MFA FAQ
Discover our MFA FAQ topics and get answers to the most frequently asked questions.
MFA Technology
How is inWebo MFA different from other solutions?
Thanks to our patented random dynamic key technology, MFA can be done without worrying about the security level of the user equipment. We therefore offer an extremely simple user experience.
Does your solution require upgrading my IS?
Since we have been around for more than 10 years, we have seen several generations of IS pass through. We are here to support you, whether you have an up-to-date infrastructure or not.
How does your solution improve the end-user experience?
Traditional MFA solutions are restrictive for the user (OTPs to retype, the need for specific equipment or a smartphone, no way to connect when the token is lost or broken, etc.).
TrustBuilder.io Multi-factor Authenticator eliminates all these shortcomings by offering a solution that is accessible on all the user’s equipment and easy to use.
What are the HSMs used for in your data centers?
The HSMs handle all the sensitive operations of the service and protect users’ account security data. HSMs ensure that no one can manipulate these operations, not even our own teams.
Is TrustBuilder.io Multi-factor Authenticator for PC/Mac different from the mobile version?
No, it’s exactly the same application, only you don’t need a smartphone to use it.
Does TrustBuilder's MFA still work if the smartphone is not connected to the internet?
Yes, smartphones can be in a spot without network coverage. Even under these conditions, the user will be able to generate inWebo OTPs with the same level of security.
Is TrustBuilder.io Multi-factor Authenticator passwordless?
Yes, our Multi-factor Authenticator is by nature passwordless: users simply enter a PIN code rather than a long, complex password that has to change regularly.
What is the user experience when using TrustBuilder's SDK?
It’s up to you. You can make the experience completely invisible for the user who will feel like he is logging in with a simple 4-digit code or, on the contrary, choose to enhance the security level of your application for your users by adding specific screens.
Why doesn't TrustBuilder recommend conditional access for its MFA?
Conditional access is an approach that seeks to avoid requiring MFA under certain conditions. An attacker will always seek to put himself in a context that is convenient for him. Providing exceptions for MFA is a breach of security that an attacker will be able to take full advantage of.
For some MFA solutions, the user experience remains complex and could justify conditional access in order to simplify the login experience. It is certainly not the case for inWebo, which offers a natively flexible approach.
Our customers are free to set up conditional access, but we believe that with an easy-to-use MFA it is worth having MFA requested whatever the circumstances. This way your users won’t get lost when they are in one of the exceptional circumstances that require MFA. In addition, you will reinforce or initiate a Zero Trust approach within your organization.
MFA Infrastructure
What are the specificities of the TrustBuilder.io Multi-factor Authenticator infrastructure?
Designed as a SaaS solution, TrustBuilder's infrastructure exceeds the market’s standards with 3 main pillars.
High availability: TrustBuilder's servers are spread over 3 datacenters with synchronous replication and automatic failover, in no time, providing an availability of 99.9% per year.
Agile scalability: TrustBuilder's infrastructure guarantees agile and structural scalability, capable of handling large load peaks, even unexpected ones. By design, our servers have a 6x overcapacity compared to our current needs and can be reinforced very quickly and easily.
High level of security: Our HSMs have an unbreakable cryptographic core. No one can access or manipulate your sensitive data, not even our own teams or your administrators.
What about Digital Sovereignty? Where are TrustBuilder's datacenters located?
Digital Sovereignty is a key component of TrustBuilder's security approach. Therefore, all our datacenters are private and located in Europe.
Security
Why is a PIN code more secure than a traditional password?
The PIN code never transits and is not stored. It cannot be intercepted or copied. It is of no use without the trusted equipment.
On the other hand, a password is transmitted at each authentication and is generally stored on the user’s workstation and/or the server: it can be intercepted or stolen and then reused on an access protected only by password.
Is SaaS as secure as my own infrastructure?
We designed the solution to be SaaS. This means that our data centres have synchronous replication and automatic failover to guarantee service availability. Our platform is multi-tenant and HSMs perform all sensitive operations to guarantee you a tamper-proof environment.
We offer an availability of 99.9% per year, i.e. less than 4 hours of downtime per year.
Does TrustBuilder protect against phishing and man in the middle?
Yes, we even protect against advanced phishing attacks by preventing the user from authenticating on a website that is not legitimate.
Deviceless / Smartphoneless / Browser Token
What is Deviceless, or the "browser" token?
Deviceless offers the user the ability to strongly authenticate himself without needing specific equipment (smartphone, smart card, USB key, etc.).
Check out our article on the Deviceless MFA technology.
What does this technology bring to multifactor authentication?
Thanks to our browser token (Deviceless MFA), authentication can be done directly in the user’s browser without the need to install a mobile or PC/Mac application.
Token
Do I need special equipment? What are the authentication methods?
TrustBuilder.io Multi-factor Authenticator provides a wide choice of authentication methods (Mobile Application, Desktop Application, Browser) that shall be used in combination with an application password, a PIN code or a biometric factor.
How many devices can a user have?
The administrator configures how many trusted devices users can have. This way the user will not be locked out if he has forgotten or lost his smartphone.
Is it necessary to give a phone number?
No, our technology does not require sending a text message.
What happens if a user loses his trusted device?
If he has other trusted equipment available, he can connect with it or use it to declare new trusted equipment.
An administrator or helpdesk agent can also help a user define another Trusted Equipment in seconds.
Do we need a smartphone?
Not necessarily, you can also use our PC/Mac Authenticator or simply use your browser as a trusted device. Check out the “Deviceless” topic in the FAQ to learn more about this technology.
Deployment
How do we deploy TrustBuilder.io Multi-factor Authenticator?
Our solution is SaaS-based and therefore requires very little effort to install. The only components to install are a provisioning tool for accounts provided by TrustBuilder and, potentially, a specific connector when the application to protect is not compatible with our connectors.
Can the solution be used in B2C apps?
We provide web and mobile SDKs for consumer projects that want to embed MFA without disrupting the user experience.
Administration
TrustBuilder provides a specific website with practical tools and guides to facilitate (even more) the integration of our multi-factor authentication solution to your applications.
Documentation
Documentation and tutorials to guide you in integrating TrustBuilder.io Multi-factor Authenticator (MFA) into your architecture.
Integrator kit
Resource files and sample code to integrate the inWebo Web Services API in your desired language.
Support
You need technical support and can’t find the answer to your question in the FAQ?
Keep in mind that TrustBuilder cannot provide direct support to the end users of its solution for security and confidentiality reasons. Contact the support of the organization that opened your account and gave you your access codes.
If you’re a partner or direct customer of TrustBuilder you can contact our support team.
How to create your TrustBuilder account?
You can’t create a TrustBuilder.io Multi-factor Authenticator profile yourself and associate it with your accounts; it’s up to the organizations managing those accounts to do that for you. For example, your company creates a profile for you to access your business applications, and your bank allows you to authenticate to its online banking application.
Where can I find my access codes?
The organization that creates your profile will provide you with an activation code. This can be a numeric code or a clickable link in an email sent by your organization. TrustBuilder does not have access to this information.
I haven't received an access code, what should I do?
If you haven’t received an activation code or email, first check your junk mail (spam) folder. If you still can’t find it, you should directly contact the organization that created your TrustBuilder.io Mobile Authenticator profile. This can be the IT support team, a customer support hotline or another contact, depending on the organization.
I cannot login
If you can no longer access your TrustBuilder account, you must contact the organization that created your profile directly. Please do not contact us for this; we are unfortunately unable to respond to support inquiries from end users.