One-Time Passwords, Trusted Devices, Authentication Methods
inWebo user authentication options
SMS OTP – For mobile users who don’t have your App yet
SMS OTPs have many flaws: they are not actual 2FA, they don’t work in roaming situations, and delivery delays vary from very good to very bad. Yet we recognize that SMS OTPs are still relevant for some use cases, so we support them in our solutions (this option is not authorized by default, though). To sign in to your service, a user has to enter a short-text code that she receives on her cellphone.
Mobile offline OTP – The old-fashioned way
The inWebo Authenticator App (the trusted device) is used as an offline one-time password (OTP) generator. Lisa then submits her username and the OTP in your authentication page. Our platform is queried via the application connector, validates the OTP, and authenticates Lisa.
This works in all circumstances (including offline and airplane modes), but Lisa doesn’t like it and, fortunately, she almost never has to do it. There are much easier ways.
Push notifications – The trendy way
Philip submits his username in your authentication page. Our platform is queried via the application connector and sends a push notification to the authentication App registered for that username: either inWebo Authenticator or your organization’s mobile App built with the inWebo mAccess in-App authentication libraries. The notification wakes up the App and brings it to the foreground on Philip’s phone. He enters his PIN, and the App generates an OTP and submits it in the background to our platform for validation.
Actually, the PIN here (aka the second factor) is just an option that you control. It can be skipped if there was a primary authentication. It can also be replaced with a touch on a fingerprint sensor if Philip’s smartphone is equipped with one. Soon, it will also be facial or voice recognition or some other form of biometric authentication provided by the smartphone or by inWebo Authenticator App.
Assuming there’s enough signal, this method is much easier. However, Philip still needs his phone each time he authenticates. Initially, he found it fun, especially compared with what he previously had to do for authentication, but he quickly got tired of having to do it each time he connects to his applications. Can’t we do better?
OTP display – A scrappy yet smart variant of mobile OTP
Not all your users are equipped with smartphones, right? Some might have a personal smartphone but don’t want to use it for authentication to your service, or would like something easier, etc. To cover these cases and a few others, we have developed a “web app” that displays OTPs directly in the user’s browser.
It’s 2FA without a phone or a token! But why stop there? Carrying a token is only half of the pain, the other half being dealing with OTPs. Can we remove that altogether? Indeed we can do that for web-based services.
Browser-based authentication – The frictionless way
The browser used to access your service has been enrolled as a trusted device. Your authentication page detects it and displays inWebo’s browser-based authentication method, Virtual Authenticator (see our developer website for more info on how to make this magic happen). Emily can optionally check the security information (as she would for a website with an SSL certificate), and then enters her PIN. An OTP is generated and submitted in the background to your server. Our platform is queried via the application connector, validates the OTP, and authenticates Emily.
Much easier: Emily didn’t need her phone since she was accessing your service from one of her usual devices – as we all always do. Besides, as promised, she didn’t have to see or copy-paste an OTP. For the first time in years, Emily is really happy about this security thing that you have just rolled out. But wait, she asks, does this mean I can only connect to my applications from my laptop? No, because you have more good news for her.
Convergent authentication – The ultimate way
Your authentication page is now smart enough to test, for any given transaction, whether the browser-based authentication method can be used, and to automatically propose alternative options (push notifications, mobile offline OTP, SMS OTP) otherwise. The whole experience is seamless. Only with inWebo.
Ultimate way? But what about FIDO?
On this page, we discussed the various authentication options available with inWebo, from the basic ones to the frictionless and sophisticated ones, both for users and for IT and security professionals who are increasingly asked to provide secure yet convenient solutions to their organization. However, we didn’t talk about standards such as FIDO because these standards by themselves do not bring additional benefits, features, supported use cases, or security.