A new Log API

Posted by | News, Tutorials | No Comments

inWebo provides a Log API so that you don’t have to export activity logs manually every day or every week. Logs are automatically made available in your collect and analytics tools.

inWebo Log API gives access to logs for a given service. Authentication to the API requires the same client certificate as the other inWebo APIs. Following log categories are available:

  • Authentication
  • Actions related to authentication devices (activation, online OTP, notification requests)
  • User management
  • Service configuration and Administration

With a call to the Log API, you can specify start and end dates, make page requests, or filter results by log category. Each record in the result is provided as a JSON table containing the following data:

  • Method used (authenticate, loginCreate…)
  • Result (OK, KO…)
  • User login
  • Time and date
  • IP address (when available)
  • Authentication device used
  • Authentication device identifier

Contact inWebo if you would like to activate this option for your authentication service.

Biometry as a second authentication factor

Posted by | News, Tutorials | No Comments

Following Apple’s introduction of a fingerprint sensor on iPhone 5s in 2013, smartphones increasingly come with a biometric sensor. Market research firms expect that 100% of the installed base will have some form of embedded biometrics by 2020 – this is not yet a commodity, but it will come fast. inWebo has therefore upgraded its solutions to support biometry as a second factor. The option is available on request to all customers, existing as well as prospects still evaluating inWebo (free trial).

Upon activation, the biometry option offers 2 alternatives, “biometry enabled” or “biometry forced”. The former applies to services that require users to enter a PIN as a second factor. Users who opt for it replace that PIN with biometrics. The latter mandates biometry as the second factor.

Biometry Settings

inWebo support of biometry as a second factor can be leveraged with

  • inWebo Authenticator version 4.2.0 or higher. The App supports Apple TouchID, as well as fingerprint sensors on Android Marshmallow (6.0+) smartphones.
  • inWebo mAccess version (0.)2.8 or higher. Developers can use mAccess library to support fingerprint biometry in their App but also virtually any kind of biometry (voice, face…), as long as it is implemented with a “match on card” mechanism (i.e. the biometric data is stored and verified locally on the smartphone). The library documentation provides a complete implementation for fingerprint sensors.

Please contact inWebo if you would like to easily add biometry as a second authentication factor for your services or applications.

Findings on Authentication Security

Findings on Authentication Security

Posted by | White Papers | No Comments

Password security is broken and organizations are advised to switch to multi-factor authentication. Will this automatically make things better from a risks and security perspective? In this quick-read white paper, discover and understand the vulnerabilities of the various forms of authentication, and what it takes to effectively enhance identity security.

Table of Contents:

  • Fences, Gates, and Cameras.
  • No More Perimeters but a New Frontier: Identity Security.
  • The Threats to Identity.
  • Authentication Trade-Offs.
  • Separating Marketing Claims from Security Facts.
  • inWebo Security Secret Sauce.
  • A Visual Recap.
  • Protecting Millions of Identities. Everyday. Everywhere.



inWebo Virtual Authenticator

Virtual Authenticator Is For Real

Posted by | Resources, Tutorials | No Comments

We have a blog post on why browser-based authentication makes sense, explaining why and how we came to develop Virtual Authenticator.

A new and convergent authentication method

Virtual Authenticator is the latest authentication method added by inWebo to its solutions, and the successor of Helium, a browser-based authentication method released in 2012, used to protect millions of identities.

The name refers to inWebo Authenticator, the smartphone App available for iOS, Android, and Windows Phone, which supports on-demand OTP (one-time passwords) as well as OTP triggered by push notifications. The reference goes beyond the name, since Virtual Authenticator proposes a unique and converged user experience with inWebo Authenticator.

In particular, users have the same PIN for a given service on Virtual Authenticator and on inWebo Authenticator. This is the same experience on web and mobile, in both cases just a PIN to enter, no ‘security codes’ or copy-paste or App to launch.

What’s in for me?

From an organization perspective, deploying Virtual Authenticator is, actually, not a deployment. There is no software to install or to distribute to the users. You only need to make a change to your authentication page and to authorize Virtual Authenticator from your inWebo administration account. This is described here.

All things considered, this is the easiest to roll out authentication method.

A smooth transition from inWebo Helium

For those already familiar with inWebo Helium, Virtual Authenticator is not a revolution. It comes with features already available with Helium, such as:

  • 1- or 2-factor OTP generation; it can therefore be used both in step-up authentication and multi-factor authentication scenarios
  • PIN change
  • PIN reset
  • a security self-check based on a secret sentence optionally defined by the user, which can be verified by the user whenever he is asked to enter his PIN in Virtual Authenticator.

As it was the case for Helium, the secret sentence is only displayed after a successful and automatic browser authentication with inWebo servers. It cannot be obtained by phishing. We have slightly changed the way it is presented and made it similar to how websites using SSL certificates are displayed in browsers, since users are now familiar with that.

Virtual Authenticator antiphishing

Virtual Authenticator antiphishing

Additionally, Virtual Authenticator has a keyboard for the PIN-entry, which is especially useful with touch screens.

Helium is still supported!

New customers are now proposed Virtual Authenticator and inWebo Authenticator as a default. Customers already using Helium will not see any change since there is no automatic or required migration to Virtual Authenticator. Helium will continue to be supported for existing customers, but also for new customers needing more customization (e.g. branding or PIN policy).

Can I see it?

Yes, we would love to! You are only 3 clicks away. Just sign up for a free trial account for your organization here. You will be able to use Virtual Authenticator to access your administration account, but also to provide it to users so that they access your applications safely and conveniently.

Ending The Torment Of Tokens

Ending The Torment Of Tokens (revisited)

Posted by | White Papers | No Comments

Historically, multi-factor authentication has required to equip users with hardware tokens. There were therefore only a few situations where the risks were large enough to justify the impacts of deploying strong authentication, and to decide against costs and user convenience. However, there are now excellent alternatives to hardware tokens. So it is worth taking a fresh new look at strong authentication. While it is more needed than ever, there is no longer a need to endure the torments of hardware tokens!

In this quick-read use case, discover why multi-factor authentication is paramount to protect organizations against hacks, and how it can be efficiently and cost-effectively rolled out using inWebo MFA. This use case is based on projects launched by industry leaders using inWebo solutions.

Table of Contents:

  • Strong Authentication. Now, More Than Ever.
  • Form Factor: It Matters More Than You Thought.
  • Embracing The Future. Already Serving 100% Of Users.
  • Cloud-Based Authentication Is Appealing. But Is It Reasonable?
  • Millions of Identities. Working With Global Organizations. And Smaller Ones Too.

Banking & Financial Services Security

Banking & Financial Services Security

Posted by | White Papers | No Comments

As banking, payment, and financial services shift massively to web and mobile, fraud opportunities multiply. In this quick-read use case, discover why identity security is paramount to keep fraud low, and how it can be efficiently and cost-effectively rolled out using inWebo MFA. This use case is based on projects launched by industry leaders using inWebo solutions.

Table of Contents:

  • More Threats. Increased Sophistication.
  • Security by Design for Web & Mobile Transactions.
  • inWebo Adaptive Authentication for Optimal User Experience.
  • Working with Top Tier Banks and Financial Service Providers.


Connected Cars Security

Posted by | White Papers | No Comments

As cars get connected and in-car & cloud services sprout, cybersecurity issues raise safety & privacy concerns. In this quick-read use case, discover why identity security is a topic worth being considered for connected cars, and how inWebo provides a solution to address these risks efficiently, both in terms of security and, most importantly in this context, of convenience for the driver. This use case is based on projects launched by industry leaders using inWebo solutions.

Table of Contents:

  • Connected Cars: Opportunities and Threats.
  • Security by Design for In-Car, Mobile, and Web Transactions.
  • inWebo Adaptive Authentication for Optimal User Experience.
  • Working with Top Automakers, Suppliers, and Service Providers.