in-App MFA

In-App MFA, What Is That?

Posted by | News, Tutorials | No Comments

Various types of authentication factors

Multi-Factor Authentication (MFA) means using a combination of factors of different types to authenticate a user when she signs in to an application. Factor types include knowledge (“what you know”, a secret, a password), possession or ownership (“what you have”, a key-fob, a USB key, a phone, a smartcard…) and inherence (“what you are”, biometry).

The trouble with ownership

The possession / ownership factor is actually not the plastic or the smartcard itself. It’s a secret information (aka seed) stored in a memory chip called a secure element. Because of the need for secure elements to implement MFA, it has long been too expensive and inadequate for many use cases, especially but not only, the consumer facing ones.

The situation has improved in recent years when hardware secure elements have been progressively replaced with software on a smartphone. inWebo, as many other vendors has an MFA App, inWebo Authenticator. Once activated for a user, inWebo Authenticator stores a seed key specific to that user and uses it, possibly combined with other authentication factors, to generate one-time passwords (OTP).

inWebo Authenticator can seamlessly switch between a connected mode, a stand-alone mode (useful for roaming situations, in-flight, no or bad signal…), and a notification-based mode that prompts the user for her confirmation or additional authentication factors (PIN, fingerprint…) and completes the authentication and sign-in without asking the user to copy-paste an OTP. Nice…

We need MFA, but why do we need a token?

A mobile App is definitely more convenient than a key fob to carry around, but it requires that all users have a smartphone and have downloaded the MFA App, then activated it. There are many situations when this is not the case. Actually, when you think about it, it’s almost never the case. How could we remove this constraint?

This question led us to the idea of In-App MFA, as early as 2010. Instead of using a stand-alone ‘token’ (hardware or App) and have the user enter OTP in an authentication interface (a desktop client, a mobile App, a page in a browser), why not generate the OTP directly from that interface? That would alleviate the need for tokens but also for smartphones, MFA Apps, and even short-text codes.

inWebo mAccess (for native clients) and inWebo Virtual Authenticator (for web applications) are the In-App authentication technologies developed for this. They are available and documented on inWebo developer website.

How does it work?

With In-App MFA, the OTP generation is done by a software library instead of a standalone App. That library – inWebo mAccess for native clients – can be integrated in any mobile App or desktop client. That App or client literally becomes an MFA token. inWebo mAccess manages the user’s unique seed key, i.e. the possession / ownership factor.

At sign-in, the user is prompted by the client for her usual credentials (username and password). There’s no experience change compared to a normal, non-MFA sign-in. Then, the client silently makes a call to an inWebo mAccess function to request an OTP. This call is local to the client.

  • In a 2-factor authentication scenario, the password is used as an input argument for the OTP calculation function of the mAccess library. That function also uses the user’s unique seed key attached to the user’s App – hence “2-factor”. The client uses the multi-factor OTP returned by mAccess for authentication to the back-end.

  • In a step-up or 2-step verification scenario, the user’s unique seed key is used to calculate the OTP. The client uses both the user password and the single-factor OTP for authentication to the back-end. It’s also 2-factor but in a different way (for more on that, you can read a blog post about 2FA vs. 2SV)

Secure MFA that users can’t see

The obvious benefit of inWebo mAccess compared to a stand-alone MFA App or ‘token’ is that the user doesn’t copy-paste, interact, or even see one-time passwords.

What are the downsides, if any?

At first, when discovering In-App or in-browser MFA, most people are confused. Since there’s no experience change, they say, what’s the difference with a password-based authentication? Why is that MFA? Here, what you see is not what you get. As explained above, authentication is based on several factors. If someone has hacked the user password but doesn’t have the possession / ownership factor (stored with the client), his authentication attempt fails. 100%.

Ha ha, they say next, but what if the device with the client and the possession / ownership factor is stolen? Well, there’s no difference with stealing a smartcard, a key fob, or a smartphone with an MFA App. If the hacker steals the ownership / possession factor AND somehow manages to guess or phish the user password (which is truly independent because it’s not stored with the client), he will successfully access the user account, whether or not the ownership / possession factor is a library, a key fob, a smartcard, or a smartphone App. There’s no difference.

Mmmm, well, but what if the client is compromised, they say next, hoping that this one is the trump card. If the client is compromised, the hacker will succeed, whatever the authentication method, even the most ‘extreme’ ones such as connected smartcard readers: once the door is open (i.e. the user has logged in), it’s open bar for whoever controls the client.

inWebo mAccess is as secure as the clients used to sign in.

Tokenless secure MFA for any App, native or web

To sum it up, In-App MFA and browser-based MFA bring an optimal security to any mobile App, desktop client, or web application, at no cost in terms of user experience, unlike all other 2nd factor methods such as smartcards, key fobs, MFA Apps, or short-text messages.

As discussed, inWebo mAccess turns any native App or desktop client into a secure ownership / possession factor. inWebo Virtual Authenticator is to web browsers what inWebo mAccess is to native clients: it turns the user’s browser into a secure ownership / possession factor.

For more information, please visit inWebo developer website or contact us to set up a customized demo.

A new Log API

Posted by | News, Tutorials | No Comments

inWebo provides a Log API so that you don’t have to export activity logs manually every day or every week. Logs are automatically made available in your collect and analytics tools.

inWebo Log API gives access to logs for a given service. Authentication to the API requires the same client certificate as the other inWebo APIs. Following log categories are available:

  • Authentication
  • Actions related to authentication devices (activation, online OTP, notification requests)
  • User management
  • Service configuration and Administration

With a call to the Log API, you can specify start and end dates, make page requests, or filter results by log category. Each record in the result is provided as a JSON table containing the following data:

  • Method used (authenticate, loginCreate…)
  • Result (OK, KO…)
  • User login
  • Time and date
  • IP address (when available)
  • Authentication device used
  • Authentication device identifier

Contact inWebo if you would like to activate this option for your authentication service.

Biometry as a second authentication factor

Posted by | News, Tutorials | No Comments

Following Apple’s introduction of a fingerprint sensor on iPhone 5s in 2013, smartphones increasingly come with a biometric sensor. Market research firms expect that 100% of the installed base will have some form of embedded biometrics by 2020 – this is not yet a commodity, but it will come fast. inWebo has therefore upgraded its solutions to support biometry as a second factor. The option is available on request to all customers, existing as well as prospects still evaluating inWebo (free trial).

Upon activation, the biometry option offers 2 alternatives, “biometry enabled” or “biometry forced”. The former applies to services that require users to enter a PIN as a second factor. Users who opt for it replace that PIN with biometrics. The latter mandates biometry as the second factor.

Biometry Settings

inWebo support of biometry as a second factor can be leveraged with

  • inWebo Authenticator version 4.2.0 or higher. The App supports Apple TouchID, as well as fingerprint sensors on Android Marshmallow (6.0+) smartphones.
  • inWebo mAccess version (0.)2.8 or higher. Developers can use mAccess library to support fingerprint biometry in their App but also virtually any kind of biometry (voice, face…), as long as it is implemented with a “match on card” mechanism (i.e. the biometric data is stored and verified locally on the smartphone). The library documentation provides a complete implementation for fingerprint sensors.

Please contact inWebo if you would like to easily add biometry as a second authentication factor for your services or applications.

DACH expansion + IT-SA 2016

Posted by | News | No Comments

Paris and Frankfort, October 3rd 2016 – inWebo is pleased to announce the appointment of Carlos Pinilla as a VP of Sales for the DACH Region: Germany, Austria, and Switzerland.

Mr Pinilla is a seasoned IT-security professional, having been among others a regional sales & marketing director for Utimaco, an Aachen (Germany) based hardware security module (HSM) vendor, and a partner of inWebo.

Based out of Frankfort, Mr Pinilla will spearhead inWebo development by building a channel of selected security partners, software vendors, and system integrators. As one of its first appearances in the Region, inWebo will be present at the IT-SA security show in Nuremberg October 18-21.  –

SailPoint IdentityIQ supports inWebo multi-factor authentication

Posted by | News | No Comments

San Francisco & Paris, June 30, 2016 – Sailpoint ( and inWebo have completed interoperability tests to use inWebo as an Identity Provider (IDP) for IdentityIQ, SailPoint’s popular identity governance suite.

The integration relies on SAML v2 support by IdentityIQ and inWebo. The integration “how to” documentation is available on inWebo developer website.

Customers can now use inWebo robust and convenient multifactor authentication to protect users access to IdentityIQ.

New Shibboleth plugin

Posted by | News | No Comments

Paris and San-Francisco, February 2nd, 2015 – inWebo has just released a plugin for the Shibboleth opensource web SSO and identity federation project. This plugin allows large organizations using Shibboleth to instantly benefit from inWebo secure & convenient authentication methods, where users can sign in easily and safely from their mobile phones, tablets, computers… One of many available authentication options allows a user to sign in securely (2-factor authentication) from their tablets or laptops without installing anything on their personal devices. The plugin consists in a java resource that an organization just adds to their Shibboleth deployment (version 2.4.3 or later).  The plugin will be found on the Shibboleth community resources wiki, as well as on inWebo developer website. It’s already available upon request for immediate deployments, and evaluation projects.

inWebo releases mobile authentication connector for Microsoft ADFS

Posted by | News | No Comments

inWebo releases mobile phone based authentication

for Microsoft Cloud Applications

Paris and Seattle, October 23rd, 2014 – Microsoft and inWebo Technologies, a leading multifactor authentication provider, announce the availability of inWebo built-in connector for Microsoft Windows Server 2012 R2 Active Directory Federation Services (AD FS). Corporate organizations are now able to secure access to their Microsoft cloud applications, such as Office 365 and Sharepoint, while bringing unprecedented convenience.

With the increased deployment of cloud-based applications within organizations, the need for a unified and secure access has become essential. In the recent years, Microsoft has generalized the federation for its cloud-based application portfolio, thus allowing active unified access through Active Directory Federation Server (AD FS). With the release of its AD FS connector, inWebo Technologies now provides stronger and more convenient authentication credentials to AD FS.

“Bringing security and convenience for the access to the leading enterprise applications is our primary mission. As Microsoft has now enabled identity federation on their cloud-based application portfolio, we’re very excited to launch a MFA connector for Windows Server AD FS, and to partner with Microsoft to raise the security and trust of cloud-based applications”, says Bruno Abramatic, CTO at inWebo.

“Beyond a unified and seamless access, multifactor authentication has become a primary requirement from our Enterprise customers to help them protecting user accounts on their Microsoft cloud-based applications. Window Server 2012 R2 AD FS has been designed to support best-of-breed third-party MFA solutions, and we are proud to work with inWebo Technologies. With their AD FS MFA connector, inWebo introduces a new level of security and convenience capabilities for access to the cloud,” says Andrew Conway, Senior Director of Enterprise Mobility Product Marketing, Microsoft.

Adding multifactor authentication capabilities to AD FS had already been demonstrated. However, inWebo brings unprecedented security and convenience.

When a user logs in to a Microsoft cloud application from a non-trusted network (Internet, Mobile), AD FS automatically sends a notification to the user’s mobile phone. He/she confirms the access on the phone and is directly connected. The user identity verification is made much stronger because he/she also owns a registered phone instead of only knowing a password, which may be too weak. Organizations may also allow users not equipped with a phone or not having it with them to securely authenticate based on their registered browser instead. This flexible, contextual, convenient authentication is highly appreciated by the users who previously considered signing in to Cloud applications as a hassle.

The convenience doesn’t come at the price of lowering security, thanks to the exclusive design of inWebo certified mobile authentication in-App “token” and of inWebo HSM*-protected credential validation service.

Last but not least, inWebo comprehensive solution is available through the ADFS built-in connector. Organizations can therefore seamlessly protect their data and comply with local regulations, while maintaining the agility that business demands.

*HSM: Hardware Security Module. inWebo uniquely allows the credential validation service to run safely outside the organization’s protected walled garden.

About inWebo Technologies
inWebo is a leading identity protection platform, delivering seamless Enterprise-grade multi-factor authentication and access security to organizations and online service providers, large and small.
inWebo client-side light SDKs instantly and transparently turn any user device (desktops, tablets, smartphones…) into a security token, enabling in-band or out-of-band multi-factor authentication, as well as multichannel transaction protection. Requirements on users for such additional security are minimal: no hardware to carry, no SMS code to copy-paste, no dedicated App/plugin/certificate to install, thus solving the adoption challenge usually faced by multi-factor authentication.
inWebo APIs leverage leading user repositories, identity management systems, single-sign-on and federation systems, as well as popular SaaS applications, enabling seamless deployments.
Finally, inWebo Password Manager (available on is a multi-factor protected Cloud-based service helping users and organizations to safely manage and share their sensitive credentials such as userids and passwords.
For more information, visit inWebo at, or reach us at

US Patent Granted

Posted by | News | No Comments

San Francisco, June 18th 2014 – After a pretty long procedure, inWebo has finally been granted a US patent by the Patent Trade Office (US PTO), thus extending the reach of its prior IP protection. This patent is for an authentication system, and more specifically for a technology known as “Dynamic Random Keys” that inWebo has invented and developed over the past few years.

This technology allows for a secure software implementation of multi-factor authentication (MFA), while a hardware implementation was conventionally required to achieve a high security level. It therefore extends the market of MFA to providers in segments that can’t afford to deploy hardware ‘tokens’ to the users they need to securely authenticate.

This technology was also the ground foundation for inWebo mobile and in-App authentication library (mAccess) that has been certified by the French National IT-Security Agency (ANSSI) in 2012.