Important
We have released a new version. Documentation for our latest version can be found [here](/products/3ds/).

**Last updated**: 22 April 2025 | [**Change log**](/products/3ds/changelog/)

# Android and iOS SDK

Use our native android SDK to improve issuer challenge display for 3DS2 and increase the chance of a frictionless authentication using mobile device data.

1. [Get started](/products/3ds/v2/android-ios/get-started) with our App SDK
2. Get a JWT to [initialize the SDK](/products/3ds/v2/android-ios/device-data) and perform [device data collection](/products/3ds/v2/android-ios/device-data)
3. Submit order and risk data for [authentication](/products/3ds/v2/android-ios/authentication). The 3DS flow ends here if no challenge is required (frictionless).
4. Show the issuer [challenge display](/products/3ds/v2/android-ios/challenge-verification) using the native SDK and retrieve the authentication details to form part of the payment authorize request.


Note
Native mobile support is a new feature of 3DS2, for responses that are 3DS1 a webview is required for the [challenge](/products/3ds/v2/android-ios/challenge-verification).

Visualize our 3DS API and see the flow of a 3DS authentication.

Android and iOS - 3DS2 Frictionless

```mermaid

sequenceDiagram
    participant Browser
    participant Merchant Frontend
    participant Merchant Backend
    participant Access 3DS
    participant Cardinal/Issuers
    Browser-->>Merchant Frontend: Click Pay
    Merchant Frontend-->>Merchant Backend: Pay 
    Merchant Backend-->>Access 3DS: deviceDataInitialization request
    Access 3DS-->>Merchant Backend: deviceDataInitialization response
    Merchant Backend-->>Merchant Frontend: deviceDataCollection.jwt
    Merchant Frontend-->>Cardinal/Issuers: cardinal.init(jwt)
    Cardinal/Issuers-->>Merchant Frontend: ConsumerSessionId
    Merchant Frontend-->>Merchant Backend: Data for authentication request 
    Note left of Merchant Frontend: If no `dfReferenceId`<br> (collectionReference) is provided or <br>the issuer doesn't support 3DS2, the<br> flow will use 3DS1 from here<br> (always challenge)
    Merchant Backend-->>Access 3DS: Authentication request
    Access 3DS-->>Merchant Backend: Authentication response
    Note left of Merchant Backend: Use in payment authorization:<br>-version<br>-authenticationValue<br>-eci<br>-transactionId
```

Android and iOS - 3DS2 Challenge

```mermaid

sequenceDiagram
    participant Browser
    participant Merchant Frontend
    participant Merchant Backend
    participant Access 3DS
    participant Cardinal/Issuers
    Browser-->>Merchant Frontend: Click Pay
    Merchant Frontend-->>Merchant Backend: Pay 
    Merchant Backend-->>Access 3DS: deviceDataInitialization request
    Access 3DS-->>Merchant Backend: deviceDataInitialization response
    Merchant Backend-->>Merchant Frontend: deviceDataCollection.jwt
    Merchant Frontend-->>Cardinal/Issuers: cardinal.init(jwt)
    Cardinal/Issuers-->>Merchant Frontend: ConsumerSessionId
    Merchant Frontend-->>Merchant Backend: Data for authentication request 
    Note left of Merchant Frontend: If no `dfReferenceId`<br> (collectionReference) is provided or <br>the issuer doesn't support 3DS2, the<br> flow will use 3DS1 from here<br> (always challenge)
    Merchant Backend-->>Access 3DS: Authentication request
    Access 3DS-->>Merchant Backend: Authentication response
    Merchant Backend-->>Merchant Frontend: challenge.payload
    Merchant Frontend-->>Cardinal/Issuers: Cardinal.continue(reference.payload)
    Cardinal/Issuers-->>Merchant Frontend: Response
    Merchant Frontend-->>Merchant Backend: Verification request
    Note left of Merchant Frontend: Once the challenge has been<br> completed you can submit the<br> `challenge.reference` from the<br> authentication response to the<br> verification request
    Merchant Backend-->>Access 3DS: Verification request
    Access 3DS-->>Merchant Backend: Verification response
    Note left of Merchant Backend: Use in payment authorization:<br>-version<br>-authenticationValue<br>-eci<br>-transactionId
```

Android and iOS - 3DS1 Challenge

```mermaid

sequenceDiagram
    participant Browser
    participant Merchant Frontend
    participant Merchant Backend
    participant Access 3DS
    participant Cardinal/Issuers
    Browser-->>Merchant Frontend: Click Pay
    Merchant Frontend-->>Merchant Backend: Pay 
    Merchant Backend-->>Access 3DS: deviceDataInitialization request
    Access 3DS-->>Merchant Backend: deviceDataInitialization response
    Merchant Backend-->>Merchant Frontend: deviceDataCollection.jwt
    Merchant Frontend-->>Cardinal/Issuers: cardinal.init(jwt)
    Cardinal/Issuers-->>Merchant Frontend: ConsumerSessionId
    Merchant Frontend-->>Merchant Backend: Data for authentication request 
    Note left of Merchant Frontend: If no `dfReferenceId`<br> (collectionReference) is provided or <br>the issuer doesn't support 3DS2, the<br> flow will use 3DS1 from here<br> (always challenge)
    Merchant Backend-->>Access 3DS: Authentication request
    Access 3DS-->>Merchant Backend: Authentication response
    Merchant Backend-->>Merchant Frontend: challenge.jwt<br>challenge.url<br>challenge.reference
    Merchant Frontend-->>Cardinal/Issuers: Submit challenge form
    Note left of Merchant Frontend: Challenge Display (webView)<br><iframe><br><form action=challenge.url><br><input hidden JWT="challenge.jwt"><br></form><br></iframe>
    Cardinal/Issuers-->>Merchant Frontend: Return to merchant site (challenge.returnUrl)
    Merchant Frontend-->>Merchant Backend: Verification request
    Note left of Merchant Frontend: Once the challenge has been<br> completed you can submit the<br> `challenge.reference` from the<br> authentication response to the<br> verification request
    Merchant Backend-->>Access 3DS: Verification request
    Access 3DS-->>Merchant Backend: Verification response
    Note left of Merchant Backend: Use in payment authorization:<br>-version<br>-authenticationValue<br>-eci<br>-transactionId
```

**Next steps**

[Get started](/products/3ds/v2/android-ios/get-started)