal.inputLabel=Num&eacute;ro de t&eacute;l&eacute;phone
+providePhoneNumber.modal.title=R&eacute;p&eacute;ter votre num&eacute;ro de t&eacute;l&eacute;phone
+providePhoneNumber.saveButtonText=Sauvegarder
+providePhoneNumber.title=Ajouter le num&eacute;ro de t&eacute;l&eacute;phone
 pwreset.done.info=Votre mot de passe a &eacute;t&eacute; chang&eacute avec succ&egrave;s. Veuillez cliquer sur continuer pour vous connecter.
 pwreset.email.sent=Si votre identifiant n'existe pas, vous avez reçu un courriel pour réinitialiser votre mot de passe.
 pwreset.info.linktext=Mot de passe oublié
@@ -142,6 +164,7 @@ pwreset.noticket=Votre lien n&apos;est plus valide. Veuillez en g&eacute;n&eacut
 recovery_accessapp_auth.accessAppRegistered=L'application AGOV access est d&eacute;j&agrave; enregistr&eacute;e
 recovery_accessapp_auth.instruction1=Vous avez d&eacute;j&agrave; enregistr&eacute; une nouvelle AGOV access app !!!ACCESS_APP_NAME!!! dans le cadre du processus de r&eacute;cup&eacute;ration.
 recovery_accessapp_auth.instruction2=Veuillez utiliser !!!ACCESS_APP_NAME!!! pour vous identifier.
+recovery_check_code.banner.lockedError=Trop de saisies erron&eacute;es. Veuillez r&eacute;essayer dans quelques minutes.
 recovery_check_code.codeIncorrect=Le code saisi est incorrect. Veuillez r&eacute;essayer.
 recovery_check_code.enterRecoveryCode=Saisir le code de r&eacute;cup&eacute;ration
 recovery_check_code.instruction=Veuillez saisir votre code de r&eacute;cup&eacute;ration &agrave; douze chiffres. Lors de votre inscription, vous avez re&ccedil;u le code de r&eacute;cup&eacute;ration sous la forme d&rsquo;un fichier PDF ou dans AGOV me.
@@ -151,9 +174,11 @@ recovery_check_code.invalid.code.tooLong=Le code est trop long
 recovery_check_code.noAccess=Je n&rsquo;ai pas acc&egrave;s &agrave; mon code de r&eacute;cup&eacute;ration
 recovery_check_code.noCodeAccess=&Ecirc;tes-vous s&ucirc;r de ne pas avoir acc&egrave;s &agrave; votre code de r&eacute;cup&eacute;ration ?
 recovery_check_code.noCodeAccessInstructions=En cas de perte de votre code de r&eacute;cup&eacute;ration, veuillez vous rendre sur AGOV help et contacter le service d&rsquo;assistance AGOV. Un agent pourra vous aider dans le processus de r&eacute;cup&eacute;ration.
-recovery_check_noCode.banner.error=Trop de tentatives ou expiration de votre code de r&eacute;cup&eacute;ration.
-recovery_check_noCode.instruction1=Le code de r&eacute;cup&eacute;ration que vous avez saisi a peut-&ecirc;tre expir&eacute; ou vous avez peut-&ecirc;tre essay&eacute; de le saisir trop de fois.
-recovery_check_noCode.instruction2=Veuillez vous rendre sur AGOV help et contacter le service d&rsquo;assistance. Un agent pourra vous aider dans le processus de r&eacute;cup&eacute;ration.
+recovery_check_code.too_many_tries.instruction1=Le code de r&eacute;cup&eacute;ration que vous avez saisi a peut-&ecirc;tre expir&eacute; ou vous avez peut-&ecirc;tre essay&eacute; de le saisir trop de fois.
+recovery_check_code.too_many_tries.instruction2=Veuillez vous rendre sur AGOV help et contacter le service d&rsquo;assistance. Un agent pourra vous aider dans le processus de r&eacute;cup&eacute;ration.
+recovery_check_noCode.banner.error=Trop de tentatives.
+recovery_check_noCode.instruction1=Vous avez peut-&ecirc;tre essay&eacute; de saisir le code de r&eacute;cup&eacute;ration trop de fois.
+recovery_check_noCode.instruction2=Veuillez fermer le navigateur web et recommencer la r&eacute;cup&eacute;ration du compte dans dix minutes &agrave; partir de <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.
 recovery_code.banner.error=Veuillez indiquer votre nouveau code pour pouvoir continuer.
 recovery_code.instruction=Les codes de r&eacute;cup&eacute;ration vous permettent d'acc&eacute;der &agrave; votre compte au cas o&ugrave; vous auriez perdu tous vos identifiants. Conservez le code de r&eacute;cup&eacute;ration en lieu s&ucirc;r.
 recovery_code.newRecoveryCode=Introduction du code de r&eacute;cup&eacute;ration
@@ -165,10 +190,8 @@ recovery_fidokey_auth.instruction2=Veuillez utiliser !!!SECURITY_KEY_NAME!!! pou
 recovery_fidokey_auth.keyRegistered=Cl&eacute; de s&eacute;curit&eacute; d&eacute;j&agrave; enregistr&eacute;e
 recovery_intro_email.banner.error=Le lien que vous avez utilis&eacute; a expir&eacute;. Veuillez saisir votre adresse e-mail pour recevoir un nouveau lien.
 recovery_intro_email.banner.info=Veuillez saisir votre adresse e-mail. Nous vous enverrons un e-mail vous permettant de d&eacute;marrer le processus de r&eacute;cup&eacute;ration.
-recovery_intro_email.captchaUnchecked=Veuillez cocher la case captcha
 recovery_intro_email.important=Important:
 recovery_intro_email.process=Le processus de r&eacute;cup&eacute;ration ne doit &ecirc;tre utilis&eacute; que si vous avez perdu l'acc&egrave;s &agrave; vos facteurs de connexion (application AGOV access supprim&eacute;e, cl&eacute; de s&eacute;curit&eacute; perdue, t&eacute;l&eacute;phone perdu, etc.).
-recovery_intro_email.siteProtectedWithRecaptcha=Ce site est prot&eacute;g&eacute; par reCAPTCHA: les <a class=&rsquo;link&rsquo; href=&rsquo;https://policies.google.com/privacy&rsquo; target=&rsquo;_blank&rsquo;>r&egrave;gles de confidentialit&eacute;</a> et <a class=&rsquo;link&rsquo; href=&rsquo;https://policies.google.com/terms&rsquo; target=&rsquo;_blank&rsquo;>conditions d&rsquo;utilisation</a> de Google s&rsquo;appliquent.
 recovery_intro_email_sent.banner.button=Vous n&rsquo;avez pas re&ccedil;u l'email?
 recovery_intro_email_sent.banner.success=Merci! Vous recevrez dans un instant un e-mail contenant un lien de r&eacute;cup&eacute;ration et des instructions.
 recovery_on_going.finishRecovery=Terminer la r&eacute;cup&eacute;ration
@@ -183,13 +206,13 @@ recovery_questionnaire_loginfactor.no=Non
 recovery_questionnaire_loginfactor.question=Avez-vous enregistr&eacute; plus d'un facteur d'authentification (application AGOV access ou cl&eacute; de s&eacute;curit&eacute;) sur votre compte ?
 recovery_questionnaire_loginfactor.yes=Oui
 recovery_questionnaire_no_recovery.explanation1=D'apr&egrave;s vos r&eacute;ponses, l'option de r&eacute;cup&eacute;ration d'AGOV ne semble pas n&eacute;cessaire pour l'instant.
-recovery_questionnaire_no_recovery.explanation2=Si vous avez besoin de plus amples informations, veuillez consulter <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> pour obtenir des articles de soutien.
-recovery_questionnaire_no_recovery.instruction1=Si vous rencontrez des difficult&eacute;s pour vous connecter &agrave; une application, visitez <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> et v&eacute;rifiez si vous pouvez vous connecter avec succ&egrave;s.
-recovery_questionnaire_no_recovery.instruction2=Si vous avez enregistr&eacute; plusieurs facteurs de connexion mais que vous avez perdu l'acc&egrave;s &agrave; l'un d'entre eux, veuillez consulter <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> pour supprimer celui auquel vous avez perdu l'acc&egrave;s.
+recovery_questionnaire_no_recovery.explanation2=Si vous avez besoin de plus amples informations, veuillez consulter <a class='link' href='https://agov.ch/help' target='_blank'>https://agov.ch/help</a> pour obtenir des articles de soutien.
+recovery_questionnaire_no_recovery.instruction1=Si vous rencontrez des difficult&eacute;s pour vous connecter &agrave; une application, visitez <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> et v&eacute;rifiez si vous pouvez vous connecter avec succ&egrave;s.
+recovery_questionnaire_no_recovery.instruction2=Si vous avez enregistr&eacute; plusieurs facteurs de connexion mais que vous avez perdu l'acc&egrave;s &agrave; l'un d'entre eux, veuillez consulter <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> pour supprimer celui auquel vous avez perdu l'acc&egrave;s.
 recovery_questionnaire_reason_selection.answer1=Je n'arrive pas &agrave; me connecter, m&ecirc;me si j'ai mon application / ma cl&eacute; de s&eacute;curit&eacute;
 recovery_questionnaire_reason_selection.answer10=J'ai perdu l'un de mes facteurs d'authentification (application AGOV access ou cl&eacute; de s&eacute;curit&eacute;)
 recovery_questionnaire_reason_selection.answer2=Je n'ai pas pu terminer mon inscription
-recovery_questionnaire_reason_selection.answer3=J'ai supprim&eacute; ou r&eacute;initialis&eacute; mon application AGOV access
+recovery_questionnaire_reason_selection.answer3=J'ai supprim&eacute;, r&eacute;install&eacute; ou r&eacute;initialis&eacute; mon application d'acc&egrave;s AGOV
 recovery_questionnaire_reason_selection.answer4=J'ai perdu mon t&eacute;l&eacute;phone / cl&eacute; de s&eacute;curit&eacute;
 recovery_questionnaire_reason_selection.answer5=J'ai un nouveau t&eacute;l&eacute;phone et j'ai oubli&eacute; de transf&eacute;rer mon application AGOV access
 recovery_questionnaire_reason_selection.answer6=J'ai oubli&eacute; mon PIN pour l'application AGOV access

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/resources/conf/text_it.properties

@@ -1,41 +1,41 @@
 
 button.submit=Continua
-darkModeSwitch.aria.label=Attivare la modalità scura 
+darkModeSwitch.aria.label=Attivare la modalità scura
 error.policy.failed=La nuova password non è stata accettata. Scegliere una password che sia conforme ai criteri di password.
 error_1=Verificare i dati inseriti.
 error_10=Scegliere l’account utente corretto.
-error_100=Impossibile caricare il certificato. Il certificato esiste già. Contattare l’help desk. 
-error_101=L’e-mail inserita non è valida. 
+error_100=Impossibile caricare il certificato. Il certificato esiste già. Contattare l’help desk.
+error_101=L’e-mail inserita non è valida.
 error_11=Utilizzare un altro certificato o accedere con altre credenziali.
 error_2=Selezionare un altro nome di accesso.
-error_3=Se la prossima autenticazione fallisce, l’account sarà bloccato. 
-error_4=La nuova password non rispetta le norme di sicurezza. Scegliere un’altra password. 
+error_3=Se la prossima autenticazione fallisce, l’account sarà bloccato.
+error_4=La nuova password non rispetta le norme di sicurezza. Scegliere un’altra password.
 error_5=Errore nella conferma della password.
-error_50=La nuova password è troppo corta. 
+error_50=La nuova password è troppo corta.
 error_55=La nuova password deve differire da quelle precedenti.
-error_6=È richiesta la modifica della password. 
-error_7=È richiesta la modifica dell’ID di accesso. 
-error_8=A causa dei ripetuti tentativi di autenticazione falliti, l’account è stato bloccato. 
-error_81=Non è stata trovata alcuna carta di accesso; l’accesso da Internet è negato. 
-error_83=La carta di accesso non è più valida. Per richiedere una nuova carta di accesso, contattare il responsabile. 
+error_6=È richiesta la modifica della password.
+error_7=È richiesta la modifica dell’ID di accesso.
+error_8=A causa dei ripetuti tentativi di autenticazione falliti, l’account è stato bloccato.
+error_81=Non è stata trovata alcuna carta di accesso; l’accesso da Internet è negato.
+error_83=La carta di accesso non è più valida. Per richiedere una nuova carta di accesso, contattare il responsabile.
 error_9=Takeover di sessione fallito.
 error_97=Accesso non autorizzato a questa risorsa.
-error_98=L’account è stato bloccato. 
-error_99=Ci sono problemi di sistema. Riprovare più tardi. 
-error_9901=Per accedere a questa pagina, è necessario un link di registrazione valido. 
-error_9902=L’e-mail utilizzata per l’autenticazione non corrisponde a quella di AGOV operations. Richiedere un nuovo link di registrazione. 
-error_9903=L’IdP utilizzato non ha inviato un’asserzione valida. Assicurarsi di utilizzare l’IdP corretto. Richiedere al supporto un nuovo link di registrazione. 
-error_9904=Il link non è più valido. Assicurarsi di utilizzare il link più recente ricevuto in AGOV operations. Se il problema persiste, richiedere un nuovo link. 
-error_9905=Si è verificato un problema con l’account AGOV operations. Contattare il supporto. 
-error_9909=Si è verificato un errore interno. Richiedere al supporto un nuovo link di registrazione. 
+error_98=L’account è stato bloccato.
+error_99=Ci sono problemi di sistema. Riprovare più tardi.
+error_9901=Per accedere a questa pagina, è necessario un link di registrazione valido.
+error_9902=L’e-mail utilizzata per l’autenticazione non corrisponde a quella di AGOV operations. Richiedere un nuovo link di registrazione.
+error_9903=L’IdP utilizzato non ha inviato un’asserzione valida. Assicurarsi di utilizzare l’IdP corretto. Richiedere al supporto un nuovo link di registrazione.
+error_9904=Il link non è più valido. Assicurarsi di utilizzare il link più recente ricevuto in AGOV operations. Se il problema persiste, richiedere un nuovo link.
+error_9905=Si è verificato un problema con l’account AGOV operations. Contattare il supporto.
+error_9909=Si è verificato un errore interno. Richiedere al supporto un nuovo link di registrazione.
 errors.duplicateValue=Il suo account è già collegato ad un altro accesso operativo.
-fido2_auth.cancel.fido=L'autenticazione con la chiave di sicurezza è stata interrotta. Assicurarsi che la chiave FIDO sia registrata e che l'indirizzo e-mail sia corretto, poi seguire le istruzioni. 
+fido2_auth.cancel.fido=L'autenticazione con la chiave di sicurezza è stata interrotta. Assicurarsi che la chiave FIDO sia registrata e che l'indirizzo e-mail sia corretto, poi seguire le istruzioni.
 fido2_auth.instruction1=Cliccare su "Continua"
-fido2_auth.instruction2=A breve si aprirà una finestra per l'autenticazione. 
+fido2_auth.instruction2=A breve si aprirà una finestra per l'autenticazione.
 fido2_auth.instruction3=Seguire le istruzioni.
 fido2_auth.skipInstructions=Non mostrare più le istruzioni
 fido2_auth.switchLogin=ACCEDERE CON
-footer.link=https://agov.ch/?c=contact&l=it
+footer.link=https://agov.ch
 footer.link.label=Contatto
 footer.text=Servizio di autenticazione delle autorità Svizzere AGOV - una collaborazione tra Cantoni, Comuni e l'Amministrazione federale. -
 general.AGOVAccessApp=App AGOV access
@@ -50,23 +50,32 @@ general.edit=Modificare
 general.email=e-mail
 general.email.address=Indirizzo e-mail
 general.entryCode=Codice
+general.fieldRequired=Campo obbligatorio.
 general.getStarted=Iniziare
 general.goAGOVHelp=Vai ad AGOV help
 general.goAccessApp=Login con AGOV access
 general.help=Aiuto
-general.help.link=https://agov.ch/pages/help_it.html
+general.help.link=https://agov.ch/help
 general.login=Accedere
 general.loginSecurityKey=Iniziare il login con la chiave di sicurezza
 general.or=O
 general.otherOptions=ALTRE OPZIONI
 general.recovery=Ripristino
+general.recovery.help.link=https://help.agov.ch/?c=100recovery
+general.recoveryCode.downloadPdf=Salva come PDF
+general.recoveryCode.inputLabel=Codice di ripristino
+general.recoveryCode.repeatCodeError=Il codice inserito non è corretto. Assicurati di averlo memorizzato correttamente, quindi riprova a inviarlo.
+general.recoveryCode.repeatCodeModal.description=Un codice di ripristino perso o memorizzato in modo errato può rendere più difficile il recupero del tuo account. Per assicurarti di aver registrato correttamente il codice, inseriscilo di nuovo qui sotto.
+general.recoveryCode.repeatCodeModal.title=Ripeti il codice di ripristino
+general.recoveryCode.reveal=Mostra il codice di ripristino
 general.recoveryOngoing=Ripristino in corso
 general.register=Registrarsi
 general.registerNow=Si registri ora!
 general.registration=Registrazione
 general.securityKey=Chiave di sicurezza
 general.skip.content=Vai al contenuto principale
-generic.auth.error.message=Si è verificata un’interruzione. Stiamo lavorando per ripristinare l’esercizio. 
+general.wrongPhoneNumber=Inserire un numero di cellulare valido
+generic.auth.error.message=Si è verificata un’interruzione. Stiamo lavorando per ripristinare l’esercizio.
 generic.auth.error.next.steps=Riprovare più tardi. Se il problema persiste, consultare AGOV help.
 generic.auth.error.subtitle=Qualcosa non ha funzionato.
 generic.auth.error.title=Errore
@@ -76,17 +85,17 @@ language.en=English
 language.fr=Français
 language.it=Italiano
 languageDropdown.aria.label=Selezionare la lingua
-loainfo.description.200=Per accedere all'app è necessaria una verifica dei dati. La procedura può richiedere fino a 2–3 giorni lavorativi. 
+loainfo.description.200=Per accedere all'app è necessaria una verifica dei dati. La procedura può richiedere fino a 2–3 giorni lavorativi.
 loainfo.description.300=Per accedere all'app dobbiamo verificare i suoi dati tramite uno dei due processi. Al prossimo passaggio, può selezionare la procedura di verifica desiderata.
-loainfo.description.400=Per acceddere all'applicazione deve inserire il numero AVS.
+loainfo.description.400=Per accedere all'applicazione è necessario inserire il numero AVS.
 loainfo.helper=I dati devono essere verificati!
-loainfo.later=Più tardi 
+loainfo.later=Più tardi
 loainfo.startNow=Iniziare la procedura?
 loainfo.startVerification=Iniziare la verifica
 loainfo.title=Verificare i dati.
 mauth_usernameless.EID=Continuare con CH e-ID
-mauth_usernameless.banner.error=Autenticazione interrotta.<br>Riprovare dopo che la pagina si sar&agrave; ricaricata. 
-mauth_usernameless.banner.info=La scansione &egrave; stata eseguita.<br>Continuare nell'app AGOV access. 
+mauth_usernameless.banner.error=Autenticazione interrotta.<br>Riprovare dopo che la pagina si sar&agrave; ricaricata.
+mauth_usernameless.banner.info=La scansione &egrave; stata eseguita.<br>Continuare nell'app AGOV access.
 mauth_usernameless.banner.success=Autenticazione riuscita!<br>Aspettare di essere connessi.
 mauth_usernameless.cannotLogin=Ha perso l'accesso alla sua app/chiave di sicurezza?
 mauth_usernameless.hideQR=Nascondi il codice QR
@@ -102,9 +111,9 @@ op-admin.login.loginid=ID di accesso
 op-admin.login.password=Password
 op-admin.login.title=Accedere
 op-admin.logout=AGOV op admin
-op-admin.logout.message=La sessione &egrave; terminata. 
+op-admin.logout.message=La sessione &egrave; terminata.
 op-admin.logout.title=Disconnessione
-op-admin.pwchange.intro.message=&Egrave; richiesta la modifica della password. 
+op-admin.pwchange.intro.message=&Egrave; richiesta la modifica della password.
 op-admin.pwchange.newpassword=Nuova password
 op-admin.pwchange.newpassword2=Ripetere la nuova password
 op-admin.pwchange.password=Password attuale
@@ -126,7 +135,7 @@ op-onboarding.done.title=FINITO
 op-onboarding.failed.title=ERRORE
 op-onboarding.intro.message1=Per completare la registrazione per l'accesso AGOV operations, &egrave; necessario avere un account AGOV o FED-LOGIN.
 op-onboarding.intro.message2=Dopo aver cliccato su "Continua", si &egrave; reindirizzati al servizio di autenticazione.
-op-onboarding.intro.message3=Se utilizza AGOV e l&rsquo;account non soddisfa ancora il livello richiesto AGOVaq, potr&agrave; avviare la verifica dell&rsquo;identit&agrave; richiesta. 
+op-onboarding.intro.message3=Se utilizza AGOV e l&rsquo;account non soddisfa ancora il livello richiesto AGOVaq, potr&agrave; avviare la verifica dell&rsquo;identit&agrave; richiesta.
 op-onboarding.intro.title=INIZIARE
 op-onboarding.onboarding=Registrazione AGOV op
 op-onboarding.process.message=Qualcosa non ha funzionato. Contattare il supporto AGOV e, se necessario, richiedere un nuovo link di registrazione.
@@ -135,44 +144,58 @@ prompt.newpassword=Nuova Password
 prompt.newpassword.confirm=Conferma password
 prompt.password=Password
 prompt.userid=Nome utente
-pwreset.done.info=Your password was successfully changed. Please click on continue to log in.
+providePhoneNumber.banner=Il numero di telefono deve essere in grado di ricevere SMS.<br>Questo numero di telefono non sar&agrave; utilizzato per contattarti.
+providePhoneNumber.description=AGOV ora supporta il ripristino tramite il tuo numero di telefono. Questo ti permetter&agrave; di continuare con un SMS durante il ripristino se hai perso l'accesso al tuo codice di ripristino.
+providePhoneNumber.errorBanner=Il numero di telefono non corrispondono. Si prega di riprovare.
+providePhoneNumber.inputLabel=Numero di telefono (facoltativo)
+providePhoneNumber.laterModal.description1=Senza un numero di telefono, il recupero del tuo account potrebbe richiedere fino a 4 giorni se perdi l'accesso al codice di ripristino.
+providePhoneNumber.laterModal.description2=Aggiungere un numero di telefono ti aiuta a recuperare il tuo account in pochi minuti.
+providePhoneNumber.laterModal.description3=Questo numero di telefono non sar&agrave; utilizzato per contattarti.
+providePhoneNumber.laterModal.title=Continuare senza un numero di telefono?
+providePhoneNumber.modal.description=Un numero di telefono memorizzato in modo errato pu&ograve; rendere pi&ugrave; difficile il recupero del tuo account. Per assicurarti di aver registrato correttamente il tuo numero di telefono, inseriscilo di nuovo qui sotto.
+providePhoneNumber.modal.inputLabel=Numero di telefono
+providePhoneNumber.modal.title=Ripetere il numero di telefono
+providePhoneNumber.saveButtonText=Salva
+providePhoneNumber.title=Aggiungi numero di telefono
+pwreset.done.info=La password &egrave; stata modificata con successo. Fare clic su continua per accedere.
 pwreset.email.sent=Se il vostro ID utente esiste, vi è stata inviata un'e-mail per reimpostare la password.
-pwreset.info.linktext=Password forgotten
-pwreset.noticket=Your password reset ticket is no longer valid. Please generate a new one.
-recovery_accessapp_auth.accessAppRegistered=App di accesso AGOV gi&agrave; registrata 
-recovery_accessapp_auth.instruction1=Ha gi&agrave; registrato una nuova app di accesso AGOV !!!SECURITY_KEY_NAME!!! come parte del processo di recupero. 
+pwreset.info.linktext=Password dimenticata
+pwreset.noticket=Il biglietto per la reimpostazione della password non &egrave; pi&ugrave; valido. Si prega di generarne uno nuovo.
+recovery_accessapp_auth.accessAppRegistered=App di accesso AGOV gi&agrave; registrata
+recovery_accessapp_auth.instruction1=Ha gi&agrave; registrato una nuova app AGOV access !!!SECURITY_KEY_NAME!!! come parte del processo di recupero.
 recovery_accessapp_auth.instruction2=Si prega di usare !!!ACCESS_APP_NAME!!! per l'identificazione.
-recovery_check_code.codeIncorrect=Il codice inserito non &egrave; corretto. Riprovare. 
+recovery_check_code.banner.lockedError=Troppi tentativi di inserimento non validi. Riprovare tra qualche minuto.
+recovery_check_code.codeIncorrect=Il codice inserito non &egrave; corretto. Riprovare.
 recovery_check_code.enterRecoveryCode=Inserisca il codice di recupero
 recovery_check_code.instruction=Inserire qui sotto il codice di ripristino a 12 caratteri alfanumerici. Ha ricevuto questo codice in un file PDF al momento della registration o in AGOV me.
-recovery_check_code.invalid.code=Il codice non &egrave; valido 
+recovery_check_code.invalid.code=Il codice non &egrave; valido
 recovery_check_code.invalid.code.required=Codice richiesto
-recovery_check_code.invalid.code.tooLong=Il codice &egrave; troppo lungo 
+recovery_check_code.invalid.code.tooLong=Il codice &egrave; troppo lungo
 recovery_check_code.noAccess=Non ho il mio codice.
 recovery_check_code.noCodeAccess=Conferma di non avere il codice di ripristino?
 recovery_check_code.noCodeAccessInstructions=Se non ha pi&ugrave; il codice di ripristino, acceda ad AGOV help per contattare il supporto AGOV, che la assister&agrave; nel processo di ripristino.
-recovery_check_noCode.banner.error=Troppi tentativi o codice di ripristino scaduto
-recovery_check_noCode.instruction1=Il codice di ripristino inserito pu&ograve; essere scaduto o &egrave; stato inserito troppe volte. 
-recovery_check_noCode.instruction2=Si prega di andare alla guida di AGOV aiuto per contattare un agente dell'assistenza. Saranno in grado di aiutarla con il processo di recupero.
+recovery_check_code.too_many_tries.instruction1=Il codice di ripristino inserito pu&ograve; essere scaduto o &egrave; stato inserito troppe volte.
+recovery_check_code.too_many_tries.instruction2=Si prega di andare alla guida di AGOV aiuto per contattare un agente dell'assistenza. Saranno in grado di aiutarla con il processo di recupero.
+recovery_check_noCode.banner.error=Troppi tentativi.
+recovery_check_noCode.instruction1=Potresti aver tentato di inserire il codice di ripristino troppe volte.
+recovery_check_noCode.instruction2=Chiudi il browser web e inizia nuovamente il processo di ripristino dell'account tra dieci minuti da <a class='link' href='https://agov.ch/me'>https://agov.ch/me</a>.
 recovery_code.banner.error=Per procedere, inserire il nuovo codice.
 recovery_code.instruction=Il codice di ripristino le aiuta ad accedere al suo conto in caso in cui lei abbia perso le credentiali di accesso. Per favore, conservi il codice di ripristino in un luogo sicuro.
 recovery_code.newRecoveryCode=Introduzione del codice di ripristino
 recovery_code.validUntil=Valido fino a:
 recovery_fidokey_auth.button=Iniziare l'authenticazione della chiave
 recovery_fidokey_auth.fidoInstruction=Cliccare su "Iniziare l'authenticazione della chiave"
-recovery_fidokey_auth.instruction1=Ha gi&agrave; registrato una nuova chiave di sicurezza !!!SECURITY_KEY_NAME!!! come parte del processo di recupero. 
+recovery_fidokey_auth.instruction1=Ha gi&agrave; registrato una nuova chiave di sicurezza !!!SECURITY_KEY_NAME!!! come parte del processo di recupero.
 recovery_fidokey_auth.instruction2=Si prega di usare !!!SECURITY_KEY_NAME!!! per poter seguire i passaggi seguenti per identificarti.
-recovery_fidokey_auth.keyRegistered=Chiave di sicurezza gi&agrave; registrata 
-recovery_intro_email.banner.error=Il link utilizzato &egrave; scaduto. Per ricevere un nuovo link, inserire l&rsquo;indirizzo e-mail. 
-recovery_intro_email.banner.info=Per ricevere il link e avviare il processo di ripristino, inserire l&rsquo;indirizzo e-mail. 
-recovery_intro_email.captchaUnchecked=Per favore selezioni il campo captcha
+recovery_fidokey_auth.keyRegistered=Chiave di sicurezza gi&agrave; registrata
+recovery_intro_email.banner.error=Il link utilizzato &egrave; scaduto. Per ricevere un nuovo link, inserire l&rsquo;indirizzo e-mail.
+recovery_intro_email.banner.info=Per ricevere il link e avviare il processo di ripristino, inserire l&rsquo;indirizzo e-mail.
 recovery_intro_email.important=Importante:
-recovery_intro_email.process=Il processo di ripristino deve essere utilizzato solo se ha perso l'accesso ai suoi fattori di accesso (app di accesso AGOV eliminata, chiave di sicurezza persa, telefono smarrito, ecc.).
-recovery_intro_email.siteProtectedWithRecaptcha=Questo sito &egrave; protetto da reCAPTCHA. Si applicano le <a class='link' href='https://policies.google.com/privacy' target='_blank'>norme sulla privacy</a> e i <a class='link' href='https://policies.google.com/terms' target='_blank'>termini di servizio di Google</a>. 
+recovery_intro_email.process=Il processo di ripristino deve essere utilizzato solo se ha perso l'accesso ai suoi fattori di accesso (app AGOV access eliminata, chiave di sicurezza persa, telefono smarrito, ecc.).
 recovery_intro_email_sent.banner.button=Non avete ricevuto l'e-mail?
-recovery_intro_email_sent.banner.success=Grazie! &Egrave; stata inviata un&rsquo;e-mail contenente il codice di ripristino e le istruzioni. 
+recovery_intro_email_sent.banner.success=Grazie! &Egrave; stata inviata un&rsquo;e-mail contenente il codice di ripristino e le istruzioni.
 recovery_on_going.finishRecovery=Completare il ripristino
-recovery_on_going.instruction=&Egrave; in corso un processo di ripristino. Il processo di ripristino pu&ograve; includere una verifica dell&rsquo;identit&agrave;. Per accedere alle applicazioni con il proprio AGOV-Login, &egrave; necessario completare la verifica dell&rsquo;identit&agrave;. 
+recovery_on_going.instruction=&Egrave; in corso un processo di ripristino. Il processo di ripristino pu&ograve; includere una verifica dell&rsquo;identit&agrave;. Per accedere alle applicazioni con il proprio AGOV-Login, &egrave; necessario completare la verifica dell&rsquo;identit&agrave;.
 recovery_on_going.title=Completare il processo di ripristino.
 recovery_questionnaire_instructions.banner.info=Tenga presente che in alcuni casi &egrave; necessario utilizzare il codice di ripristino per un ripristino riuscito.
 recovery_questionnaire_instructions.explanation=In base alle sue risposte sembra essere necessario un ripristino AGOV-Login. Fare clic su Continua e seguire le istruzioni visualizzate sullo schermo.
@@ -180,31 +203,31 @@ recovery_questionnaire_instructions.instruction1=Si prega di fornire l'indirizzo
 recovery_questionnaire_instructions.instruction2=Si prega di seguire i passaggi per recuperare il suo account (i passaggi varieranno a seconda del livello di verifica dell'account)
 recovery_questionnaire_loginfactor.banner.error=Si prega di selezionare una risposta.
 recovery_questionnaire_loginfactor.no=No
-recovery_questionnaire_loginfactor.question=Ha registrato pi&ugrave; di un fattore di accesso (app di accesso AGOV o chiave di sicurezza) al suo account?
+recovery_questionnaire_loginfactor.question=Ha registrato pi&ugrave; di un fattore di accesso (app AGOV access o chiave di sicurezza) al suo account?
 recovery_questionnaire_loginfactor.yes=Si
 recovery_questionnaire_no_recovery.explanation1=In base alle sue risposte, l'opzione di ripristino AGOV non sembra necessaria al momento.
-recovery_questionnaire_no_recovery.explanation2=Se ha bisogno di ulteriori informazioni, visiti <a class='link' href='www.agov.ch/help' target='_blank'>www.agov.ch/help</a> per articoli di supporto.
-recovery_questionnaire_no_recovery.instruction1=Se riscontra problemi di accesso a un'applicazione, visiti <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> e verifichi se pu&ograve; accedere con successo.
-recovery_questionnaire_no_recovery.instruction2=Se ha registrato pi&ugrave; fattori di accesso ma ha perso l'accesso a uno di essi, visit <a class='link' href='www.agov.ch/me' target='_blank'>www.agov.ch/me</a> per rimuovere quello a cui ha perso l'accesso.
+recovery_questionnaire_no_recovery.explanation2=Se ha bisogno di ulteriori informazioni, visiti <a class='link' href='https://agov.ch/help' target='_blank'>https://agov.ch/help</a> per articoli di supporto.
+recovery_questionnaire_no_recovery.instruction1=Se riscontra problemi di accesso a un'applicazione, visiti <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> e verifichi se pu&ograve; accedere con successo.
+recovery_questionnaire_no_recovery.instruction2=Se ha registrato pi&ugrave; fattori di accesso ma ha perso l'accesso a uno di essi, visit <a class='link' href='https://agov.ch/me' target='_blank'>https://agov.ch/me</a> per rimuovere quello a cui ha perso l'accesso.
 recovery_questionnaire_reason_selection.answer1=Ho problemi ad accedere, anche se ho la mia app/chiave di sicurezza
-recovery_questionnaire_reason_selection.answer10=Ho perso uno dei miei fattori di accesso (app di accesso AGOV o chiave di sicurezza)
+recovery_questionnaire_reason_selection.answer10=Ho perso uno dei miei fattori di accesso (app AGOV access o chiave di sicurezza)
 recovery_questionnaire_reason_selection.answer2=Non sono riuscito a completare la registrazione
-recovery_questionnaire_reason_selection.answer3=Ho eliminato o reimpostato la mia app di accesso AGOV
+recovery_questionnaire_reason_selection.answer3=Ho eliminato, reinstallato o reimpostato la mia app AGOV access
 recovery_questionnaire_reason_selection.answer4=Ho perso il telefono/la chiave di sicurezza
-recovery_questionnaire_reason_selection.answer5=Ho un nuovo telefono e ho dimenticato di trasferire la mia app di accesso AGOV
-recovery_questionnaire_reason_selection.answer6=Ho dimenticato il PIN dell'app di accesso AGOV
+recovery_questionnaire_reason_selection.answer5=Ho un nuovo telefono e ho dimenticato di trasferire la mia app AGOV access
+recovery_questionnaire_reason_selection.answer6=Ho dimenticato il PIN dell'app AGOV access
 recovery_questionnaire_reason_selection.answer7=Ho i miei token di sicurezza o le mie app, ma ho avuto problemi ad accedere
-recovery_questionnaire_reason_selection.answer8=Ho perso l'accesso a tutte le mie chiavi di sicurezza e alle app di accesso AGOV
+recovery_questionnaire_reason_selection.answer8=Ho perso l'accesso a tutte le mie chiavi di sicurezza e alle app AGOV access
 recovery_questionnaire_reason_selection.answer9=Ho problemi con uno dei miei fattori di accesso (PIN cancellato, reimpostato, dimenticato)
 recovery_questionnaire_reason_selection.banner.error=Si prega di selezionare il motivo.
 recovery_questionnaire_reason_selection.instruction=Si prega di selezionare il motivo per cui sta avviando il processo di recupero:
-recovery_start_info.banner.warning=Non &egrave; possibile utilizzare l&rsquo;account finch&eacute; il processo di ripristino non sar&agrave; concluso. 
-recovery_start_info.instruction=Durante il processo di ripristino sar&agrave; registrato un nuovo fattore di accesso. Se l&rsquo;account contiene informazioni verificate, potrebbe essere necessario avviare un processo di verifica per completare il ripristino. 
+recovery_start_info.banner.warning=Non &egrave; possibile utilizzare l&rsquo;account finch&eacute; il processo di ripristino non sar&agrave; concluso.
+recovery_start_info.instruction=Durante il processo di ripristino sar&agrave; registrato un nuovo fattore di accesso. Se l&rsquo;account contiene informazioni verificate, potrebbe essere necessario avviare un processo di verifica per completare il ripristino.
 recovery_start_info.title=Il processo di ripristino sta per iniziare.
 title=NEVIS SSO Portal
 title.login=Login
 title.pwchange.label=Cambiare Password
-title.pwreset=Password Forgotten
+title.pwreset=Password Dimenticata
 user_input.invalid.email=Inserire un'e-mail valida.
 user_input.invalid.email.required=Campo obbligatorio
-user_input.invalid.email.tooLong=Il testo inserito &egrave; troppo lungo. 
+user_input.invalid.email.tooLong=Il testo inserito &egrave; troppo lungo.

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/resources/mauth_link_qr.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatchLink() {
 
         document.getElementById("mauth_started").style.display = "block"; // show
@@ -55,9 +61,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -70,21 +74,36 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        isPolling = true;
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const request = { fidoUafSessionId: sessionId };
+
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
                     // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
@@ -99,20 +118,24 @@
                     addInput(form, "continue", "true"); // required for custom dispatching in usernameless
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     dispatchLink();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/resources/mauth_onboard.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function renderEnrollment() {
 
         // link is provided by a hidden GuiElem
@@ -52,44 +58,53 @@
     }
 
     function poll() {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
+
+        isPolling = true;
 
         // state is held on backend side
         const request = {};
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
 
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
 
                 if (status == 'clientRegistering') {
-
                     // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
 
                     // hide QR-code and information
                     document.getElementById("mauth_qrcode").style.display = 'none';
                     document.getElementById("mauth_qrcode_info").style.display = 'none';
-                }
-                else if (status == 'succeeded') {
-
+                } else if (status == 'succeeded') {
                     clearInterval(statusPolling);
-                    console.error("onboarding successful");
+                    console.log("onboarding successful");
 
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("onboarding failed with status: " + status);
 
@@ -98,8 +113,15 @@
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     renderEnrollment();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/resources/mauth_push_qr.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatch(id) {
 
         document.getElementById("mauth_devices").style.display = "none"; // hide selection menu
@@ -70,9 +76,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -125,47 +129,64 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
+        isPolling = true;
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        const request = { fidoUafSessionId: sessionId };
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
                     document.getElementById("mauth_qrcode").style.display = 'none';
                     document.getElementById("mauth_qrcode_info").style.display = 'none';
                     document.getElementById("mauth_match_numbers").style.display = 'block';
                     document.getElementById("mauth_loading").style.display = 'block';
                 }
+
                 if (status == 'succeeded') {
                     clearInterval(statusPolling);
-                    // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
-                    // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
                     addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     renderDeviceList();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/resources/mauth_usernameless.js

@@ -16,6 +16,12 @@
 
     let statusPolling;
 
+    let isPolling = false;
+    let pollingTimeout = null;
+
+    const POLLING_INTERVAL = 2000;
+    const REQUEST_TIMEOUT = 3000;
+
     function dispatch() {
 
         console.log("initiating usernameless mobile authentication...");
@@ -58,9 +64,7 @@
                     });
                     var sessionId = o.sessionId;
                     console.log("started polling for session ID: " + sessionId);
-                    statusPolling = window.setInterval(function () {
-                        poll(sessionId);
-                    }, 2000);
+                    poll(sessionId);
                 }
                 else {
                     console.log("authentication failed: " + o.dispatchResult);
@@ -73,46 +77,66 @@
     }
 
     function poll(sessionId) {
+        if (isPolling) {
+            return; // Exit if a polling request is already ongoing
+        }
 
-        const request = {};
-        request.fidoUafSessionId = sessionId;
+        isPolling = true;
 
-        // calling nevisFIDO through nevisAuth on current URL using AJAX
-        fetch("", {
+        const request = { fidoUafSessionId: sessionId };
+
+        const fetchRequest = fetch("", {
             method: "POST",
             headers: {
                 'Content-Type': 'application/json'
             },
             body: JSON.stringify(request)
-        }).then(res => {
-            res.json().then(o => {
+        });
+
+        // Set up the timeout for the fetch request
+        const timeoutPromise = new Promise((_, reject) => {
+            pollingTimeout = setTimeout(() => {
+                reject(new Error('Request timed out'));
+            }, REQUEST_TIMEOUT);
+        });
+
+        Promise.race([fetchRequest, timeoutPromise])
+            .then(res => res.json())
+            .then(o => {
+                clearTimeout(pollingTimeout);
                 var status = o.status;
                 console.log("status: " + status);
+
                 if (status == 'clientAuthenticating') {
-                    document.getElementById("mauth_qrcode").style.display = 'none';
+                    // show process icon
                     document.getElementById("mauth_loading").style.display = 'block';
+                    document.getElementById("mauth_qrcode").style.display = 'none';
                 }
                 if (status == 'succeeded') {
                     clearInterval(statusPolling);
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
-                    addInput(form, "fidoUafDone", "true"); // checked by Groovy script
+                    addInput(form, "continue", "true"); // required for custom dispatching in usernameless
                     document.body.appendChild(form);
                     form.submit();
-                }
-                else if (status == 'failed' || status == 'unknown') {
-
+                } else if (status == 'failed' || status == 'unknown') {
                     clearInterval(statusPolling);
                     console.error("authentication failed with status: " + status);
-
                     // as this is the last call we have to do a top-level request instead of AJAX
                     const form = createForm();
-                    addInput(form, "fidoUafSessionId", sessionId); // checked by Groovy script
+                    addInput(form, "fidoUafSessionId", sessionId);
                     document.body.appendChild(form);
                     form.submit();
                 }
+            })
+            .catch((err) => {
+                console.error("error:", err);
+            })
+            .finally(() => {
+                isPolling = false;
+                // Schedule the next poll if needed
+                setTimeout(() => poll(sessionId), POLLING_INTERVAL);
             });
-        }).catch((err) => console.error("error: ", err));
     }
 
     dispatch();

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/static/images/provide-phone-number-dark.svg

@@ -0,0 +1,14 @@
+<svg width="538" height="428" viewBox="0 0 538 428" fill="none" xmlns="http://www.w3.org/2000/svg">
+	<path opacity="0.6" d="M25.5216 12.9464C101.117 -51.0418 123.063 147.074 258.436 68.7657C393.808 -9.54251 434.824 51.0683 434.824 170.197C434.824 289.325 580.948 321.32 525.401 400.285C469.854 479.25 329.899 364.323 239.366 364.887C108.83 365.699 19.072 335.977 37.78 251.204C69.4629 107.637 -50.0735 76.9347 25.5216 12.9464Z" fill="#453F4F"/>
+	<path d="M315.87 194.157L338.759 274.59L372.321 288.431L370.709 312.806L292.056 339.054L295.324 204.15L308.885 192.119C311.253 190.018 315.004 191.112 315.87 194.157Z" fill="#2F2E43"/>
+	<path d="M254.071 99.3203C258.34 75.2985 281.274 59.2858 305.296 63.5551C329.318 67.8243 345.331 90.7588 341.062 114.781C337.599 134.263 321.86 148.474 303.221 150.874L284.936 204.949L248.42 161.61C248.42 161.61 259.776 151.461 267.106 139.043C256.753 129.168 251.38 114.463 254.071 99.3203Z" fill="#F3C6C8"/>
+	<path d="M300.903 178.872L241.344 136.491C241.344 136.491 220.277 131.521 219.729 161.017C219.729 161.017 188.243 180.248 184.505 223.096C180.767 265.943 186.307 388.999 186.307 388.999L331.942 350.72L316.015 197.663C315.11 188.973 309.197 181.619 300.903 178.872Z" fill="#1778D3"/>
+	<path d="M228.184 159.93C228.184 159.93 275.707 179.436 282.199 202.795" stroke="#E6E6E6" stroke-miterlimit="10"/>
+	<path d="M400.576 308.456L313.893 337.777L317.75 304.922L394.424 286.427C397.202 281.312 402.465 277.057 409.186 275.18C420.947 271.895 432.684 277.123 435.402 286.855C438.121 296.588 430.791 307.141 419.03 310.426C412.309 312.303 405.603 311.391 400.576 308.456Z" fill="#F3C6C8"/>
+	<path d="M281.991 290.319L266.001 213.382C266.001 213.382 233.372 151.67 191.579 195.333C191.579 195.333 238.434 350.645 264.171 352.381C289.907 354.117 322.346 336.691 322.346 336.691L326.292 296.448L281.991 290.319Z" fill="#1778D3"/>
+	<path d="M191.582 195.328C191.582 195.328 238.436 350.64 264.173 352.376C289.909 354.112 322.348 336.686 322.348 336.686" stroke="#E6E6E6" stroke-miterlimit="10"/>
+	<path d="M326.295 296.442L281.993 290.313L266.004 213.375" stroke="#E6E6E6" stroke-miterlimit="10"/>
+	<path d="M265.066 137.675C265.066 137.675 265.15 113.706 277.44 105.926C289.703 98.1636 286.701 114.495 286.701 114.495L293.981 114.82C293.981 114.82 296.902 98.938 311.084 99.8077L307.313 78.9529C307.313 78.9529 338.84 94.1981 340.607 91.2217C354.515 67.8019 291.481 27.9758 262.264 61.5896C216.823 113.87 265.066 137.675 265.066 137.675Z" fill="#BE7800"/>
+	<rect x="436.242" y="218.391" width="11.8658" height="54.8795" rx="4" transform="rotate(15.4151 436.242 218.391)" fill="#9268E9"/>
+	<path d="M405.463 303.885L318.78 333.207L322.636 300.352L399.31 281.857C402.089 276.742 407.352 272.487 414.073 270.61C425.833 267.325 437.571 272.552 440.289 282.285C443.007 292.018 435.677 302.57 423.917 305.855C417.195 307.732 410.49 306.82 405.463 303.885Z" fill="#F3C6C8"/>
+</svg>

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/static/images/provide-phone-number.svg

@@ -0,0 +1,14 @@
+<svg width="538" height="428" viewBox="0 0 538 428" fill="none" xmlns="http://www.w3.org/2000/svg">
+	<path opacity="0.6" d="M25.5216 12.9464C101.117 -51.0418 123.063 147.074 258.436 68.7657C393.808 -9.54251 434.824 51.0683 434.824 170.197C434.824 289.325 580.948 321.32 525.401 400.285C469.854 479.25 329.899 364.323 239.366 364.887C108.83 365.699 19.072 335.977 37.78 251.204C69.4629 107.637 -50.0735 76.9347 25.5216 12.9464Z" fill="white"/>
+	<path d="M315.87 194.156L338.759 274.589L372.321 288.429L370.709 312.805L292.056 339.053L295.324 204.149L308.885 192.117C311.253 190.016 315.004 191.11 315.87 194.156Z" fill="#2F2E43"/>
+	<path d="M254.069 99.3193C258.338 75.2975 281.272 59.2848 305.294 63.5541C329.316 67.8234 345.329 90.7578 341.06 114.78C337.597 134.262 321.858 148.473 303.219 150.873L284.934 204.948L248.418 161.609C248.418 161.609 259.774 151.46 267.104 139.042C256.751 129.167 251.378 114.462 254.069 99.3193Z" fill="#E29295"/>
+	<path d="M300.903 178.872L241.344 136.492C241.344 136.492 220.277 131.521 219.729 161.017C219.729 161.017 188.243 180.249 184.505 223.096C180.767 265.943 186.307 389 186.307 389L331.942 350.72L316.015 197.663C315.11 188.973 309.197 181.62 300.903 178.872Z" fill="#2F2E43"/>
+	<path d="M228.184 159.928C228.184 159.928 275.707 179.434 282.199 202.793" stroke="#E6E6E6" stroke-miterlimit="10"/>
+	<path d="M400.576 308.455L313.893 337.776L317.75 304.921L394.424 286.427C397.202 281.311 402.465 277.057 409.186 275.179C420.947 271.895 432.684 277.122 435.402 286.855C438.121 296.588 430.791 307.14 419.03 310.425C412.309 312.302 405.603 311.39 400.576 308.455Z" fill="#E29295"/>
+	<path d="M281.991 290.315L266.001 213.378C266.001 213.378 233.372 151.667 191.579 195.329C191.579 195.329 238.434 350.641 264.171 352.377C289.907 354.113 322.346 336.687 322.346 336.687L326.292 296.444L281.991 290.315Z" fill="#2F2E43"/>
+	<path d="M191.582 195.329C191.582 195.329 238.436 350.64 264.173 352.377C289.909 354.113 322.348 336.687 322.348 336.687" stroke="#E6E6E6" stroke-miterlimit="10"/>
+	<path d="M326.295 296.444L281.993 290.315L266.004 213.377" stroke="#E6E6E6" stroke-miterlimit="10"/>
+	<path d="M265.066 137.676C265.066 137.676 265.15 113.707 277.44 105.927C289.703 98.1645 286.701 114.496 286.701 114.496L293.981 114.821C293.981 114.821 296.902 98.939 311.084 99.8087L307.313 78.9539C307.313 78.9539 338.84 94.199 340.607 91.2226C354.515 67.8029 291.481 27.9768 262.264 61.5906C216.823 113.871 265.066 137.676 265.066 137.676Z" fill="#2F2E43"/>
+	<rect x="436.242" y="218.39" width="11.8658" height="54.8795" rx="4" transform="rotate(15.4151 436.242 218.39)" fill="#734BC5"/>
+	<path d="M405.461 303.882L318.778 333.203L322.634 300.348L399.308 281.853C402.087 276.738 407.35 272.484 414.071 270.606C425.831 267.322 437.569 272.549 440.287 282.282C443.005 292.014 435.675 302.567 423.915 305.852C417.194 307.729 410.488 306.817 405.461 303.882Z" fill="#E29295"/>
+</svg>

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/static/js-code/ask_mobile.js

@@ -0,0 +1,149 @@
+class ProvidePhoneNumber {
+	modal;
+	declineModal;
+	providePhoneNumberLaterButton;
+	phoneNumberInput;
+	agovInputPhoneNumberInput;
+	repeatPhoneNumberInput;
+	agovInputRepeatPhoneNumberInput;
+
+	constructor() {
+		this.modal = document.querySelector('#modal');
+		this.declineModal = document.querySelector('#declineModal');
+		this.providePhoneNumberLaterButton = document.querySelector('#providePhoneNumberLaterButton');
+		this.phoneNumberInput = document.querySelector('#phoneNumberInput');
+		this.agovInputPhoneNumberInput = document.querySelector('#agovInputPhoneNumberInput');
+		this.agovInputRepeatPhoneNumberInput = document.querySelector('#agovInputRepeatPhoneNumberInput');
+		this.repeatPhoneNumberInput = document.querySelector('#repeatPhoneNumberInput');
+
+		this.initializePhoneInput(this.phoneNumberInput);
+		this.addPhoneInputEventHandlers(this.phoneNumberInput);
+		this.addPhoneInputEventHandlers(this.repeatPhoneNumberInput);
+
+		document.querySelector('#declineModalBack').addEventListener('click', () => {
+			this.resetValidation(this.agovInputPhoneNumberInput);
+			this.setInvisible(this.declineModal);
+		});
+		document.querySelector('#repeatPhoneNumberModalBack').addEventListener('click', () => {
+			this.initializePhoneInput(this.phoneNumberInput);
+			this.setInvisible(this.modal);
+		});
+		document.querySelector('#repeatPhoneNumberModalContinue').addEventListener('click', () => {
+			if (this.validateInput(this.agovInputRepeatPhoneNumberInput)) {
+				this.evaluatePhoneNumbersAndSubmit();
+				this.initializePhoneInput(this.phoneNumberInput);
+			}
+		});
+		document.querySelector('#providePhoneNumberContinueButton').addEventListener('click', () => {
+			const dialCode = `+${window.phoneNumberUtils.getDialCode()}`;
+			if (this.validateInput(this.agovInputPhoneNumberInput)) {
+				this.repeatPhoneNumberInput.value = '';
+				this.initializePhoneInput(this.repeatPhoneNumberInput);
+				this.resetValidation(this.agovInputRepeatPhoneNumberInput);
+				this.showErrorBanner(false);
+				this.setVisible(this.modal);
+			}
+			else if (this.phoneNumberInput.value.trim() === '' ||
+				this.phoneNumberInput.value.trim() === dialCode) {
+				this.setVisible(this.declineModal);
+			}
+		});
+	}
+
+	addPhoneInputEventHandlers(phoneInputElement) {
+		phoneInputElement.addEventListener('input', () => {
+			this.formatAndEmitPhoneNumberValue(phoneInputElement);
+		});
+		phoneInputElement.addEventListener('countrychange', () => {
+			this.onPhoneNumberCountryChange(phoneInputElement);
+		});
+	}
+
+	async initializePhoneInput(inputElement) {
+		if (inputElement.value) {
+			await window.phoneNumberUtils.initializePhoneNumberField(inputElement, inputElement.value);
+		}
+		else {
+			await window.phoneNumberUtils.initializePhoneNumberField(inputElement);
+		}
+	}
+
+	onPhoneNumberCountryChange(inputElement) {
+		inputElement.value = window.phoneNumberUtils.formatAfterCountryChange();
+	}
+
+	formatAndEmitPhoneNumberValue(inputElement) {
+		inputElement.value = window.phoneNumberUtils.formatUsingInputValue();
+	}
+
+	resetValidation(agovInput) {
+		agovInput.validity = true;
+	}
+
+	validateInput(agovInput) {
+		const innerInput = agovInput.querySelector('input');
+		if (innerInput.value.trim().length === 0) {
+			agovInput.supportingText = 0;
+			agovInput.focus();
+			agovInput.validity = false;
+			return false;
+		}
+		else if (!window.phoneNumberUtils.validatePhoneNumber(false, true)) {
+			agovInput.supportingText = 2;
+			agovInput.focus();
+			agovInput.validity = false;
+			return false;
+		}
+		return true;
+	}
+
+	setInvisible(modalElement) {
+		window.utils.changeDisplay(modalElement, 'hidden', 'block');
+	}
+
+	setVisible(modalElement) {
+		window.utils.changeDisplay(modalElement, 'block', 'hidden');
+		const isMobile = !!/(iPhone|Android)/.test(window.navigator.userAgent);
+		if (isMobile) {
+			modalElement.classList.add('mobileDrawer');
+			document.dispatchEvent(new Event('initDrawerPopup'));
+		}
+	}
+
+	arePhoneNumbersEqual() {
+		const phoneNumber = this.phoneNumberInput.value.trim();
+		const repeatedPhoneNumber = this.repeatPhoneNumberInput.value.trim();
+		return phoneNumber === repeatedPhoneNumber;
+	}
+
+	evaluatePhoneNumbersAndSubmit() {
+		if (this.arePhoneNumbersEqual()) {
+			document.querySelector('#mobile').value = this.repeatPhoneNumberInput.value.trim().replaceAll(' ', '');
+			// Some other 'click' listeners from gsap (used in drawer.js) seem to interfere with the trigger click on
+			// submitPhoneNumber button. It happens only on mobile devices, where the drawer is used. setTimeout seems to help
+			// to avoid the issue (although it is just a workaround).
+			setTimeout(() => {
+				document.querySelector('#submitPhoneNumber').click();
+			}, 100);
+		}
+		else {
+			this.setInvisible(this.modal);
+			this.showErrorBanner(true);
+		}
+	}
+
+	showErrorBanner(visible) {
+		const errorBanner = document.getElementById('errorBanner');
+		if (visible) {
+			window.utils.changeDisplay(errorBanner, 'block', 'hidden');
+		}
+		else {
+			window.utils.changeDisplay(errorBanner, 'hidden', 'block');
+		}
+	}
+}
+
+document.addEventListener('DOMContentLoaded', () => {
+	document.dispatchEvent(new Event('initPhoneNumberUtils'));
+	window.providePhoneNumber = new ProvidePhoneNumber();
+});

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/static/js-code/eid_verification.js

@@ -0,0 +1,4 @@
+document.addEventListener('DOMContentLoaded', function() {
+	document.dispatchEvent(new Event('initEidVerification'));
+	document.dispatchEvent(new Event('initCantonalBranding'));
+});

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/static/js-code/mauth_usernameless.js

@@ -0,0 +1,5 @@
+document.addEventListener('DOMContentLoaded', function() {
+	document.dispatchEvent(new Event('initQRCode'));
+	document.dispatchEvent(new Event('initDrawer'));
+	document.dispatchEvent(new Event('initCantonalBranding'));
+});

DEFAULT-ADN-AGOV-PROJECT/DEFAULT-ADN-AGOV-INV/logrend/var/opt/nevislogrend/default/data/applications/Auth_Realm_Main_IDP/webdata/static/js-code/recovery_intro_email.js

@@ -1,3 +1,4 @@
 document.addEventListener('DOMContentLoaded', function() {
 	document.dispatchEvent(new Event('initEmail'));
+	document.dispatchEvent(new Event('initCaptcha'));
 });