Using custom employee identifiers in the Trusona App

Easily use your employees' existing user identifiers in the Trusona App

Core implementation components

Let’s do this.

Implementing custom identifiers for your employees uses components from your systems and Trusona.

  • Your components
    • Backend application(s)
  • Trusona components
    • Trusona Cloud Service
    • Trusona App
    • Trusona Web SDK

Getting started

The first step in your Trusona implementation is getting access to the Trusona service and components.

Trusona credentials

To interact with the Trusona service, you will need Server SDK credentials. Trusona supplies these as part of project kick-off.

Global infrastructure

Choose a global infrastructure instance based on your performance and compliance needs. The Trusona Cloud Service stores Users of the Trusona App in a specific region based on a pre-configured email domain. Trusona configures this email domain as part of project kick-off.

  • North America (United States)
  • Europe (Ireland)
  • Asia (Japan)

SDK access and installation

Trusona server and web SDKs are open source and available on Trusona’s GitHub Repository. You can find more details in the SDK-specific documentation.

Core implementation workflows

There are two key workflows, registration and authentication.

The registration workflow describes how to register a custom identifier for a Trusona App User.

The authentication workflow includes different ways to authenticate your users.

Registration

When using custom identifiers, your employees need to download and register with the Trusona App using their email address. They cannot register with the custom identifier.

The registration workflow relies on a few key terms:

  • User – The end user of the Trusona App
  • User Identifier – The unique identifier of a User in your user directory
  • Secure QR Code – Trusona’s random, unique, and animated QR code used for Device identification
  • Device – The User’s mobile device with the Trusona App installed

Registration responsibilities

Your backend application handles:

  • Authenticating and authorizing the User
  • Interfacing with the Trusona Web SDK
  • Interfacing with the Trusona Server SDK

The Trusona App handles:

  • Scanning the Secure QR Code
  • Identifying the Device to the Trusona Cloud Service

Registration steps and data flow

[Figure: Secure QR code custom identifier registration]

  1. The User authenticates to your backend system using the existing authentication mechanism
  2. Your Backend Application then requests a Secure QR Code from the Trusona Cloud Service using the Trusona Web SDK
  3. The Trusona Cloud Service returns the unique and random Secure QR Code
  4. Your Backend Application uses the Trusona Web SDK to render the Secure QR Code for the User
  5. Using the Trusona App, the User scans the Secure QR Code
  6. The Trusona App tells the Trusona Cloud Service that the code was scanned and identifies the scanning Device
  7. The Trusona Cloud Service returns an identifier of the scanned Secure QR Code
  8. Your backend system tells the Trusona Cloud Service to associate the logged-in User's identifier with the Device that scanned the Secure QR Code

Registration for new users

The steps above assume an existing user. For new users, step 1 of the workflow is different. Your registration process must display the Secure QR Code for the User to scan. After the User scans the Secure QR Code, use the Trusona Server SDK to associate the new User Identifier.

Authentication

The authentication workflow relies on a few key terms:

  • Trusonafication – The authentication challenge issued by Trusona to the User
  • Cached identifier – A User Identifier that is derived from a local cache (e.g. cookie)

Authentication responsibilities

Your Backend Application handles:

  • Identifying the User to authenticate
  • Interfacing with the Trusona Server SDK
  • Interfacing with the Trusona Web SDK
  • Authorizing the authenticated User

The Trusona App handles:

  • Challenging the User to authenticate
  • Completing the Trusonafication

Authentication strategies

How you authenticate your Users depends on your use case. Three common options include user supplied identifiers, Secure QR Codes, and cached identifiers.

User supplied identifier

Users are familiar with authenticating by first specifying a username. Once identified, your Backend Application issues a Trusonafication for the User.

[Figure: Secure QR code custom identifier authentication with username]

  1. The User begins the process by entering their username
  2. Your Backend Application creates a Trusonafication for that user, using the supplied username
  3. Your Backend Application uses the Trusona Server SDK to continually request the status of the Trusonafication
  4. The Trusona Cloud Service sends a push notification to the User’s Trusona App
  5. The User opens the Trusona App and completes the authentication process
  6. The Trusona App sends a response back to the Trusona Cloud Service
  7. The Trusona Cloud Service returns the result of the Trusonafication to the process started in step 3
  8. Your Backend Application authorizes the authenticated User
  9. The User is now logged in

Be aware of knock-knock attacks!

An unprotected implementation of user supplied identifiers may allow “knock-knock” attacks: an attacker enters a known username and hopes that an unsuspecting User approves the Trusonafication.

Secure QR code

An alternative to a User supplied identifier is device discovery with a Secure QR Code. This strategy uses a Secure QR Code to identify the User’s Trusona App, which prevents knock-knock attacks.

[Figure: Secure QR code custom identifier authentication with Secure QR Code]

  1. The User begins the process by navigating to your Backend Application
  2. Your Backend Application requests a new Secure QR Code using the Trusona Web SDK
  3. The Trusona Cloud Service returns a unique Secure QR Code
  4. Your Backend Application renders the Secure QR Code using the Trusona Web SDK and waits for a response from the Trusona Cloud Service
  5. The User uses the Trusona App to scan the Secure QR Code
  6. The Trusona App sends its identifier to the Trusona Cloud Service, indicating that it scanned a specific Secure QR Code
  7. The Trusona Cloud Service returns the identifier of the scanned Secure QR Code
  8. Your Backend Application creates a Trusonafication for that user, using the scanned Secure QR Code identifier
  9. Your Backend Application uses the Trusona Server SDK to continually request the status of the Trusonafication
  10. The Trusona Cloud Service sends a push notification to the User’s Trusona App
  11. The User opens the Trusona App and completes the authentication process
  12. The Trusona App sends a response back to the Trusona Cloud Service
  13. The Trusona Cloud Service returns the result of the Trusonafication to the process started in step 3
  14. Your Backend Application authorizes the authenticated User
  15. The User is now logged in
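
As an added example (not Trusona's code), the model below contrasts the user supplied identifier and Secure QR Code strategies to show which Device ends up being prompted in each. `FakeTrusonaCloud` and its methods are hypothetical stand-ins, not Trusona SDK calls, and single-use codes are an assumption of the model.

```python
# Added illustration: an in-memory stand-in for the Trusona Cloud Service.
# Class and method names are hypothetical, not the Trusona Server or Web SDK API.
import secrets


class FakeTrusonaCloud:
    def __init__(self):
        self.devices = {}    # User Identifier -> registered Device
        self.qr_scans = {}   # Secure QR Code id -> Device that scanned it, or None
        self.prompts = []    # (device, strategy) for every push notification sent

    def register(self, user_identifier, device):
        self.devices[user_identifier] = device

    def challenge_by_identifier(self, user_identifier):
        device = self.devices.get(user_identifier)
        if device is not None:
            # Whoever typed the identifier decides whose Device is prompted.
            self.prompts.append((device, "identifier"))
        return device

    def new_qr(self):
        qr_id = secrets.token_urlsafe(16)   # random and unique per request
        self.qr_scans[qr_id] = None
        return qr_id

    def scan(self, qr_id, device):
        if qr_id in self.qr_scans and self.qr_scans[qr_id] is None:
            self.qr_scans[qr_id] = device   # model assumption: first scan wins
            return True
        return False

    def challenge_by_qr(self, qr_id):
        device = self.qr_scans.pop(qr_id, None)   # model assumption: single use
        if device is not None:                    # nobody scanned: nobody is prompted
            self.prompts.append((device, "qr"))
        return device


def demo():
    cloud = FakeTrusonaCloud()
    cloud.register("emp-1001", "alice-phone")   # constructed sample data
    cloud.challenge_by_identifier("emp-1001")   # typed by anyone who knows it
    cloud.challenge_by_qr(cloud.new_qr())       # rendered, never scanned
    qr_id = cloud.new_qr()
    cloud.scan(qr_id, "alice-phone")
    cloud.challenge_by_qr(qr_id)
    return cloud.prompts
```

In the identifier strategy the prompt reaches the registered Device with no action by its owner; in the Secure QR Code strategy a prompt is sent only to the Device that physically scanned the code shown in that browser session.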

Cached identifiers

For an improved user experience, cache the user supplied identifier. Cookies are a common approach. When the user returns, your Backend Application issues a Trusonafication for the User.

[Figure: Secure QR code custom identifier authentication with cached username]

  1. The User begins the process by navigating to your Backend Application
  2. Your Backend Application retrieves the identifier from the cache
  3. Your Backend Application creates a Trusonafication for that user, using the cached identifier
  4. Your Backend Application uses the Trusona Server SDK to continually request the status of the Trusonafication
  5. The Trusona Cloud Service sends a push notification to the User’s Trusona App
  6. The User opens the Trusona App and completes the authentication process
  7. The Trusona App sends a response back to the Trusona Cloud Service
  8. The Trusona Cloud Service returns the result of the Trusonafication to the process started in step 3
  9. Your Backend Application authorizes the authenticated User
  10. The User is now logged in

Get in touch

Have more questions or need additional help? Contact us.

