Introduction
With Haventec’s Silent Multi-factor Authentication (MFA) solution, you can introduce multi-factor authentication without changing the way your customers currently log in – no authentication apps; no need to rekey a one-time PIN; no need to switch devices for another authentication factor, or worry about physical tokens and smart cards every single time a user logs in. Instead, multi-factor authentication becomes a single-step experience offering unprecedented convenience and peace of mind.
With Haventec Silent MFA, customers are seamlessly onboarded. You have the option to:
- Automatically enrol customers after a successful login with their username and password.
- Trigger a simple verification step before enrolment.
The username/password combination and the device signature are then used to create a rolling private key that is matched against a rolling public key for additional authentication assurance.
From the user’s perspective, all they do is log in with their username and password and the multi-factor authentication takes place in the background without the need to complete any additional login steps.
The Haventec Silent MFA feature enhances an organisation's security by improving the unique way of authenticating users and devices.
Haventec Silent MFA improves enterprise security; it does not require your application end users to change their login steps and can be implemented quickly to maximise business and customer benefits.
This Implementation guide steps you through the process of implementing Haventec Silent MFA.
Prerequisites
Prior to beginning the implementation of Haventec Silent MFA, please ensure that the following prerequisites are in place:
Setup
- A Haventec Authenticate application ID and API key, using the Haventec JWT protocol. Instructions can be found here: Create Application.
- The ability to send emails (SMTP); see Email server configuration.
- The ability to call Haventec Authenticate APIs; this may involve firewall configuration.
Front-end development needs
A JavaScript- or TypeScript-based front end that can import the Silent MFA SDK NPM package @haventec/mfa-client.
Back-end development needs
A back end that can make API calls to Haventec’s products, plus some extra APIs to accommodate the front-end SDK. The customer will need to implement APIs such as Register a new user or device.
The Authenticate application ID and API key also need to be securely stored.
The backend must be able to store activation tokens for the magic link securely (e.g. hashed with bcrypt), and must be able to retrieve the active sessionId from the activation token.
Overview of Architecture and End User Functionality
Register a new User
The register endpoint will need to proxy requests from the front end to Authenticate to create a new end user in Authenticate Silent MFA.
The response from Haventec Authenticate will contain a sessionId, userId, and activation token.
The customer backend will need to store the activation token and sessionId and pass the end user session and userId back to the front end.
The backend must support the ability to retrieve the session from the activation token when the end user clicks the magic link.
Login with an existing Silent MFA end user with an MFA device or register an existing end user in Authenticate
If the request body contains MFA device details, it is safe to assume the end user is registered with Haventec Authenticate and has an MFA device.
However, if they do not have any MFA details, the customer backend must handle creating an MFA device for the end user. First, the backend will need to determine whether there is an existing Haventec Authenticate account.
This can be done in either one of the following two ways:
- Calling the Authenticate Create MFA device endpoint. A 4xx response indicates that no end-user account exists, in which case the Create a Mfa User endpoint must be called instead.
- Storing the state of their end users in their own database.
Every time a user or device registration is successful, the backend will need to:
- store the userId, deviceId, sessionId, and activation token from the success API response
- send the userId, deviceId, and sessionId back to the end user’s device
- email the activation token to the end user in the form of a magic link
Magic-link activation token for the end user to verify when they are registering a new device
The customer’s backend will need to match the activation token variable to the session stored from login or register. These details are then forwarded to Haventec Authenticate which will activate the MFA device.
The Silent MFA SDK will automatically download the MFA device details from the /check endpoint.
Verification
The front end calls this endpoint to download its MFA device details. If the magic link has not been clicked yet, the API will return a 422. Otherwise, it will return a 200 with the MFA device details (deviceUuid, AuthKey, and token), and these device credentials will automatically be stored on the device by the SDK.
Once fresh device credentials are stored on the device, the backend may remove session/activation token details it may have stored.
Use Cases
For more on use cases, please click here.
Implementation Guide
The customer will need to implement several APIs on their backend and have their front-end integrate with our SDK. This guide will go through how each API should behave and configuration options. It is assumed that prerequisites have been met.
For more information, click here.