InWebo Technologies sas
3 rue de Montyon, 75009 Paris
France
InWebo Technologies Inc
169 11th street
San Francisco CA 94103
USA
Frictionless Strong Authentication
InWebo Technologies. Confidential 2
InWebo’s key features
InWebo offers hardware-less, secure solutions that are easy to implement, to manage
and to use. Available as a SaaS, the solution delivers incredible flexibility with
unmatchable TCO.
InWebo leaves you in control of your identities, but manages, under your policy,
every step of authentication: enrolment, token management, identity federation,
recovery, auditing and smooth migration, so that the end-user gets real ease of use.
The InWebo Platform turns any mobile, PC, web browser or native app on any device into
a 2-factor authentication token.
InWebo is your “last mile” partner to manage your identities in your IT infrastructure.
A Flexible and secure SaaS architecture
The architecture of the solution involves:
○ A validation server available online in HA mode. Security is provided by the
intensive use of Hardware Security Modules (HSM) for key protection and secure
application execution (for OTP validation).
○ One or several connectors between the applications requesting authentication and the
validation server. The connectors are configured on the application and on the InWebo
administration console. Several connectors are available: Web Service, Radius, SAML V2.
○ Authentication tools (“tokens”) (Authenticator for phone, Browser token, mAccess
library) that generate One Time Passwords.
OTPs generated by the end-users' tokens are sent to the application; the application then
uses a connector to validate the OTP on the validation server.
When the user needs to authenticate, he/she launches the application, connects to the web
application by entering its URL in a browser, or launches the mobile app.
A rich set of software tokens: “Bring Your Own Token”
With InWebo, users can have as many authentication tools (tokens) as you allow. InWebo
tokens are very easy to install and to use. They run on all the devices that a user would typically
have: phones, smartphones, PCs, Macs, tablets, even connected TVs or connected cars. Users
can use any of these tools interchangeably to connect to The Customer Applications. Tokens are free of
charge.
Thanks to this multi-token approach, organizations can implement the security policies of their
choice. For instance, they can enforce multi-channel (“out-of-band”) authentication for highly
sensitive operations or for external personnel in non-controlled environments.
- Mobile token: “InWebo Authenticator” or “nCode” is a universal OTP
generator for phones, smartphones and tablets. It is available for all Java phones
(including old Java phones in developing countries). InWebo Authenticator is
available for free on the app stores, or it can be packaged and distributed
for/by organizations. The mobile token application can operate in online or
offline mode. In offline mode, it displays the OTP and the user retypes it in
the appropriate application. In online mode, using an authentication notification,
the OTP is automatically generated and sent, providing an unmatched user
experience. The mobile token works as a local “key holder”: it allows
connection to multiple applications from one single device, with one single PIN code.
On a PC or tablet where no tool is installed, authentication with the mobile
token follows these steps:
● The user launches his/her application.
● The user enters his/her user id.
● A notification for authentication is sent to the mobile (no SMS or phone
number needed).
● The mobile token app is launched and prompts the user for his/her PIN
code.
● The mobile token generates the OTP and sends it to the server for
validation.
● The user is authenticated.
- Browser token: InWebo Virtual Authenticator is a 2-factor authentication module enabled directly in the browser, without any installation and with Single Sign-On features. It allows a user to authenticate even if he/she has no mobile: the device or browser is used instead as the possession factor (what I have). It is available on all HTML5 browsers (including IE8). User profiles allow a device to be shared between multiple users.
On a PC, tablet or smartphone where no tool is installed, authentication follows these
steps:
● The user enters the URL of the target site. The login page
includes simple scripts which invoke the browser token.
● The browser token is loaded in the web page and prompts
the user for his/her PIN code (the first time, the user enrolls
and defines his/her PIN code). The PIN code is never sent
over the Internet.
● The browser token generates the OTP and fills in the appropriate form.
● The OTP is transparently validated by the InWebo server.
● The user is authenticated.
- In-App token: mAccess is a 2-factor authentication library that allows customers to integrate
authentication functions into their own applications. It can also seal transactions. It can be used to
enable 2-factor authentication within a mobile app, or to build your own authentication application,
similar to InWebo Authenticator, but under your organization's logo.
Supported platforms & browsers
InWebo Authenticator (Mobile token) is available for iOS 4+, Android, Windows Phone and
Blackberry free of charge. Push is available on iOS, Android and Windows Phone only.
InWebo nCode (Mobile token) is also available on:
● Any Java phone, even old ones (MIDP 2.0), and Nokia Symbian
● Windows Mobile smartphones
● Samsung Bada smartphones
InWebo nCode is available for download at m.InWebo.com
InWebo Virtual Authenticator (Browser token) is available for any HTML5 browser (mobile
browser or not) on any platform (Windows, MacOS, Linux, Android, iOS, Blackberry).
- Option: “customer Authenticator”: InWebo may develop a custom authenticator mobile
application. This application will be similar to “InWebo Authenticator” but dedicated to the
customer authentication service.
The main features of the application are:
● Enrolment with QR-Code or manual entry
● Authentication via notification (push)
● Offline OTP generation
● Unlock device with an unlock code to be entered
● Change PIN code
● Activate an additional device
● Configuration synchronisation
Application workflow:
1 - Launch the mobile application:
• Splash screen (your logo)
• Access to the main screen. The main screen displays a button to generate an OTP
• Access to the menu (according to platform standards) with the following items:
• Unlock device: displays an unlock code for manual unlocking
• Change PIN code facility
• Add an additional device
• Configuration synchronisation
2 - In addition, the application will be able to receive notifications for:
• Authentication requests
3 - In case the application is not activated (i.e. first launch), it will automatically display the
activation screen. Activation will be possible using a QR-Code or by manually entering the
activation code.
The application may be developed for iOS, Android and WinPhone; Blackberry on request.
Unmatched security at every level
Robust security, although hidden from the end-user, is present at every step of the design and the development.
InWebo’s authentication technology offers an incremental level of security compared to traditional
software OTP authentication solutions (see details in the security section below):
● A new valid OTP cannot be obtained by cloning the OTP generation software
● A new valid OTP cannot be derived from the observation of a (once) valid OTP combined
with the cloning of the OTP generator
● Copying active keys does not make it possible to calculate a new valid OTP
● An OTP is only valid for one service
● OTP validation is processed within the programmable cryptographic core of the HSM box
Furthermore, InWebo offers additional protections against:
● OTP replay: an OTP cannot be replayed, and it has a short lifetime
● Phishing and pharming attacks: InWebo Virtual Authenticator checks that the requested login
site is specifically identified as authorized by the service administrator
● Man-in-the-middle attacks: InWebo Virtual Authenticator matches the user's IP address as seen
from the target login site with the one captured during the server pre-authentication
sequence
● Key-logging attacks: “out-of-band” generation of the OTP on the mobile device defeats capture
of the PIN code by key-logging. The PIN code is never entered on the PC itself.
● InWebo’s security library, as a soft token technology, has obtained ANSSI certification.
Please refer to http://www.ssi.gouv.fr/entreprise/certification_cspn/librairie-ncode-iwlib-java-version-2-1/
Special focus on server side security:
● Server-side security is ensured thanks to a thorough implementation of Hardware Security
Module technology. The HSM is not only used for key protection, but also for application and
data protection inside the HSM.
● The OTP validation application is executed within the HSM and not on the server. With such
an architecture InWebo reaches the highest level of security. This also means that our customers
do not have to trust the administrators of the servers or to fear attacks on the platform: all sensitive
information is stored and processed within the HSM. Note that the HSM prevents any key from
being exported outside its internal secured storage.
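As an added illustration (not InWebo's code, whose validation logic runs inside an HSM and whose OTP derivation is not described here), the toy validator below shows the three validation-side rules listed above: an OTP is accepted once (no replay), only within a short lifetime, and only for the service it was issued for. The HMAC-based OTP, the 8-digit format, the 30-second lifetime and all sample keys and aliases are constructed assumptions.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 8          # assumed format; the page does not state the OTP length
OTP_LIFETIME_S = 30     # assumed "short lifetime" in seconds; not a page value


def make_otp(key: bytes, service_id: str, issued_at: int) -> str:
    """Toy OTP: HMAC-SHA256 over (service id, issue time), truncated to digits.
    Binding the service id into the MAC is what makes an OTP valid for one service only."""
    msg = service_id.encode("utf-8") + struct.pack(">Q", issued_at)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


class Validator:
    """Validation-server state: one token key per alias plus the OTPs already consumed."""

    def __init__(self) -> None:
        self.keys = {}   # alias -> token key (kept inside the HSM in the real system)
        self.used = set()  # (alias, service_id, issued_at) tuples already accepted

    def enroll(self, alias: str, key: bytes) -> None:
        self.keys[alias] = key

    def validate(self, alias: str, service_id: str, otp: str, now: int) -> tuple[bool, str]:
        """Accept an OTP once, only while it is fresh, and only for the service that asks."""
        key = self.keys.get(alias)
        if key is None:
            return False, "unknown alias"
        # Only issue times inside the lifetime window are considered, so an OTP
        # older than OTP_LIFETIME_S seconds can never match, whatever its value.
        for issued_at in range(now, now - OTP_LIFETIME_S - 1, -1):
            if hmac.compare_digest(make_otp(key, service_id, issued_at), otp):
                mark = (alias, service_id, issued_at)
                if mark in self.used:
                    return False, "replay"   # same OTP presented a second time
                self.used.add(mark)
                return True, "ok"
        return False, "rejected (wrong value, other service, or expired)"


def demo() -> list[str]:
    """Walk through the four cases; returns the verdict strings in order."""
    key = b"constructed-demo-key"        # constructed sample value
    v = Validator()
    v.enroll("alias-7f3a", key)          # alias only: the server never sees the real identity
    otp = make_otp(key, "vpn", 1000)
    return [
        v.validate("alias-7f3a", "vpn", otp, 1005)[1],                         # fresh, first use
        v.validate("alias-7f3a", "vpn", otp, 1010)[1],                         # same OTP again
        v.validate("alias-7f3a", "crm", otp, 1005)[1],                         # issued for vpn, asked by crm
        v.validate("alias-7f3a", "vpn", make_otp(key, "vpn", 2000), 2040)[1],  # 40 s old
    ]
```

Running `demo()` gives `ok`, `replay`, and two rejections, which is the behaviour the list above promises; a production validator would additionally rate-limit attempts per alias.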
Integration
Easy Integration with The Customer applications
InWebo supports 3 standard application integration methods for delegated authentication: SAML
V2 (the InWebo platform is a technical Identity Provider), Radius (the InWebo platform acts as a Radius
server for the VPN or for the application), or web services.
InWebo is also declared as a third-party Identity Provider in the ADFS identity federation model.
Easy integration with The Customer AD and user repositories
The InWebo DirSync utility software (IWDS), installed on premises, performs on-the-fly
synchronization of the user lifecycle between the customer AD or LDAP resources and the
InWebo platform; it works across several AD clusters. IWDS can also be used for other user
repositories such as customer or partner databases, although only a flat-file format is supported
for these repositories.
Furthermore, InWebo exposes a comprehensive set of web services APIs that can be integrated
into IAM tools and workflows, or into self-enrollment pages (e.g. exposed to external users or partners).
Enrollment
Users - actually, only their credentials - need to be enrolled in the validation server. There are
several ways to enroll a user:
● With the web-based console: this manual management is usually used for testing
purposes only (a few users), or by the helpdesk to answer individual support requests;
● With the web services APIs (protected by a dedicated certificate), so that any application
or IAM system that manages users can enroll them;
● With the InWebo DirectorySync tool: this Java tool replicates any group of users that
exists in the Active Directory or in an LDAP directory. It can also import users in batch from
CSV files.
Usually, the users are enrolled in an anonymous way using an alias, so that no identification of
the users is possible on the validation server. The application knows the identity of the user and
keeps the link between the user and his/her alias, but the validation server uses aliases only.
When a user is enrolled in the validation server, a unique activation code is generated for him/her
by InWebo. This activation code has to be sent to the end-user via adequate means,
according to the security level targeted for the application. For instance, it can be delivered face
to face, sent via (registered) mail, or by any other relevant means (by SMS, or through any existing
application). It can also be delivered immediately during the registration process, in an e-mail or by
the application itself. Note that the InWebo Browser token can detect the activation code in a
web page, so the user may not even need to rekey it.
The way the activation code is delivered to the end-user is under the complete control and
responsibility of the organization.
This activation code can be active or not during the transfer to the legitimate recipient. This allows
a secure procedure for the transfer of the code. If not active, an activation code can be set
active by using the appropriate API. This can be done, for example, by the recipient himself by
connecting to his portal (still with username/password or the previous authentication method at that
stage) and then selecting an option to use the new InWebo authentication method.
Then, the activation code received has to be entered in the InWebo token. The InWebo token has
been downloaded from a public or private app store (except for the Browser token, which pops up
automatically).
Once the user has received and entered the activation code, he/she then has to choose
his/her personal PIN code to protect the authentication tool and to finalize the instantiation. Note
that the administrator does not have to manage end-user PIN codes. The PIN code is only
known by the user and NOT stored in any of the InWebo tokens.
The InWebo mobile token may use a QR-Code for an even better user experience. The end-user only
has to scan the QR-Code to transfer the activation code into the mobile token.
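The enrollment and activation flow just described, as an added toy model (not InWebo's code or API): the application keeps the user-to-alias link, the validation server sees aliases only, an activation code can travel inactive and be set active through an API call after the user has logged in with the previous method, and each code is consumed exactly once. The alias and code formats, and all class and method names, are constructed assumptions.

```python
import secrets


class ValidationServer:
    """Holds aliases and activation codes only; it never learns who an alias is."""

    def __init__(self) -> None:
        self.codes = {}    # activation code -> {"alias", "active", "used"}
        self.tokens = {}   # alias -> list of activated device names

    def enroll(self, alias: str, active: bool) -> str:
        """Enrol an alias and issue its activation code, active or not as the application decides."""
        code = secrets.token_hex(8)   # constructed format; the real code format is not on the page
        self.codes[code] = {"alias": alias, "active": active, "used": False}
        self.tokens.setdefault(alias, [])
        return code

    def set_active(self, code: str) -> bool:
        """The 'set active' API call: only meaningful for a code that is still unused."""
        rec = self.codes.get(code)
        if rec is None or rec["used"]:
            return False
        rec["active"] = True
        return True

    def activate_token(self, code: str, device: str) -> tuple[bool, str]:
        """Called when the token app submits the code the user typed or scanned."""
        rec = self.codes.get(code)
        if rec is None:
            return False, "unknown code"
        if rec["used"]:
            return False, "code already consumed"
        if not rec["active"]:
            return False, "code not yet active"
        rec["used"] = True                        # one activation per code
        self.tokens[rec["alias"]].append(device)
        # The PIN the user chooses next stays with the user: nothing about it
        # is sent to this server or stored by the token.
        return True, rec["alias"]


class Application:
    """Knows the real identity and keeps the user <-> alias link on its own side."""

    def __init__(self, server: ValidationServer) -> None:
        self.server = server
        self.alias_of = {}   # user -> alias
        self.pending = {}    # user -> activation code awaiting confirmation

    def register(self, user: str, deliver_active: bool = False) -> str:
        """Enrol a user under a fresh alias; by default the code is inactive while in transit."""
        alias = "u-" + secrets.token_hex(6)   # constructed alias format
        self.alias_of[user] = alias
        self.pending[user] = self.server.enroll(alias, active=deliver_active)
        return self.pending[user]

    def confirm(self, user: str) -> bool:
        """After the user logs in with the previous method, activate the code via the API."""
        code = self.pending.get(user)
        return code is not None and self.server.set_active(code)
```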
Selfcare = Easy Customer Support
The InWebo solution comes with embedded self-care facilities. These features are available in
order to minimize end-user calls to the helpdesk. End-users can access the selfcare facilities
from their PC, from their phone or directly from the authentication portal. They can:
● Activate an authentication token on a new desktop/laptop, tablet or phone
● Lock, unlock, rename or delete any authentication token
● Change their user PIN code
● With InWebo, users create their own PIN code (within the policy guidelines). The
Customer does not have to manage the PIN code lifecycle.
Selfcare features have a direct impact on the TCO of the solution, as well as on customer
productivity.
InWebo provides several PIN code restoration methods:
● The selfcare function can resend a restoration code by email. This code is
only valid for a blocked token, so interception of this code is useless. This feature can be
activated/deactivated by policy.
● Organizations can set up a user portal for code restoration/regeneration.
Organizations may set up the appropriate internal authentication method (i.e. AD password,
questions and answers) prior to generating the restoration code. The restoration code may be
sent to the user by mail, SMS, etc., as decided by the company.
● Tools can activate and unlock each other: the phone may generate a
restoration code for the PC, the PC may generate a restoration code for the phone, etc. This is
made possible because the user authenticates strongly to the InWebo platform, and therefore
he/she can be trusted.
● The helpdesk also has all these facilities through the administration console under
the user management tab, using restricted roles if relevant.
Service Management
InWebo includes:
● A comprehensive management console for technical setting, security setting, user
management, connector management, admin role management, logs and reporting.
● An exhaustive set of webservices (SOAP & REST) APIs for authentication and
provisioning, easy to configure in many environments.
● An online trusted platform for identity validation with high availability mechanisms
Easy Administration & Service Management
The management of the InWebo platform is fully web-based. Administrators access the web
console with 2-factor authentication.
Service administrators can create a new service, or modify a service policy with a few mouse
clicks (no scripting). Once validated, the service settings are immediately propagated to the
enrolled users. Every administration action is automatically traced (action, old/new setting,
author, date).
The console grants access to all settings:
● User management: add, delete, rename, lock, unlock, select bookmarks (url) for the user,
role assignment
● Role Management: create, change, delete management role in the console. Apply role to
users
● Group Management: create, change, delete groups in the console. Assign users to
groups, assign policies to groups.
● Settings related to the OTP generated with nCode: active/non active; format of the OTP
● Settings related to the OTP generated with InWebo Browser Token: active/non active,
restricted number of browsers, Push notifications (optional, mandatory)
● Settings related to the OTP generated with mAccess library: active/non active, format of
the OTP, time to live period for PIN entry
● Setting for the API
● Restricted IP address for the API
● Generation of the certificate protecting access to the web services API
● Upload/download of the metadata of the Identity Provider for the SAML V2 connectors
● Predefined SAML connectors: GoogleApp, Salesforce, ADFS, OODrive, ADP-GSI, …
● Bookmark management (add, delete, rename, url, SSO setting, extra field settings)
● Change logo and name of the service
● And many other settings…
The console grants access to log and reporting tools:
● Logs of the authentication activity
● Logs of the provisioning activity
● Logs of the user activation activity
● Logs of the administration activity
● Reporting of the users not using the service
● Reporting on authentications (authentication result & errors, versions and OS of InWebo
soft-tokens)
● Reporting on activation status
A robust scalable SaaS Platform
The global architecture is described in the following drawing:
The InWebo solution comes with a high availability infrastructure included as standard in all
subscriptions. It provides 99.9% availability. This performance is achieved by a fully redundant
infrastructure spread across 3 separate sites.
24x7 support
InWebo provides support during business hours. An additional 24/7 support option can be
subscribed to for support in case of any concern related to the availability of the platform.
This 24/7 support provides a status of the service. If the service is not available, an engineer
is assigned to the customer until the problem is fixed.
InWebo Software Tokens lifecycle management
The “philosophy” of the InWebo solution is to integrate with the customer's user lifecycle tools (AD,
enrollment workflows, IAM systems, helpdesk) and to relieve organizations of token lifecycle
management.
Indeed:
- the user PIN is defined by the user within company policies, and it can be reset by the user (or
by the helpdesk). It is not managed or even known by the company helpdesk teams and systems;
- tokens are applications, libraries and scripts activated by the users, based on rights (activation
codes) obtained from user lifecycle tools/processes (enrollment/synchronization, selfcare,
helpdesk). Credential (i.e. key) management is handled entirely and transparently by the solution.
In particular, there is no need for a “credential synchronization” helpdesk feature or API.
Nevertheless, the InWebo APIs give a view of the user's tokens and their status (activated, expired,
locked) and offer the possibility to reset a PIN error counter to zero, or to unlock a specific token,
should selfcare not be possible in some situations.