The basics of multi-factor authentication: QR Tokens – Highly secure and highly versatile

One of the most secure and reliable ways to secure logins, data and transactions are QR tokens. They provide an easy-to-use and secure solution to multi-factor-authentication (MFA). And this is how authentication via QR tokens works: For a login or transaction, the user is shown a QR code. The user simply scans the QR code with the authenticator app on his smartphone.

All the user needs is mobile connectivity, no additional user input is necessary and no additional data is saved on the authenticated device. This means that QR tokens provided through the KeyIdentity MFA platform and LinOTP solution can also be used to facilitate secure offline authentication for laptops and mobile devices. Based on modern signature algorithms as well as the principles of device separation and transaction data validation, QR tokens allow for the highest level of security.  Continue reading The basics of multi-factor authentication: QR Tokens – Highly secure and highly versatile

The basics of multi-factor authentication: What is a push token and how can businesses benefit of it?

A Push Token is an advanced technology for an easy-to-use and secure multifactor authentication (MFA): When a user tries to access protected content or initiates a transaction, a push notification is sent to the users registered mobile device, for instance a smartphone. Continue reading The basics of multi-factor authentication: What is a push token and how can businesses benefit of it?

The basics of multi-factor authentication: How to pick the right token

Multi-factor authentication (MFA) is based on the idea that a user possesses several unique pieces of evidence which cannot be provided or accessed by a third party. This can be either knowledge like a password, biometric features like a fingerprint or a physical object like a hardware token.

Modern MFA solutions like LinOTP and the KeyIdentity MFA platform support a wide range of tokens to accommodate different use cases, risk levels and cost considerations in B2B and B2C scenarios. Here is a short overview on most common token types: hardware and software tokens, SMS and biometrics as well as QR and push tokens.

Hardware tokens: independent of the device running the application

Hardware tokens are available in various designs ranging from portable USB authenticators to keychain devices to flexible display panels embedded in identification cards. They all have one advantage in common: Since hardware tokens come with their own display and battery, they can operate independently of the device running the application.

A special type of hardware token is the standardized FIDO U2F supervised by the open-authentication industry consortium FIDO Alliance. Based on the Universal Second Factor standard U2F, users can “bring their own token” (BYOT). This means that tokens already owned can be reused at a consistent level of security Continue reading The basics of multi-factor authentication: How to pick the right token

What does LinOTP’s API-first development mean for you?

LinOTP – the open source MFA solution – is developed with an API-first strategy in mind. For us at KeyIdentity this does not mean to dogmatically follow each and every REST guideline but to think about the easiest yet most flexible way of introducing new features to our API in terms of simplicity of integration before the feature is actually implemented, while remaining backwards compatibility. Therefore, our API for all of our customers is feature complete.
For an integration product such as LinOTP, an easy integration into the user’s environment is probably the most important key feature. While historically LinOTP’s most used integration practice is based on the RADIUS protocol together with the FreeRADIUS server shipped with the KeyIdentity LinOTP Smart Virtual Appliance (SVA), the HTTP based API recently gains more and more importance. Especially for web applications LinOTP’s HTTP based API allows for easier and deeper integrations.
LinOTP features a stateless HTTP based API for validation, returning responses in the simple-to-parse JSON format. Request parameters may be sent as URL encoded data in a POST request’s body. This article will show what the API-first strategy means for you and how to integrate LinOTP into your own web applications.
To demonstrate LinOTP’s API by example, we show you how to integrate the QR Token into your environment.

Continue reading What does LinOTP’s API-first development mean for you?