Two-Factor Authentication

Overview & Key-points

  • Two-Factor AuthenticationSecure
  • Simple
  • Two-Factor AuthenticationOverall Protection


SecSign ID delivers a two-factor authentication method that uses possession of the user’s mobile device and the knowledge of the user to verify his or her identity.

The user enters a login through a Web browser and is presented with a symbol. The user then selects the user name in the SecSign ID mobile app and enters a PIN. By selecting the correct symbol in the app, the user is logged into the desired service. No further inputs are necessary.

Two-factor authentication is a concept that is used widely in ATM security. To gain ATM access, a user must insert an ATM card (possession) into the machine and must enter a PIN (knowledge). With SecSign ID, users identify themselves at a secure Web service with two factors based on this same concept:


a private key on the user’s mobile device


a PIN / password to access the private key on the smart phone.

Neither the key nor the password is ever transmitted through a network. This protects SecSign ID, your user accounts, and your critical business assets against phishing attacks, malware, or even direct attacks against the web server.

This same authentication methodology is also used for SecSign Portal, which provides secure messaging, file storage, and file sharing for businesses.

1. The user enters a user name (SecSign ID) into a web browser

The diagram shows what the web server will request from the identity server (SecSign ID server).

What Happens During This Step
  • a) User enters the SecSign ID through the Internet service
  • b) Internet service requests authentication from the ID server
  • c) ID server sends push notification to the user’s mobile device
  • d) ID server sends access symbol to the Internet service
  • e) Internet service displays the required access symbol


2. The user selects the SecSign ID using a mobile app and enters a PIN

The diagrams shows the messages which are exchanged between mobile device and SecSign ID server.

What Happens During This Step
  • a) Mobile app confirms that the user is the owner of the SecSign ID
  • b) ID server sends access symbols to the mobile app


3. The user selects the correct access symbol using the mobile app

What Happens During This Step
  • a) User confirms the correct access symbol and the mobile app sends this to the ID server
  • b) Internet service checks the status of the authentication session
  • c) ID server confirms access permission
  • d) Web service grants user access

Authentication is simple for the user and highly secure. See for yourself with a free SecSign ID account!

The SecSign ID app allows the user to generate new key pairs for existing IDs at any time. During this process, the key on the mobile device and the key on the ID server will be replaced.



Private Key Generation

  • RSA-encryption scheme with 2048-bit private keys
  • User creates an ID on the mobile device
  • Asymmetric key pair is generated for future authentication
  • Private key generated and stored on a mobile device
  • Public key stored on the SecSign ID server


The SecSign ID session authentication is based on an RSA-encryption scheme with 2048-bit private keys. The SecSign ID app contains the private key of the user (encrypted with a PIN), and the SecSign ID server knows the user´s public key. During a session authentication for a login, the SecSign ID server verifies possession of the private key and knowledge of the password. The SecSign ID server evaluates the authentication request and informs the requesting service if access can be granted. If the user creates an ID on the mobile device, an asymmetric key pair (RSA) will be generated for future authentication.

The public key will be transmitted in encrypted form to the remote server and will then be deleted on the mobile device. The private key will be encrypted by a PIN and stored on the smart phone. Neither the PIN nor the private key is ever transmitted. Therefore, they cannot be intercepted by a potential attacker. This procedure protects against phishing attacks and direct attacks against the identity server.


Challenge-Response Authentication with 2048-Bit RSA Key Pairs

  • User enters user name (SecSign ID) in a Web browser
  • ID server verifies whether the user’s smart phone has the private key associated with the ID
  • ID server sends a random number (challenge)to the smart phone
  • Smart phone signs this challenge with its private key and submits a result to the server
  • ID server verifies the signature of the challenge via the public key stored on the server



After the user enters a user name in the Web browser, the ID server will start an authentication session for that ID. During this procedure, the identity server verifies whether the mobile device has the private key associated with the identity. This is done with challenge-response authentication using a simple 4-digit PIN on the mobile device.

During challenge-response authentication, the server sends a random number (the “challenge”) to the mobile device. The mobile device signs this “challenge” with its private key and submits the result to the server. The server then verifies the signature of the “challenge” via the corresponding public key. A successful verification has proven the possession of the private key because this is only possible with the correct PIN.

The user then provides final confirmation of identity by choosing an access symbol on the mobile device that matches the corresponding symbol in the Web browser.


Maximum brand recognition with your corporate design. We build your company app for you, offer SDKs for easy integration in existing apps or simply add some design modifications to match your profile.

More information

Do NOT follow this link or you will be banned from the site!