Examples
We are pleased you stopped by our examples webpage. Here, you can experience each authentication service in a real-world setting. You can also receive a hands-on demonstration of Continuous Authentication Monitoring and learn about AffirmedID and its many features and benefits.
Before getting started you will first need to install the AffirmedID app on your cell phone. Should you need it, a link to installation instructions is provided below.
Web Applications with High-Assurance MFA
Securing web applications is often left to username and password, and increasingly to a passkey. Doing so may meet the application's security needs, or it may not. Regardless, if an alternative were found that provides a higher security level with an equal or better user experience at an equal or lower cost, would it make sense to change? Tap 'Login' to experience the alternative in a real-life setting. For more information, or to leave a comment or discuss integration options, visit our contact form.

Security Assertion Markup Language (SAML)
Unlike the web application, which has no implied session, SAML 2.0 is a session-based protocol often associated with Single Sign-On application suites. As such, securing SSO sessions is normally of the highest priority. Should a session breach occur as part of authentication, during the transition from authentication to session, or following the session start, the results can be, and most often are, devastating. An interesting aspect of SAML SSO is its infinite session: absent an external force to end it, the SAML SSO session ends only when the user logs out. This is an extremely high-risk aspect that only continuous monitoring of events can protect you from. Leaving SSO session security to anything less than the strongest possible authentication and session assurance is tempting fate. In this example you can see SAML SSO in operation using the highest levels of authentication assurance and continuous authentication monitoring. If this is of interest, contact us via our contact form.

OpenID Connect (OIDC)
OpenID Connect with OAuth2 (OIDC) is another session protocol rapidly growing in popularity. Like its forerunner SAML, it too includes identity and session. A significant difference, however, is OIDC token authorization, which has a time to live measured in minutes; at its highest assurance level, NIST recommends 15 minutes. When the token expires, so does the session, though renewal options are available. In this example you experience the OIDC authentication and session ceremony. In a soon-to-be-available website update you'll also see continuous authentication in operation. To get more information, leave a comment, or arrange to add OIDC to your cybersecurity framework, visit our contact form.

Continuous Authentication Monitoring (CAM)
CAM is rapidly becoming a necessity, an absolute one for those adopting the Zero Trust Architecture. While both of our session framework integrations shown here include CAM support as a standard feature, it is done in a way very different from that of the few others who provide it. It seems only natural that CAM should include the user, and it is this observation that prompts us to do so using a device they have on their person, their cell phone. How else could we ensure their presence and engagement? But doing so within the bounds of privacy and regulatory limits is a challenge. Those challenges have been met, as discussed in this video.

Features and Facilities
Key Feature and Why it Matters
Superior Assurance
Assurance must be, and is, provided for user identity (PIN and behaviors), device identity (anti-phishing FIDO2), and session integrity (location, bidirectional proximity, and behaviors of presence and possession).
Good cyber hygiene in today’s online environments requires assurance of user identity as an integral part of authentication, of the possession and use of a specific device and endpoint in proximity of a specific access device, and continuously monitored user presence and proximity throughout the authorized session.
Integrated Authenticator App
For cell phone use, with open-source Level 1 certified FIDO2 and self-contained AI-based identity recognition; cloud access is over secure out-of-band networks.
The focus is on security and user experience: consistent use on all cell phones, and installation and registration in minutes with a one-time FIDO2 registration. Provides a push experience with unique blocking protection from social media attacks, and many ease-of-use features including self-service account recovery from a lost device.
Credentialless Authentication
By using AI to recognize the cell phone user from their behaviors, it forgoes the need to store or use credentials.
DBIR consistently reports year-over-year that most breaches during the prior year leveraged compromised user credentials. Other sources suggest over 80% of phishing attacks have the immediate goal of stealing credentials.
Multi-Factor Authentication
By combining FIDO2, using a locally stored private key, with user PIN and behavior verification, MFA at NIST's highest assurance level, AAL3, is provided.
Phishing-resistant technologies (FIDO2, Passkey, and Passwordless Push) provide high confidence, AAL2, that the authenticator is bound to the authenticating account. This is in a market of accelerating interest in AAL3, driven by government and regulations, the need for zero trust, and the response to advanced threats.
Managed Authentication Records
Made possible by combining the authentication record with the FIDO Client in the cloud, connecting with authenticators over a secure out-of-band channel, and with relying parties by record federation.
Benefits of cloud managed authentication records include exceptional usability, high security, out-of-band convenience, and resilience. A key advantage is recovery from a lost cell phone (authenticator). The user can recover all linked accounts in minutes without involving the help desk. Account federation simplifies things for the relying party as well.
Continuous Authentication Monitoring (CAM)
A configurable design providing seamless transition from the authentication ceremony to autonomous CAM operation, or streaming SIEM outputs to a third-party provider system.
Every SMB should be using CAM. Failing to do so puts the organization at risk of cyber attack and increasingly becomes a barrier to securing business that requires its use, such as when a zero trust framework is a contract requirement. While its ROI may be difficult to measure in absolute terms, consider that between 46% and 61% of US-based SMBs suffered a cyber breach in 2024.
Unified Endpoint Management (UEM)
Included with the authenticator app is the independent UEM endpoint agent app. Following successful authentication, it provides ongoing location, proximity, and behavior monitoring and reporting.
The endpoint agent collects and forwards location, proximity, and behavioral content to the cloud Policy Decision Point (PDP). Following analysis, the PDP sends its findings to the Policy Enforcement Point (PEP), where enforcement of those findings is applied. When configured for third-party CAM mode, endpoint agent content is streamed to a third-party PDP.
Integrated Session Providers
Two session controllers are provided, OIDC with OAuth 2.1 and SAML SSO. Each is easily configured for direct use with SMB applications or for use behind IAMs such as Microsoft, Okta, Ping Identity, Cisco et al.
In addition to their obvious benefits, the implementations of both the OIDC and SAML identity providers include a PEP that receives signaling from the PDP located in the API cloud server. On user logout, each signals back to the cell phone app advising end of session. When CAM is configured for autonomous operation, user auto logout may occur should the PEP conclude it is necessary.
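As an added illustration of the PDP/PEP flow described above (this is not AffirmedID's code): a toy Python Policy Decision Point consumes a constructed stream of endpoint-agent reports (presence, proximity, and age of the session token), and the Policy Enforcement Point ends the session and signals the phone app on the first adverse finding. The report format, thresholds, and function names are assumptions; only the 15-minute token TTL comes from the page.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed values for this illustration (not AffirmedID's own): the
# 15-minute TTL is the NIST figure the page cites; the rest are placeholders.
TOKEN_TTL = timedelta(minutes=15)
PRESENCE_WINDOW = timedelta(seconds=90)
MAX_PROXIMITY_M = 5.0
T0 = datetime(2025, 1, 1, 12, 0, 0)  # constructed session start time

@dataclass
class Report:           # one endpoint-agent report (constructed format)
    at: datetime
    proximity_m: float  # phone-to-access-device distance
    present: bool       # behavioural presence signal from the phone

@dataclass
class Session:
    issued: datetime
    active: bool = True
    last_presence: datetime = None
    phone_signals: list = field(default_factory=list)

def make_reports(start, spec):  # spec: (offset_seconds, proximity_m, present)
    return [Report(start + timedelta(seconds=o), p, s) for o, p, s in spec]

def pdp_evaluate(session, report):
    """Policy Decision Point: analyse one report and return a finding."""
    if report.at - session.issued > TOKEN_TTL:
        return "token_expired"  # OIDC token TTL reached, so the session ends
    if report.present:
        session.last_presence = report.at
    if report.at - (session.last_presence or session.issued) > PRESENCE_WINDOW:
        return "presence_lost"
    if report.proximity_m > MAX_PROXIMITY_M:
        return "out_of_proximity"
    return "ok"

def pep_enforce(session, finding):  # Policy Enforcement Point
    if finding != "ok" and session.active:
        session.active = False
        session.phone_signals.append("end_session:" + finding)  # signal the app
    return session.active

def run_cam(session, reports):  # PDP then PEP per report; stop at logout
    findings = []
    for r in reports:
        findings.append(pdp_evaluate(session, r))
        if not pep_enforce(session, findings[-1]):
            break
    return findings
```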
User Experience
A user experience that reflects the security, consistency, elegance, and synergy of the authentication service. Its most burdensome activity is PIN entry.
The need to avoid UX frustration is a given, yet it is unattainable at the intersection of seemingly little inconveniences and discord: the multiple steps of passwordless push, lack of synergy between providers and across platforms and devices, operational inconsistencies across devices and accounts within the same framework, and onerous recovery resulting from device loss or upgrade, especially for high-security device-bound accounts.
Integration Services
At present we are working on tools to streamline the SAML 2.0 and OIDC integration process for MSP integrators. Expect to see the fruits of this effort in Q4 2025. While this project proceeds on its path, we provide integration services at no cost to assist early adopters. You can learn more about those services and the tools being developed by subscribing to the integration email list.
OIDC Integration Support
TBA
SAML 2.0 Integration Support
TBA
Web Application Integration Support
TBA
Sidecar Integration Library
The sidecar library stands alongside the standard WebAuthn FIDO2 Client library used when performing FIDO2 or Passkey authentication ceremonies. It works identically to the FIDO2 Client library with one exception.
Standard FIDO2 and Passkey implementations form a bond extending from RP to Access Device to Browser to Authenticator Device: an extremely effective phishing-resistant authentication ceremony, at the expense of UX and increased help desk support needs.
Sidecar forms a bond that extends from RP to Application to Cloud Service to Authenticator Device to User and Access Device: superior phishing-resistant authentication security without sacrificing UX or incurring increased help desk support. The exception is the Application, which may be an access browser, as is normal for Passkey, but could be any application with internet access.
The Benefits of Federated Architecture are many. Here are just a few examples.
The federation of a single ceremony creates a framework within which integration of the FIDO2 device identity assertion and evidence of user identity can occur. The result ensures compliance with the strict NIST requirements for AAL3 MFA for all user accounts of all RPs.
Through federation, recovery from the loss of a cell phone takes the user just minutes to complete without the need for help desk assistance. Without federation, restoration can take several hours or even days, often with substantial help desk impacts.
User mobility is becoming a necessity, and through federation it's assured no matter how many RPs or RP user accounts a user may have. The non-federated user is left with one account per RP user account, a nightmare for the user, help desk, and management.
Bulletin Board
A bulletin board used to document issues, problems, program bugs, workarounds, and user comments. Program bugs happen! Operational edge conditions may go undetected by SQA. Suggestions for improvements are common, as are general complaints. We respect them all and post them here alongside comments, workarounds, rebuttals, and apologies.
This is also where you’ll learn about new release updates, new features, and what improvements and new features we’re working on.
We try not to delay responses longer than necessary, but our priority is given to operational issues and difficulties.
1. Cell phones configured for hybrid calling plans such as Xfinity may experience frequent switching between Wi-Fi and cellular when used in locations with marginal Wi-Fi service. The disrupted internet access that results impacts authentication apps such as AffirmedID that rely on consistent internet access. There is no known remedy for this condition.
App Installation and Registration
The AffirmedID App
The examples provided require the AffirmedID authenticator app. It is available for use on both Android phones and iPhones. Though still a beta test release candidate, it is available in the App and Play stores for self-paced evaluation and use.
Apple iPhone users: download and launch the Apple TestFlight app on your cell phone, then select the AffirmedID authenticator app to install and launch it. Apple requires using TestFlight for beta testing to protect your information and security. Otherwise, the app operates exactly as it would if downloaded from the store.
Android users: download here, or on your cell phone go to the Google Play Store, tap Search, enter AffirmedID in the search bar, and tap Search again. Select the AffirmedID icon to download and install it.
Installation and Registration
Two words that often produce anxiety, but not this time.
The app operates identically on both platforms. The following applies equally to both.
Installation begins by showing regulatory disclosures, followed by permission requests. These are a formality, as acceptance of all is required; refusing any renders the app unusable.
Following these, the authenticator page appears. After a brief pause while the app connects to the AffirmedID Cloud service, create your 4-digit PIN. Optionally, you can add a double tap on any one of the 4 digits to improve PIN security. For example, a PIN of 1234 becomes 12234.
App registration is required. Respond ‘Yes’ to the nag prompt or select Options + Registration to display the registration page.
- In the fields provided, enter your email address and phone number, leaving all other fields blank.
- Tap Send to submit your registration.
- Within a minute or so you should find an email verification message in your inbox. Acknowledge it.
- A confirmation dialog with the account number appears on the phone.
You can always view the account status by clicking Options + About.
Your account is now registered and available for use. Note also that during this process a FIDO2 account registration was completed as well.