Introduction to AffirmId, an Authenticator App
The next generation of authentication App for Android phones is here and available for download and installation.
Installation instructions can be found here.
If you are wondering what AffirmId is, perhaps this brief introduction will help.
Secure authentication is best done using three factors: something you know; something you have; and something you are. The players that take part in three-factor authentication include:
- “Relying Party” (RP) provides access to secure resources or facilities to those seeking access, after establishing the requestor's identity and rights. The RP may handle this directly or hand the task off to another principal such as a Security Token Service or an OpenID service.
- “Security Token Service” (STS), if called upon, authenticates the client as part of a Single Sign-On process. The STS verifies the requesting client's identity and issues a token containing claims about that identity.
- “Client” is a device or application, such as a browser, acting as an intermediary between the user and a secure resource or facility managed by the RP. It interacts directly with the user and, in multi-factor authentication, with a device the user must have in their possession.
- “Authenticator” is something you have at the time of authentication. This may take the form of a mobile device App or a self-contained token device. Either way, affirming user presence in the authentication process is its primary responsibility.
- “First User” is the person in possession of, and assignee of, an Authenticator. Possession of the Authenticator implies assumed possession by the First User; affirmed possession by the First User confirms the Authenticator's possession status.
Registration and Authentication in a Multi-Factor Model:
The multi-factor model requires a Registration process before there can be Authentications. Then there is the Multi-Factor Authentication process, by which a First User seeking access affirms to the Relying Party that they are who they claim to be.
Registration is the process by which the user registers their AffirmId mobile device and authenticator with a Relying Party. It begins with a user request to the RP, which then initiates a series of exchanges with the user and their device, collecting user identification information and:
- if registering an OTP account, configuring AffirmId with the account secrets and identifiers provided by the RP, often delivered by QR code, is all that's required; or
- if registering a U2F or FIDO2 account, there will be exchanges between the RP and yourself as well as with your AffirmId authenticator, during which you will have to demonstrate intent by tapping the Yellow authenticator button.
Authentication is required to access secured resources or facilities. It begins with an indication to the RP of your intent:
- if it's a 2FA account, then authentication normally includes providing your username, a password, and a 6-digit OTP code produced by the AffirmId 2FA authenticator to the RP; or
- if it's a U2F or FIDO2 account, then authentication begins by providing your username and password followed by, when requested, tapping the Yellow authenticator button; or
- in some FIDO2 implementations there is no password, so authentication begins with the username and, when prompted, tapping the Yellow authenticator button.
AffirmId Authenticator UI – The App runs in the background 24/7/365 so that it is always aware of possession status: does a human have possession, and is that person you, the First User? When needed, a single tap brings it to the foreground, at which point the UI described below is presented.
Depicted here is the “Blocked State” UI. The display is divided into two sections: the 2FA section above “Tap to register”, and below it the AffirmId icon used to invoke FIDO2 and U2F functions. The blocked state simply means use of the authenticator is blocked; it cannot be used to affirm identity in FIDO2 or U2F modes or to produce 2FA TOTP or HOTP One-Time-Passwords. This locking mechanism prevents malicious use: no one other than the First User, you, can use the authenticator facilities, and then only when it's recognized that the App device is in your actual possession.
The Tap Me UI – appears when you, the First User, are in possession of the device and have brought AffirmId to the foreground. Its presentation indicates affirmation by AffirmId that a human is in possession of the device, and further confirms that person is you.
In the 2FA display section appears a scrolling list of the One-Time-Passwords for all registered 2FA accounts. These cycle or renew every 30 seconds, as indicated by the rotating icon at the top right of the display. “Tap to register” is used to register new 2FA accounts: when tapped, a QR code scanner appears for scanning a QR code carrying the account and secret key information. Optionally, the account and secret key information can be entered manually.
The yellow AffirmId icon is used to access the FIDO2 and U2F facilities of AffirmId. Tapping it initiates either the Registration or Authentication process, while Tap and Hold for 3+ seconds initiates the Pairing process. Either results in presentation of the Soliciting UI.
The Pairing process is one by which AffirmId and your Client device(s) establish an awareness of each other; it forms a security bond between the devices. This process is covered in more detail in [TODO LINK].
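The 2FA path described above (a 6-digit code, renewed every 30 seconds, from a secret delivered by QR code) is standard TOTP. The following is an added example written for this page in Go; it is not AffirmId's code. It shows both ends of that path: the authenticator deriving the code from the shared secret, and the Relying Party verifying a submitted code with one step of clock tolerance and a constant-time comparison. The Base32 secret is the RFC 6238 reference key, used here as constructed demo input, and the function names are the example's own.

```go
// Added example, not AffirmId's code: RFC 6238 TOTP as used by the 2FA path
// described above. TOTPAt is the authenticator side (a 6-digit code per
// 30-second step); VerifyTOTP is the Relying Party side, which tolerates one
// step of clock skew and compares in constant time.
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
)

const (
	totpStep   = 30 // seconds per code, the 30-second renewal the UI shows
	totpDigits = 6  // length of the OTP the RP expects
)

// DecodeBase32Secret turns the Base32 secret carried in an otpauth QR code into
// key bytes; spaces and missing padding, common in hand-entered secrets, are tolerated.
func DecodeBase32Secret(s string) ([]byte, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, " ", ""))
	if m := len(s) % 8; m != 0 {
		s += strings.Repeat("=", 8-m)
	}
	return base32.StdEncoding.DecodeString(s)
}

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
// then reduced to six decimal digits with leading zeros kept.
func HOTP(key []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, key)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", totpDigits, code%1000000)
}

// TOTPAt is the code the authenticator displays at Unix time t.
func TOTPAt(key []byte, t int64) string {
	return HOTP(key, uint64(t/totpStep))
}

// VerifyTOTP is the RP check: accept the code for the current step or either
// neighbour, so a phone clock a few seconds off still works; reject anything else.
func VerifyTOTP(key []byte, submitted string, now int64) bool {
	if len(submitted) != totpDigits {
		return false
	}
	step := now / totpStep
	for _, s := range []int64{step - 1, step, step + 1} {
		if s >= 0 && hmac.Equal([]byte(HOTP(key, uint64(s))), []byte(submitted)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret: the RFC 6238 reference key "12345678901234567890" in Base32.
	key, err := DecodeBase32Secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println(TOTPAt(key, 59))                  // 287082, the RFC 6238 SHA-1 vector at T=59
	fmt.Println(VerifyTOTP(key, "287082", 59+30)) // true: one step of skew tolerated
	fmt.Println(VerifyTOTP(key, "287082", 59+61)) // false: two steps away
}
```

The skew window of one step on the RP side is why a code that has just rolled over on the phone is still accepted for a few seconds; widening it further trades clock tolerance for a larger set of codes an attacker could guess within one window.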
Registration is a one-time process performed between AffirmId and the RP service account you wish to access using either FIDO2 or U2F protocols. This security measure assures a specific bonding between your RP service provider and your TrueYouID authenticator. During this process the parties negotiate which protocol to use and which features within those protocols to use. There are only two protocols but many features and options in each. AffirmId supports both FIDO2 and U2F and offers a full suite of options within each that are possible in a Bluetooth environment.
Soliciting UI – is used for both the Tap and the Tap and Hold options of the Tap Me UI. When displayed, it confirms to you that AffirmId is actively advertising its availability for connection.
A word of caution is in order. AffirmId is a wireless Bluetooth device. During the advertising-for-connection process there is an open window for nefarious persons who would intervene in an attempted takeover of the facilities being advertised. The wireless range of Bluetooth LE is approximately 5 meters (15 feet), meaning anyone within that approximate radius of AffirmId is a potential interloper. While AffirmId takes every reasonable precaution to prevent a malicious attack from succeeding, the old saying that an ounce of caution is worth a pound of cure applies here. This word of caution applies primarily when Tap and Hold for registration is being processed, but is good advice in general where Bluetooth LE is concerned.
Soliciting continues until a remote device initiates a connection, in which case the BLE Active UI appears, or a timeout occurs. In the event of a timeout, indicating that no device wishes to connect with AffirmId, AffirmId returns to either the Blocked or Tap Me UI. Typically this occurs when Bluetooth is not enabled on the Smartphone, the Client device, or both. Another possibility is an out-of-range condition; try again with one meter (3 feet) or less separation between the Smartphone and the Client device.
BLE Active UI – is displayed when the Bluetooth connection is actively engaged with another device. The subtitle under the UI button indicates the type of session activity as either “Active Pairing”, “Active Registering”, or “Active Affirming.”
The BLE active modes are:
- Active Pairing mode indicates BLE activity related to the pairing with a Client device. When it completes AffirmId returns to the Blocked or Tap Me UI. Refer to [TODO LINK] for more details on pairing.
- Active Registering mode indicates AffirmId is in an attestation conversation with the RP service provider via the paired BLE Client for the purpose of registering AffirmId with the RP service provider. During this process AffirmId and the RP will decide on which protocol to use, FIDO2 or U2F, and the options therein. When it completes AffirmId returns to the Blocked or Tap Me UI.
- Active Affirming mode indicates AffirmId is affirming to the RP via the Client that (1) AffirmId is a registered authenticator of the RP, (2) AffirmId is in the possession of a human, and (3) the person in possession is known to be the First User. Provided each of these affirmations complies with the RP's requirements, the RP grants access to the service. AffirmId control then returns to either the Blocked or Tap Me UI.
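As an added illustration of the Active Registering and Active Affirming exchanges, here is a reduced Go model written for this page; it is not AffirmId's implementation nor any FIDO library. Registration mints a key pair per Relying Party and hands over the public half; affirming signs an RP challenge only when the tap (user presence) and the First User decision both hold; the RP checks the signature, the presence flag and a strictly increasing counter, which are the model's counterparts of affirmations (1), (2) and (3). The signed layout follows U2F's (SHA-256 of the RP identifier, a user-presence byte, a 4-byte counter, SHA-256 of the challenge). Everything else is an assumption for illustration: Ed25519 stands in for U2F's ECDSA P-256, the BLE/Client transport is omitted, the `firstUser` input stands for AffirmId's own possession decision, and `login.example` is a constructed RP name.

```go
// Added example, not AffirmId's code or any FIDO reference implementation: a
// simplified model of Active Registering and Active Affirming. Signed layout mirrors
// U2F (appIdHash || userPresence || counter || clientDataHash); Ed25519 is a stand-in.
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
const flagUserPresent byte = 0x01
// Authenticator models the phone side: one key pair per RP plus a signature counter.
type Authenticator struct {
	keys    map[string]ed25519.PrivateKey
	counter uint32
}

// Register (Active Registering): mint a key bound to rpID and return the public half the RP stores.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	if a.keys == nil {
		a.keys = map[string]ed25519.PrivateKey{}
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// Assertion is what the authenticator hands back through the Client.
type Assertion struct {
	Flags     byte
	Counter   uint32
	Signature []byte
}

// signedData is the U2F-style signature base: SHA-256(rpID) || flags || counter || SHA-256(challenge).
func signedData(rpID string, flags byte, counter uint32, challenge []byte) []byte {
	rpHash, chHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	base := append(make([]byte, 0, 69), rpHash[:]...)
	base = append(base, flags, byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(base, chHash[:]...)
}

// Affirm (Active Affirming): tapped models the Yellow button; firstUser models AffirmId's possession verdict (assumed input).
func (a *Authenticator) Affirm(rpID string, challenge []byte, tapped, firstUser bool) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("authenticator is not registered with this RP")
	}
	if !tapped || !firstUser {
		return nil, errors.New("user presence or First User not affirmed; nothing signed")
	}
	a.counter++
	sig := ed25519.Sign(priv, signedData(rpID, flagUserPresent, a.counter, challenge))
	return &Assertion{Flags: flagUserPresent, Counter: a.counter, Signature: sig}, nil
}

// RelyingParty keeps the registered public key and the last counter it accepted.
type RelyingParty struct {
	ID          string
	Pub         ed25519.PublicKey
	lastCounter uint32
}

// NewChallenge returns 32 fresh random bytes; a new one per authentication defeats replay.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks the three affirmations: registered key signed this challenge, a human was present, counter advanced.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	if !ed25519.Verify(rp.Pub, signedData(rp.ID, as.Flags, as.Counter, challenge), as.Signature) {
		return errors.New("signature does not verify under the registered key")
	}
	if as.Flags&flagUserPresent == 0 {
		return errors.New("user presence flag not set")
	}
	if as.Counter <= rp.lastCounter {
		return errors.New("counter did not increase: replay or cloned authenticator")
	}
	rp.lastCounter = as.Counter
	return nil
}

func main() {
	auth, rp := &Authenticator{}, &RelyingParty{ID: "login.example"} // constructed RP identifier
	rp.Pub, _ = auth.Register(rp.ID)                                  // errors ignored in this demo only
	ch := rp.NewChallenge()
	as, _ := auth.Affirm(rp.ID, ch, true, true)
	fmt.Println("first use:", rp.Verify(ch, as)) // <nil>
	fmt.Println("replayed:", rp.Verify(ch, as))  // error: counter did not increase
}
```

The counter check in `Verify` is what turns a genuine but reused assertion into a failure: a second presentation of the same signed response, or a cloned authenticator whose counter has fallen behind, is refused even though the signature itself is valid under the registered key.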
Secure Key, a.k.a. SecKey – Secrets are things you and only you know. As soon as a secret is shared with anyone, it is no longer a secret. SecKey is a secret that remains so if and only if you do not divulge it to anyone else. It's like a PIN, but unlike a PIN it is not divulged. SecKeys are created using the tile pad displayed here. The key you assign must be something you can easily remember and yet something that is unique as well. It must be between three and sixteen characters in length. A three-character key provides pretty good security, while a sixteen-character key provides absolute security. Key characters are selected from a set of sixteen characters, in any order of your choosing.
Each character of a key has sixteen possible values, and coupled with the biometrics of how you use the device to enter it, this yields a 1 in over 78 million chance of an exact match. So the three-character SecKey is, from a practical point of view, impossible to crack. What makes the SecKey secure is its matching algorithm, its secrecy, and its secure key storage.
One of the first acts you perform when installing AffirmId is to create your SecKey. Thereafter, during the first few days of training, you'll be asked multiple times to enter the key. This repetition gives AffirmId the opportunity to learn how you use your device for key entry in multiple settings. As time passes, the repetition reduces to an acceptable level.
You may be asking: why the need for SecKey? As a full-time biometric identification App, there comes a time when AffirmId is not really sure you are you. This is especially true when a change of lifestyle occurs, such as a relocation or perhaps taking a new route to work. Regardless of the reason, when this occurs AffirmId must have a way to affirm you are you. That's where SecKey comes in. And should it ever be the case that a malicious person gets possession of your AffirmId device, not to worry: even if they appear to be you in some regards, they'll not be able to be you so far as SecKey is concerned. And of course, outside of the training period, failing to enter a matching SecKey immediately results in AffirmId flagging you as not the First User.
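As a worked check of the figures above (added here; it is not part of the original text), write $n$ for the key length and 16 for the alphabet size:

$$|K_n| = 16^n = 2^{4n}, \qquad |K_3| = 2^{12} = 4096, \qquad |K_{16}| = 2^{64} \approx 1.8 \times 10^{19}.$$

The "1 in over 78 million" figure quoted for a three-character key therefore cannot come from the key alone: the key contributes at most 4096 candidates, and the remaining factor,

$$\frac{78 \times 10^{6}}{16^{3}} \approx 1.9 \times 10^{4},$$

is what the text attributes to the biometrics of how the key is entered. The practical consequence is that a short SecKey's strength rests on the entry-behaviour match and on the App's refusal after a failed match, not on the size of the key space, so those two mechanisms are the ones to exercise when evaluating the App.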