inWebo Basic Concepts and High-Level Architecture
Activation: how Emily gets enrolled
If Emily needs MFA credentials to sign in to your applications, a record has to be created for her in your inWebo organization account by provisioning her account. You can also add a trusted device – an authentication method – to an existing user. Creating a record for a user or a device triggers the issuance of a one-time activation token. When this token is provided to an inWebo authentication device (inWebo Authenticator, Virtual Authenticator / Helium, or inWebo mAccess; see 2FA options), a secure synchronization takes place between that device and the inWebo servers, resulting in the enrollment of Emily and/or of her authentication device. Activation completed!
Authentication: how Mark accesses his online or remote accounts
When Mark – who has already been enrolled – needs to sign in to his account on your application, he will get a request to provide a secure authentication token, aka a one-time password (OTP). OTPs are issued by any of Mark’s authentication devices; there’s no need to send anything to Mark (such as emails or texts). With inWebo 2FA options, chances are that Mark doesn’t even see OTPs or need a smartphone. Really convenient!
Administration: how Philip makes the magic happen for his organization
When Philip decided to enable inWebo MFA for his organization, he followed a few simple steps that we explain in this section. He created an inWebo organization account and initially tested it and configured it using the web administration console. That was enough to be able to roll out MFA and reach his organization’s security objectives – and make the users happy about a security tool, for once. Later on, he decided that he would customize the enrollment workflow and integrate inWebo with some of the tools that his organization was already using, such as identity management and SIEM. But these were optimizations, not project prerequisites.
Create an organization account in 1 minute
We offer two simple and quick ways to create an MFA account for your organization. Both are free and without commitment. No credit card required.
- A trial account: it comes with 10 user licenses, 1 service, and is valid for 30 days – upon which you can request a discretionary extension if you haven’t made up your mind. Additional options can be tested by making a request in the account creation form. A trial account can be converted into a regular account.
- A free account: it comes with 10 user licenses, 1 service, no options, and no expiration date. This is an easy way to start using our solution without having to go through a trial. When you need it, or if you need it, you can upgrade the account and add options or user licenses.
The person creating the account will immediately receive credentials to access the inWebo console with an admin role, as well as an invitation to create an account on the inWebo support portal. He or she will also receive a couple of emails providing high-level configuration guidelines, as well as links to more detailed documentation.
Connectors: adding inWebo MFA to your applications doesn’t require a project
A connector is a generic word for a method enabling inWebo MFA in your applications. There’s no proxy or server to install: in most cases, only configuration.
- Network equipment such as VPNs, reverse proxies, and access gateways use RADIUS as an authentication protocol. To add inWebo 2FA, you only need to configure IP addresses and shared secrets. You can be up and running in 15 minutes, literally.
- Cloud applications such as Salesforce, Slack, G Suite, etc., use SAML 2.0 as an authentication protocol. To add inWebo 2FA, you only need to configure a SAML IdP: 3 URLs and a certificate for applications such as G Suite that have made it really simple, a bit more for the others.
- Identity Access Management (IAM), Single Sign-On (SSO), and Content Management Systems (CMS) all have proprietary ways to connect with authentication providers. Every time such a product provides documentation and an open API, we have built a ‘plugin’ for that product to enable inWebo MFA. You’ll only have to download and configure that plugin.
- If you’re an ISV or an organization building an application (web, mobile) or a portal, we have client libraries (for OTP generation) and an API (for provisioning and authentication). Unlike the other cases listed above, there’s some integration work. Fortunately, our SDK and API provide you with an abstraction layer, and you can quickly add MFA to your application with little or no knowledge of cryptography and credentials management.
Policies: a few clicks to customize authentication methods and recovery options
This part is even easier: your organization account comes with default settings, such as authorized authentication methods, recovery options, and the second factor enabled. Customize these settings if they don’t match your requirements; otherwise you’re already all set.
Tokenless MFA option: users will thank you for that
Usually, users needing 2FA to access your applications split into 2 categories: those who are openly upset about it, and those who are ‘okay’ with it. No one has sent you a thank-you note for MFA yet, right? That should change with inWebo tokenless MFA – aka browser-based MFA.
When the second factor is a hardware token or an app on a phone, users need that thing for authentication or step-up authentication. Hopefully, you’ve implemented some adaptive authentication to reduce that fatigue, at the cost of introducing some risk. But what if the second factor could be a (web) app in the same browser from which users access your applications? This is exactly what inWebo tokenless MFA is about. Activate this option in your sign-in page and users won’t need a token or a phone for MFA.
IWDS and workflows: automate user provisioning and enrollment
With 2FA, users need to define (or receive) some secret, as with password-based authentication. On top of that, they also need to register an authentication method. From an organization’s perspective, managing passwords is already a problem. Managing authentication methods and trusted devices on top of that can therefore turn into a time-consuming activity.
inWebo has ‘reverse-engineered’ the credentials management tasks in large organizations and built automation for them into its solution. As an example, we provide templates for emails to send for user enrollment, a synchronization tool with your Active Directory, a provisioning API for your identity management, self-care and self-recovery options, and a few other ‘tricks’ making your life and your users’ life much easier.