1. Who this guide is for
This guide explains how to implement Passwordless authentication using Trusona’s mobile SDKs in your mobile application along with Trusona’s server SDKs in your backend systems.
2. Obtaining API credentials
In order to make use of the Server SDK, you’ll need a token and secret from Trusona. These API credentials can be obtained by creating an account on Trusona’s Customer Dashboard. You’ll need to download and register with the Trusona App which can be found in the Apple App Store or Google Play store.
3. Overview
To remove the need for your users to remember or use a password requires the collaboration of the following three components: your mobile app using the Trusona Mobile SDK, your backend systems and services, that require authentication, using the Trusona Server SDK and the Trusona API services themselves.
In this overview we will walk through the four most common use cases and how the three components work together to provide a Passwordless MFA experience for your users.
3.1. What replaces the password?
Instead of a password, the Trusona Mobile SDK will create up to two private-public key pairs on the device. The first key pair represents the device key which Trusona uses to identify the device itself, and during the registration flow, will be bound to a user identifier. The second key pair, the auth key is used for a higher level of authentication where the user’s presence is checked using the same OS security feature that is used to unlock the device.
The device key is supported on all devices that Trusona supports. It does not require that a hardware backed keystore is present on the device. For this reason, it is not considered as secure as a key created using a hardware backed keystore.
The auth key requires a hardware backed keystore to be created. This key is necessary to be able to check for user presence. If a device is unable to support this key, then the device and user will only be able to be authenticated with the most basic authentication level Trusona supports.
The private and public key pairs for both keys are created and stored on the device. The private keys never leave the device, but the public keys are sent to Trusona during the registration process. The Trusona Mobile SDK also derives the device identifier from the device key, which is the UUID used to interact with the Trusona API services.
It is the combination of these keys being bound with a user identifier that provide the secured credential that replaces the password.
4. Glossary of Terms
| Term | Description |
|---|---|
| Account Verification | The process by which the Relying Party verifies new or existing Users. (e.g. email verification) |
| Activation Code | A unique identifier representing the Device+User Binding record in the Trusona API. |
| Active Device | A Device+User Binding which has been activated by the Relying Party in the Trusona API. |
| Auth Key | A public/private keypair created by the Mobile SDK for use during a Trusonafication requiring user presence. |
| Device Identifier | A unique identifier, based on the Device Key, for each Device and each Relying Party App. |
| Device Key | A public/private keypair created by the Mobile SDK for use during a Trusonafication. |
| Device+User Binding | A combination of a Device Identifier and User Identifier that connects a Relying Party’s user with a Relying Party’s user’s Relying Party App. |
| Inactive Device | A Device+User Binding which has not yet been activated by the Relying Party in the Trusona API. |
| Primary Information | Details required by the Relying Party for a user creating a new account or identifying an existing one. (e.g. email, name, phone or address) |
| Relying Party App | The Relying Party’s mobile application in which the Trusona Mobile SDK is embedded. |
| Relying Party Server | The Relying Party’s backed systems in which the Trusona Server SDK is integrated. |
| Relying Party | The Trusona Customer, using Trusona’s services. |
| Trusona API | The Trusona API services which interact with the Mobile and Server SDKs. |
| Trusona Mobile SDK | The Mobile SDK provided by Trusona for integration in your iOS or Android application. |
| Trusona Server SDK | The Server SDK provided by Trusona for integration in your backend systems. |
| Trusonafication | A Relying Party initiated challenge to a known User for a specific action and resource. |
| User Identifier | An identifier which uniquely represents a Relying Party’s user in the Relying Party’s system. Created and managed by the Relying Party. |
| Trusona Gateway | An authentication server that can be integrated into a relying party’s authentication flow using SAML or OpenID connect. It can provide either anonymous primary authentication using a TruCode, or a second factor MFA experience for a relying party’s existing primary authentication method. |