When to merge IAM and MFA

Posted by | inWebo Blog: Exploring Authentication, Identity, Privacy, and Security | No Comments


Identity & Access Management (IAM) is employed by organizations to manage user identities and permissions related to resources, processes, and applications. It’s essential in automating user-related processes (hire, leave, move within the organization, etc.) but also in mitigating risks and maintaining compliance by enforcing the “principle of least privilege”.


PSD2 SCA: The Clock Is Ticking


The introduction of the revised Payment Service Directive (PSD2), which came into application on January 13, 2018, brings a shift in financial transactions. Whereas SMS codes used to be the preferred way to confirm an online payment, organisations such as Payment Initiation Service Providers (PISPs) and Account Servicing Payment Service Providers (ASPSPs) now have deadlines to meet PSD2 requirements:

  • March 14, 2019: ASPSPs’ access interface must be ready for external testing by PISPs as required by the Regulatory Technical Standards (RTS).
  • September 14, 2019: PISPs need to comply with the RTS and PSD2 requirements and offer Strong Customer Authentication (SCA) to their customers.

As the clock is ticking, let’s understand the hows and whys of this regulation.

PSD2 SCA: What and why?

Payment services are evolving, creating new opportunities and new ways to transact beyond borders. As a consequence, the EU has decided to harmonize the different country-specific practices in order to:

  • Contribute to a more integrated and efficient European payments market,
  • Improve the level playing field for payment service providers (including new players),
  • Make payments safer and more secure by reducing fraudulent activities,
  • Protect the confidentiality of consumers.

This is PSD2. When it comes to security, text messages have shown their limits in making online transactions safer. Recent breaches, such as the Voxox leak that exposed millions of SMS messages, show that systems relied upon to prove identities can be easily compromised. This is why PSD2 introduces new requirements aimed at creating a secure environment for online buyers.

Welcome to the Strong Customer Authentication (SCA)

A compliant SCA is based on 2 or more authentication factors of different types among the following options:

  • Something you know, such as a password.
  • Something you have, such as a mobile device or a plastic card.
  • Something you are, such as a thumbprint.

As everyone initiating an online transaction will soon have to use SCA, it is important to stress that SCA solutions must provide a high level of security but also an easy customer experience. This is actually a more difficult challenge.

Providing physical tokens to everyone is hardly an option because of the costs to issue and manage such devices at a large scale. Also, customers with multiple banks would need several tokens, resulting in an authentication fatigue that is counter-productive to the objectives of PSD2.

Only software-based solutions provide the flexibility required by banks and third parties and ensure a smooth deployment while keeping costs low. inWebo MFA perfectly matches these requirements since it provides a secure method to validate buyers’ identities without impacting the experience. inWebo is easy to implement, deploy and manage. The different authentication methods available from inWebo make it possible for users to have a seamless experience for any payment use case. The inWebo Transaction Sealing feature makes transactions non-disputable. The alignment of its solutions with PSD2 SCA requirements has already enabled inWebo to support leading banks in securing transactions and account access.

PSD2 is just the start. inWebo expects that most banks will switch to the 3DS 2.0 worldwide regulation coming into force in 2020. inWebo is already supporting financial institutions and banks in deploying its solution to replace prior authentication methods with SCA-compliant ones.

If you’d like to know more about inWebo MFA for financial institutions, you can download our tailored white paper or request a demo.

inWebo Renews Participation in ForgeRock Trust Network


inWebo releases certified 2FA module for ForgeRock AM identity platform

Program Unites Leaders in Strong Authentication, Risk and Fraud and Related Fields to Extend Value in ForgeRock Identity Platform

San Francisco, CA – December 3, 2018 – ForgeRock, the leading platform provider of digital identity management solutions, today announced a major milestone in advancing its technology partner ecosystem, in welcoming 54 partners to its ForgeRock Trust Network. The Trust Network was created to unify ForgeRock’s extensive community of technology partners for customers to seamlessly integrate complementary technologies and realize the highest value from their ForgeRock Identity investments.

inWebo was one of the early partners to join the ForgeRock Trust Network in 2017 and is pleased to announce the release of a certified extension module for ForgeRock AM. That module enables ForgeRock customers to benefit from inWebo multi-factor authentication, thus enhancing the security of their applications, meeting compliance requirements, and making it easier for their internal and external users to access trusted applications.

Ben Goodman, Vice President, Global Strategy & Innovation, said, “The ForgeRock Trust Network for Technology Partners was built to deliver capabilities beyond our own identity platform, and the reception from our partner community and customers has been overwhelming. The Trust Network is unlike the typical ‘partnership by press release’ program seen in our industry, as our partner directory is loaded with integrated solutions that have been certified, to give customers technical confidence and cost predictability. As the identity ecosystem continues to expand, the ForgeRock Trust Network of partners will continue to deliver unmatched innovation to those who use our platform.”

Jeff Sherwood, Director of Business Development for inWebo North America, said, “Strong Authentication (MFA) has become a critical part of modern Identity & Access Management projects. We are very excited to partner with ForgeRock, a global leader in IAM & CIAM, and thus to deliver a certified interoperability between ForgeRock AM and inWebo MFA platform. It will greatly help ForgeRock customers meet their compliance requirements while reducing the time and costs needed to protect their applications, as well as the pain for internal and external users.”

About inWebo
inWebo is a leading vendor of B2B solutions for multi-factor authentication (MFA) and local access (IWLA). inWebo makes customers’, members’, and employees’ access to VPN, IAM, web, Cloud, and IoT applications & devices more secure, but also easier. Our technology seamlessly adds a layer of security during authorization by turning user devices including laptops, cell phones and smartphones, or tablets into trusted authentication methods. It uniquely combines certified hardware-grade security with extreme ease of use. inWebo protects millions of identities for global organizations. Visit us at

About ForgeRock
ForgeRock® is the Digital Identity Management company transforming the way organizations build trust and interact securely with customers, employees, devices, and things. Organizations adopt the ForgeRock Identity Platform™ as their digital identity system of record to monetize customer relationships, address stringent regulations for privacy and consent (GDPR, HIPAA, FCC privacy, etc.), and leverage the internet of things. ForgeRock serves hundreds of brands, including Morningstar, Vodafone, GEICO, TomTom, and Pearson, as well as governments such as Norway, New Zealand, and Belgium, among many others. Headquartered in San Francisco, California, ForgeRock has offices in Austin, London, Bristol, Grenoble, Munich, Paris, Oslo, Singapore, Sydney and Vancouver, Washington. ForgeRock is privately held, backed by leading global venture capital firms Accel Partners, Foundation Capital, Meritech Capital and KKR. For more information and free downloads, visit

GDPR at inWebo


From Security-by-Design to Privacy-by-Design

In the weeks and days before (and after) May 25th 2018, everyone’s mailbox was filled with emails such as “GDPR update” or “Update of our Privacy Policy”. You might wonder why you have not seen any of these from inWebo, what we have done about the matter, and how ready we are.

inWebo’s business is identity protection. We design and implement cyber-security techniques to protect our customers’ user identities. PII (Personally Identifiable Information) is highly protected in our systems, using strong encryption, crypto-servers, firewalls, etc. GDPR requirements in terms of security are met and exceeded. However, GDPR is much more than that, so we had to figure out the journey from our “security-by-design” starting point to a “privacy-by-design” destination.

Here are the various topics we addressed and what our approach is:

  • User consent to data processing purposes: as a B2B provider of authentication solutions, we do not collect data from the end-users of the solution, our customers do. We collect data from administrators when they create their organization account, for the sole purpose of creating that account and giving access to it.
  • Minimal set of data: we only store in our systems the user data that is necessary for our customers to operate and monitor the authentication solutions we provide them, such as a username, an email address, and authentication usage data (time and date, IP address, authentication status). It is our customers’ responsibility to use anonymous aliases instead of usernames and to not store email addresses if they do not use features such as “Reset PIN with email” that need it.
  • Data governance: one benefit of GDPR was that it led us to design a data governance and data retention policy. We have now standardized our data retention durations: by default, authentication and other usage data is kept one year. Also, all organization account data is deleted at most 6 months after an organization account’s expiration. Customers who need a longer retention duration, e.g. for long-term security analysis, can subscribe to an archiving option.
  • Access to data and traceability: since we operate the authentication platform and since we rely on service providers for some aspects of the solution (email service provider and hosting service provider among others), we needed to design and enforce policies for access to data, both for ourselves and for our service providers. Service providers have issued their own GDPR compliance statements and we have analyzed that they are compatible with our goals and practices. For ourselves, by default we never access user data unless a customer requires us to do so, for instance in order to troubleshoot an issue. We have formalized how our operational teams authorize and log such requests.
  • Data protection: critical data such as authentication factors are encrypted with crypto-servers (HSMs) in our platform. Usernames are usually not critical information (if they are, it is our customers’ responsibility to use aliases instead) and they are needed in plain text, e.g. to run search queries. Other identifiers such as email addresses or “trusted devices” names are usually not critical information, but we have nevertheless decided to encrypt them at rest.
  • Rights (to access, to modify, to be forgotten): we do not know the end-users of our customers and have no way to match a request that we would receive with an actual end-user in our platform, or to verify that such a request is legitimate. Besides, if one of our customers has created an authentication profile for a user in our platform, our responsibility is to not access it, not modify it, and not delete it. Therefore our role is to provide our customers with the tools and processes they need to answer their users’ requests, e.g. an API function to delete user data in the authentication logs in our platform. Nevertheless, we have created an email address for privacy and PII-related requests from end-users. We will limit our role to replying to such emails, advising the user to send his/her request to his/her organization or service provider.
  • Update of our privacy policy and of our general terms: we updated our privacy policy and our general terms in January 2018 in order to include the changes resulting from our GDPR compliance.

RSA Conference 2018


San Francisco, April 2nd, 2018 – For those of you who will travel to RSA in 10 days from now, time will be the scarcest resource. Recognizing that, we propose a “speed-dating” format with inWebo: let’s connect or catch up for 20 or 40 minutes in the exhibition halls (no wasting your time by having to leave the conference venue). We’ll propose a longer follow-up call or demo in the following weeks if you’re interested, but at least we’ll have met in person – a must in the security and trust industry, don’t you think?

This year we have a lot of exciting updates. Let me name a few: Authenticator 6 for both smartphones & desktops, support of SCIM and OpenID Connect, AI-based behavioral / adaptive auth, 2FA for Windows Logon, a brand new & exclusive security framework for local sign-in for IoT applications… One more exciting update: I’ll be with Jeff Sherwood who joined inWebo last year as the Director of Business Development for North America.

We’d like to use a little bit of your time to connect or catch up and discuss how we partner with organizations like yours to deliver the best of identity security.

Click here to make an online appointment with us.

We hope to see you soon at RSA Conference 2018!

inWebo launches a new offering for IoT Security


San Francisco and Paris, December 18th, 2017 – inWebo Technologies expands its security portfolio for IoT security by launching a new offering called inWebo Local Authorization.

Service providers in verticals such as Connected Cars, mobility services, Smart Cities, Connected Home, Connected Health, etc., can now benefit from inWebo’s exhaustive framework for secure access control, both to cloud-based IoT services and to local IoT resources.

« In a first wave of IoT services, service providers have requested access control solutions to protect their cloud-based services. inWebo has met these requests by successfully adapting and implementing its multi-factor authentication solution in connected-car services for instance », said Didier Perrot, CEO at inWebo Technologies. « In a second wave, service providers need new solutions for secure access control to local resources such as vehicles, locks, meters, ticketing systems etc., that are not constantly connected to a central authorization platform via the Internet. These ‘offline’ use cases are becoming mainstream in the IoT and demand a new security approach to protect the IoT resources and businesses, while being extremely easy and intuitive to use. This is what inWebo Local Authorization now enables. We’re now willing to partner with more service providers to make the IoT a secure place. »

Developing a framework for secure local access control has required a significant R&D effort and has led to a patent application. inWebo Local Authorization (IWLA) is an alternative or a complement to connectivity solutions, such as 3G or low-bandwidth mobile connectivity.

IWLA allows a resource such as a lock or a driverless vehicle to make a local authorization decision to give access to a user, based on the verification of a virtual key that includes non-spoofable claims and rights about the resource. A virtual key is carried, for instance, in a smartphone app. The verification happens instantly without the need for the resource or the smartphone to connect to a central server. The verification doesn’t expose the key itself, thus preventing a wide range of attacks.

inWebo provides an API to issue and manage smart locks and virtual keys, based on an infrastructure that makes extensive use of FIPS-certified hardware security equipment. IWLA is therefore both extremely secure and extremely easy to implement by service providers.

You can read more about the inWebo security framework for the IoT on our website.


The 5 Most Common Challenges of MFA – A Simple Guide to Analyzing Solutions


The selection of the “right” MFA solution can be tricky. First, because there’s a constant flow of innovation in the authentication industry, resulting in numerous and diverse technologies even for solutions supposedly following a standard. Second, because the applications and environments needing MFA are also very different (cloud vs. on-prem, legacy vs. web, LDAP vs. RADIUS, SAML, or OIDC, etc.). Lastly, because not all solutions have the same objectives or protect against the same risks.

ForgeRock Trust Network Technology Partner


ForgeRock announced today the extension of its technology partnership program, of which inWebo is now a member. See the full press release and partner directory featuring inWebo.

“For years, ForgeRock and inWebo have been sharing a common vision of Identity and Access Management for Web applications, IT applications, and now IoT”, said Didier Perrot, CEO at inWebo. “This renewed partnership and the investment we make in integrating inWebo MFA solution with ForgeRock products will allow any organization to take a best-of-breed and future-proofed approach to IAM and security, combining ForgeRock’s leading identity platform and inWebo’s innovative MFA and local authorization framework.”


it-sa 2017, Nuremberg


inWebo will be at it-sa 2017 (InfoSec Germany) in Nuremberg, October 10-12, 2017. Read the program here

If you would like to take this opportunity to schedule a discussion with us and go through your authentication and access security challenges, please fill out the form below. We’ll do our best to accommodate your preferences.

We hope to see you there!

Data Connectors, Austin


Data Connectors Security Conference in Austin

inWebo is a proud sponsor of the 2017 edition of the Data Connectors conference in Austin, on October 5, 2017. Representatives of inWebo and of our partner The SCE Group will be at our booth.

If you would like to take this opportunity to schedule a discussion with us and go through your authentication and access security challenges, please fill out this form. We’ll do our best to accommodate your preferences. You may also visit our booth without a scheduled appointment and talk to the next available representative.

A complimentary VIP pass to the conference can be found here.

  • Place: TCEA – 3100 Alvin DeVane Blvd. Bldg B – Austin, TX 78741 – United States
  • Date: Thursday, October 5th 2017, 8:15am to 4:30pm.