Clients are authenticated through reliable and robust methods designed for security and authorization:
Client Secret: Clients can authenticate using a client secret to ensure secure and authorized interactions with the platform. For more details, refer to OAuth 2.0 RFC 6749 Section 2.3.1.
Mutual TLS with X.509 Certificate: OAuth client authentication and certificate-bound access and refresh tokens, using mutual Transport Layer Security (TLS) authentication with X.509 certificates. This mechanism provides a secure method for client authentication and binds access tokens to the client's mutual-TLS certificate, so a token stolen from one connection cannot be replayed from another. For more details, refer to OAuth 2.0 RFC 8705.
These authentication methods, including mutual TLS with X.509 certificates, ensure a balanced approach to security, accessibility, and convenience for both users and clients within our platform.
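The certificate binding described for mutual TLS works through the `cnf` (confirmation) claim of RFC 8705 section 3.1: the authorization server stores the base64url-encoded SHA-256 thumbprint of the client's certificate under `x5t#S256`, and a resource server only accepts the token if the certificate on the current TLS connection has the same thumbprint. The following is an added illustration written for this page, not code from the platform; the "certificates" are constructed placeholder byte strings (the thumbprint is computed over the DER bytes, so any bytes show the arithmetic), and the JWT signature and expiry checks that must precede this step are assumed to have been done by the caller.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed placeholders: in real use these are the DER bytes of the X.509
# certificate presented by the client on the mutual-TLS connection.
CLIENT_CERT_DER = b"-- constructed DER bytes of the legitimate client's certificate --"
OTHER_CERT_DER = b"-- constructed DER bytes of some other certificate --"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 section 3.1 thumbprint: base64url(SHA-256(DER)) with '=' padding removed."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token_to_cert(claims: dict, cert_der: bytes) -> dict:
    """Authorization-server side: add the 'cnf' claim that binds the token to the
    certificate the client authenticated with when the token was issued."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound


def token_matches_presented_cert(claims: dict, presented_cert_der: Optional[bytes]) -> bool:
    """Resource-server side (RFC 8705 section 3): accept a certificate-bound token only
    if the certificate on *this* TLS connection carries the thumbprint named in 'cnf'.
    Signature and expiry of the token are assumed to have been verified already;
    this function checks proof of possession only."""
    if presented_cert_der is None:
        return False  # no client certificate on the connection
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False  # token is not certificate-bound: refuse, never silently downgrade
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str):
        return False
    # The thumbprint is not secret, but compare_digest also handles length
    # mismatches safely and keeps the comparison branch-free.
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))


if __name__ == "__main__":
    token = bind_token_to_cert({"sub": "client-123", "scope": "read"}, CLIENT_CERT_DER)
    print("same cert   ->", token_matches_presented_cert(token, CLIENT_CERT_DER))
    print("other cert  ->", token_matches_presented_cert(token, OTHER_CERT_DER))
    print("no cert     ->", token_matches_presented_cert(token, None))
```

The refusal of an unbound token is a deliberate choice: if a resource server accepts both bound and unbound tokens, a stolen unbound token bypasses the binding entirely, so deployments that require mutual TLS should treat a missing `cnf` as a failure.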
Password: Traditional authentication using a secret password.
SMS: Time-based One-Time Code sent via SMS.
Tel: Time-based One-Time Code delivered via telephone voice call.
Email: One-time code or link sent to email.
Authenticator App: Time-based One-Time Password (TOTP) generated by an app (e.g., Google Authenticator, Microsoft Authenticator).
Passkeys: Cryptographic keys stored on the device.
OIDC (OpenID Connect): Authentication via trusted third-party identity providers (e.g., Google, Microsoft, or other OIDC-compatible services) for seamless login.
Single Sign-On (SSO): Users can streamline their authentication process and access multiple applications securely with single sign-on (SSO) functionality.
Authentication (Authn) is the process of verifying the identity of users, devices, applications, or other entities, providing a level of assurance that they are who they claim to be. Our system provides four levels of authentication assurance:
At AAL1, authentication is typically performed using a single-factor authentication method, such as password or one-time passcodes (OTP) sent via SMS or Email. This level of assurance is suitable for environments with lower security requirements.
Authentication Methods for AAL1:
Password
SMS OTP
Email OTP
TEL (Phone call verification)
AAL2 requires multi-factor authentication (MFA), combining at least two independent factors to verify the identity of the user. This may include combinations of passwords, TOTP (Time-based One-Time Password), or Passkeys with methods like SMS OTP, Email OTP, or TEL. This level of assurance is appropriate for systems that require moderate security.
Authentication Methods for AAL2:
Password + SMS OTP
Password + Email OTP
Password + TOTP
Passkeys + SMS OTP
Passkeys + Email OTP
TEL + Password
AAL3 involves strong multi-factor authentication to ensure high security, typically using biometrics or physical tokens like smartcards combined with TOTP, Passkeys, or SMS/Email OTP. This level is required for high-risk environments where robust identity verification is essential.
Authentication Methods for AAL3:
Password + Passkeys + TOTP
Passkeys + TOTP + SMS OTP
Passkeys + TOTP + Email OTP
Passkeys + SMS OTP + TEL
Passkeys + Email OTP + TEL
AAL4 represents the highest level of assurance, involving multiple independent factors, including biometrics, smartcards, Passkeys, TOTP, SMS OTP, Email OTP, and TEL. This level is designed for environments that require maximum security, ensuring a very high level of trust in the identity of the user or entity.
Authentication Methods for AAL4:
Passkeys + TOTP + SMS OTP + TEL
Passkeys + TOTP + Email OTP + TEL
Passkeys + TOTP + Biometric Authentication
Authentication Factors
Our system categorizes authentication Factors into three classes:
Something you know: Knowledge-based methods (e.g., passwords, PINs).
Something you have: Possession-based methods (e.g., email, phone number, SMS, voice, app-based one-time password generators).
Something you are: Inherence-based methods (e.g., fingerprint, voice recognition, facial recognition, iris scan).
Multifactor Authentication (MFA) is a security mechanism that requires two or more different types of authentication factors to verify a user’s identity.
Primary Types of Authentication Factors:
Something You Know: Information that only the user knows, such as a password or PIN.
Something You Have: A physical item the user possesses, such as a smartphone, security token, or smart card.
Something You Are: Biometric data unique to the user, such as a fingerprint, facial recognition, or voice recognition.
Additional Contextual Factors:
Location: The user’s IP address or physical location.
Time: The time of day or expected usage patterns.
Our platform offers three levels of authentication, each designed to meet different security needs. Low, Medium, and High levels vary based on the number and type of factors used to verify a user’s identity.
Low:
Requires the user to authenticate with one factor from any of the following categories:
Something You Know (e.g., password, PIN)
Something You Have (e.g., security token, smartphone)
Something You Are (e.g., fingerprint, facial recognition)
Note: Low mode is not recommended for critical or high-risk systems, as it provides only basic security. It is more suitable for low-risk environments or non-sensitive applications.
Medium:
Requires the user to authenticate with two factors from any of the following combinations:
Something You Know & Something You Have (e.g., password + OTP)
Something You Have & Something You Are (e.g., security token + fingerprint)
Something You Are & Something You Know (e.g., facial recognition + password)
Medium mode provides an enhanced level of security, making it suitable for most general use cases where moderate security is necessary.
High:
Requires the user to authenticate with three factors from the following categories:
Something You Know (e.g., password)
Something You Have (e.g., smartphone, hardware token)
Something You Are (e.g., biometrics like fingerprint or facial recognition)
High mode offers the strongest security and is ideal for high-assurance environments, where protecting sensitive or critical data is essential.
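The Low/Medium/High rule above is a count of distinct factor classes, not of methods: a password plus a PIN is still one class ("something you know"), while location and time are contextual signals that inform risk decisions but are not factors. The added example below (written for this page, not the platform's own policy engine) encodes that rule. The method names and their class assignments are taken from the factor lists on this page; the lower-case keys and the level names are assumptions for the illustration, and the hand-curated AAL combination tables in the earlier section are a separate list that this rule does not reproduce.

```python
from typing import Dict, Iterable, Optional, Set

# Factor classes as given on this page; keys are method names used in this example.
FACTOR_CLASS: Dict[str, str] = {
    "password": "know", "pin": "know",
    "sms": "have", "email": "have", "tel": "have", "totp": "have",
    "passkey": "have", "security_token": "have", "smartphone": "have", "smart_card": "have",
    "fingerprint": "are", "face": "are", "voice": "are", "iris": "are",
}
# Contextual signals (location, time) are considered in risk decisions but do not
# count as authentication factors.
CONTEXTUAL = {"location", "time"}

LEVEL_BY_DISTINCT_CLASSES = {1: "Low", 2: "Medium", 3: "High"}
LEVEL_RANK = {"Low": 1, "Medium": 2, "High": 3}


def factor_classes(methods: Iterable[str]) -> Set[str]:
    """Map the methods used in a login to the set of factor classes they cover."""
    classes: Set[str] = set()
    for method in methods:
        name = method.strip().lower()
        if name in CONTEXTUAL:
            continue
        if name not in FACTOR_CLASS:
            # Fail closed: an unrecognised method must not count as a factor.
            raise ValueError(f"unknown authentication method: {method!r}")
        classes.add(FACTOR_CLASS[name])
    return classes


def achieved_level(methods: Iterable[str]) -> Optional[str]:
    """Low / Medium / High from the number of distinct classes; None if no factor at all."""
    return LEVEL_BY_DISTINCT_CLASSES.get(len(factor_classes(methods)))


def satisfies(required: str, methods: Iterable[str]) -> bool:
    """True if the login reaches at least the required level."""
    got = achieved_level(methods)
    return got is not None and LEVEL_RANK[got] >= LEVEL_RANK[required]


if __name__ == "__main__":
    for used in (["password"], ["password", "pin"], ["password", "sms"],
                 ["password", "sms", "fingerprint"], ["password", "location"]):
        print(f"{used!r:45} -> {achieved_level(used)}")
```

A policy check of this shape belongs at the point where a session is granted its assurance level, so that a later step-up (for example, requiring High before an administrative action) can compare against what was actually verified rather than against what the client claims.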
Framework | Low | Medium | High
NIST SP 800-63B | AAL1: Single-factor authentication (e.g., password, fingerprint, or OTP). | AAL2: Requires two distinct factors (e.g., password + OTP). | AAL3: Cryptographic or hardware-based MFA with biometrics.
eIDAS | Not compliant for secure transactions. | SCA-compliant for standard transactions. | Required for high-assurance transactions (biometric-based MFA).
PCI DSS | Not compliant for systems handling sensitive data. | Required for access to cardholder data and admin access. | Recommended for securing sensitive payment data.
ISO/IEC 27001 | Suitable for basic access control (low-risk systems). | Recommended for privileged accounts and sensitive systems. | MFA with biometrics for critical systems or data.
NIS2 Directive | Not recommended for critical systems. | MFA required for critical and essential sectors. | MFA with biometrics or hardware tokens for high-risk sectors.
SOC 2 | Not compliant for systems managing sensitive data. | Required for securing systems with customer data. | Adds extra security for sensitive customer data environments.
ISAE 3402 | Suitable for basic assurance engagements. | Demonstrates secure access controls for data protection. | Enhances assurance by combining MFA with biometrics for critical use cases.
GDPR | Single-factor insufficient for Article 32 compliance. | Meets access control requirements for protecting personal data. | Strengthens compliance for systems handling sensitive personal data.
HIPAA | Not sufficient for protecting ePHI. | Helps meet HIPAA’s technical safeguards for access control of ePHI. | Ideal for protecting ePHI with biometrics for enhanced security.