Authenticators & One-Time Passwords (OTP)

inWebo user authentication options

App- and client-based MFA – Strong authentication without hardware

inWebo Authenticator is an application available for smartphones, tablets, and computers. It supports

  • a push notification mode: the user is prompted in her App to authorize the transaction or connection that has been initiated from another channel such as a browser, an App, a VPN client, etc.
  • an OTP-display mode: the application is used to display a one-time connection code. This mode is available even if the smartphone, tablet or computer is currently offline.

inWebo Authenticator supports device-based biometry such as TouchID or FaceID.

Browser-based authentication – The only truly frictionless MFA

By adding a simple js to an authentication page, browsers are turned into authenticators. As every other authenticator, the browser authenticator needs to be linked to a profile; this only requires the user consent. Also, since no installation is needed, it works on all browsers, whether or not they support extensions.

The browser authenticator comes with a no-UI option so that you can entirely personalize the MFA experience in your authentication page. It supports both a direct mode where one-time connection codes are silently passed to the authentication page and an OTP-display mode used to copy-paste connection codes into client or App forms.

In-App authentication – Invisible MFA

inWebo provides an SDK to turn your applications into authenticators. This is a no-UI library that your applications use to generate one-time codes. By integrating this library, your application supports the OTP-display mode (connections codes are displayed so they can be copy-pasted into client or App forms), a direct mode where connection codes are used to sign in users to your back-end, and a push notification mode where the user is prompted in your application to authorize a connection or a transaction started from another channel.

Similarly to the browser-based authentication, users do not see the underlying MFA. When prompted, they only need to pass a biometric challenge or to provide a PIN or consent, depending on your specifications and policies.

SMS-OTP – For mobile users who don’t want to install your App

Despite all their flaws, SMS-OTP are still relevant in some situations. A good example is a mobile website since, despite your efforts, you will never get 100% of your users to install your mobile App – for which we propose a much better solution, see in-App authentication above. SMS-OTP are therefore a way to authenticate users accessing your website from their mobile browser.

Note that SMS-OTP can be used in combination with inWebo browser-based authentication (see above) to provide a secure yet installation-free mobile 2FA.

Which authenticator(s) should you propose?

Here’s a simple chart to help you decide. Note that with inWebo, you can authorize multiple types of authenticators to any group of users. Even better, it won’t impact your budget.

 
Cryptographic dynamic keys
Smartphones
Computers
Tablets
Push notifications
OTP-display
Direct mode
Local biometry
Installation-free
No-UI
Customization
Integration effort
inWebo pages ready
(SAML, OIDC)
Windows Logon 2FA
App-based
authentication
✔️
✔️
✔️
✔️
✔️
✔️
 
✔️
 
 
Logo, service name
None
✔️
✔️
✔️
✔️
Browser-based
authentication
✔️
✔️
✔️
✔️
 
✔️
✔️
 
✔️
Option
Full
Low (html code integration)
✔️
✔️
 
 
In-App
authentication
✔️
✔️
✔️
✔️
✔️
✔️
✔️
✔️
 
Always
Full
Medium (SDK integration)
 
✔️
✔️
✔️