Motivation: The Problem With Passwords

In 2017, a record number of 1,579 breaches were identified, a 44.7% increase over the previous year, accounting for a total of 178,955,069 records exposed.

- Identity Theft Resource Center 2017 Annual Data Breach Year-End Review

81% of data breaches in 2016 leveraged weak and/or stolen passwords.

- Verizon 2017 Data Breach Report

Each data breach cost $3.6 million on average, up 23% from 2013.

- Ponemon Institute

Overview

The Social-ID solution for Strong Authentication is composed of two independent modules. Both of them can be used for Multi-Factor Authentication (MFA) as an extra security step after a first traditional email/username and password login or a social login. They can also be used as a Passwordless solution for a simpler user experience.

The first module consists of a set of One-Time Password (OTP) strategies that can be used independently according to the integration context. They are based on open standards specifications provided by the Initiative for Open Authentication (OATH).

The second module features Fast IDentity Online (FIDO) support for both the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) specifications. The former leverages biometrics to provide Passwordless capabilities with a high security level. The latter allows authentication based on external hardware devices for maximum security in an MFA context.

One-Time Password Solutions

The usage of OTP solutions is encouraged as the first step towards a Strong Authentication implementation. Different strategies are provided in order to allow OTP authentication in any scenario.

Email Token

In the Email Token approach, the user receives an email message with an authentication link. The user authenticates himself by following the link, which contains a randomly generated token with an expiration time to protect against brute-force attacks.

In the context of MFA, this strategy can be used whenever the user has provided an email address during registration. It can also be used as a Passwordless authentication method, given that the user identifies himself during login, usually by providing his email address.

The CoffeeBean solution for Email Token provides backend support for sending email messages and APIs for login integration. The email customization can be performed directly from the Social-ID dashboard.
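The token handling described above, as an added illustration that is not CoffeeBean's code: the link carries a high-entropy random token, the backend stores only its hash, and the token expires and is consumed on first use. The 15-minute lifetime and the in-memory store are assumptions for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed in-memory store: sha256(token) -> (user, expires_at).
# A real backend would persist this; the dict keeps the example self-contained.
_pending: Dict[str, Tuple[str, float]] = {}

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the page states no value


def _token_hash(token: str) -> str:
    # Store only a digest so a leaked table cannot be turned into valid links.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_token(user: str, now: Optional[float] = None) -> str:
    """Create the single-use token embedded in the emailed link."""
    now = time.time() if now is None else now
    # 32 random bytes (256 bits): online guessing within the TTL is infeasible.
    token = secrets.token_urlsafe(32)
    _pending[_token_hash(token)] = (user, now + TOKEN_TTL_SECONDS)
    return token


def redeem_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a valid, unexpired, unused token; otherwise None.

    The entry is removed on lookup, so a matching token works exactly once,
    and an expired entry is discarded rather than left for a later attempt.
    """
    now = time.time() if now is None else now
    entry = _pending.pop(_token_hash(token), None)
    if entry is None:
        return None
    user, expires_at = entry
    if now > expires_at:
        return None
    return user
```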

Figure 1. Example of Email Token login flow for MFA.

SMS Code

In the SMS Code strategy, the user receives an SMS message with an alphanumeric code. The user authenticates himself by entering the received code into the system.

In the context of MFA, this strategy can be used whenever the user has provided a mobile phone number during registration. It can also be used as a Passwordless authentication method, given that the user identifies himself during login, usually by providing his mobile phone number.

The CoffeeBean solution for SMS Code provides backend support for sending SMS messages and APIs for login integration. The message customization can be performed directly from the Social-ID dashboard.

Figure 2. Example of SMS Code login flow for MFA.

Push Notification Code

In the Push Notification Code scenario, the user receives a text message with an alphanumeric code on his mobile phone through a mobile app. Similar to the SMS Code approach, the user authenticates himself by entering the received code into the system.

In the context of MFA, this strategy can be used whenever there is a mobile app that can be used during the login process to send the message to the user. The user must have authenticated himself in the mobile app before this method can be used. It can also be used as a Passwordless authentication method, given that the user identifies himself during login. In this scenario, the user usually identifies himself by providing a piece of personal information (e.g. email address or phone number) or by requesting the code directly from the mobile app.

The CoffeeBean solution for Push Notification Code provides backend support for sending push notification messages and APIs for login integration.

Figure 3. Example of Push Notification Code login flow for MFA.

Third-Party Apps Support

In a Third-Party App scenario, the user continuously receives authentication codes in an authenticator app (e.g. Google Authenticator). Just like in the previous approaches, the user authenticates himself by entering the authentication code into the system.

In the context of MFA, this strategy can be used whenever the user has configured an authenticator app which supports the OATH protocols. It can also be used as a Passwordless authentication method, given that the user identifies himself during login. In this scenario, the user usually identifies himself by providing a piece of personal information (e.g. email address or phone number).

The CoffeeBean solution for Third-Party Apps Support provides backend support for registering an authenticator app and APIs for login integration.
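The OATH standard that authenticator apps such as Google Authenticator implement is TOTP (RFC 6238), built on HOTP (RFC 4226). The added example below, not CoffeeBean's code, shows what the backend has to do to verify such a code: derive the counter from the time step, compute HMAC-SHA1 with dynamic truncation, tolerate one step of clock drift, and compare in constant time. The shared secret is the RFC 6238 test secret, so the values are checkable against the RFC.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 test secret (ASCII "12345678901234567890") in the Base32 form that
# authenticator apps accept during enrolment. Constructed for this example.
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6         # code length shown by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimals."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    at = int(time.time()) if at is None else at
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, at // STEP_SECONDS)


def verify_totp(secret_b32: str, submitted: str,
                at: Optional[int] = None, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side,
    so a phone whose clock drifts by up to 30 s still works. Every candidate
    is compared in constant time; a wider window weakens the guessing bound,
    so a real server also rate-limits attempts and rejects reuse of a code."""
    at = int(time.time()) if at is None else at
    secret = base64.b32decode(secret_b32, casefold=True)
    counter = at // STEP_SECONDS
    matched = False
    for delta in range(-window, window + 1):
        # No early return: the loop always runs the same number of comparisons.
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            matched = True
    return matched
```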

Figure 4. Example of login flow with Google Authenticator App for MFA.


What is FIDO?

FIDO is an ecosystem for standards-based, interoperable authentication that provides enterprises and service providers with strong authentication solutions, reducing the reliance on passwords and preventing phishing, man-in-the-middle and replay attacks.

FIDO's Security & Privacy

The Social-ID’s Support for Passwordless and Second Factor Authentications

CoffeeBean is a member of the FIDO Alliance and uses its standards to offer Passwordless authentication and MFA (Multi-Factor Authentication) for the Social-ID.

The Social-ID's passwordless solution will give users an easier and more fluid experience when logging in, allowing for authentication using one-time passwords, biometrics and device interactions.

The Second Factor Authentication will make the Social-ID's security even stronger. The login will require the user to confirm the authentication with a button press or NFC tap on a USB key compatible with FIDO's U2F specifications.

The FIDO Alliance currently has two sets of specifications for simpler, stronger authentication: Universal Second Factor (U2F) and Universal Authentication Framework (UAF).

Universal Authentication Framework (UAF)

In the FIDO UAF approach, the user can use any authentication information, usually a biometric one such as a fingerprint, in order to authenticate himself. The authentication information must be provided on a device that supports the protocol, usually in a mobile app installed on the user's cell phone.

This strategy was designed for the Passwordless use case, so that the only information the user needs to provide is the authentication information itself. Nonetheless, it can also be used in an MFA scenario, both as the first authentication factor and as a subsequent one.

The CoffeeBean solution for FIDO UAF provides backend support for the FIDO UAF protocol, namely a FIDO UAF Server, APIs for login integration and mobile SDKs for both Android and iOS platforms.

Figure 5. Example of FIDO UAF login flow using biometrics for Passwordless.

Universal Second Factor (U2F)

In the FIDO U2F strategy, the user uses a FIDO U2F certified device, usually a USB token or a smart card, to authenticate himself. This protocol was designed primarily as a second authentication factor, imposing no restrictions on the first step. However, it is also possible to use it in the Passwordless scenario, given that the user identifies himself during login. In such a scenario, the user usually identifies himself by providing a piece of personal information (e.g. email address or phone number).

The CoffeeBean solution for FIDO U2F provides backend support for the FIDO U2F protocol, namely a FIDO U2F Server, APIs for login integration and browser SDKs for communication with the authentication devices.

Figure 6. Example of FIDO U2F login flow for MFA.

FIDO Use Cases

Contact

If you are interested in FIDO's framework applications with the Social-ID for a stronger and easier authentication experience, please contact our sales team.
