Haventec Authenticate - Frequently Asked Questions

_____

 

What is Haventec Authenticate?

Haventec Authenticate is a decentralised authentication engine that eliminates friction and enables safe, simple and secure access for customers, citizens and employees. Haventec Authenticate is powered by an internationally patented Rolling Key technology consisting of dynamic, single-use public and private keys.


_____

 

What solutions does Haventec Authenticate enable?

Haventec Authenticate enables market-leading authentication solutions including Passwordless Authentication and Silent MFA. Haventec Authenticate can also be integrated into your existing IAM or accessed through a CIAM-as-a-Service.


_____

 

Does Haventec rely on a bearer token to authenticate the user and their device?

Bearer tokens are used as part of an HTTP/OAuth2 authentication scheme. Whilst Haventec uses standard protocols such as OATH and OIDC, there are some exceptions. To enhance security, Haventec uses a proprietary 'AuthKey', which is cryptographically secured using a patented one-time-use rolling key architecture. Similar to a bearer token, the AuthKey is an opaque string that is unreadable by the user. However, unlike a bearer token, the AuthKey is for one-time use and is rolled every time the user authenticates to Haventec.

Further, the AuthKey presented by the user must also cryptographically match the user's details in the Haventec system, meaning that the AuthKey cannot be arbitrarily used by another user.
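The two properties described above, single use with rolling and binding to one user, can be seen in a minimal server-side sketch. This is an added example, not Haventec's code, and it does not reproduce the proprietary AuthKey scheme: the class and method names are hypothetical, and a random token stands in for the rolling key material.

```python
import hashlib
import hmac
import secrets


class RollingTokenStore:
    """Hypothetical server-side state for a single-use token that rolls on every login."""

    def __init__(self):
        # username -> SHA-256 digest of the only token currently valid for that user.
        # Keeping a digest means a leaked store does not yield usable tokens.
        self._current = {}

    @staticmethod
    def _digest(username, token):
        # The username is mixed into the digest, tying each token to one account.
        return hashlib.sha256(username.encode() + b"\x00" + token.encode()).digest()

    def _issue(self, username):
        token = secrets.token_urlsafe(32)  # opaque, unguessable string
        self._current[username] = self._digest(username, token)
        return token

    def enroll(self, username):
        return self._issue(username)

    def authenticate(self, username, token):
        """Return the next token on success, or None on failure."""
        expected = self._current.get(username)
        if expected is None:
            return None
        if not hmac.compare_digest(expected, self._digest(username, token)):
            return None
        # Roll: issuing the next token overwrites the digest, so the
        # token that was just presented can never be accepted again.
        return self._issue(username)


def demo():
    store = RollingTokenStore()
    alice_t1 = store.enroll("alice")  # constructed sample users
    store.enroll("bob")
    results = {}
    results["cross_user"] = store.authenticate("bob", alice_t1)   # wrong account
    alice_t2 = store.authenticate("alice", alice_t1)              # valid first use
    results["first_use"] = alice_t2 is not None
    results["replay"] = store.authenticate("alice", alice_t1)     # replayed token
    results["rolled"] = store.authenticate("alice", alice_t2) is not None
    return results
```

A rejected replay in a scheme like this is a useful detection signal, since it means a previously valid token has been presented a second time.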


_____

 

Where is Haventec Authenticate information stored on the user's device?

For web-based applications, the information is stored in the browser's Local Storage, where access is controlled by the same-origin policy. This ensures only the Haventec domain can access this data in Local Storage. This is an industry-standard location for the storage of data required to be accessed by web applications.

For mobile users, the data is stored either in the Keychain for iOS, or in the Keystore for Android devices. The Keychain or Keystore can be unlocked via biometrics.


_____

 

Can the Haventec private key be intercepted in transit between the user's device and the Authenticate engine?

No. Haventec does not distribute either the public or the private key to the end-user or enterprise. Further, the private key is not stored by Haventec but is cryptographically recreated on a just-in-time basis at the point of authentication. Once authentication has been successfully completed, the public and private key pair is destroyed and then rolled, ready for the next time the user authenticates.

Therefore, the key pairs are for one-time use and are never distributed outside the Haventec service. Furthermore, the private key is not stored but recreated when required.


_____

 

What deployment options are available for Haventec Authenticate?

Haventec supports standards-based deployment options including OIDC, SAML, SDKs and REST APIs. Typically, the Haventec service is set up as an Identity Provider (IdP) and is easily integrated into most customer environments, either within the existing Identity and Access Management (IAM) framework or directly into frontend/backend applications.


_____

 

If I use the same username for multiple applications, does that mean the Haventec Authenticate private key could also be used to access multiple applications?

No. Each application using Haventec will create a unique, one-time-use public and private key pair and an AuthKey for authentication. Therefore, the same AuthKey cannot be used to authenticate to multiple different applications. However, the user can have the same PIN for each application, giving a Single Sign On (SSO) experience. As each PIN is salted and hashed, the values are cryptographically different and therefore unique to each application, even though the original PIN may be the same. Note that Haventec never stores the user PIN, only the hashed and salted values, and Haventec never distributes the key pairs to the user or enterprise. Further, Haventec never stores the private key, but cryptographically recreates it in a just-in-time manner at the time of authentication. All keys are for one-time use only and are rolled after every successful authentication.


If you would like to know more about Haventec solutions, please contact us.