BankVault Enterprise – Passwordless Authentication (IAM)
Passwordless Web Logins
Simple, Low-Cost Deployment – Hours (Not Months)
– No infrastructure changes
– No client software
– No user setup
Ask to Test Drive your website
Finance
Healthcare
Education
Government
Users
Users no longer have to remember or enter their login credentials.
Businesses
Seamless access increases user engagement, creating sticky customers which drives business.
Security
No single attack surface makes it incredibly difficult for hackers to compromise.
- Accounting
- HR / Payroll
- Healthcare
- Management
- Insurance
Identity Theft / Account Takeovers
Every website uses passwords. When users enter login credentials through their device, the single attack surface makes intercepting passwords easy. Users further corrode their own security by using dictionary words or recycling the same password everywhere.
2 Factor Authentication (2 step login) using a separate physical device dramatically improves security, but this is still frequently defeated with social engineering (tricking a user into revealing or using their 2nd factor) or Man-in-the-Browser (JavaScript injection) attacks that simply change details such as destination bank account numbers behind the screen, which the user then authenticates. 2FA is also quite clumsy for users.
Password Managers try to solve the problem but expose user credentials whenever they auto-fill web forms. The asterisks which appear in password fields are only a mask for human eyes, so any software running in the browser reads the value as instantly as clear text.
This fundamental design flaw in browser security can’t be patched by Password Managers or software on the user's device.
The solution is to handle authentication at the back-end, inside the webserver that delivers the login screen.
Passwordless Authentication
BankVault Passwordless is a simple REST API integrated into the webserver creating a virtually cosmetic change that harnesses user mobiles and browsers for authentication.
The system generates a security secret and projects an image of a keyboard or keypad into the user's mobile browser. Onscreen actions are stored in the cloud but can only be interpreted inside the webserver when the mobile phone and browser are present. (see Webserver Encrypted Keyboard below)
When the user subsequently initiates a login their biometrics (proof-of-presence), along with their device (something they have) reconstitute the same credentials (something they know) inside the webserver which logs them in. Multiple reference points must be present together in order to reconstitute the credentials and authenticate the user.
Simple, low-cost deployments (20 lines of code in the webserver)
- No change to backend authentication
- No client software
- No user setup
Multi-Factor Authentication is invisible to users with nothing to download, install or configure.
Biometrics – WebAuthn (FIDO2)
Proof-of-Presence
BankVault supports biometrics and other proof-of-presence methods such as screen swipe or PIN, by incorporating the WebAuthn standard (the component of the FIDO2 standard responsible for authenticating web services).
WebAuthn implementations are normally complex and can be very involved.
BankVault customers inherit WebAuthn capability without custom coding, eliminating weeks or months of effort.
User Choice
End-users can select fingerprint, face scan, screen swipe, PIN, or other methods. These details never leave the user's local device.
- Android support for WebAuthn is operational now
- Apple support for WebAuthn is due with Safari 14
Availability depends on the capability of the user's hardware and operating system. When biometrics are not present, the system defaults to requesting a PIN.
Webserver Encrypted Keyboard
- On mobiles the experience is seamless.
- On workstations the user scans a QR code with their phone camera.
The dynamics of cybersecurity fundamentally change when user credentials can never be intercepted by malware on any device.
Implementation Options:
- Cloud
- On-Premise
How It Works
A shallow integration of a REST API with the webserver is virtually a cosmetic change requiring just 20 lines of code and can be done in as many minutes.
The API simply harnesses the user's mobile as a secondary input and authentication device.
No Technical Risk: If the service was to fail then users just enter their login credentials as usual.
No Security Risk: The encryption secret is generated by and known only to the webserver. Encrypted web sockets would require billions of years to decrypt, and the information gleaned would be meaningless and lack context. The user credentials can only be reconstituted inside the server when the user and their device are present.
No Change Management: When offered as a choice to users, adoption occurs by osmosis.
Test Drive and Go-Live
Test drive the system with your own web service. Set up a test login page on a test web address (URL) and circulate it to staff or selected user groups. Users can access the original and the test login page for side-by-side comparison.
Evaluation, Trial, Proof-of-Concept, Pilot and Go-Live don’t require any system changes.
The system is branded to your organization.
Drive Business Growth
Seamless access increases user engagement creating sticky customers.
Build Customer Trust
Build trust by securing customers connecting with your web service.
Simple Implementation
Integration in minutes with a cosmetic change to the webserver login page.
High Security Frictionless Access
Delivered seamlessly to protect customers even using compromised devices.