A step-by-step guide to the key processes and functions that the Encap Security solution offers.
The activation process binds the user’s identity to the following security credentials: a smart device and a PIN-code. These provide the something-you-have and something-you-know elements of 2FA.
The security credentials will subsequently be used in the Encap Security authentication process. The binding is established through the registration and issuance process that is described below. It is assumed in the following that the user is already known to the service provider and has been issued with a set of existing security credentials (e.g. token, SMS OTP or username/password).
1. User logs in and is verified
The user logs onto an online or mobile service via existing credentials. The trust built into the existing credential will be the basis for the trust built into the Encap Security solution. After agreeing to use Encap Security as a new form of 2FA, the user starts the activation procedure by downloading the Encap Security client from the platform specific mechanism (AppStore for iOS and Google Play for Android).
2. Activation code is entered
After installing the client, the Encap server generates a time-limited activation code. The Encap server or the service provider shows the activation code to the user and asks the user to enter the activation code into the Encap Security client.
3. Activation code is verified
After the Encap Security client has captured the activation code, it calls the Encap Security server and sends the activation code for verification. Once verified, the Encap Security server knows that the user holds the specific device and what type of device the user has.
4. User chooses a PIN
After successfully verifying the user and the device, the user is asked by the Encap Security client to select a PIN and repeat the PIN for verification. The length of the PIN can be configured by the service provider.
5. Device is “fingerprinted” to create a Secure Key
The Encap Security client “fingerprints” the device to create a secure key using the users PIN, a device ID from the smartphone (such as IMEI number) and data from the Encap Security client. This Secure Key is stored by the Encap Security server. Neither the secure key nor the user PIN is ever stored on the device. The service provider binds the users identity (including the user name) and the fingerprint, which concludes the activation process.
This process takes seconds and is hidden from the user who simply has to input their PIN code. It is designed specifically to provide fast, simple and yet secure access, protecting the user from attack and reduces the risk of breaches, hijacking and fraud.
1. User requests login
The user starts an authentication process by launching the service provider’s application and typing in their unique ID (i.e. a user name). The service provider looks up the user name, verifies the binding established during activation and asks the Encap Security server to start the authentication process. The Encap Security server can be configured to launch the Encap Security client automatically using push messages, or the user simply starts the client manually.
2. Server sends challenge
The Encap Security client initiates a process to identify itself towards the Encap Security server, and the Encap Security server returns a challenge message together with service- and/or transaction specific information. The information is displayed to the user by the Encap Security client to help validate the authenticity of the transaction (and avoid Man In The Middle (MITM) attacks).
3. User enters PIN
The Encap Security client asks the user for the PIN that was chosen in the activation process. The user will have three attempts to type the correct PIN, or the Encap Security client will be locked on the server.
4. Encap client generates a response
The Encap Security client generates a response to the challenge in step two by re-generating the Secure Key from the activation process, encrypting the challenge with the Secure Key and returning the response to the Encap Security server.
Upon receipt of the response from the Encap client, the Encap Security server verifies the response using its stored Secure Key and makes a decision on whether the authentication is successful or not. The authentication decision is handed back to the service provider which takes appropriate action based on this information (e.g. let´s the user login or approves a payment transaction).
Unlike many other authentication platforms, Encap Security adds value by also providing facilities for PKI signing. This enables Encap Security to perform more advanced authentications processes for ultra-secure applications, provide legally binding digital signatures and non-repudiation.
The Encap Security client on the smart device generates a private/public key pair during the activation process, and locks the private PKI-key on the device using an unlock key generated by Encap Security server. The Encap Security client sends the public key to Encap Security server as a CSR (Certificate Signing Request), which is passed on to the PKI Certificate Authority.
1. User requests to sign a document
The service provider presents a document to be signed by the user, for example on a web page. The user views the document on the web and selects the “Sign document on smart device” button in the service provider’s web page. The Encap Security server receives the message to start the signing process.
2. Server sends challenge and document
The Encap Security client is launched, connects to the Encap Security server and receives a challenge, together with the title, a summary and the document to be signed. The Encap Security client can present the document to be signed by the user.
3. User views document and types PIN
The user opens the document on the smart device, opts to sign it using the Encap Security client, and enters the PIN (same as for authentication).
4. Encap Security client generates response and gets unlock key
The Encap Security client generates a response to the challenge, and send it to the server. The Encap Security server verifies the response against its stored Secure Key and returns the unlock key, generated during activation, to the Encap Security client.
5. Encap Security client signs document and returns signature
The Encap Security client unlocks the user’s private key using the unlock key received from server, generates a digital signature of the summary document, and returns the signature to the Encap Security server. Encap Security server forwards the signature to the service provider which concludes the digital signing process.
If the document to be signed is very large, it can prove costly to send it over the mobile network and cumbersome to review. In this case, the service provider has the option of sending a summary to the mobile device prior to signing.