In-App MFA (Tokenless)

Authentication integreted in the browser / App

In-App MFA

Using a mobile application for user authentication is easier to deploy than hardware tokens or USB dongles.

However, this solution requires that all users have a smartphone and that they have installed and enabled the MFA application.

Visual Guard bypasses this problem and allows a wider adoption of strong authentication.

Rather than using a stand-alone token (Application or hardware) and having the user enter the OTP (one time password) into a desktop client, a mobile application or a browser page, the in-App MFA allows you to generate the OTP directly in the authentication interface.

This approach replaces the use of tokens, smartphones, soft-token and even short-text codes for authentication.

In-App authentication methods and implementation

There are two methods to implement the in-APP MFA:

  • For Native applications (mobile applications or desktop clients): an MFA library, available for all platforms (iOS, Android, Windows Phone, desktop clients), must be added to the code of the application.
  • For Web applications: MFA JavaScript libraries for which it only takes a few lines of HTML to be added to the code in the application's login page

As the MFA library is integrated into the native or web application, there is nothing more to install by the user: no application, no plugin, no extension. This is why this mode is called "tokenless MFA".

How does it work?

The application, the client, or the browser must first be activated and linked to a user account.

The process is the same as with an authentication App or a hardware token. The application / client / browser literally becomes an authentication tool, storing the identity information that will be used for authentication (the "what I have" authentication factor). The MFA library manages this information on behalf of the application: transmission, communications with the authentication server, updates, protection and usage.

When connecting to the application via the App, the desktop client or the browser, the user is prompted to enter a password or biometric trait (or "nothing" in the case of a "2nd factor" scenario). The library uses this information and the identity information provided by the App / desktop client / browser to generate an OTP.

The OTP is used in the authentication request sent to the server by the application.

There is very little change for the user compared to a traditional, non-MFA authentication. Ease of use is one of the main advantages of in-App authentication.

Security model

Since OTPs are not displayed, the multi-factor authentication integrated into the application (in-App MFA) surprises because of its similarity to password authentication.

User experience is outstanding, but what about security?
To put it simply, it's exactly the same as the security of a 2FA (two-factor authentication) hardware or App token:

  • To create a valid OTP and access a user account, a hacker requires identity information from the MFA library and the user's secret code (or biometric trait). The fact that these credentials are stored in the user's App, client or browser instead of a separate MFA application or hardware token does not make it any easier or harder.
  • If the App, the client or the browser is compromised, the hacker will be able to connect to the user's account and will be able to create transactions on his behalf unnoticed only if an authenticated session has been started. This is the case whatever the authentication method, in-App or out-of-band (to avoid this, you must seal user transactions with a second authentication channel). In this respect, the MFA integrated into applications, like other authentication methods, is as secure as the App, the client or the browser used to login.

Strong authentication for any application, native or web

Unlike all other second-factor methods such as smart cards, hardware tokens, MFA applications or SMS, multi-factor in-App authentication - based on an App, a client or a browser - provides optimal security to any application without impairing the user's experience.