
Multi-Factor Authentication methods

TrustBuilder supports several Multi-Factor Authentication (MFA) methods to verify the authentication factors.

Authenticator app (mobile and desktop)

The following authentication methods are supported by the TrustBuilder Authenticator application (mobile or desktop).

Push notification

Users receive a push notification through the TrustBuilder Authenticator app. Push notifications can be sent automatically or triggered manually, depending on configuration. Users should then approve or reject the authentication request. Each approval operation is protected by PIN code or biometric (except for services without PIN). See TrustBuilder Authenticator User guide.

To set up push notifications, depending on your needs, you can:

  • set the Default URL to Authenticator app in the connectors settings, if available

  • set the Push notifications parameter to Yes in the connectors settings, if available

See Integrations

QR code scanning

The authentication page displays a QR code that users should scan with TrustBuilder Authenticator app. Users should then approve or reject the pending operation. Each approval operation is protected by PIN code or biometric (except for services without PIN).

If users are unable to scan the QR code for any reason, they can click on a link below the QR code. This is a deep link to the Authenticator application. They will be redirected to approve or reject the authentication request.

Using IE11 may affect the QR code scan user experience. We strongly recommend upgrading to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox.

QR code authentication is only available for OpenID Connect and Microsoft Azure AD connectors. This feature can be used with Authenticator versions 6.31 and higher.

To configure QR code authentication method:

  • in the Service Parameters, enable the QR code authentication
    See Administration Console (Defining Service parameters > Configuring Authenticator app)

  • in the connector (OpenID Connect or Azure AD) parameters, set the Default Authentication URL to the URL of the page displaying the QR code.
    See OIDC integration or Azure AD integration

  • users should use TrustBuilder Authenticator from version 6.31 to see the “Scan a QR code” menu.
    See TrustBuilder Authenticator app User guide

QR code scanning is recommended because the device binding method ensures that the user initiating the request is the one validating it. It is a great solution to avoid notification spamming attacks and to protect users against Push Bombing attacks: the QR code authentication method does not use push notifications, so it does not enable a push bombing scenario.

More information about protecting users from Push Bombing attacks
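
An added detection example for the push bombing pattern described above (not TrustBuilder code): it flags users who receive a burst of unapproved push requests within a short window, and separately marks bursts that end in an approval. The event tuples, outcome names, threshold and window are assumptions constructed for illustration, not a TrustBuilder log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, push outcome).
# The layout and outcome names are hypothetical, not a TrustBuilder log format.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "approved"),
    ("2024-05-01T09:10:05", "bob", "rejected"),
    ("2024-05-01T09:10:40", "bob", "timeout"),
    ("2024-05-01T09:11:10", "bob", "rejected"),
    ("2024-05-01T09:11:45", "bob", "timeout"),
    ("2024-05-01T09:12:20", "bob", "approved"),   # approval right after a burst
    ("2024-05-01T13:00:00", "carol", "rejected"),
    ("2024-05-01T17:30:00", "carol", "approved"), # isolated events, no burst
    ("2024-05-01T22:00:00", "dave", "timeout"),
    ("2024-05-01T22:00:10", "dave", "timeout"),
    ("2024-05-01T22:00:20", "dave", "timeout"),
    ("2024-05-01T22:00:30", "dave", "timeout"),
]


def find_push_bombing(events, threshold=4, window=timedelta(minutes=5)):
    """Map each suspicious user to "burst" (>= threshold unapproved pushes
    inside the window) or "burst_then_approval" (such a burst followed by an
    approval, the case that needs immediate session review)."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes
    findings = {}
    for ts_text, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        pending = recent[user]
        # Drop unapproved pushes that have aged out of the sliding window.
        while pending and ts - pending[0] > window:
            pending.popleft()
        if outcome == "approved":
            if len(pending) >= threshold:
                findings[user] = "burst_then_approval"
            pending.clear()
        else:
            pending.append(ts)
            if len(pending) >= threshold:
                findings.setdefault(user, "burst")
    return findings


if __name__ == "__main__":
    for user, verdict in find_push_bombing(SAMPLE_EVENTS).items():
        print(user, verdict)
```
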

Generate an OTP

Users generate a One-Time Password (OTP) in the TrustBuilder Authenticator app. The generated OTP should be entered manually in the TrustBuilder MFA authentication page. Users have 30 seconds to input the OTP before the app generates another. Each OTP generating operation is protected by PIN code or biometric (except for services without PIN).

You can configure OTP in Service Parameters.
See Administration Console

Web Browser token authentication

TrustBuilder MFA allows web browser based authentication with its browser tokens, Virtual Authenticator and Helium. Both consist of a JavaScript iframe that is called directly from within your HTML logon page. To authenticate, users should enter their PIN in Virtual Authenticator or their password in Helium.

To integrate TrustBuilder MFA browser tokens into your site, you'll need some basic HTML knowledge and a little JavaScript.

See Browser-based authentication
