Affirmed Identity Authenticator and Identity Service Privacy Policy

Seamless Continuity

During the Authentication Challenge and Ceremony

There are several points during challenge delivery and completion of the ceremony where gaps may allow an attacker to intervene.

Of those, credential stuffing, brute-force attacks, phishing, and social engineering focus on compromising the authentication credential(s) used.

  • AffirmedID’s use of machine learning for identity recognition and verification eliminates the need for credentials, thereby avoiding these risks.

Other potential gaps, including man-in-the-middle attacks, weak authentication factors, and compromised authentication servers, can lead to compromise of the authentication ceremony.

  • AffirmedID blocks these risk factors by combining strong multi-factor identity verification, the phishing resistance of FIDO2 together with its device identity assertion factor, and the use of end-to-end encrypted out-of-band channels.

Implementing FIDO2 or Passkey authentication brings several additional considerations regarding vulnerabilities that could be exploited to undermine the authentication process. They include malicious relying parties, phishing attacks that target the FIDO2 Client device, browser vulnerabilities, and sophisticated attacks that trick users into malicious authentication ceremonies.

  • AffirmedID mitigates these attacks by avoiding reliance on a browser-based FIDO2 Client. In its place, the FIDO2 Client is relocated to the secure cloud and accessed by the authenticator app over out-of-band, end-to-end encrypted channels. In this way all risks and gaps related to the use of devices and browsers of uncertain security are avoided. These risks are pronounced in remote work situations, where the relying party has little or no influence over the security of the device and its applications.
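
As an added illustration of the FIDO2 phishing resistance the bullets above rely on (example code written for this page, not AffirmedID's own implementation), these are the relying-party-side checks a WebAuthn verifier applies to an assertion: the `origin` in clientDataJSON and the `rpIdHash` in authenticatorData must match the relying party, so a response produced on a look-alike domain is rejected even if the user was tricked into completing the ceremony. The RP ID, origin, challenge and assertion bytes are constructed for the example; signature verification against the credential's public key is omitted.

```python
import base64
import hashlib
import json
import struct

RP_ID = "login.example.com"                      # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"    # the only origin the RP accepts
CHALLENGE = b"constructed-32-byte-challenge!!!"  # per-ceremony nonce issued by the RP

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def parse_authenticator_data(auth_data: bytes) -> dict:
    # WebAuthn authenticatorData layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | ...
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    return {"rpIdHash": rp_id_hash, "user_present": bool(flags & 0x01),
            "user_verified": bool(flags & 0x04), "signCount": sign_count}

def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes) -> list:
    """Return the reasons to reject the assertion; an empty list means these checks passed."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("wrong ceremony type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        problems.append("challenge mismatch (replayed or cross-session response)")
    if cd.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin %r is not the relying party's origin" % cd.get("origin"))
    ad = parse_authenticator_data(auth_data)
    if ad["rpIdHash"] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash was computed for a different RP ID")
    if not ad["user_present"]:
        problems.append("user presence flag not set")
    return problems

# Constructed sample data: what the client and authenticator would produce on a given origin.
def sample_client_data(origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE), "origin": origin}).encode()
def sample_auth_data(rp_id: str, sign_count: int = 7) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", sign_count)
# A genuine ceremony on the real site passes; on a look-alike domain the browser scopes the
# assertion to that domain, so the RP rejects it on both the origin and the rpIdHash checks.
LOOKALIKE = "login.example.com.attacker.test"
GENUINE = check_assertion(sample_client_data(EXPECTED_ORIGIN), sample_auth_data(RP_ID), CHALLENGE)
PHISHED = check_assertion(sample_client_data("https://" + LOOKALIKE), sample_auth_data(LOOKALIKE), CHALLENGE)
```
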

Continuity during the authenticated session

The unmonitored session is especially vulnerable to attack. To a lesser degree, so is a monitored session in which monitoring does not begin seamlessly at the moment authentication completes, since that delay leaves a gap for session takeover.

  • Enabling continuous authentication monitoring in AffirmedID ensures session monitoring begins promptly at the point when the confirmed challenge response is sent to the relying party.
  • By combining continuous authentication and session monitoring with proper configuration of each, the relying party can significantly reduce or eliminate the risk of session hijacking.

How it Works
