Overview

Lately, different industry verticals (banking, telecom, retail, insurance, etc.) have been facing security issues related to passwords. The following figures illustrate the problem:

  • 80% of hacking-related breaches leveraged stolen passwords and/or weak or guessable passwords. (source: Verizon 2017 Data Breach Report).
  • In 2017, a record number of 1,579 breaches were identified, a 44.7% increase over the previous year, accounting for a total of 178,955,069 records exposed. (source: Identity Theft Resource Center 2017 Annual Data Breach Year-End Review).
  • Each data breach costs $3.8 million on average. (source: Ponemon Institute 2017 Cost of Cyber Crime Report).
  • 73% of users share the passwords which they use for online banking with at least one non-financial website. (source: Trusteer, 2010).

By using a Strong Authentication solution, all these issues are avoided and security for both users and companies is increased.

The Social-ID for Strong Authentication

The Social-ID for Strong Authentication is designed to offer two services: Multi-Factor Authentication (MFA), which adds an extra security level to the traditional login/password, and Passwordless authentication, for a better user experience.

This solution includes two independent modules:

  • The first module implements One-Time Password (OTP) services to be integrated with clients' solutions to cover several use cases. The OTP services are based on the open standard specifications provided by the Initiative For Open Authentication (OATH).
  • The second module is based on FIDO (Fast IDentity Online) and supports the Universal Authentication Framework (UAF), Universal Second Factor (U2F) and FIDO2 specifications. UAF leverages biometrics (face, iris, fingerprint recognition, etc.) to provide Passwordless capabilities with a high security level, while U2F/FIDO2 allow authentication based on external hardware devices for maximum security in an MFA context.

One-Time Password Solutions

The usage of OTP solutions is encouraged as the first step towards a Strong Authentication implementation. Different strategies are provided in order to allow OTP authentication in any scenario.

Email Token

In the Email Token approach, the user receives an email message with an authentication link. The user authenticates himself by following the link, which carries a randomly generated token with an expiration time, limiting the window for brute-force attacks.

In the context of MFA, this strategy can be used whenever the user provided an email address during registration. It can also be used as a Passwordless authentication method, provided that the user identifies himself during login, usually by entering his email address.

The Social-ID for Strong Authentication solution for Email Token provides backend support for sending email messages and APIs for login integration. The email customization can be performed directly from the Social-ID dashboard.

Figure 1. Example of Email Token login flow for MFA.

SMS Code

In the SMS Code strategy, the user receives an SMS message with an alphanumeric code. The user authenticates himself by entering the received code into the system.

In the context of MFA, this strategy can be used whenever the user provided a mobile phone number during registration. It can also be used as a Passwordless authentication method, provided that the user identifies himself during login, usually by entering his mobile phone number.

The Social-ID for Strong Authentication solution for SMS Code provides backend support for sending SMS messages and APIs for login integration. The message customization can be performed directly from the Social-ID dashboard.

Figure 2. Example of SMS Code login flow for MFA.

Push Notification Code

In the Push Notification Code scenario, the user receives a text message with an alphanumeric code on his mobile phone through a mobile app. As in the SMS Code approach, the user authenticates himself by entering the received code into the system.

In the context of MFA, this strategy can be used whenever there is a mobile app that can deliver the message to the user during the login process. The user must have authenticated himself in the mobile app before this method can be used. It can also be used as a Passwordless authentication method, provided that the user identifies himself during login. In this scenario, the user usually identifies himself by providing personal information (e.g. email address or phone number) or by requesting the code directly from the mobile app.

The CoffeeBean solution for Push Notification Code provides backend support for sending push notification messages and APIs for login integration.

Figure 3. Example of Push Notification Code login flow for MFA.

Third-Party Apps Support

In a Third-Party App scenario, the user reads authentication codes, which are generated continuously, from an authenticator app (e.g. Google Authenticator). Just like in the previous approaches, the user authenticates himself by entering the authentication code into the system.

In the context of MFA, this strategy can be used whenever the user has configured an authenticator app which supports the OATH protocols. It can also be used as a Passwordless authentication method, provided that the user identifies himself during login. In this scenario, the user usually identifies himself by providing personal information (e.g. email address or phone number).

The Social-ID for Strong Authentication solution for Third-Party Apps Support provides backend support for registering an authenticator app and APIs for login integration.

Figure 4. Example of login flow with Google Authenticator App for MFA.

FIDO Solutions

CoffeeBean is a member of the FIDO Alliance and uses its standards to offer Passwordless authentication and Multi-Factor Authentication (MFA) in the Social-ID for Strong Authentication.

The Social-ID's Passwordless solution gives users an easier and more fluid login experience, allowing authentication using one-time passwords, biometrics and device interactions.

Multi-Factor Authentication makes the Social-ID's security even stronger. The login requires the user to confirm the authentication by pressing a button on, or tapping via NFC, a USB key compatible with the FIDO specifications.

2.1 Protocols

By following the FIDO standards, CoffeeBean implements the FIDO protocols in the Social-ID for Strong Authentication. These protocols are explained in the following sections.

2.1.1 Universal Authentication Framework (UAF)

In the FIDO UAF approach the user can use any authentication information, usually a biometric one such as a fingerprint, in order to authenticate himself. The authentication information must be provided in a device that supports the protocol, usually in a mobile app installed on the user’s cell phone.

This strategy was designed for the Passwordless use case, so that the only information the user needs to provide is the authentication information itself. Nonetheless, it can also be used in an MFA scenario, both as the first authentication factor and as a subsequent one.

The CoffeeBean solution using FIDO UAF provides backend support for the FIDO UAF protocol, namely a FIDO UAF Server, APIs for login integration and mobile SDKs for both Android and iOS platforms.

Figure 5. Example of FIDO UAF login flow using biometrics for Passwordless.

2.1.2 Universal Second Factor (U2F)

In the FIDO U2F strategy the user uses a FIDO U2F certified device, usually a USB token or a smart card, to authenticate himself.

This protocol was designed primarily as a second authentication factor, imposing no restrictions on the first step. However, it is also possible to use it in the Passwordless scenario, provided that the user identifies himself during login. In such a scenario, the user usually identifies himself by providing personal information (e.g. email address or phone number).

The CoffeeBean solution using FIDO U2F provides backend support for the FIDO U2F protocol, namely a FIDO U2F Server, APIs for login integration and browser SDKs for communication with the authentication devices.

Figure 6. Example of FIDO U2F login flow for MFA.

2.1.3 FIDO2

FIDO2 is an evolution of the U2F protocol; it consists of the W3C Web Authentication specification (WebAuthn API) and the Client to Authenticator Protocol (CTAP):

  • WebAuthn defines a standard web API that is built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication.
  • CTAP is an application-layer protocol used for communication between a client (browser) and an external authenticator.

The CoffeeBean solution using FIDO2 provides backend support for the FIDO2 protocol and APIs for login integration.

(source: https://fidoalliance.org/fido2/)

2.2 Public Key Cryptography

By implementing the FIDO protocols, the Social-ID for Strong Authentication uses standard public key cryptography techniques to provide stronger authentication. Below we explain the registration and login processes in detail:

Registration

Once the user accesses an online service and decides to register, this flow will be executed:

  • User starts by unlocking the authenticator using a secure action
  • The user's device creates a new key pair
  • The device retains the private key
  • The public key is registered on the server

(source: https://fidoalliance.org/how-fido-works/)

Login

The following steps are executed on the authentication process:

  • A challenge is created by the server when the user tries to login
  • The client device needs to sign this challenge with the private key
  • The private key can be used only after it is unlocked locally on the device by the user
  • This local unlock process is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button. This secure action is the same one that was used when the user first registered.
  • Once the private key is unlocked, it is used to sign the challenge and it is sent back to the server, which will check it using the public key and authenticate the user.

(source: https://fidoalliance.org/how-fido-works/)

Looking at the registration and login flows above, you can see that the FIDO authentication protocol is based on public key pairs, while the biometric, PIN or second-factor device is only used locally to unlock the private key. Therefore, biometric information never leaves the user's device.
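The registration and login flows above, as an added Go example that is not CoffeeBean's code: a simulated authenticator (the user's device) and relying party (the server) using P-256 ECDSA, where the server stores only the public key, issues a fresh random challenge per login, and discards it after verification. The type and function names and the single-user storage are assumptions made for illustration; attestation, origin binding and the signature counter of the real FIDO protocols are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

type Authenticator struct{ priv *ecdsa.PrivateKey } // the user's device; the private key is never exported

// RelyingParty models the server: it stores only the public key and the pending challenge.
type RelyingParty struct{ pub *ecdsa.PublicKey; challenge []byte }

// Register: the device creates a key pair, keeps the private half, and the server stores the public half.
func Register(rp *RelyingParty) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pub = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// BeginLogin: the server issues a fresh 32-byte random challenge for this login attempt.
func (rp *RelyingParty) BeginLogin() ([]byte, error) {
	rp.challenge = make([]byte, 32)
	_, err := rand.Read(rp.challenge)
	return rp.challenge, err
}

// Sign: the device signs the challenge only after the local unlock (fingerprint, PIN, button) succeeds.
func (a *Authenticator) Sign(unlocked bool, challenge []byte) ([]byte, error) {
	if !unlocked {
		return nil, errors.New("authenticator locked: local user verification required")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// FinishLogin: verify with the stored public key, then discard the challenge so the response cannot be replayed.
func (rp *RelyingParty) FinishLogin(sig []byte) bool {
	if rp.pub == nil || rp.challenge == nil {
		return false
	}
	digest := sha256.Sum256(rp.challenge)
	rp.challenge = nil
	return ecdsa.VerifyASN1(rp.pub, digest[:], sig)
}
```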

Security Standards and Compliances

The Social-ID for Strong Authentication may be deployed in the cloud or on customer premises. In both scenarios CoffeeBean is committed to offering the best service, especially with regard to security and performance.

Below are some of the security standards and compliances that CoffeeBean follows:

  • Compliance with PCI Data Security Standard (PCI DSS).
  • Compliance with CSA-published best practices.
  • Encryption of data in motion and at rest.
  • Periodic security audits (penetration testing, vulnerability scans and intrusion detection tests).

Contact

If you are interested in FIDO's framework applications with the Social-ID for a stronger and easier authentication experience, please contact our sales team.