SMS OTP has many drawbacks: it is not really multi-factor authentication, it does not work while roaming, and delivery times vary from very good to very bad.
However, the use of SMS OTP may be relevant in some situations. As a result, SMS OTPs are supported (the option is not allowed by default). The user will have to enter a code received on his mobile phone to connect to your service.
The authentication application provided with Visual Guard (the trusted device) is used as an offline one-time password (OTP) generator. The user's name and OTP are then submitted by the user on your authentication page. The application connector queries our platform, validates the OTP and authenticates the user.
This method works in all circumstances (including offline and airplane mode). However, it is tedious and there are much simpler ways.
The user submits his login on your authentication page. The strong authentication platform is queried via the application connector and sends a push notification to the authentication application registered for that username. The application wakes up and appears on the user's phone. He enters his PIN code and the application generates an OTP, which is submitted to our platform for validation in the background.
Here, the PIN (aka the second factor) is a step that can be skipped if there has been a first authentication. It can also be replaced by a touch on a fingerprint sensor if the smartphone is equipped with one. Soon, it will also be facial or voice recognition or any other form of biometric authentication provided by the smartphone or strong authentication module.
Assuming that there is enough signal, this method is much more user-friendly. However, the user needs his phone every time he authenticates himself. The ease of use is appreciable, especially compared to previous authentication methods. However, repeating this procedure every time you connect to an application quickly becomes tedious.
Some of your users may not be equipped with smartphones, and some may not want to use their personal one to authenticate themselves to your service. Perhaps they would like something even simpler...
To cover these and other cases, Visual Guard uses a web app that displays OTPs directly in the user's browser.
It is two-factor authentication without a phone or token! But carrying a token is only half the pain, the other half being dealing with OTPs. Can we remove that altogether? Indeed we can do that for web-based services.
The browser used to access your service has been enrolled as a trusted device. Your authentication page detects it and displays the Virtual Authenticator, the browser-based authentication method. The user can optionally check the security information (as they would for a website with an SSL certificate) and enter their PIN. An OTP is generated and submitted in the background to your server. Our platform is queried via the application connector, validates the OTP and authenticates the user.
This method is much simpler: the user did not need his phone because he used one of his usual devices to access your service.
But how can he connect to his applications if he doesn't have his usual computer?
Your authentication page is now smart enough to test transactions. If browser authentication is not possible, an alternative will be offered automatically (push notifications, offline mobile OTP, SMS OTP). The experience is seamless.