Passwordless MFA System: Proof of Concept
Highlights
In 2018, Identité, an American seed-funded startup in authentication solutions, turned to PSA for turnkey product development, from concept finalization to deployment and further support. The product idea was a passwordless registration and authentication system, that was expected to be the easiest to use and the most secure on the market.
Challenge
Customer Challenge
Implement a passwordless authentication solution in the most secure way to capitalize on it.
Project Objective
Create the easiest and most secure passwordless authentication and registration tool suitable for versatile use.
Solution
To validate and finalize the idea of a passwordless authentication tool, PSA conducted research on how to implement authentication that is ultimately secure without a password. As a result, we invented the method we called Full-Duplex Authentication®, which allows for verification of all sides of the interaction – both services and the users. Thus, we have introduced a new authentication standard and created intellectual property in form of a written patent. The simplified version of the method looks like this:
-
Generating a one-time password on the authentication server
-
Providing generated password to the user device and the web portal
-
Verification of passwords displayed on the portal website and on the user device
To provide the ultimate security level of the solution we implemented the concept of Multi-Factor- Authentication (MFA): by login, secure token (one-time password), and biometrics. The whole authentication concept sounded like this: With minimal typing or actions by a user, they could quickly register and authenticate with 3 factors – something they knew, something they had, and something they were. The solution was decided to be called NoPass®.
In parallel to this, we conducted detailed market research to ensure the business value of the perspective tool, and identify market niches to propose it. Thus, we delivered a concept of 3 separate products to be developed:
-
NoPass Consumer – for marketplaces to authenticate consumers,
-
NoPass Employee MFA – for companies’ workers' authentication,
-
NoPass Employee SSO (Single-Sign-On) – for authentication in various systems within one portal.
In addition, we provided the client with the concept of NoPass SDK – a software development kit that allows for building the NoPass multi-factor authentication into the existing mobile applications. With NoPass SDK, you keep the user from having to install an additional app on their smartphone that performs authentication.
The first PoC (Proof of Concept) of the NoPass product was a demo portal called PerShop that we connected to the NoPass server. Our applications accomplished the task of simple and secure password-less user registration and authentication.
Development Included
- Functional requirements definition
- Researching modern authentication standards
- API documentation
- Deployment guide creation
- SDK architecture documentation
- StoryBoard creation
- POC delivery
Result
-
The invented method of passwordless authentication eliminates man-in-the-middle, spoofing, and phishing attacks
-
The patent was created and registered
-
A stable income was expected after 1-year
Technology Breakdown
Further Cooperation
After delivering the initial concept, the PSA team moved further to development in order to enter the market with the simplest and the most secure authentication tool.