Authenticators & One-Time Passwords (OTP)

inWebo user authentication options

App- and client-based MFA – Strong authentication without hardware

inWebo Authenticator is an application available for smartphones, tablets, and computers. It supports

  • a push notification mode (aka in-band mode): the user is prompted in her App to authorize the transaction or connection that has been initiated from another channel such as a browser, an App, a VPN client, etc.
  • an OTP-display mode (aka out-of-band mode): the application is used to display a one-time connection code. This mode is available even if the smartphone, tablet or computer is currently offline.

inWebo Authenticator supports device-based biometry such as TouchID or FaceID.

Browser-based authentication – The only truly frictionless MFA

By adding a simple js to the authentication page, browsers are turned into authenticators. As every other authenticator, the browser authenticator needs to be linked to a profile; this only requires the user consent. Also, since no installation is needed, it works on all browsers, whether or not they support extensions.

The browser authenticator comes with a no-UI option so that you can entirely personalize the MFA experience in your authentication page. Finally, it supports both an in-band mode and an out-of-band (OTP-display) mode so that users can copy-paste one-time codes into client or App forms.

In-App authentication – MFA? What MFA?!

inWebo provides an SDK to turn your applications into authenticators. This is a no-UI library that your applications use to generate one-time codes. Your application display the codes so they can be copy-pasted into client or App forms (out-of-band mode) or use them to sign in users to your back-end (in-band mode).

Similarly to the browser-based authentication, users do not see the underlying MFA. When prompted, they only need to pass a biometric challenge or to provide a PIN or consent, depending on your specifications and policies.

SMS-OTP – For mobile users who don’t want to install your App

Despite all their flaws, SMS-OTP are still relevant in some situations. A good example is a mobile website since, despite your efforts, you will never get 100% of your users to install your mobile App – for which we propose a much better solution, see in-App authentication above. SMS-OTP are therefore a way to authenticate users accessing your website from their mobile browser.

Note that SMS-OTP can be used in combination with inWebo browser-based authentication (see above) to provide a secure yet installation-free mobile 2FA.

Which authenticator(s) should you propose?

Here’s a simple chart to help you decide. Note that with inWebo, you can authorize multiple types of authenticators to any group of users. Even better, it won’t impact your budget.

 
Cryptographic dynamic keys
Smartphones
Computers
Tablets
In-band mode
Out-of-band mode
Push notifications
Local biometry
Installation-free
No-UI
Customization
Integration effort
inWebo pages ready
(SAML, OIDC)
Windows Logon 2FA
App-based
authentication
✔️
✔️
✔️
✔️
✔️
✔️
✔️
✔️
 
 
Logo, service name
None
✔️
✔️
✔️
✔️
Browser-based
authentication
✔️
✔️
✔️
✔️
✔️
✔️
 
 
✔️
Option
Full
Low (html code integration)
✔️
✔️
 
 
In-App
authentication
✔️
✔️
✔️
✔️
✔️
✔️
✔️
✔️
 
Always
Full
Medium (SDK integration)
 
✔️
✔️
✔️