Strong Authentication

What is multi-factor authentication (MFA)?


Password authentication is based on a single authentication factor: the password itself.

Multi-factor authentication combines several factors, usually two, which makes stealing a user's identity significantly harder: an attacker has to compromise every factor, not just one of them.

Some MFA solutions generate a one-time password (OTP) that is valid for a single session. An attacker who captures this password cannot replay it later: once that session is over, it is worthless.

The most common authentication factor combinations are the following:

  • "Something you have" (PC, mobile or other physical device) + "Something you know" (usually a PIN code)
  • "Something you have" + "Something you are" (fingerprint, face recognition, etc.)

The form factor, that is, the nature of the device users carry with them, has many implications; the most important are the level of security and the user's convenience.

Why use Visual Guard Strong Authentication?

More than ever, data is threatened by attacks or identity theft. Identity protection has, therefore, become critical and requires authentication solutions that meet the challenges of data security.

Passwords are no longer sufficient, unless you choose a (too) heavy password policy (frequent changes, passwords too complex for users to remember, etc.).

Until now, strong authentication (multi-factor authentication, or MFA) was more secure, but required equipping users with hardware tokens. This implied significant delays, high costs and constraints for users.

Therefore, organizations had to choose between security and ease of use, taking into account risks, security, user constraints, management burden and, of course, costs.

This is why strong authentication was often limited to situations where the risks were high enough to justify its drawbacks.


Alternatives to hardware tokens now exist, and Visual Guard integrates the only solution that combines a high level of security and extreme simplicity for the user.

User comfort

Smart card authentication, used by some banks, requires the user:
  • to carry a reader and a smart card,
  • to enter a PIN code,
  • and to answer a challenge generated by the server.

Security token authentication requires the user:
  • to carry the token,
  • and to copy the generated security code manually into the authentication page.

At the other end of the comfort spectrum, Visual Guard's strong authentication is based on trusted devices and eliminates unnecessary and tedious operations:

  • The user simply enters a PIN code.

It is also a flexible solution that allows the user to authenticate with different devices, depending on what is most convenient for him.

Find more information about possible authentication scenarios on this page.

Security level

Commonly used second factors each have known weaknesses, among others:

  • Non-connected methods, such as keychain hardware tokens or OTP-generating apps, are vulnerable to phishing: the code is typed into whatever page asks for it, so a fake login page can capture a still-valid code and use it immediately.
  • SMS codes ("short texts") are vulnerable to smartphone malware and social engineering.
  • Most software methods, especially those running on a mobile phone, are vulnerable to reverse engineering that lets an attacker extract the authentication key.
  • Single-channel methods, where the transaction and the authentication take place on the same device, are vulnerable to Man-in-the-Browser and Man-in-the-Middle (MitB/MitM) attacks.

Costs

By removing hardware tokens, you also eliminate all costs associated with purchasing hardware, distributing tokens to users and replacing broken or lost tokens.

Agility

Visual Guard's strong authentication provides a secure and scalable registration and revocation process. Many use cases do not even require any installation on the user's device.

Key Features

Use trusted devices to enhance security

This solution raises the level of security:

  1. By producing a one-time password (valid for one session only),
  2. Generated from a trusted device (tablet, mobile or PC).
    This can be the device running your application or the user's mobile.

Anyone who wants to access your account:

  1. Must obtain your password for that session (as usual, except that this password is one-time: once the session is over, it is worthless),
  2. Must ALSO have access to your trusted device,
  3. Neither of these two elements, taken separately, is sufficient.
    Both are required to connect.

All devices, no constraints

Several authentication methods are available:

  • Authentication with a dedicated mobile App:
    The user can generate a password on demand, or accept a request sent to his mobile when he tries to access his application (available on iOS, Android, Windows Mobile or Blackberry).

  • In-App Authentication:
    Thanks to a specific SDK, passwords are generated by your application.
    More information about Tokenless (In-App) MFA in this page

  • Browser authentication:
    Your web browser becomes the one-time password generator (available for all browsers). This Virtual Authenticator is the easiest and most secure authentication method.
    More information about the Virtual Authenticator on this page.

Flexible authentication

The methods listed above cover most use cases.

They can be used in very flexible ways:

  • You can deploy multi-factor authentication for all users without worrying about who will use a mobile or not.

  • A user can connect via a web browser most of the time, and use mobile authentication when he connects from a new or unusual device (personal computer, cyber café...).

  • We also support the case where the user has neither a cellular network nor WiFi on his mobile.

More details on authentication methods on this page.

Several devices, one PIN

If the user has several trusted devices, a single PIN code is enough:

  • The experience is the same whatever the authentication method. This may seem obvious for password authentication, but it is rarely the case for strong authentication.

  • This PIN is never stored on the trusted devices.
    If a device is lost or stolen, security is not compromised: the thief holds the possession factor but still lacks the knowledge factor.
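The passages "Use trusted devices to enhance security" and "Several devices, one PIN" above describe four properties: the code is one-time, it comes from a trusted device, the PIN is never stored on the device, and one PIN serves every device. The following Python model is added here as an illustration of one construction with those properties; it is not Visual Guard's own (patented) algorithm or SDK. It uses an RFC 4226 HOTP whose key is derived from a per-device secret and the PIN at generation time, so the device stores nothing about the PIN. The device names, the PIN and the device keys are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

# Assumed, illustrative model of the properties described on this page. It is
# not Visual Guard's algorithm. The trusted device keeps a random device key and
# a counter but never the PIN; the PIN is mixed into the OTP key each time a
# code is generated. The server keeps, per enrolled device, the PIN-bound key
# derived once at enrollment and the next expected counter.

DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    dynamic truncation to the requested number of decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pin_bound_key(device_key: bytes, pin: str) -> bytes:
    """Derive the OTP key from the device key and the PIN (assumed construction).
    The same PIN therefore works on every device, and a device without the
    PIN cannot produce a valid code."""
    return hmac.new(device_key, pin.encode(), hashlib.sha256).digest()


class TrustedDevice:
    """What the user carries: a device key and a counter, nothing about the PIN."""

    def __init__(self, device_key: Optional[bytes] = None) -> None:
        self.device_key = device_key if device_key is not None else os.urandom(32)
        self.counter = 0

    def generate(self, pin: str) -> str:
        """Prompt for the PIN, emit one OTP, and move to the next counter value."""
        code = hotp(pin_bound_key(self.device_key, pin), self.counter)
        self.counter += 1
        return code


class AuthServer:
    """Per device: the PIN-bound key from enrollment and the next expected counter."""

    WINDOW = 5  # tolerate a few codes generated on the device but never submitted

    def __init__(self) -> None:
        self.devices: Dict[str, dict] = {}

    def enroll(self, device_id: str, device: TrustedDevice, pin: str) -> None:
        # Only the PIN-bound key is kept; the raw device key stays on the device.
        self.devices[device_id] = {"key": pin_bound_key(device.device_key, pin), "counter": 0}

    def verify(self, device_id: str, code: str) -> bool:
        rec = self.devices.get(device_id)
        if rec is None:
            return False
        for c in range(rec["counter"], rec["counter"] + self.WINDOW):
            if hmac.compare_digest(hotp(rec["key"], c), code):
                rec["counter"] = c + 1  # a code is accepted at most once: no replay
                return True
        return False


def scenario() -> Dict[str, bool]:
    """Walk through the cases the page describes; keys are fixed so the run is reproducible."""
    pin = "4711"  # constructed sample PIN
    phone = TrustedDevice(bytes.fromhex("00" * 32))  # constructed sample device keys
    laptop = TrustedDevice(bytes.fromhex("ff" * 32))
    server = AuthServer()
    server.enroll("phone", phone, pin)
    server.enroll("laptop", laptop, pin)

    code = phone.generate(pin)
    results = {
        "good_pin": server.verify("phone", code),
        "replay": server.verify("phone", code),  # same OTP submitted a second time
        "wrong_pin": server.verify("phone", phone.generate("0000")),
        "same_pin_other_device": server.verify("laptop", laptop.generate(pin)),
    }
    # A thief images the phone: device key and counter, but no PIN.
    clone = TrustedDevice(phone.device_key)
    clone.counter = phone.counter
    results["stolen_device_guessed_pin"] = server.verify("phone", clone.generate("1234"))
    # Possession AND knowledge together are what succeeds.
    results["stolen_device_right_pin"] = server.verify("phone", clone.generate(pin))
    return results


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case:28s} {'accepted' if ok else 'rejected'}")
```

The server advances its counter past every accepted code, so the same OTP is rejected on a second submission, and the small look-ahead window absorbs codes generated on the device but never sent. Note what this model does not do: a code typed by the user can still be captured by a phishing page and used once, immediately, which is the weakness listed under "Security level" for non-connected OTP methods.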

Biometrics as an authentication factor

The PIN code is often used as the second authentication factor ("what you know"), in addition to the possession factor ("what you have").
Instead of a PIN code, users can authenticate with biometrics if their device supports it (fingerprint reading, for example).

More information on biometric identification on this page.

Available, Robust, Certified

To ensure that the authentication service is always available, it relies on several independent server infrastructures, distributed in certified, fully redundant data centers, and managed by different providers.

The loss of connectivity of all but one server infrastructure would have zero impact on the availability of the authentication service.

This architecture has achieved 100% service availability over the past 5 years. Even Gmail and AWS have lower availability rates.

The implementation and design of this solution, as well as the use of patented algorithms, guarantee a very high level of security, both on the client and server sides.

In addition, these authentication algorithms are executed inside Hardware Security Modules (HSMs), protecting them against attacks and abuse.

Thus our users have full control over the entire chain of trust.