One-time passwords based on Trusted Devices
User authentication options
SMS OTP (for mobile users who don’t have your App yet, etc.)
SMS OTP have many flaws (it’s not actual 2FA, it doesn’t work in roaming situations, delivery delays vary from very good to very bad). Yet, we recognize that for some use cases SMS OTP are still relevant, therefore we support them in our solutions.
Mobile offline OTP (the old-fashion way)
inWebo Authenticator App (= trusted device) is used as an offline one-time password (OTP) generator. The username and OTP are then submitted by Lisa in your authentication page. Our platform is interrogated via the application connector, validates the OTP, and authenticates Lisa.
This works in any circumstances (including in offline and airplane modes), but fortunately, users almost never have to do that. There are much easier ways.
Push notifications (the trendy way)
Philip submits his username in your authentication page. Our platform is interrogated via the application connector and sends a push notification to the registered authentication App for that username, inWebo Authenticator or your organization’s mobile App using inWebo mAccess in-App authentication libraries. It wakes up and pops up the App on Philip’s phone. He enters his PIN so that an OTP is generated by the App and submitted in the background to our platform for validation.
With the assumption that there’s enough signal, this method is much easier. However, Philip still needs his phone each time he authenticates. This is fun initially, but users get rapidly tired of it. Can’t we do better?
Browser-based authentication (the frictionless way)
The browser used to access your service has been enrolled as a trusted device. Your authentication page detects it and displays inWebo browser-based authentication method, Virtual Authenticator (see our developer website for more info on how to make this magic happen). Emily can optionally check the security information (as she would do for a website with an SSL certificate) and enters her PIN. An OTP is generated and submitted in the background to your server. Our platform is interrogated via the application connector, validates the OTP, and authenticates Emily.
Much easier: Emily didn’t need her phone since she was accessing your service from one of her usual devices – as we all always do, isn’t it?.
Convergent authentication (the ultimate way)
Of course, your authentication page is now smart enough to test for any given transaction if the browser-based authentication method can be used, and to automatically propose alternative options (push notifications, mobile offline OTP, SMS OTP) otherwise. The whole experience is seamless. Only with inWebo.