Security Features

Auth Armor is packed with security features to ensure the best possible security at every step of the way.

Cryptographically Secure

When using WebAuthn or the Auth Armor Authenticator, you can be sure each auth request is cryptographically secure and verified. The validation step in both of these auth methods will return data that you can also use to independently verify the FIDO standard messages.

FIDO

FIDO stands for Fast IDentity Online. The FIDO Alliance creates standards, such as WebAuthn, that allow for easy, open and secure authentication and authorization. The FIDO Alliance has members such as Google, Microsoft, Apple and more. Learn more here: https://fidoalliance.org/

Replay

Auth Armor employs replay detection mechanisms to ensure messages can't be sent twice. For example, when an auth request is sent, that request cannot be captured and replayed. This prevents unwanted spam and abuse.

Replay protection is included in the JavaScript Client SDK.

IP Address Validation

IP address validation is an optional feature that can be used with all auth methods. This feature records the IP address of the client at the start of an auth request. Then, at the time of validation, the IP address can be passed again and is compared with the value that was sent at the start of the request. This helps ensure the request being validated is the same one that was started.

JavaScript Client SDK

When using the JavaScript Client SDK, the IP address is always populated for you by the SDK. To use this optional security measure, simply provide the IP address of the client during validation. The IP address will be compared with what the JavaScript Client SDK detected at the start of the auth request.

Backend API

When using the backend API to start an auth request, you must provide the IP address value to use this optional security feature. Then, during validation, pass the IP address of the client. The IP address will be compared with what was sent at the start of the auth request.

User Agent

User agent validation works in the same way as IP address validation and is another security mechanism that can be used to prevent spam and abuse.

JavaScript Client SDK

When using the JavaScript Client SDK, the user agent is always populated for you by the SDK. To use this optional security measure, simply provide the user agent of the client during validation. The user agent will be compared with what the JavaScript Client SDK detected at the start of the auth request.

Backend API

When using the backend API to start an auth request, you must provide the user agent value to use this optional security feature. Then, during validation, pass the user agent of the client. The user agent will be compared with what was sent at the start of the auth request.

Nonce

Providing a nonce for the start and validation steps is yet another optional security mechanism. In this case, you create your own unique value and send it to Auth Armor at the start of an auth request. Then, during validation, you send the same nonce to Auth Armor, and our systems check that the value matches what was provided at the start of the auth request. This helps to prevent phishing attempts and is highly recommended.
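To make the IP address, user agent and nonce checks described in the three sections above concrete, here is an added example that models the "record at start, compare at validation" binding in plain Python. It is not Auth Armor's code or API: the `RequestStore`, `AuthRequest` and `new_nonce` names, the in-memory store and the sample values are all constructed for illustration. It also shows the optional nature of each check (a value not supplied at start is simply not compared) and marks a request as consumed after a successful validation.

```python
"""Added example (not Auth Armor's code): a model of binding an auth
request's start-time context (IP, user agent, nonce) to its validation."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def new_nonce() -> str:
    """Generate an unpredictable nonce for the start step (hypothetical helper)."""
    return secrets.token_urlsafe(32)


@dataclass
class AuthRequest:
    request_id: str
    ip: Optional[str]
    user_agent: Optional[str]
    nonce: Optional[str]
    validated: bool = False  # single-use: a validated request cannot be validated again


class RequestStore:
    """In-memory stand-in for the server-side record of started auth requests."""

    def __init__(self) -> None:
        self._requests: Dict[str, AuthRequest] = {}

    def start(self, ip: Optional[str] = None, user_agent: Optional[str] = None,
              nonce: Optional[str] = None) -> AuthRequest:
        # Whatever the caller supplies at start becomes the expected value at validation.
        req = AuthRequest(secrets.token_urlsafe(16), ip, user_agent, nonce)
        self._requests[req.request_id] = req
        return req

    def validate(self, request_id: str, ip: Optional[str] = None,
                 user_agent: Optional[str] = None,
                 nonce: Optional[str] = None) -> Tuple[bool, str]:
        req = self._requests.get(request_id)
        if req is None:
            return False, "unknown request"
        if req.validated:
            return False, "replay: request already validated"
        checks = (("ip", req.ip, ip),
                  ("user_agent", req.user_agent, user_agent),
                  ("nonce", req.nonce, nonce))
        for name, expected, got in checks:
            if expected is None:
                continue  # optional check was not enabled at start
            # Constant-time comparison on bytes so non-ASCII user agents are handled.
            if got is None or not hmac.compare_digest(expected.encode(), got.encode()):
                return False, f"{name} mismatch"
        req.validated = True
        return True, "ok"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """Constructed walk-through: matching context, wrong nonce, and a replayed validation."""
    store = RequestStore()
    ip, ua, nonce = "203.0.113.7", "Mozilla/5.0 (constructed sample)", new_nonce()
    req = store.start(ip=ip, user_agent=ua, nonce=nonce)
    first = store.validate(req.request_id, ip=ip, user_agent=ua, nonce=nonce)
    replayed = store.validate(req.request_id, ip=ip, user_agent=ua, nonce=nonce)
    other = store.start(nonce=nonce)  # IP/UA checks not enabled for this request
    wrong = store.validate(other.request_id, ip="198.51.100.9", nonce="not-the-nonce")
    return first, wrong, replayed


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The nonce must be generated server-side and kept unguessable; the model above compares it in constant time and treats a request as consumed after the first successful validation, which is the same property the page's replay section describes for the JavaScript Client SDK.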

JavaScript Client SDK

To use the nonce security feature with the JavaScript Client SDK, you need to provide your own value and set that value via a method in the setup of the SDK. Here is a sample:

reCAPTCHA

reCAPTCHA is an optional service you can enable that adds reCAPTCHA protection to the JavaScript Client SDK forms. You must configure and set up reCAPTCHA for this to work. See more here: