Authenticators & One-Time Passwords (OTP)
inWebo user authentication options
App- and client-based MFA – Strong authentication without hardware
inWebo Authenticator is an application available for smartphones, tablets, and computers. It supports:
- a push notification mode: the user is prompted in her App to authorize the transaction or connection that has been initiated from another channel such as a browser, an App, a VPN client, etc.
- an OTP-display mode: the application is used to display a one-time connection code. This mode is available even if the smartphone, tablet or computer is currently offline.
inWebo Authenticator supports device-based biometrics such as TouchID or FaceID.
Browser-based authentication – The only truly frictionless MFA
By adding a simple piece of JavaScript to an authentication page, browsers are turned into authenticators. Like every other authenticator, the browser authenticator needs to be linked to a profile; this only requires the user's consent. Also, since no installation is needed, it works on all browsers, whether or not they support extensions.
The browser authenticator comes with a no-UI option so that you can entirely personalize the MFA experience in your authentication page. It supports both a direct mode where one-time connection codes are silently passed to the authentication page and an OTP-display mode used to copy-paste connection codes into client or App forms. inWebo provides 2 browser authenticators with slightly different customization options, inWebo Helium and Virtual Authenticator.
In-App authentication – Invisible MFA
inWebo provides an SDK (inWebo mAccess) to turn your applications – web and native – into authenticators. This is a no-UI library that your applications use to generate one-time codes. By integrating this library, your application supports the OTP-display mode (connection codes are displayed so they can be copy-pasted into client or App forms), a direct mode where connection codes are used to sign in users to your back-end, and a push notification mode where the user is prompted in your application to authorize a connection or a transaction started from another channel.
As with browser-based authentication, users do not see the underlying MFA. When prompted, they only need to pass a biometric challenge or to provide a PIN or consent, depending on your specifications and policies.
SMS-OTP – For mobile users who don’t want to install your App
Despite all their flaws, SMS-OTP are still relevant in some situations. A good example is a mobile website since, despite your efforts, you will never get 100% of your users to install your mobile App – for which we propose a much better solution, see in-App authentication above. SMS-OTP are therefore a way to authenticate users accessing your website from their mobile browser.
Note that SMS-OTP can be used in combination with inWebo browser-based authentication (see above) to provide a secure yet installation-free mobile 2FA.
Which authenticator(s) should you propose?
Here’s a simple chart to help you decide. Note that with inWebo, you can authorize multiple types of authenticators for any group of users. Even better, it won’t impact your budget.