News

3 reasons why inWebo is the most secure MFA solution

Posted by | News | No Comments

Multi-factor authentication, or MFA, is widely considered the best defense against many major cyber attacks such as phishing or account takeover. As a result, more and more organizations are integrating an MFA solution into their internal or external applications.

It is no surprise, then, that MFA has become the target of specific hacking strategies, a trend recently picked up by the FBI, which felt the need to warn US corporations against MFA-targeted attacks. That is where the quality of the MFA solution comes into the picture. Victims of cyberattacks are starting to discover that not all MFA solutions are equal in terms of security, and we will now explain why inWebo’s is the strongest and safest MFA solution currently on the market.

A (really) strong MFA solution involves advanced technology, mostly under the hood as the general goal is to keep the customer experience as smooth as possible. inWebo’s MFA solution relies on patented random dynamic keys on the user side and HSMs on the server side to protect user identities. The keys are used to generate one-time passwords (OTPs) on the client side whenever the user wants to connect to a service. These OTPs are analyzed server-side, in the highly secured environment provided by HSMs, to grant access, or not.

Several key features make this general process more secure than other solutions on the market. Here are the three major ones.

1. Zero Lifetime Keys

First and foremost, our solution is secure because even if a hacker breaches the defenses and steals the user’s key, it will be useless. Remember that inWebo’s keys are random and dynamic. It means that they change randomly, each time the user connects to the service. But that is only a first line of defense. A changing key means that the hacker cannot steal it once and use it several times to impersonate the user. But it still means he can use it once, and more often than not, that is all it takes.

Our unique and patented design implies that an inWebo key is randomly and dynamically changed at exactly the same moment as it is used to generate an OTP. Once used, it cannot be reused. In other words, the useful lifetime of an inWebo key is exactly 0s. So if a hacker steals it, it will already have been used.

2. Highly Secure Offline Mode

The second unique feature that makes inWebo’s MFA stand out from the competition is the fact that an offline mode is not only possible, but also as secure as the online mode. That is because our technology does not rely solely on cryptographic models. These are used of course to provide an advanced protection against the stealing of keys.

But our design does not rely on cryptography to secure the user identification. Instead it uses a highly advanced mathematical model that allows the server side to stay in sync with the user side even if there is no online connection between the client and the server at the time of the access request.

3. Uncatchable Keys

The third major feature to secure the identification feature is the fact that inWebo’s keys are generated on the user side and are not transferred to the server side. In fact, the whole process is based on the autonomy of the user and the ability of the server to stay in sync without exchanging any information that, if intercepted, could be used to reverse engineer the security and breach the user identity.

Of course, you do not have to take our word for the fact that our solution is proof against reverse engineering. First, it has been successfully evaluated and certified by the French government body in charge of cybersecurity (ANSSI). But for some of our most demanding customers, mostly banks, that was not enough. inWebo’s MFA solution has been and is regularly audited by financial institutions to test the strength of the solution against the constantly evolving cyberthreat landscape. To this day, our solution has stood up against all the stress tests.

Try it for yourself

Given the high level of security it offers, it is no wonder that inWebo’s MFA solution is used by more than 250 major companies to protect their key assets: customers, employees and partners.

On top of a second-to-none level of security, inWebo provides a seamless experience for the end-user as well as the customer in charge of the implementation. As such, we are in a perfect position to help our customers along the path to a secure and passwordless future.

Best of all, our solution is free to try and experiment with, no strings attached. We do not ask for a credit card or any kind of commercial commitment. Just fill in the form and see for yourself.

IdRamp and inWebo partnership

IdRamp partners up with inWebo

San Francisco and Des Moines, October 14th, 2019.

IdRamp and inWebo partner for secure & decentralized Identity and Access Management.

IdRamp and inWebo are pleased to announce the release of a certified integration between IdRamp decentralized Identity Management platform and inWebo MFA (multi-factor authentication) platform. This integration makes it possible for organizations to orchestrate advanced security and authentication policies for access to their applications.

IdRamp combines SSO capabilities with the possibility to leverage multiple IdPs (Identity Providers) such as AAD, Google, Salesforce, IDaaS providers, Self-sovereign and social logins, thus helping organizations navigate the complexity of modern and heterogeneous information systems. Furthermore, the integration with inWebo allows organizations to add and control in a single place customized MFA policies across applications and IdPs, with no additional integration. This gives organizations an unprecedented agility for implementing secure access. Organizations can now deploy new secure applications across heterogeneous, legacy, or segmented directories, without having to manage highly complex directory integration projects.

“inWebo provides a superior approach to multi-factor authentication security and user experience,” said Mike Vesey, IdRamp CEO. “The IdRamp inWebo integration is a powerful solution that is easy to deploy into any identity security strategy. Our partnership with inWebo offers significant value and flexibility for businesses that need best in class multi-factor authentication and simplified identity orchestration.”

“Strong Authentication (MFA) has become a critical part in modern Identity & Access Management projects”, said Didier Perrot, CEO for inWebo North America. “We’re excited to partner with IdRamp, as their integration of our MFA platform can now be used by organizations with no additional code. It allows them to reduce the time and costs needed to protect their applications, while making that additional security go unnoticed by their users.”

About IdRamp: IdRamp is a decentralized identity service to simplify integration, improve security and continuously innovate your business. With IdRamp you can easily integrate and orchestrate multiple identity silos. Tailor authentication and access control policies according to your business strategy. Add decentralized self-sovereign identity to any business strategy. Through distributed authentication, IdRamp secures the identity threat surface by eliminating the need for public network-facing identity and access management systems. IdRamp provides adaptable digital bridges that interoperate across all generations of identity management.

About inWebo: inWebo is a leading vendor of B2B solutions for multi-factor authentication (MFA) and local access (IWLA). inWebo makes customer, member, and employee access to VPN, IAM, web, Cloud, and IoT applications & devices more secure, but also easier. Our technology seamlessly adds a layer of security during authorization by turning user devices including laptops, cell and smartphones, or tablets into trusted authentication methods. It uniquely combines certified hardware-grade security with extreme ease of use. inWebo protects millions of identities for global organizations. Visit us at inwebo.com.

InWebo’s MFA Solution For Banks Goes East

Posted by | Events, News | No Comments

inWebo MFA for Russian Bank industry

Under the pressure of new regulations (PSD2), technological evolutions and customer demand, banks need to improve their authentication methods, both in terms of security and usability. Russian banks are no exception to this, having been the target of several major online attacks over the recent years.

Ever-increasing cyber threats

Back in 2016, Sberbank, one of Russia’s largest banks, reported a phishing attack aiming to steal user credentials via a fake app. Before the hacker was arrested, they breached over a million devices, compromising users’ credentials. It did not stop there: by 2018, cyber-attacks had multiplied by 10, and are expected in 2021 to cost the Russian financial industry $6T/year.

Protecting the Russian Banking landscape

It’s no surprise then that major Russian banks would be very interested in information on the MFA solution that is one of the best fits for the banking industry. This is how inWebo got invited to come and present its technology to a panel of security managers in Moscow.

inWebo proposed their strong MFA solution to solve the authentication security shortfall. The solution ensures a high level of security thanks to randomly generated cryptographic keys while being easy to implement, as any device can be turned into a 2nd-factor authenticator. The user only needs to combine 2 of the 3 following factors:

What is inWebo MFA for banking

In addition, the multiple integration possibilities provide a solution tailored to the Russian bank network and its authentication needs, resulting in a combination of high security, compliance with financial regulation (such as PSD2) and seamless user experience.

Joining the movement

The switch to inWebo’s ultra-secure MFA solution has already started in Europe: major banks across the continent have already adopted it to protect their users’ credentials. As inWebo MFA can be tailored to the client’s needs, various use cases include Société Générale, Credit Agricole or even Orange Bank. With these successful attempts across Europe, inWebo looks forward to partnering up with the Russian bank network and solving their authentication needs.

Make an appointment with inWebo

If you would like to take this opportunity to learn more about our strong MFA solution or assess your authentication and access security challenges, please fill out the form below. We’ll do our best to accommodate your preferences.

PSD2 SCA: The Clock Is Ticking

The introduction of the revised Payment Service Directive (PSD2) that came into application on January 13, 2018, brings a shift in financial transactions. If in the past SMS codes were the preferred way to confirm an online payment, organisations such as Payment Initiation Service Providers (PISPs) and Account Servicing Payment Service Providers (ASPSPs) now have deadlines to meet PSD2 requirements:

  • March 14, 2019: ASPSPs’ access interface must be ready for external testing by PISPs as required by the Regulatory Technical Standards (RTS).
  • September 14, 2019: PISPs need to comply with RTS and PSD2 requirements and propose Strong Customer Authentication (SCA) to their customers.

As the clock is ticking by, let’s understand the hows and whys of this regulation.

PSD2 SCA: What and why?

Payment services are evolving, creating new opportunities and new ways to transact beyond borders. As a consequence, the EU has decided to harmonize the different country-specific practices in order to:

  • Contribute to a more integrated and efficient European payments market,
  • Improve the level playing field for payment service providers (including new players),
  • Make payments safer and more secure by reducing fraudulent activities,
  • Protect confidentiality of consumers.

This is the PSD2. When it comes to security, text messages have shown their limits in making online transactions safer. Recent breaches such as the Voxox leak, which exposed millions of SMS messages, prove that systems can be easily corrupted when it comes to proving identities. This is why PSD2 has issued new requirements with the aim of creating a secure environment for online buyers.

Welcome to the Strong Customer Authentication (SCA)

A compliant SCA is based on 2 or more authentication factors of different types among the following options:

  • Something you know, such as a password.
  • Something you have, such as a mobile device, a plastic card.
  • Something you are, such as a thumbprint.

As everyone initiating an online transaction will soon have to use SCA, it is important to stress that SCA solutions must provide a high level of security but also an easy customer experience. This is actually a more difficult challenge.

Providing physical tokens to everyone is hardly an option because of the costs to issue and manage such devices at a large scale. Also, customers with multiple banks would need several tokens, resulting in an authentication fatigue that is counter-productive to the objectives of PSD2.

Only software-based solutions provide the flexibility required by banks and third parties and ensure a smooth deployment while keeping costs low. inWebo MFA perfectly matches these requirements since it provides a secured method to validate buyers’ identities without impacting the experience. inWebo is easy to implement, to deploy and to manage. The different authentication methods available from inWebo make it possible for users to have a seamless experience for any payment use case. inWebo Transaction Sealing feature makes the transactions non-disputable. The alignment of its solutions with PSD2 SCA requirements has enabled inWebo to already support leading banks to secure transactions and account access.

PSD2 is just the start. inWebo expects that most of the banks will switch to the 3DS 2.0 worldwide regulation coming into force in 2020. inWebo is already supporting financial institutions and banks in deploying its solution to swap prior authentication methods with SCA compliant ones.

If you’d like to know more about inWebo MFA for financial institutions, you can download our tailored white-paper or request a demo by clicking the relevant option below:

inWebo Renews Participation To Forgerock Trust Network

inWebo releases certified 2FA module for ForgerockAM identity platform

San Francisco, CA – December 3, 2018 – ForgeRock, the leading platform provider of digital identity management solutions, today announced a major milestone in advancing its technology partner ecosystem, in welcoming 54 partners to its ForgeRock Trust Network. Program Unites Leaders in Strong Authentication, Risk and Fraud and Related Fields to Extend Value in ForgeRock Identity Platform. The Trust Network was created to unify ForgeRock’s extensive community of technology partners for customers to seamlessly integrate complementary technologies and realize the highest value from their ForgeRock Identity investments.

inWebo was one of the early partners to join Forgerock Trust Network in 2017 and is pleased to announce the release of a certified extension module for ForgerockAM. That module enables Forgerock customers to benefit from inWebo multi-factor authentication, thus enhancing the security of their applications, meeting compliance requirements, and making it easier for their internal and external users to access trusted applications.

Ben Goodman, Vice President, Global Strategy & Innovation, said, “The ForgeRock Trust Network for Technology Partners was built to deliver capabilities beyond our own identity platform, and the reception from our partner community and customers has been overwhelming. The Trust Network is unlike the typical ‘partnership by press release’ program seen in our industry, as our partner directory is loaded with integrated solutions that have been certified, to give customers technical confidence and cost predictability. As the identity ecosystem continues to expand, the ForgeRock Trust Network of partners will continue to deliver unmatched innovation to those who use our platform.”

Jeff Sherwood, Director of Business Development for inWebo North America, said, “Strong Authentication (MFA) has become a critical part of modern Identity & Access Management projects. We are very excited to partner with Forgerock, a global leader in IAM & CIAM, and thus to deliver a certified interoperability between ForgerockAM and inWebo MFA platform. It will greatly help Forgerock customers meet their compliance requirements while reducing the time and costs needed to protect their applications, as well as the pain for internal and external users.”

About inWebo
inWebo is a leading vendor of B2B solutions for multi-factor authentication (MFA) and local access (IWLA). inWebo makes customer, member, and employee access to VPN, IAM, web, Cloud, and IoT applications & devices more secure, but also easier. Our technology seamlessly adds a layer of security during authorization by turning user devices including laptops, cell and smartphones, or tablets into trusted authentication methods. It uniquely combines certified hardware-grade security with extreme ease of use. inWebo protects millions of identities for global organizations. Visit us at inwebo.com.

About ForgeRock
ForgeRock® is the Digital Identity Management company transforming the way organizations build trust and interact securely with customers, employees, devices, and things. Organizations adopt the ForgeRock Identity Platform™ as their digital identity system of record to monetize customer relationships, address stringent regulations for privacy and consent (GDPR, HIPAA, FCC privacy, etc.), and leverage the internet of things. ForgeRock serves hundreds of brands, including Morningstar, Vodafone, GEICO, TomTom, and Pearson, as well as governments such as Norway, New Zealand, and Belgium, among many others. Headquartered in San Francisco, California, ForgeRock has offices in Austin, London, Bristol, Grenoble, Munich, Paris, Oslo, Singapore, Sydney and Vancouver, Washington. ForgeRock is privately held, backed by leading global venture capital firms Accel Partners, Foundation Capital, Meritech Capital and KKR. For more information and free downloads, visit www.forgerock.com

GDPR at inWebo

From Security-by-Design to Privacy-by-Design

In the weeks and days before (and after) May 25th 2018, everyone’s mailbox has been filled with emails such as “GDPR update” or “Update of our Privacy Policy”. You might wonder why you have not seen any of these from inWebo, what we have done about the matter, and how ready we are.

inWebo’s business is identity protection. We design and implement cyber-security techniques to protect our customers’ user identities. PIIs (Personally Identifiable Information) are highly protected in our systems, using strong encryption, crypto-servers, firewalls, etc. GDPR requirements in terms of security are met and exceeded. However, GDPR is much more than that, therefore we had to figure out the journey from our “security-by-design” starting point to a “privacy-by-design” destination.

Here are the various topics we addressed and what our approach is:

  • User consent to data processing purposes: as a B2B provider of authentication solutions, we do not collect data from the end-users of the solution, our customers do. We collect data from administrators when they create their organization account, for the sole purpose of creating that account and giving access to it.
  • Minimal set of data: we only store in our systems the user data that is necessary for our customers to operate and monitor the authentication solutions we provide them, such as a username, an email address, and authentication usage data (time and date, IP address, authentication status). It is our customers’ responsibility to use anonymous aliases instead of usernames and to not store email addresses if they do not use features such as “Reset PIN with email” that need it.
  • Data governance: one benefit of GDPR was that it had us design a data governance and a data retention policy. We have now standardized our data retention durations: by default, authentication and other usage data is kept one year. Also, all organization account data are deleted at most 6 months after an organization account expires. Customers who need a longer retention duration, e.g. for long-term security analysis, can subscribe to an archiving option.
  • Access to data and traceability: since we operate the authentication platform and since we rely on service providers for some aspects of the solution (email service provider and hosting service provider among others), we needed to design and enforce policies for access to data, both for ourselves and for our service providers. Service providers have issued their own GDPR compliance statements and we have analyzed that they are compatible with our goals and practices. For ourselves, by default we never access user data unless a customer requires us to do so, for instance in order to troubleshoot an issue. We have formalized how our operational teams authorize and log such requests.
  • Data protection: critical data such as authentication factors are encrypted with crypto-servers (HSMs) in our platform. Usernames are usually not critical information (if they are, it is our customers’ responsibility to use aliases instead) and they are needed in plain text, e.g. to run search queries. Other identifiers such as email addresses or “trusted devices” names are usually not critical information but we have nevertheless decided to encrypt them at rest.
  • Rights (to access, to modify, to be forgotten): we do not know the end-users of our customers and have no way to match a request that we would receive with an actual end-user in our platform, or to verify that such a request is legitimate. Besides, if one of our customers has created an authentication profile for a user in our platform, our responsibility is to not access it, not modify it, and not delete it. Therefore our role is to provide our customers with the tools and processes they need to answer their users’ requests, e.g. an API function to delete user data in the authentication logs in our platform. Nevertheless, we have created an email address for privacy and PII-related requests from end-users. We will limit our role to replying to emails, advising the user to send his/her request to his/her organization or service provider.
  • Update of our privacy policy and of our general terms: we have updated our privacy policy and our general terms in January 2018 in order to include the changes resulting from our GDPR compliance.

inWebo launches a new offering for IoT Security

San Francisco and Paris, December 18th, 2017 – inWebo Technologies expands its security portfolio for IoT security by launching a new offering called inWebo Local Authorization.

Service providers in verticals such as Connected Cars, mobility services, Smart Cities, Connected Home, Connected Health, etc., can now benefit from inWebo exhaustive framework for secure access control, both to cloud-based IoT services and to local IoT resources.

« In a first wave of IoT services, service providers have requested access control solutions to protect their cloud-based services. inWebo has met these requests by successfully adapting and implementing its multi-factor authentication solution in connected-car services for instance », said Didier Perrot, CEO at inWebo Technologies. « In a second wave, service providers need new solutions for secure access control to local resources such as vehicles, locks, meters, ticketing systems etc., that are not constantly connected to a central authorization platform via the Internet. These ‘offline’ use cases are becoming mainstream in the IoT and demand a new security approach to protect the IoT resources and businesses, while being extremely easy and intuitive to use. This is what inWebo Local Authorization now enables. We’re now willing to partner with more service providers to make the IoT a secure place. ».

Developing a framework for secure local access control has required a significant R&D effort and has led to a patent application. inWebo Local Authorization (IWLA) is an alternative or a complement to connectivity solutions, such as 3G or low-bandwidth mobile connectivity.

IWLA allows a resource such as a lock or a driverless vehicle to take a local authorization decision to give access to a user based on the verification of a virtual key that includes non-spoofable claims and rights about the resource. A virtual key is carried in a smartphone App for instance. The verification happens instantly without the need for the resource or the smartphone to connect to a central server. The verification doesn’t expose the key itself, thus preventing a wide range of attacks.

inWebo provides an API to issue and manage smart locks and virtual keys, based on an infrastructure that makes extensive use of FIPS-certified hardware security equipment. IWLA is therefore both extremely secure and extremely easy to implement by service providers.

You can read more information on inWebo security framework for the IoT on our website https://www.inwebo.com.

Forgerock Trust Network Technology Partner

Forgerock announced today the extension of its technology partnership program, of which inWebo is now a member. See the full press release and partner directory featuring inWebo.

“For years, Forgerock and inWebo have been sharing a common vision of Identity and Access Management for Web applications, IT applications, and now IoT”, said Didier Perrot, CEO at inWebo. “This renewed partnership and the investment we make in integrating inWebo MFA solution with Forgerock products will allow any organization to take a best-of-breed and future-proofed approach to IAM and security, combining Forgerock’s leading identity platform and inWebo’s innovative MFA and local authorization framework.”.

Strong Authentication – Now!

inWebo has joined the German Strong Authentication – Now! initiative as a new partner. The initiative’s goals are to educate service providers and end-users about the benefits of strong authentication and to develop its use for Internet services. Find more information here.

“Strong Authentication – Now!” participates in the European Cyber Security Month event that aims at increasing awareness of cyber security threats, at promoting cyber security among citizens and organizations, and at informing about best security practices.

New US Patent

San Francisco, June 15th 2017 – Completing a 4-year procedure, the US Patent Trade Office (US PTO) has granted a patent to inWebo, its second one in the US, thus extending the reach of its prior IP protection. This patent is for an authentication system, and more specifically for a technology known as “Dynamic Random Keys” that inWebo has invented and developed over the past years.

« This technology allows for a secure implementation of multi-factor authentication (MFA) in modern web-browsers, while a hardware secure element was conventionally required to achieve a high security level » said Didier Perrot, Director at inWebo. « It therefore extends our MFA market to organizations in segments that can’t afford to deploy hardware ‘tokens’ to the users that they need to securely authenticate and are looking for easier yet secure user authentication methods ».

This technology was also the foundation for inWebo’s mobile and in-App authentication library (mAccess), which was certified by the French governmental IT-Security Agency (ANSSI) in 2012.