The user enters a user name in the Web browser and is presented with an access symbol. The user then selects that ID in the SecSign ID mobile app and enters the PIN. Tapping the matching symbol in the app completes the login to the requested service; no further input is required.
Two-factor authentication is a concept that is used widely in ATM security. To gain ATM access, a user must insert an ATM card (possession) into the machine and must enter a PIN (knowledge). With SecSign ID, users identify themselves at a secure Web service with two factors based on this same concept:
a private key on the user’s mobile device
a PIN (or password) that unlocks the private key on the smartphone.
Neither the private key nor the PIN is ever transmitted over a network, so a phishing site, credential-stealing malware on the PC, or an attacker who has compromised the web server has no reusable secret to capture. This protects SecSign ID, your user accounts, and your critical business assets; the protection assumes that the phone holding the key is not itself compromised.
This same authentication methodology is also used for SecSign Portal, which provides secure messaging, file storage, and file sharing for businesses.
The diagram shows what the web server will request from the identity server (SecSign ID server).
The diagram shows the messages which are exchanged between the mobile device and the SecSign ID server.
Authentication is simple for the user and highly secure. See for yourself with a free SecSign ID account!
The SecSign ID app allows the user to generate a new key pair for an existing ID at any time. During this process, the private key on the mobile device and the corresponding public key on the ID server are both replaced.
SecSign ID session authentication is based on RSA with 2048-bit keys. When the user creates an ID on the mobile device, an RSA key pair is generated for all future authentications. The SecSign ID app holds the user's private key (encrypted with a PIN); the SecSign ID server holds only the user's public key. During a session authentication for a login, the server verifies possession of the private key, which can only be decrypted with the correct PIN, so knowledge of the PIN is verified at the same time. The server then evaluates the authentication request and informs the requesting service whether access can be granted.
The public key is transmitted to the ID server in encrypted form and is then deleted from the mobile device. The private key is encrypted with the PIN and stored on the smartphone. Neither the PIN nor the private key is ever transmitted, so neither can be intercepted in transit. A phishing site therefore obtains nothing it could replay, and a direct attack on the identity server yields only public keys.
After the user enters a user name in the Web browser, the ID server starts an authentication session for that ID. During this session the identity server verifies whether the mobile device holds the private key associated with the identity. This is done with challenge-response authentication; on the mobile device the user only has to enter a simple 4-digit PIN.
During challenge-response authentication, the server sends a random number (the "challenge") to the mobile device. The mobile device signs this challenge with its private key and returns the signature to the server. The server verifies the signature of the challenge with the stored public key. A successful verification proves possession of the private key, and because the key is stored encrypted under the PIN, it also shows that the correct PIN was entered. This only holds if the server generates a fresh random challenge for every session and never accepts a response to the same challenge twice; otherwise a captured response could be replayed.
The user then gives the final confirmation of identity by choosing, in the app, the access symbol that matches the one displayed in the Web browser. This ties the approval on the phone to the specific browser session that requested the login.
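The enrollment and login flow described above, as an added example in Go. This is not SecSign's code, and the actual SecSign ID message formats are not given on this page; the example assumes the private key is wrapped with AES-256-GCM under a key derived from the PIN by a simple iterated hash (a stand-in for a real KDF), that the signature is RSA-PSS over SHA-256 of the session ID and the challenge, and that the four symbol names are placeholders. The session ID, the `Device`, `Server`, `Enroll`, `StartSession`, `Respond` and `Complete` names are all constructed for this example.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

const kdfIters = 200000

var Symbols = []string{"anchor", "bicycle", "cactus", "dolphin"} // constructed placeholder set

// Device is the phone side: the private key exists only as AES-GCM ciphertext under a
// PIN-derived key; no public key is kept here.
type Device struct{ Salt, Nonce, EncPriv []byte }

// Server is the ID server: the user's public key plus one-shot per-session state.
type Server struct {
	Pub      *rsa.PublicKey
	sessions map[string]session
}
type session struct {
	challenge []byte
	symbol    string
}

// kdf stretches the PIN with a salt. A plain iterated hash is used here so the example
// stays stdlib-only; a real build would use PBKDF2, scrypt or Argon2.
func kdf(pin string, salt []byte) []byte {
	k := sha256.Sum256(append([]byte(pin), salt...))
	for i := 0; i < kdfIters; i++ {
		k = sha256.Sum256(append(k[:], salt...))
	}
	return k[:]
}

// aead is AES-256-GCM under the PIN-derived key (a 32-byte key cannot fail NewCipher/NewGCM).
func aead(pin string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(kdf(pin, salt))
	g, _ := cipher.NewGCM(block)
	return g
}

// Enroll creates the ID on the phone: generate RSA-2048, wrap the private key under the
// PIN, and hand only the public key to the server.
func Enroll(pin string) (*Device, *Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	salt, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(salt) // crypto/rand.Read does not fail on supported platforms
	rand.Read(nonce)
	dev := &Device{salt, nonce, aead(pin, salt).Seal(nil, nonce, x509.MarshalPKCS1PrivateKey(priv), nil)}
	return dev, &Server{Pub: &priv.PublicKey, sessions: map[string]session{}}, nil
}

// StartSession runs when the user name is typed in the browser: a fresh 256-bit challenge
// for the app and a random access symbol for the browser, both tied to the session ID.
func (s *Server) StartSession(id string) (challenge []byte, shown string) {
	c, b := make([]byte, 32), make([]byte, 1)
	rand.Read(c)
	rand.Read(b) // 256 is a multiple of len(Symbols), so the modulo is unbiased
	shown = Symbols[int(b[0])%len(Symbols)]
	s.sessions[id] = session{challenge: c, symbol: shown}
	return c, shown
}

// Respond runs in the app: unlock the key with the PIN (a wrong PIN fails the GCM tag
// check, so neither key nor signature comes out) and sign hash(sessionID || challenge).
func (d *Device) Respond(pin, id string, challenge []byte) ([]byte, error) {
	der, err := aead(pin, d.Salt).Open(nil, d.Nonce, d.EncPriv, nil)
	if err != nil {
		return nil, err // "cipher: message authentication failed" means wrong PIN
	}
	priv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(append([]byte(id), challenge...))
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Complete runs on the server: verify the signature with the stored public key and require
// the tapped symbol to match the shown one. The session is deleted on first use (no replay).
func (s *Server) Complete(id string, sig []byte, chosen string) bool {
	sess, ok := s.sessions[id]
	if !ok {
		return false
	}
	delete(s.sessions, id)
	digest := sha256.Sum256(append([]byte(id), sess.challenge...))
	return rsa.VerifyPSS(s.Pub, crypto.SHA256, digest[:], sig, nil) == nil && sess.symbol == chosen
}
```

Calling Enroll, StartSession, Respond and Complete in that order grants the login; a wrong PIN stops at Respond, and a replayed response, a mismatched symbol, or a signature made for a different session ID all fail in Complete. One caveat the page does not spell out: a 4-digit PIN gives only 10,000 candidates, so anyone who extracts the encrypted key blob from the phone can brute-force it offline however slow the KDF is. In practice the blob has to sit behind hardware-backed key storage or an attempt counter that the app enforces.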
Want to learn more about SecSign’s innovative and highly secure solutions for protecting your user accounts and sensitive data? Use our contact form to submit your information, and a SecSign sales representative will contact you within one business day.
If you need assistance with an existing SecSign account or product installation, please see the FAQs for more information on the most common questions. Can’t find the solution to your problem? Don’t hesitate to contact the