What is a "white label service" ?
It's a fully customizable offer in the inWebo strong authentication cloud service.
It differs from our "standard service", which is built around Virtual Authenticator and inWebo Authenticator mobile app.
For White label service, the authentication tools are different:
as a browser token, which can be deeply customized (look, colors, logo, templates,...).
mAccess-based mobile application
as a mobile token. It means you'll have to develop you own application, or integrate the inWebo library into an existing one to use mobile authentication.
As a consequence, please note that you won't be able to use Virtual Authenticator or the inWebo Authenticator mobile app in a white label service.
White label service creation is only available to "inWebo Enterprise" or "inWebo Safe Transactions" clients
Where to start?
In the inWebo Administration console, select "Add a white label service" in the service "drop-down menu" displaying your service ID at the top of the page.
Setting up your service preferences
After defining your service name you have to select your preferences to build your service:
Global inWebo Helium and mAccess settings
Without password: user's password is not required to generate an OTP
With password: user's password is required to generate an OTP
You can select here the format of the password. According to your needs this can be either an alphanumeric password or a PIN code with 4 to 8 digits.
Number of retries before locking password
You can define here the maximum number of tries a user may attempt with his password or PIN code, before locking his access.
inWebo Helium (browser)
Users will be able to connect to the "Secure Sites" and applications with inWebo Helium.
Authentication with notifications allowed:
If you activate this option, your users will be able to authenticate with inWebo Helium via mobile notifications
Authentication with notifications only:
If you activate this option, your users will be able to authenticate with inWebo Helium but ONLY via mobile notifications
Maximum number of devices
You can define here the maximum number 'inWebo Helium' instances a service user will be able to activate.
Email password recovery:
If you activate this option, your users will be able to directly receive recovery codes on their email address to reset their inWebo password.
Activate a new device per email:
If you activate this option, your users will be able to activate new devices directly from your website or application, by generating new 'Secure Site IDs' they will receive on their email address and without using My inWebo or inWebo Authenticator on their mobile phone.
User login policy:
Real user logins are in use: if real user logins are used in the inWebo Provisioning Web Services and Management Console, inWebo application can automatically insert the login of a user during the authentication procedure
User logins are aliases: if logins used in inWebo Provisioning and Management tools are aliases, the user will have to manually insert his/her login during the authentication procedure
Maximum number of devices of all types:
You can define here the maximum number of 'authentication' devices, (phone or browser) a service user will be able to register for his account.
Activate IP filtering (option):
Activate the filtering of IP addresses that will have access to inWebo Web Services.
Authorized IP addresses (option):
You can define a list of authorized addresses here, using a semicolon-separated list of IP addresses.
(IP addresses of the authentication web server)
Once you have created your service, you'll have a new service ID, displayed in the "drop-down menu" at the top of the page.
Managing Service parameters
After the creation of your service you can still change your initial service settings or add more specifications in the "Manage service parameters" tab.
You will have the following settings you can adjust :
mAccess activation allows you to add the SDK to your client applications (inWebo library for mobile authentication)
Maximum number of mAccess based devices
You can define here the maximum number of mAccess based applications, a service user will be able to activate.
Authentication with biometrics allowed:
Allows users to use their fingerprint to authenticate with the application instead of their password (It should be implemented by the appropriate mAccess functions in your code/Application)
Authentication with biometrics only:
If you activate this option, your users will be restricted to authenticate with their fingerprint only (This is only possible if the service has been set without password)
This option allows you to use inWebo mAccess to seal transactions with your application.
If activated, authentication requests with connected OTP are accepted. If not activated, they are refused.
Connected OTP format
You can choose the format based on what your authentication interface supports.
Choose OTP length according to the security level required, meaning the probability of finding the correct OTP by luck or brute force: the longer the OTP, the safer it is.
Connected OTP validity duration (sec.)
You can define here the duration of validity for online generated (connected) OTPs. In case of complex network infrastructures operating numerous network equipments it might be useful to set this duration to a higher value. This guarantees that the OTP is still valid when submitted to inWebo servers for the final verification.
If activated, authentication requests with offine OTP are accepted. If not activated, they are refused.
Offline OTP format
Choose OTP length and complexity according to the security level required, meaning the probability of finding the correct OTP by luck or brute force: the longer the OTP, the safer it is.
This is the time in seconds during which your service doesn't request users to type their mAccess password again (for connected OTP only). To generate an offline OTP, users must type their password each time.
No PIN push allowed
Yes: the user's mAccess PIN or password is not required to authorize a connection request received via push notifications.
No: the user's mAccess PIN or password is required to authorize a connection request received via push notifications.
After creating your "White label service" you can consult Helium integration documentation to help you with your integration.