TrustBuilder Mobile Authenticator
Secure and user-friendly mobile authentication
Offering the best user experience combined with ultimate security, that is the promise of TrustBuilder Mobile Authenticator. It caters to the mobile user who wants to get rid of passwords and adds strong authentication for mobile as well as web-based applications.
TrustBuilder Mobile Authenticator at work
TrustBuilder Mobile Authenticator can be used as a standalone product or integrated into your mobile application, through our SDK. That SDK offers an integrated user experience and allows authentication within your application, without the need to launch a second third-party authenticator.
How to implement
By using our SDK, organizations can integrate TrustBuilder Mobile Authenticator into their applications. Users no longer need to install, configure, or use additional third-party apps. Organizations control their users’ experience for onboarding and access to their applications.
If the organization doesn’t have an app of its own, it can use the TrustBuilder authentication app, which it can brand according to its own style guide, making authentication completely transparent to users.
Flow for the user – Onboarding
Since the organization can choose its own user experience, custom-tailored onboarding mechanisms are possible. The principle is always the same: the user needs to receive some account credentials to initialize his account. These can be generated on the fly based on the user’s input, sent by traditional or electronic mail, or reused from existing credentials. After entering these credentials into the application, a QR code is displayed. The user then opens the app with the TrustBuilder Mobile Authenticator, scans the QR code (which contains a reference to the server he needs to connect with), and chooses a unique PIN for the mobile application.
In the background, secure communication channels are set up to generate unique key pairs. For mobile-only onboarding, the QR code is replaced by a unique key that is securely transmitted between the application and the TrustBuilder authentication service.
The app is now bound to the mobile device and linked to the user account. To make authentication even easier, the user can also activate device biometrics such as fingerprint or face recognition to avoid keying in the PIN as the second factor.
When the onboarding happens on a web page, TrustBuilder will also link the device and browser to the user’s account, for additional security and a better user experience.
TrustBuilder Mobile Authenticator combines ultimate customer experience with airtight security. This short video shows you how easy it is to connect a device to an application using TrustBuilder Mobile Authenticator. Once connected, authenticating becomes completely frictionless for your users.
Flow for the user – Authentication
Next time the user wants to access the web application, his account details will be automatically displayed based on the device and browser information that TrustBuilder receives. The user now only needs to request access by clicking a button, and a push message requesting access will be sent to the organization’s app on the user’s mobile device. The user confirms the message by keying the PIN or using biometrics and access is granted to the web application.
If the user uses a new browser or PC, or if the push mechanism is disabled, he can instead scan the QR code that is displayed and confirm with PIN or fingerprint.
When using the app in which the TrustBuilder SDK is integrated, the user only needs to enter the PIN or use biometrics to access the mobile app; the TrustBuilder Mobile Authenticator then authenticates towards the server based on a unique, time-based key pair. That way, no passwords ever need to be transmitted over potentially insecure channels such as public Wi-Fi.
TrustBuilder Mobile Authenticator is developed for use on the most popular mobile platforms and is available for Android and iOS. Users only need to give permission to use the camera to scan the QR codes during the onboarding and accept notifications for the push authentication.
Use cases for TrustBuilder Mobile Authenticator
TrustBuilder Mobile Authenticator is not limited to a single use case: the solution is applicable in different circumstances where security and user experience need to go hand in hand.
Secure login for web
Accessing a web application just got easier: the user can open the application in the browser, request a push notification, accept it on a smartphone and it can then start working immediately. If the application is not yet connected to the smartphone, onboarding needs to happen first (see above).
Secure login for mobile app
Accessing an app on the smartphone is even smarter: TrustBuilder Mobile Authenticator can be integrated into the app. The user opens the app, provides a PIN or fingerprint and can then access the app instantly. All the complexity of authenticating is hidden from the user.
Transaction confirmation
Consumers can use TrustBuilder Mobile Authenticator to confirm transactions, for instance a bank transfer. The banking application sends a push notification to the user’s smartphone, requesting confirmation. The message can be customized, so users are informed about what is happening (WYSIWYS: what you see is what you sign). This also limits hacking through social engineering, thanks to adaptive authentication. By simply providing a PIN or fingerprint, the transaction can be confirmed.
Transaction signing
Transaction signing happens very much in the same way as transaction confirmation. In the case of transaction signing, a unique hash of the file is created by TrustBuilder, sent to the smartphone and then digitally signed using TrustBuilder Mobile Authenticator. After signing, the file is encrypted and securely sent back to the banking application. Again, a PIN or a fingerprint will suffice.
Why use TrustBuilder Mobile Authenticator?
TrustBuilder Mobile Authenticator offers a great customer experience while enforcing best-of-breed security. That’s a lot already, but there are further reasons to make our tool your preferred authenticator.
Passwordless customer experience
Once users have onboarded, TrustBuilder Mobile Authenticator offers consumers a passwordless experience. All they need is a PIN or a fingerprint to gain access to applications. Onboarding is a painless and easy process that will not deter new customers from starting to use your app.
Asymmetric cryptography for ultimate security
At the heart of TrustBuilder Mobile Authenticator, you will find asymmetric cryptography, which uses separate, yet mathematically connected, cryptographic keys (a public key and a private key). This means the secret (the private key) never leaves the user’s device. The secret is not stored at the server and is never sent over. This makes TrustBuilder Mobile Authenticator safer than authenticators that use shared secrets.
The public and private key are generated during onboarding, using unique elements from the user’s device in combination with the application it is connecting to. This eliminates the threat of hackers cloning devices or copying applications, since each application on each device has a unique key.
This combination of asymmetric cryptography and device binding enables an organization to link multiple private keys to one public key. An organization that has multiple apps can generate multiple private keys that are linked to the user’s public key, which further enhances security. For each device or app, there is a separate private key. Keys are generated on the fly during onboarding, so you will never encounter a case where users cannot access your application because of an administrative license mistake.
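The flow the page describes (a key pair generated on the device at onboarding, only the public key enrolled per device and app, and a push challenge whose displayed text the user approves and the device signs), as an added Go example; this is not TrustBuilder’s code or SDK. It assumes Ed25519 signatures over a SHA-256 digest of nonce, displayed text, device id and app id, which are illustrative choices, and leaves out the PIN/biometric unlock and the transport channel.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
)

// Device models the authenticator app: the only place the private key ever exists.
type Device struct{ priv ed25519.PrivateKey }
// Challenge is the push payload: a fresh nonce plus the exact text the user sees (WYSIWYS).
type Challenge struct{ Nonce, Text string }
// Server stores only public keys, one per device|app binding, plus spent nonces.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	usedNonces map[string]bool
}
func NewServer() *Server { return &Server{map[string]ed25519.PublicKey{}, map[string]bool{}} }
// Onboard: the device generates its key pair and hands over only the public half.
func (s *Server) Onboard(deviceID, appID string) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	s.pubKeys[deviceID+"|"+appID] = pub
	return &Device{priv: priv}
}
// NewChallenge is what the server pushes for one transaction: random nonce plus display text.
func (s *Server) NewChallenge(text string) Challenge {
	b := make([]byte, 16)
	rand.Read(b)
	return Challenge{Nonce: hex.EncodeToString(b), Text: text}
}
// signingInput binds nonce, shown text, device and app, so a signature fits nothing else.
func signingInput(c Challenge, deviceID, appID string) []byte {
	h := sha256.Sum256([]byte(c.Nonce + "\n" + c.Text + "\n" + deviceID + "\n" + appID))
	return h[:]
}
// Confirm runs on the device once the user approves with PIN or biometrics.
func (d *Device) Confirm(c Challenge, deviceID, appID string) []byte {
	return ed25519.Sign(d.priv, signingInput(c, deviceID, appID))
}
// Verify fails for an unknown binding, a replayed nonce, a wrong key or altered text.
func (s *Server) Verify(c Challenge, deviceID, appID string, sig []byte) bool {
	pub, ok := s.pubKeys[deviceID+"|"+appID]
	if !ok || s.usedNonces[c.Nonce] || !ed25519.Verify(pub, signingInput(c, deviceID, appID), sig) {
		return false
	}
	s.usedNonces[c.Nonce] = true
	return true
}
```

Because the device id and app id are part of the signed input, a second enrollment of the same phone for another app gets its own key and cannot approve transactions for the first app.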
Protection against ‘Man in the Middle’ and ‘Man in the Browser’
TrustBuilder Mobile Authenticator works out-of-band: the push notification is sent over a different network carrier than the connection to the app. Combined with asymmetric cryptography, a secure communication channel and device binding, this protects the tool against Man in the Middle and Man in the Browser attacks.
Key differentiators of TrustBuilder Mobile Authenticator
Not all authenticators are created equal. TrustBuilder Mobile Authenticator carries on where other authenticators leave off.
Authentication is made even more convenient for the user when push notifications are used. When a user wants to get access to a browser app, he can request a push notification to be sent to his smartphone. By simply typing in a PIN or scanning his fingerprint, authentication is processed automatically. Push notifications on TrustBuilder can be used with any app on any device, be it mobile, tablet, smart TV or IoT device.
A user can connect multiple devices to an application, for instance a smartphone and a tablet. Unlike SMS OTP, it is not tied to a SIM card. Each device is activated separately, so no codes need to be copied between devices. Once the onboarding with device binding is done, any of these devices can be used to access resources. When requesting a push notification, the notification is sent to all devices where the user allowed this.
If a device that holds the private key and is connected to an application is lost or stolen, the user can deactivate the device through device management. This happens on the self-service portal, available as an API or a predefined server. Should the device be found by someone who also knows the owner’s PIN, TrustBuilder can add risk-based behavioral scoring with adaptive authentication measures to eliminate this risk.
Once the user is authenticated, the application can send over the private key with every interaction that is done on the mobile device. This ensures that no hacker can intercept and change messages after the authentication process. Since the application communicates with TrustBuilder over a secure channel in the background, the user will not notice this elevated security.
Comparing TrustBuilder Mobile Authenticator
Many ways of authenticating are available in the market. We believe TrustBuilder Mobile Authenticator beats them all on both user experience and security.
Better than username/password
The combination of username and password is one of the preferred authentication methods for hackers. Consumers using easy passwords for multiple applications are accidents waiting to happen. And when using difficult passwords, they often reuse the same password on multiple applications. Sometimes passwords are cached on a mobile device, rendering the device even more vulnerable. Many apps that use device biometrics are still only storing passwords, which are then transmitted over insecure channels such as public Wi-Fi. Besides, smartphone keyboards are not particularly convenient for keying in difficult passwords and can also be abused by hackers. TrustBuilder Mobile Authenticator makes authenticating both easy and secure.
Better than OTP SMS
One-time passwords come with the advantage of being limited in time. This makes them less vulnerable to hacking. If not used correctly, however, OTPs can pose a security risk, for instance when they are sent by SMS. Malware on the mobile device can request and intercept those OTPs without the user’s knowledge. Another well-known technique is masquerading as the SMS network, which even intelligence organizations have difficulty countering. Another issue with SMS is network reliability, which frustrates users when they don’t receive the OTP or request multiple OTPs, resulting in blocked accounts. This is not the case with TrustBuilder Mobile Authenticator.
Better than OATH authenticators
Authenticators such as Google or Microsoft Authenticator are based on the OATH protocol, using shared secrets. These are less safe than TrustBuilder Mobile Authenticator. OATH allows users to copy the shared secret, which can lead to unauthorized users gaining access. Some authenticators allow users to export shared secrets and use them on a second device without proper user verification. Keying in OTPs that are only valid for a limited time can also be frustrating, especially if you have to search through a whole list of applications. TrustBuilder Mobile Authenticator works with device binding, so it is always clear which device was used to authenticate with. The integration and branding in your app, as well as push authentication, increase customer satisfaction. As you don’t need to rely on a third party for access to your application, you can assist users yourself should they encounter issues with the authentication.
Authentication is always a trade-off
What do you find the most important when setting up authentication? Is security your priority? Or user convenience? Finding the right solution is always a balancing act. Price, security, user convenience and user adoption are important elements to factor in. Fortunately, TrustBuilder Mobile Authenticator gets high grades on each of these axes.
How much are you willing to spend on authentication? The price of an authentication solution is more than just the license cost. Consider also helpdesk operations, cost of usage (for instance, the cost of the SMS when you send a one-time password or use another paying platform), without neglecting the hidden cost of customer churn due to hacks or complexity of your solution, or churn because you’re giving away control over access to your application. A federated authentication solution doesn’t know how important that one user might be to your company.
If security is your prime concern, steer clear of solutions that send one-time passwords that are easy to intercept, or platforms that are easy to hack. Some technologies to consider when going for ultimate security: PKI-based asymmetric cryptography, out-of-band, device binding, PINs that are specific to your application, biometrics to unlock an app and multi-licensing.
Making life as easy as possible for your customers can be achieved by eliminating solutions that require the use of a hardware token system that necessitates copying numbers from one device to another. Push notifications, biometrics or behavior as a second authentication factor are much easier for the user, as they support passwordless authentication. Also, avoid solutions where you depend on an external helpdesk to solve potential issues.
Consumers don’t like it if they have to install a new app to authenticate. Using an existing solution will lead to a faster rollout of your security implementation, but you will give away some of the control. Another option is to embed the authenticator into the app your customers are already using. Adding the TrustBuilder Mobile Authenticator SDK not only enhances the security of the app itself, it will increase your brand recognition and promote your mobile application. The lightweight SDK integration ensures that authentication doesn’t interfere with the app’s main purpose. Integrating through an SDK allows you to design the user journey yourself, while you can also integrate a self-service option to let users change passwords themselves. This drives down the helpdesk cost for your organization.