Authenticators

Passive Authenticators

AffirmID provides two passive authenticators, each being a type of one-time-passcode, or OTP.

You use an OTP code to augment another authentication factor, most often a password or PIN. While the methods vary, the OTP code is generally appended to or combined with the first factor, forming a composite of something you know (a password, for example) or something you are (perhaps a fingerprint) with something you have: the device producing the code.

Time-based OTP, or TOTP, is a 6-digit code renewed every 30 seconds. A 30-second timer in the top right corner of the display indicates the remaining time to live of the present OTP. When it reaches 0 a new code is produced.

Event-based OTP, or HOTP, is also a 6-digit code but is not tied to the timer. The displayed code persists until you tap it; the tap produces a new code that replaces the old.

OTP authenticators must be registered, a one-way activity in which the relying party or its designee provides the information, including a secret key, needed to register the authenticator with the secured account. It is important that you not reveal the secret key to anyone. Internally AffirmID encrypts this key to prevent its theft. Often a QR code is provided to automate the registration process. Tapping the + sign in the lower right corner of the display activates the camera to ingest the registration information, including the secret key, from the QR code.

Double tapping the OTP code takes you to an editor where you can edit the registration information. The editor can also be accessed from the options list. Unless instructed otherwise by the relying party or your help desk, edits should be limited to the account “Name” field.
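As an added example that is not part of the AffirmID documentation, the following Python implements the two passive authenticator types described above: HOTP (RFC 4226) with a tap-advanced counter, TOTP (RFC 6238) with the 30-second step and countdown timer, and a parser for the secret key carried in a registration QR code. It assumes the QR payload uses the common otpauth:// URI format (not confirmed for AffirmID), and the secret is the RFC test-vector value, not a real key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample: the RFC 4226 / RFC 6238 reference secret "12345678901234567890",
# base32-encoded the way a registration QR code would carry it.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
# Constructed otpauth:// URI; this payload format is an assumption, not AffirmID's documented one.
SAMPLE_QR_URI = "otpauth://totp/Example:alice@example.com?secret=" + SAMPLE_SECRET_B32 + "&issuer=Example"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    # RFC 6238: TOTP is HOTP whose counter is the number of whole 30-second steps elapsed.
    return hotp(secret, unix_time // step, digits)


def seconds_remaining(unix_time: int, step: int = 30) -> int:
    # Time to live shown by the countdown timer; when it reaches 0 the code changes.
    return step - (unix_time % step)


class HotpToken:
    # Event-based token: the code persists until a "tap" advances the counter.
    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def current(self) -> str:
        return hotp(self.secret, self.counter)

    def tap(self) -> str:
        self.counter += 1
        return self.current()


def parse_otpauth(uri: str) -> tuple:
    # Pull the OTP type, account label and raw secret bytes out of a registration URI.
    parts = urlparse(uri)
    query = parse_qs(parts.query)
    secret_b32 = query["secret"][0].upper()
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore base32 padding if the QR omitted it
    return parts.netloc, parts.path.lstrip("/"), base64.b32decode(secret_b32)
```

The decoded secret should only ever be held in memory long enough to register it; the authenticator app, not the user, is the place it lives afterwards.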

Active Authenticators

AffirmID provides three active authenticators, each being of the 2-way cryptographic type: WebAuthn, FIDO2, and Push.

WebAuthn is a joint standard of the FIDO Alliance and the World Wide Web Consortium. It may be encountered as the second factor in 2FA applications. In other 2FA scenarios it may serve as a demonstration of what you have together with either what you know or what you are. It is especially popular with web browsers.

FIDO2 can be seen as a superset of WebAuthn: it performs as WebAuthn does and additionally provides support for desktop applications and web services. In time it is reasonable to anticipate FIDO2 use by applications such as desktop login, VPNs, RDP, and perhaps even SSH.

While either WebAuthn or FIDO2 could be employed in password-less applications, often the preferred method is “Push” authentication. Here an exchange takes place between the relying party and the AffirmID active authenticator: the relying party sends a solicitation to authenticate, and the authenticator responds with a digitally signed token once you approve the authentication with a button tap.

A color coded AffirmID icon is employed for both WebAuthn and FIDO2 authentication. Two buttons are provided for Push, a Decline and an Accept button.

WebAuthn and FIDO2 communicate with remote client devices such as a laptop or other IoT device having Bluetooth connectivity. Thus, communication between your phone and the client device is over Bluetooth Low Energy, also known as BLE, a secure protocol.

Color coding is: Yellow indicates the authenticator is available, Green that it is ready, a green BLE symbol that it is active, and Red that it is not available. Operationally, tap the yellow icon once if your intent is to register or authenticate, and twice to pair. When Green, tap again to complete the registration or authentication process.

Push authentication completes registration as outlined above. However, authentication is somewhat more automated, inasmuch as when required two buttons appear in the active area: a red button labeled Decline and a green button labeled Accept. Tapping either completes the authentication process.