InWebo Technologies sas, 3 rue de Montyon, 75009 Paris, France
InWebo Technologies Inc, 169 11th street, San Francisco CA 94103, USA

Frictionless Strong Authentication



InWebo Technologies. Confidential 2

InWebo’s key features

InWebo offers hardware-less, secure solutions that are easy to implement, to manage and to use. Available as a SaaS, the solution delivers incredible flexibility with an unmatchable TCO.

InWebo preserves your control over your identities, but manages in a smart way, under your policy, all steps of authentication: enrolment, token management, identity federation, recovery, auditing and smooth migration, bringing ease of use to the end-user.

The InWebo Platform turns any mobile, PC, web browser or native app on any device into a 2-factor authentication token.

InWebo is your “last mile” partner for managing the identities in your IT infrastructure.

A flexible and secure SaaS architecture

The architecture of the solution involves:

○ A validation server available online in HA mode. Security is provided by the intensive use of Hardware Security Modules (HSM) for key protection and secure application execution (the OTP validation itself runs inside the HSM).
○ One or several connectors between the applications requesting authentication and the validation server. The connectors are configured on the application and in the InWebo administration console. Several connectors are available: Web Service, RADIUS, SAML V2.
○ Authentication tools (“tokens”) that generate One Time Passwords: the Authenticator for phones, the Browser token, and the mAccess library.

OTPs generated by the end-users are sent to the application; the application then uses a connector to validate the OTP on the validation server.


When the user needs to authenticate, he/she launches the application, or connects to the web application by entering its URL in a browser or by launching the mobile app.

A rich set of software tokens: “Bring Your Own Token”

With InWebo, users can have as many authentication tools (tokens) as you allow. InWebo tokens are super-easy to install and to use. They run on all the devices a user would typically have: phones, smartphones, PCs, Macs, tablets, even connected TVs or connected cars. Users can use any of these tools interchangeably to connect to The Customer applications. Tokens are free of charge.

Thanks to this multi-token approach, organizations can implement the security policies of their choice. For instance, they can enforce multi-channel (“out-of-band”) authentication for highly sensitive operations, or for external personnel in non-controlled environments.


- Mobile token: “InWebo Authenticator” or “nCode” is a universal OTP generator for phones, smartphones and tablets, available for all Java phones (including old Java phones in developing countries). InWebo Authenticator is available for free on the app stores, or it can be packaged and distributed for/by organizations. The mobile token application can operate in online or offline mode. In offline mode, it displays the OTP and the user retypes it in the appropriate application. In online mode, using an authentication notification, the OTP is automatically generated and sent, providing an unmatched user experience. The mobile token works as a local “key holder”: it allows connection to multiple applications from one single device, with one single PIN code.

On a PC or tablet where no tool is installed, authentication with the mobile token follows these steps:

● The user launches the application.
● The user enters his/her user ID.
● A notification for authentication is sent to the mobile (no SMS or phone number needed).
● The mobile token app is launched and prompts the user for his/her PIN code.
● The mobile token generates the OTP and sends it to the server for validation.
● The user is authenticated.

- Browser token: InWebo Virtual Authenticator is a 2-factor authentication module enabled directly in the browser, without any installation and with Single Sign-On features. It allows a user to authenticate even without a mobile: the device or browser is used instead as the first factor (“what I have”). It is available on all HTML5 browsers (including IE8). User profiles allow sharing a device between multiple users.

On a PC, tablet or smartphone where no tool is installed, authentication follows these steps:

● The user enters the URL of the target site. The login page includes simple scripts which invoke the browser token.
● The browser token is loaded in the web page and prompts the user for his/her PIN code (the first time, the user enrolls and defines the PIN code). The PIN code is never sent over the Internet.


● The browser token generates the OTP and fills in the appropriate form.
● The OTP is transparently validated by the InWebo server.
● The user is authenticated.

- In-App token: mAccess is a 2-factor authentication library that allows customers to integrate authentication functions into their own applications. It can also seal transactions. It can be used to enable 2-factor authentication within a mobile app, or to build your own authentication application, similar to InWebo Authenticator but under your organization’s logo.

Supported platforms & browsers

InWebo Authenticator (mobile token) is available for iOS 4+, Android, Windows Phone and BlackBerry, free of charge. Push is available on iOS, Android and Windows Phone only.

InWebo nCode (mobile token) is also available on:

● Any Java phone, even old ones (MIDP 2.0), and Nokia Symbian
● Windows Mobile smartphones
● Samsung Bada smartphones

InWebo nCode is available for download at m.InWebo.com

InWebo Virtual Authenticator (browser token) is available for any HTML5 browser (mobile browser or not) on any platform (Windows, MacOS, Linux, Android, iOS, BlackBerry, ...).


- Option: “customer Authenticator”: InWebo may develop a custom authenticator mobile application. This application will be similar to “InWebo Authenticator” but dedicated to the customer’s authentication service.

The main features of the application are:

• Enrolment with QR code or manually
• Authentication via notification (push)
• Offline OTP generation
• Unlock device with an unlock code to be entered
• Change PIN code
• Activate an additional device
• Configuration synchronisation

Application workflow:

1 - Launch the mobile application:

• Splash screen (your logo)
• Access to the main screen. The main screen displays a button to generate an OTP.
• Access to the menu (according to platform standards) with the following items:
• Unlock device: displays an unlock code for manual unlocking
• Change PIN code
• Add an additional device
• Configuration synchronisation

2 - In addition, the application will be able to receive notifications for:

• Authentication requests

3 - If the application is not yet activated (i.e. first launch), it automatically displays the activation screen. Activation is possible using a QR code or by entering the activation code manually.

The application may be developed for iOS, Android and Windows Phone; BlackBerry on request.


Unmatched security at every level

Robust security, although hidden from the end-user, is present at all steps of the design and the development.

InWebo’s authentication technology offers an additional level of security compared to traditional software OTP authentication solutions (see details in the security section below):

● A new valid OTP cannot be obtained by cloning the OTP generation software
● A new valid OTP cannot be derived from the observation of a (once) valid OTP, even combined with the cloning of the OTP generator
● Copying active keys does not allow calculating a new valid OTP
● An OTP is only valid for one service
● The OTP validation is processed within the programmable cryptographic core of the HSM

Furthermore, InWebo offers additional protections against:

● OTP replay: an OTP cannot be replayed, and it has a short lifetime
● Phishing and pharming attacks: InWebo Virtual Authenticator checks that the requested login site is specifically identified as authorized by the service administrator
● Man-in-the-middle attacks: InWebo Virtual Authenticator matches the user IP address reported by the target login site with the one captured during the server pre-authentication sequence
● Key-logging attacks: “out-of-band” generation of the OTP on the mobile device defeats capture of the PIN code by key-logging. The PIN code is never entered on the PC itself.
● InWebo’s security library, as a soft token technology, has obtained ANSSI certification. Please refer to http://www.ssi.gouv.fr/entreprise/certification_cspn/librairie-ncode-iwlib-java-version-2-1/

Special focus on server-side security:

● Server-side security is ensured by a thorough implementation of Hardware Security Module technology. The HSM is not only used for key protection, but also for application and data protection inside the HSM.
● The OTP validation application is executed within the HSM and not on the server. With such an architecture InWebo reaches the highest level of security. This also means that our customers do not have to trust the administrators of the servers or fear attacks on the platform: all sensitive information is stored and processed within the HSM. Note that the HSM prevents any key from being exported outside its internal secured storage.
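The validation rules listed in this section (an OTP is single-use, short-lived and bound to one service; the browser token only answers authorized login sites) and the server-side step of the mobile push flow described earlier, as an added Python model that is not InWebo’s code: the keyed-hash OTP construction, the 30-second lifetime, the function and class names and the sample sites are assumptions.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Set, Tuple

OTP_LIFETIME_S = 30      # assumed value; the text only says the OTP has a short lifetime
OTP_DIGITS = 6

# Login sites the service administrator authorised (constructed sample values).
AUTHORIZED_LOGIN_SITES = {"https://vpn.example.com", "https://mail.example.com"}


def otp_for(key: bytes, service_id: str, slot: int) -> str:
    """Keyed-hash OTP over (service, time slot). Mixing the service name into
    the MAC input is what makes an OTP valid for one service only."""
    digest = hmac.new(key, f"{service_id}|{slot}".encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def generate_otp(key: bytes, service_id: str, now: Optional[float] = None) -> str:
    """Token side (phone app, browser token or mAccess): the current OTP."""
    now = time.time() if now is None else now
    return otp_for(key, service_id, int(now // OTP_LIFETIME_S))


def browser_token_may_answer(origin: str) -> bool:
    """Phishing/pharming guard: the browser token only fills an OTP for login
    sites the administrator listed, so a look-alike origin gets nothing."""
    return origin in AUTHORIZED_LOGIN_SITES


class OtpValidator:
    """Validation server side. In the described platform this logic runs
    inside the HSM; here it is an in-memory stand-in so the rules can be run."""

    def __init__(self, keys_by_alias: Dict[str, bytes]) -> None:
        self._keys = keys_by_alias                          # alias -> token key
        self._used: Set[Tuple[str, str, int]] = set()       # (alias, service, slot) consumed

    def validate(self, alias: str, service_id: str, otp: str,
                 now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        key = self._keys.get(alias)
        if key is None:
            return "unknown-user"
        slot = int(now // OTP_LIFETIME_S)
        # Forget consumed slots that can no longer be presented anyway.
        self._used = {u for u in self._used if u[2] >= slot - 1}
        # Accept the current slot and the previous one (clock skew); older
        # codes have expired.  A slot is consumed on first success, so the
        # same OTP presented again is a replay even within its lifetime.
        for s in (slot, slot - 1):
            if hmac.compare_digest(otp, otp_for(key, service_id, s)):
                if (alias, service_id, s) in self._used:
                    return "replay"
                self._used.add((alias, service_id, s))
                return "ok"
        return "invalid"
```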


Integration

Easy integration with The Customer applications

InWebo supports 3 standard application integration methods for delegated authentication: SAML V2 (the InWebo platform is a technical Identity Provider), RADIUS (the InWebo platform is a RADIUS server for the VPN or the application), or web services.

Also, InWebo is declared as a third-party Identity Provider in the ADFS identity federation model.

Easy integration with The Customer AD and user repositories

The InWebo DirSync utility software (IWDS), installed on premises, performs on-the-fly synchronization of the user lifecycle between the customer’s AD or LDAP resources and the InWebo platform; it works across several AD clusters. IWDS can also be used for other user repositories such as a customer or partner database, even if these repositories only support a flat-file format.

Furthermore, InWebo exposes a comprehensive set of web services APIs that can be integrated into IAM tools and workflows, or into self-enrollment pages (e.g. exposed to external users or partners).

Enrollment

Users - actually, only their credentials - need to be enrolled in the validation server. There are several ways to enroll a user:

● With the web-based console: this manual management is usually used for testing purposes only (a few users), or by the helpdesk to answer individual support requests
● With the web services APIs (protected by a dedicated certificate), so that any application or IAM system that manages users can enroll them
● With the InWebo DirectorySync tool: this Java tool replicates any group of users that exists in Active Directory or in an LDAP directory. It can also batch-import users in CSV format.


Usually, users are enrolled in an anonymous way using an alias, so that no identification of the users is possible on the validation server. The application knows the identity of the user and keeps the link between the user and his/her alias, but the validation server uses aliases only.

When a user is enrolled in the validation server, a unique activation code is generated for him/her by InWebo. This activation code has to be sent to the end-user by adequate means, according to the security level targeted for the application. For instance, it can be delivered face to face, sent via (registered) mail, or delivered by any relevant means (SMS, or through any existing application). It can also be delivered immediately during the registration process, by email or by the application itself. Note that the InWebo Browser token can detect the activation code in a web page, so the user may not even need to rekey it.

The way the activation code is delivered to the end-user is under the complete control and responsibility of the organization.

The activation code can be either active or inactive during its transfer to the legitimate recipient. This allows a secure procedure for the transfer of the code. If inactive, an activation code can be set active by using the appropriate API. This can be done, for example, by the recipient himself/herself by connecting to his/her portal (still with username/password or the previous authentication method at that stage) and then selecting an option to use the new InWebo authentication method.

Then, the activation code received has to be entered in the InWebo token. The InWebo token has been downloaded from a public or private app store (except for the Browser token, which pops up automatically).

Once the user has received and entered the activation code, he/she then has to choose his/her personal PIN code to protect the authentication tool and to finalize the instantiation. Note that the administrator does not have to manage end-user PIN codes. The PIN code is only known by the user and NOT stored in any of the InWebo tokens.

The InWebo mobile token may use a QR code for an even better user experience: the end-user only has to scan the QR code to transfer the activation code into the mobile token.
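The alias-based enrollment and the active/inactive activation-code handoff described above, as an added Python model that is not InWebo’s code: the class names, the activation-code format, the in-memory stores and the "set active" API shape are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Enrollment:
    alias: str                       # opaque identifier; the real identity never reaches the server
    activation_code: str
    active: bool                     # False while the code is in transit, if the policy says so
    redeemed: bool = False
    token_ids: List[str] = field(default_factory=list)


class ValidationServer:
    """Validation server side: it knows aliases and activation codes only."""

    def __init__(self) -> None:
        self._by_alias: Dict[str, Enrollment] = {}
        self._by_code: Dict[str, Enrollment] = {}

    def enroll(self, alias: str, active_on_creation: bool) -> str:
        """Enroll an alias and return its unique activation code
        (the 16-hex-digit format is an assumption)."""
        code = secrets.token_hex(8)
        e = Enrollment(alias, code, active_on_creation)
        self._by_alias[alias] = e
        self._by_code[code] = e
        return code

    def set_active(self, alias: str) -> None:
        """The 'appropriate API' of the text: switch an inactive code to active."""
        self._by_alias[alias].active = True

    def redeem(self, code: str, token_id: str) -> Optional[str]:
        """Called when a token submits an activation code. Succeeds once, and
        only for an active code; returns the alias the token is now bound to."""
        e = self._by_code.get(code)
        if e is None or not e.active or e.redeemed:
            return None
        e.redeemed = True
        e.token_ids.append(token_id)
        return e.alias

    def knows_user(self, user_id: str) -> bool:
        """True only if a real identity leaked into the server's records."""
        return user_id in self._by_alias


class CustomerApplication:
    """Application side: keeps the user -> alias link and drives enrollment."""

    def __init__(self, server: ValidationServer) -> None:
        self.server = server
        self.alias_of: Dict[str, str] = {}

    def enroll_user(self, user_id: str) -> str:
        """Enroll under a random alias; the code starts inactive for the transfer."""
        alias = secrets.token_urlsafe(12)
        self.alias_of[user_id] = alias
        return self.server.enroll(alias, active_on_creation=False)

    def user_opts_in(self, user_id: str) -> None:
        """User, logged in with the previous method, selects InWebo: activate the code."""
        self.server.set_active(self.alias_of[user_id])
```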


Selfcare = Easy Customer Support

The InWebo solution comes with embedded self-care facilities. These features are available in order to minimize end-user calls to the helpdesk. End-users can access the self-care facilities from their PC, from their phone, or directly from the authentication portal. They can:

● Activate an authentication token on a new desktop/laptop, tablet or phone
● Lock, unlock, rename or delete any authentication token
● Change their user PIN code
● With InWebo, users create their own PIN code (within the policy guidelines). The Customer does not have to manage the PIN code lifecycle.

Selfcare features have a direct impact on the TCO of the solution, as well as on customer productivity.

InWebo provides several PIN code restoration methods:

● The selfcare function can resend a restoration code by email. This code is only valid for a blocked token, so interception of this code is useless. This feature can be activated/deactivated by policy.
● Organizations can set up a user portal for code restoration/regeneration. Organizations may set up the appropriate internal authentication method (i.e. AD password, questions and answers) prior to generating the restoration code. The restoration code may be sent to the user by mail, SMS, etc., as decided by the company.


● Tools can activate and unlock each other: the phone may generate a restoration code for the PC, the PC may generate a restoration code for the phone, etc. This is made possible because the user authenticates strongly to the InWebo platform, and therefore he/she can be trusted.
● The helpdesk also has all these facilities through the administration console, under the user management tab, using restricted roles if relevant.

Service Management

InWebo includes:

● A comprehensive management console for technical settings, security settings, user management, connector management, admin role management, logs and reporting.
● An exhaustive set of web services (SOAP & REST) APIs for authentication and provisioning, easy to configure in many environments.
● An online trusted platform for identity validation with high availability mechanisms.

Easy Administration & Service Management

The management of the InWebo platform is fully web-based. Administrators access the web console with 2-factor authentication.

Service administrators can create a new service, or modify a service policy, with a few mouse clicks (no scripting). Once validated, the service settings are immediately propagated to the enrolled users. Every administration action is automatically traced (action, old/new setting, author, date).

The console grants access to all settings:

● User management: add, delete, rename, lock, unlock, select bookmarks (URL) for the user, role assignment
● Role management: create, change, delete management roles in the console; apply roles to users


● Group management: create, change, delete groups in the console; assign users to groups, assign policies to groups
● Settings related to the OTP generated with nCode: active/non-active; format of the OTP
● Settings related to the OTP generated with InWebo Browser Token: active/non-active, restricted number of browsers, push notifications (optional, mandatory)
● Settings related to the OTP generated with the mAccess library: active/non-active, format of the OTP, time-to-live period for PIN entry
● Settings for the API
● Restricted IP addresses for the API
● Generation of the certificate protecting access to the web services API
● Upload/download of the metadata of the Identity Provider for the SAML V2 connectors
● Predefined SAML connectors: Google Apps, Salesforce, ADFS, OODrive, ADP-GSI, …
● Bookmark management (add, delete, rename, URL, SSO setting, extra field settings)
● Change logo and name of the service
● And many other settings…

The console grants access to log and reporting tools:

● Logs of the authentication activity
● Logs of the provisioning activity
● Logs of user activation
● Logs of the administration activity
● Reporting on users not using the service
● Reporting on authentications (authentication result & errors, versions and OS of InWebo soft-tokens)
● Reporting on activation status


A robust, scalable SaaS platform

The global architecture is described in the following drawing:

The InWebo solution comes with a high availability infrastructure, included as standard in all subscriptions. It provides 99.9% availability. This performance is achieved by a fully redundant infrastructure spread across 3 separate sites.

24x7 support

InWebo provides support during business hours. An additional 24/7 support option can be subscribed for support in case of any concern related to the availability of the platform.

This 24/7 support provides a status of the service. If the service is not available, an engineer is assigned to the customer until the problem is fixed.


InWebo software tokens lifecycle management

The “philosophy” of the InWebo solution is to integrate with the customer’s user lifecycle tools (AD, enrollment workflows, IAM systems, helpdesk) and to relieve organizations of token lifecycle management.

Indeed:

- the user PIN is defined by the user within company policies, and it can be reset by the user (or by the helpdesk). It is not managed, or even known, by the company helpdesk teams and systems
- tokens are applications, libraries and scripts activated by the users, based on rights (activation code) obtained from user lifecycle tools/processes (enrollment/synchronization, selfcare, helpdesk). Credential (i.e. key) management is entirely and transparently handled by the solution. In particular, there is no need for a “credential synchronization” helpdesk feature or API.

Nevertheless, InWebo APIs give a view of the user tokens and their status (activated, expired, locked) and offer the possibility to reset a PIN error counter to zero, or to unlock a specific token, should selfcare not be possible in some situations.