Skip to main content
Skip table of contents

mAccess WEB version 3.10.0

The mAccess Library WEB is a small JavaScript library ("simple-neon-lib.js") that lets you perform simple operations (OTP, Activation, PIN or password operations..) with your TrustBuilder service.
This document explains how to add TrustBuilder MFA to your site.

What's new?

Note that the following updates are between versions 3.8 and 3.10 of mAccess Web. (See “mAccess Web - Release Notes” to get more details)

  • New functions:

    • ‘setBioKey' → adding biometrics for mAccess Web

    • ‘activate’ → activating a browser token as a user’s trusted token

    • 'getOnlineOtp' → generating an OTP

  • Security Fix → the offline operations are no longer available


  • An TrustBuilder service 

  • A valid "Bookmark_Alias" for a secure site for this service, and requested during script initialization

Script elements

Calling mAccess Library (WEB) 

mAccess Library (WEB) JS Library 

<---------------- JS for version 3.10.0 --------->
<script src=" " type="text/javascript"></script>

mAccess Library (WEB) Library SHA256

<---------------- SHA256 for version 3.10.0 --------->

Script initialization

 window.onload =  function() {
        neon = new Neon.Neon('******* Bookmark alias *******', '**** applicationDescription **** ');

        .then(logins => {
  'login list : ', logins);
        .catch(e => {
            console.error('Error during initialization', e);

Initialization parameters:

  • {string} alias The Bookmark ALIAS associated to the webapp / generated in the Secure site tab of the Administration console

  • {string} applicationDescription The description of the application


Allows you to Initialize the Neon library and returns a promise that handles a logins array.
This array contains all the accounts already enrolled and active for this alias in this browser


Since mAccess library (WEB) version 3.4.0, each operations are available for Standard and White label service with PIN or password following your service settings.




Activate a browser as a trusted token (improved version of ‘activateWithPin’)


Activate a browser as a trusted token


Get an activation code for an enrolled user


Generate an OTP (improved version of ‘getOnlineOtpWithPin’)


Generate an OTP


Generate an JWT Access Token


Unlock an enrolled user


Change the pin


Reset the pin


Seal Data


Get a remote OTP by Push


Set Biometric Key

About activation functions

The activate and activateWithPin functions both allow a user to activate a browser as a trusted device. The activate function is an improved version of the activateWithPin function.

  • If you are about to perform a first mAccess Web integration, we recommend that you use the activate function.

  • If you have already integrated mAccess Web, the activateWithPin function is still available.


neon.activate(activationCode, tokenName) → activate a browser as a trusted token

In the TrustBuilderservice parameters, if the authentication mode is set “with pin”, then they will ask either to set the pin activateDisplayDefinePin or to enter the pin activateDisplayAskForPin (depending on the user's status).

See our Sample page below to see the activate function implemented.

                /****************** activate*******************/
    function activate(activationCode, tokenName) {
        console.log('activate', activationCode, tokenName);
        document.getElementById('activationResult').innerHTML = '';
        neon.activate(activationCode, tokenName, activateDisplayAskForPin, activateDisplayDefinePin).then(l => displayActivate(l)).catch(e => displayActivateError(e));
  • {string} activationCode The activation code delivered by TrustBuilderservice

  • {string} tokenName The user's token name

  • {function} askForPin():string : this function is called by the library when a PIN is needed (for authentication)

  • {function} definePin():string : this function is called by the library when a confirmed PIN is needed (for the first activation)

  • {function} onSuccess The success callback

  • {function} onError The error callback

  • returns Nothing if onSuccess and onError are defined, or a Promise that handles the login of this account


neon.activateWithPin(activationCode, pin) → activate a browser as a trusted token

    /****************** activateWithPin *******************/
    function activate(activationCode, pin) {
        console.log('activate', activationCode, pin);
        document.getElementById('activationResult').innerHTML = '';
        neon.activateWithPin(activationCode, pin).then(displayActivateWithPin).catch(e => displayActivateWithPinError(e));
  • {string} activationCode The activation code delivered by TrustBuilderservice

  • {string} pin The user's PIN code or password of the account

  • {function} onSuccess The success callback

  • {function} onError The error callback

  • returns Nothing if onSuccess and onError are defined, or a Promise that handles the login of this account

Refreshing the Login list after a restore operation

When using the initOnline () function and after a restore operation of a user account (activation with a restore code), it is important to restart the initOnline () operation just after the activation in order to refresh the list of displayed logins.

As defined in the Demo page, in the Activate function on « displayActivationSuccess » you have to launch initNeon() to perform neon,initOnline () again

If this update is not performed, the previous login(token) will remain visible and displayed twice in the list of users.


neon.getActivationCodeWithPin(login, pin, success, error) → generate an activation code for an enrolled user

    /****************** getActivationCode *******************/    
    function getActivationCode(login, pin) {
        console.log('getActivationCode', login, pin);
        neon.getActivationCodeWithPin(login, pin, displayActivationCode, displayActivationCodeError);
  • {string} login The login of the user

  • {string} pin The user's PIN code or password of the account

  • {function} onSuccess The success callback

  • {function} onError The error callback

  • returns Nothing if onSuccess and onError are defined, or a Promise that handles the generated Activation code

About getting online OTP functions

The getOnlineOtp and getOnlineOtpWithPin functions both allow to generate an OTP. The getOnlineOtp function is an improved version of the getOnlineOtpWithPin function.

  • If you are about to perform a first mAccess Web integration, we recommend that you use the getOnlineOtp function.

  • If you have already integrated mAccess Web, the getOnlineOtpWithPin function is still available.


neon.getOnlineOtp(login) → Generate an OTP

See our Sample page below to see the getOnlineOtp function implemented.

   /****************** getOnlineOtp *******************/    
    function getOnlineOtp(login) {
        console.log('getOnlineOtp', login);
        neon.getOnlineOtp(login, getOnlineOtpDisplayAskForPin).then(otp => displayGetOnlineOtp(otp)).catch(e => displayGetOnlineError(e));
  • {string} login The login of the user

  • {function} askForPin(biokeyAllowed:boolean):{ value: string, wikType: string } : this function is called by the library when a PIN or BioKey is needed (for authentication)

    • If biokeyAllowed is true, the value returned can be {value : <<THE PIN CODE>>, wiktype:"PASSWORD"} or {value : <<THE VALUE REGISTED DURING setBioKey>>, wiktype:"BIO" }

    • If biokeyAllowed is false, the value returned must be {value : <<THE PIN CODE>>, wiktype:"PASSWORD" }

  • {function} onSuccess The success callback

  • {function} onError The error callback

  • returns Nothing if onSuccess and onError are defined, or a Promise that handles the generated OTP


neon.getOnlineOtpWithPin(login, pin) → Generate an OTP

     /****************** getOnlineOtpWithPin *******************/    
    function getOnlineOtp(login, pin) {
        console.log('getOtp', login, pin);
        neon.getOnlineOtpWithPin(login, pin).then(displayOtp).catch(e => displayOtpError(e));
  • {string} login The login of the user

  • {string} pin The user's PIN code or password of the account

  • {function} onSuccess The success callback

  • {function} onError The error callback

  • returns Nothing if onSuccess and onError are defined, or a Promise that handles the generated OTP


neon.getAccessTokenWithPin(login, pin, success, error) → Generate a JWT Access Token

    /****************** getAccessToken *******************/    
    function getAccessToken(login, pin) {
        console.log('getAccessToken', login, pin);
        neon.getAccessTokenWithPin(login, pin, displayAccessToken, displayAccessTokenError);
  • {string} login The login of the user

  • {string} pin The user's PIN code or password of the account

  • {function} onSuccess The success callback

  • {function} onError The error callback

  • returns Nothing if onSuccess and onError are defined, or a Promise that handles the generated JWT AccessToken


neon.unlockTokenWithPin(login, unlockCode, pin, success, error) → Unlock an enrolled user

      /****************** unlockToken *******************/    
     function unlockToken(login, unlockCode, pin) {
        console.log('unlockToken', login, unlockCode, pin);
        document.getElementById('unlockTokenResult').innerHTML = '';
        neon.unlockTokenWithPin(login, unlockCode, pin, displayUnlockToken, displayUnlockTokenError);
  • {string} login The login of the user

  • {string} unlockCode The unlock code delivered by TrustBuilderservice

  • {string} pin The user's PIN code or password of the account

  • {function} onSuccess The success callback

  • {function} onError The error callback

  • returns Nothing if onSuccess and onError are defined, or a Promise


neon.changePin(login, oldPin, newPin, success, error) → Change the pin

    /****************** changePin *******************/    
    function changePin(login, oldPin, newPin) {
        console.log('changePin', login, oldPin, newPin);
        document.getElementById('changePinResult').innerHTML = '';
        neon.changePin(login, oldPin, newPin).then(displayChangePin).catch(e => displayChangePinError(e));
  • {string} login The login of the user

  • {string} oldPin The OLD user's PIN code or password for this account

  • {string} newPin The NEW user's PIN code or password for this account

  • {function} onSuccess The success callback

  • {function} onError The error callback

  • returns Nothing if onSuccess and onError are defined, or a Promise


neon.resetPin(login, resetCode, newPin, success, error) → Reset the pin

     /****************** resetPin *******************/    
    function resetPin(login, resetCode, newPin) {
        console.log('resetPin', login, resetCode, newPin);
        document.getElementById('resetPinResult').innerHTML = '';
        neon.resetPin(login, resetCode, newPin).then(displayResetPin).catch(e => displayResetPinError(e));
  • {string} login The login of the user

  • {string} resetCode The reset code generated for this user / in the Administration console

  • {string} newPin The NEW user's PIN code or password for this account

  • {function} onSuccess The success callback

  • {function} onError The error callback

  • returns Nothing if onSuccess and onError are defined, or a Promise


neon.sealDataWithPin(login, pin, data, success, error) → Seal Data

     /****************** sealData *******************/    
    function sealData(login, pin, data) {
        console.log('sealData', login, pin, data);
        neon.sealDataWithPin(login, pin, data).then(displaySealData).catch(e => displaySealDataError(e));
  • {string} login The login of the user

  • {string} pin The user's PIN code or password of the account

  • {string} data The data to seal

  • {function} onSuccess The success callback

  • {function} onError The error callback

  • returns Nothing if onSuccess and onError are defined, or a Promise that handles the sealed data


neon.getRemoteOtpByPush(login, success, error) → Get a remote OTP by push

	/****************** sendPush *******************/ 
	function sendPush(login) {
		console.log('sendPush', login);
		neon.getRemoteOtpByPush(login).then(otp => displaysendPush(otp)).catch(e => displaysendPushError(e));
  • {string} login The login of the user

  • {function} onSuccess The success callback

  • {function} onError The error callback

  • returns Nothing if onSuccess and onError are defined, or a Promise that handles the generated OTP


neon.setBioKey(login) → Set Biometric key

	/****************** setBioKey *******************/ 
	function setBioKey(login) {
		console.log('setBioKey', login);
		document.getElementById('setBioKeyResult').innerHTML = '';
        neon.setBioKey(login, '0123456789', setBioKeyDisplayAskForPin).then(otp => displaySetBioKey()).catch(e => displaySetBioKeyError(e));
  • {string} login The login of the user

  • {function} onSuccess The success callback

  • {function} onError The error callback

  • returns Nothing if onSuccess and onError are defined, or a Promise that handles the generated OTP

Simple integration

Here are details of a simple integration for a demo page using mAccess Library (WEB).

Prerequisite: a TrustBuilder service

Step 1: Creating a secure site

You should create a Secure site for your "mAccess Web" page. This will allow you to get the “Bookmark Alias” that is useful for initialization.

  • In your Administration console, go to the "Secure site" tab.

  • Click on + Add a secure site type... "Web services"

  • In “Authentication page” parameter, indicate the URL address page using mAccess Web JS library

  • Select "Browser Token Activation" to generate a Bookmark Alias.

  • Save the Bookmark Alias to use in your page to initiate mAccess Web JS library

Step 2: Creating a demo page

You will find below a sample page using mAccess Library (WEB). To test it, you should enter your bookmark alias in the initialization script.

In this sample page, the following functions are implemented:

  • activate → activating this browser as a trusted token. You can act as a new user or as an active user. To get the “activation code”, you can go to the Administration console and generate an activation code for the given user. The user will appear in the List of users who currently use this browser as a trusted token.

    • In the TrustBuilderservice parameters, if the authentication mode is set “with pin”, then they will ask either to set the pin or to enter the pin (depending on the user's status)

  • getOnlineOtp → generating an OTP. You should be an active user to generate an OTP. The OTP will appear at the below “Generated OTP”. This OTP with a 20s lifetime should then be sent to the TrustBuilderplatform for authentication through the API/RADIUS... Note that biometric is not functional on the sample page.

Sample page
<html lang="en">
        <meta charset="utf-8"/>
        <link rel="stylesheet" href="" integrity="sha384-ggOyR0iXCbMQv3Xipma34MD+dH/1fQ784/j6cY/iJTQUOhcWr7x9JvoRxT2MZw1T" crossorigin="anonymous">
        <title>mAccess Library (WEB)</title>
        <div id="libError"></div>
        <h1 style="text-align:center">mAccess Library (WEB) - Demo Page</h1>
        <div style="position:flex; margin: auto ; width: 30%">

            <!--************* ACTIVATION PANEL ************ --> 
        <div class="form-group" style="background-color: #F5F5F5; width=420; border=yes; border-style: solid;     border-color: grey; border-width=20; opacity: 0.90; filter: alpha(opacity=85)">
            <table border=0 cellpadding="10">
                    <td colspan="2">
                        <h4>Activating this browser as a trusted token</h4>
                    <th width="40%" align=Left border=0 valign=top>
                        <h6>Activation code:</h6> <br><br>                  
                        <h6>Token name:</h6><br>
                    <th width="200" align=Left>
                        <form action="#">
                            <input class="form-control" type="text" name="code"><br>
                            <input class="form-control" type="text" name="tokenName"><br>
                            <input class="btn btn-primary" type="button" onclick="activate(code.value, tokenName.value)" value="Submit">
                        <form action="#" id="activateAskForPin" style="display:none;"> Code PIN: <input id="activateAskForPinInput" type="text"><br><input id="activateAskForPinButton" type="button" value="Submit"></form>
                        <form action="#" id="activateDefinePin" style="display:none;"> Define PIN Code: <input type="text" id="activateDefinePinInput1"><br> Confirm PIN Code: <input type="text" id="activateDefinePinInput2"><br><input id="activateDefinePinButton" type="button" value="Submit"></form>
                        <div class="toast"><p><div class='error' id='activateError'></div></p></div>
                    <td colspan="2"><h6>List of users who currently use this browser as a trusted token</h6><div id="logins"></div></td> 
                <tr><td><div id="activateResult"></div></td></tr>

            <!--************* OTP PANEL ************ --> 
        <div class="form-group" style="background-color: #F5F5F5; width=420; border=yes; border-style: solid; border-color: grey; border-width=20; opacity: 0.90; filter: alpha(opacity=85)">
            <table border=0 cellpadding="10">
                    <td colspan="2"> 
                        <h4>Generating an OTP</h4>
                    <td width="40%" align=Left valign=top border=0>
                    <th width="200" align=Left>
                        <form action="#">
                            <input class="form-control" type="text" name="login"><br>
                            <input class="btn btn-primary" type="button" onclick="getOnlineOtp(login.value)" value="Submit"><br>                        
                        <form action="#" id="getOnlineOtpAskForPin" style="display:none;">PIN Code: <input id="getOnlineOtpAskForPinInput" type="text"><br><input id="getOnlineOtpAskForPinButton" type="button" value="Submit"></form>
                        <form action="#" id="getOnlineOtpAskForPinWithBio" style="display:none;"><input id="getOnlineOtpAskForPinWithBioButton" type="button" value="Submit using Biokey"></form>
                        <div class="toast"><p><div class='error' id='getOnlineOtpError'></div></p></div>
                    <td colspan="2" width="auto" align=Left border=0><h6>Generated OTP</h6></td>
                    <td><div id="getOnlineOtpResult"></div></td>
        <!-- ********** Call the mAccess Library (WEB) JS Library ********** -->     
        <script src="" type="text/javascript"></script>

        <!-- ********** JS functions ********** -->     
        <script type="text/javascript">   
        var neon;  
             /****************** activate *******************/
            function activate(activationCode, tokenName) {
                console.log('activate', activationCode, tokenName);
                document.getElementById('activateResult').innerHTML = '';
                neon.activate(activationCode, tokenName, activateDisplayAskForPin, activateDisplayDefinePin).then(l => displayActivate(l)).catch(e => displayActivateError(e));

            function activateDisplayAskForPin() {
                return new Promise((resolve, reject) => {
                    document.getElementById('activateAskForPin').style.display = "block";
                    document.getElementById('activateAskForPinButton').onclick = () => {

            function activateDisplayDefinePin() {
                return new Promise((resolve, reject) => {
                    document.getElementById('activateDefinePin').style.display = "block";
                    document.getElementById('activateDefinePinButton').onclick = (pin1, pin2) => {
                        var pin1 = document.getElementById('activateDefinePinInput1').value;
                        var pin2 = document.getElementById('activateDefinePinInput2').value;
                        if (pin1 == pin2) {

            function displayActivate(login) {
                document.getElementById('activateResult').innerHTML = 'Activation success for ' + login;
                document.getElementById('activateAskForPin').style.display = "none";
                document.getElementById('activateDefinePin').style.display = "none";

            function displayActivateError(error) {

            /****************** getOnlineOtp *******************/
            function getOnlineOtp(login) {
                console.log('getOnlineOtp', login);
                neon.getOnlineOtp(login, getOnlineOtpDisplayAskForPin).then(otp => displayGetOnlineOtp(otp)).catch(e => displayGetOnlineError(e));

            function getOnlineOtpDisplayAskForPin(biokeyAllowed) {
                return new Promise((resolve, reject) => {
                    document.getElementById('getOnlineOtpAskForPin').style.display = "block";
                    document.getElementById('getOnlineOtpAskForPinButton').onclick = () => {
                            value: document.getElementById('getOnlineOtpAskForPinInput').value,
                            wikType: "PASSWORD"

                    if (biokeyAllowed) {
                        document.getElementById('getOnlineOtpAskForPinWithBio').style.display = "block";
                        document.getElementById('getOnlineOtpAskForPinWithBioButton').onclick = () => {
                                value: "0123456789",
                                wikType: "BIO"

            function displayGetOnlineOtp(otp) {
                document.getElementById('getOnlineOtpResult').innerHTML = otp;
                document.getElementById('getOnlineOtpAskForPin').style.display = "none";
                document.getElementById('getOnlineOtpAskForPinWithBio').style.display = "none";

            function displayGetOnlineError(error) {

        /****************** Neon Init *******************/
            window.onload =  function() {  
            neon = new Neon.Neon('***********BOOKMARK_ALIAS***********', 'sample IHM');
            .then(logins => {
                document.getElementById('logins').innerHTML = logins;
            .catch(e => {
                console.error('Error during initialization', e);

Error codes

This section refers to the error codes that may be encountered.

Error value



A BioKey already exists for this user.

This error is returned on attempting update a biometric key. The BioKey cannot be update: it should be revoked and then created again.


The biokey is wrong.

This error is returned when a user authenticates with a BioKey that doesn’t match the stored biokey.


The entered code is invalid.

This error is returned on attempting to enter a code (any type of code) that has already been consumed.


The entered code is is not allowed for this token/device.

This error is returned when a user attempts to use a token/device that is not associated with its service macId. This can only happen in a white label multi-service case.


The code type used is not supported.

This error may be returned when an activation code, for example, is used to reset a Secret Code instead of activate a device: the code type is not matching the action.


The token/device is locked.

This error is returned when a user attempts to perform an action with a device/token that has been locked. The device/token can be locked if it has not been used or locked by users themselves.


Dynamic key is invalid.

This error is returned when the dynamic key does not match the key in the TrustBuilderserver: the token/device has been out of synchronization. The token/device should be deleted then enrolled.


The macIdis unknown.

This error is returned when the macId specified in the initialization script does not match the TrustBuilderservice configuration.


The maximum number of devices has been reached for this user.

This error is returned when a user attempts to enroll a new device, while the maximum number of devices set for this service has been reached.


The service is no longer active.

This error is returned when a user attempts to perform an action, while the service has been deleted.


The device is not found.

This error is returned when a user attempts to authenticate with a device that is not stored in the service.


No password for this user.

This error is returned when a user attempts to perform an action but has not defined their PIN/password.


The PIN/password is wrong.

This error is returned when entering the PIN/password if the PIN/password is wrong.


The PIN/password is refused.

This error is returned when defining the PIN/password if the two PIN/passwords entered do not match.


Push alias for this login doesn’t exist

This error is returned when a user attempts to perform an action on a push notification that has already been consumed.


The seal data is invalid.

This error is returned on a sealing operation, when the data does not match the seal data.


The sealing operation is not allowed.

To perform a sealing operation, the Sealing feature has to be activated at the service level.


The static key token does not match the static key that the TrustBuilderserver knows.

This error message may be returned for security reasons, when a user changes its device/token: data stored are cloned in the application but the static key of the new token/device is not the same as the older device/token.


The user account has been blocked by an administrator.

This error is returned when a blocked user attempts to perform an action, such as authentication.


The token/device is blocked.

This error is returned when a user attempt to use a blocked token/device.


The token/device is not blocked.

This error is returned on attempting to unlock a token/device that is not blocked.


The service configuration required a biokey but no biokey is registered.

This error is returned when, in a no pin service with biokey forced, a user has no biokey registered.


The user is not blocked.

This error is returned on attempting to unlock a user.


The user is blocked because he has exceeded the wrong password/PIN entry limit.

This error is returned when a blocked user attempts to perform an action, such as authentication.


The login value does not exist.

This error may be returned when a deleted user attempts to perform an action, such as authentication.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.