When it comes to talking about Haventec Silent Multi-factor Authentication (or MFA), first and foremost, it is an alternative to conventional multi-factor authentication (like SMS or authenticator apps) that is faster to log in with, easier to use, and so much more secure.
Before introducing Haventec Silent MFA we need to talk about the authentication technology most commonly used today: usernames and passwords.
Most of us are familiar with logging in to an application or a website with a username and password.
When we sign in with a username and password, what generally occurs after you enter the password, is that it gets hashed and salted, and the resulting obfuscated value is sent to a central server – this centralised server is responsible for storing (and protecting) this information.
When you login to that account in the future you need to produce the same hashed and salted value by typing in your username and password.
Unfortunately, password-based protection is failing us because passwords are really hard to protect, and hard to use securely — according to Forgerock, two billion usernames and passwords were compromised in 2021, an increase of 35% over 2020.
The classic security measures used by many enterprises to improve username and password security has not stemmed the tsunami of compromised credentials. And many approaches introduced to strengthen security, such as conventional multi-factor authentication, are creating usability issues, leading to new types of threats and slowing down business.
This is why we introduced Haventec Silent MFA
With Haventec Silent MFA, not only is the user authentication experience familiar, but entire categories of security problems, like weak and reused credentials, credential leaks, and account take over, are just not possible anymore.
Haventec Silent MFA allows a user to login to their accounts with their username and password, just like they do today. In the background Haventec Silent MFA completes a second factor authentication that does not require them to do anything else - no need to enter a PIN sent via SMS; or type in a code from an authentication app; no tokens or smart cards; no USB keys and no QR codes.
On the surface, it appears incredibly simple. Behind the scenes, the Haventec Authenticate engine is establishing an end-to-end encrypted communication channel and authenticating the user’s device using rolling keys, all to let a user login in a way that is easy and familiar while maintaining strong security.
Haventec Silent MFA uses three rolling keys every time a user logs in. These keys are unique to the user, their device and the application they are logging in to.
- One key is a one-time-use public key and is stored on the server running the Haventec Authenticate engine.
- One key is a one-time-use symmetric key and is stored on the server running the Haventec Authenticate engine.
- One key is a one-time use derivative of a private key (authkey) that is stored on the user’s device.
When a user logs in and is successfully authenticated using their username and password, the Haventec Authenticate engine requests the authkey and UUID from the user’s device.
The authkey and UUID are then sent to the Haventec Authenticate engine where the corresponding public key and symmetric key are retrieved.
The UUID, symmetric key and authkey are used to create the private key. The Haventec Authenticate engine then creates a temporary piece of data, signs that data with the public key and then validates the signature with the private key. If the solution is valid, the user’s device has then been successfully authenticated and the user is granted access to the application.
All of the keys are then destroyed and rolled and a new authkey, symmetric key and public key are created.
The new authkey is then sent to the user’s device ready for the next time they login.
Why Haventec Silent MFA?
- Haventec Silent MFA allows users to login in securely to their account from any device – workstation, laptop, tablet and phone – simply by entering a username and password (just like they do now).
- For enhanced security and cost management, Haventec Silent MFA does not store the users private key anywhere.
- Since the server does not hold any private keys, it is a less valuable target for attackers.
- Since the users device does not hold any private keys, it is a less valuable target for attackers.
- Since the private keys are not stored anywhere, the enterprise does not need to incur additional costs and risks associated with the management and protection of large numbers of private keys.
- Since the server does not hold any private keys, it is a less valuable target for attackers.
- All keys are a one-time use keys providing additional security protection for the enterprise, the user and their accounts.
- The user is not required to manage and take responsibility for the storage and protection of their private keys.
- Haventec Silent MFA does not require employees to use their personal devices to sign into their corporate applications.
- All of the cryptography and rolling key protection is totally transparent to the user.
- Haventec Silent MFA can be integrated easily into your current authentication flows using SDK’s, Restful APIs or OpenID Connect.
Haventec Silent MFA delivers the business benefits of simple to use and privacy preserving authentication, without creating usability issues, introducing new threats or slowing down business. And with multi-factor authentication now required by most insurance agencies to qualify for cyber-insurance, it has never been more important.