Multi-Factor Authentication methods
TrustBuilder supports several Multi-Factor Authentication (MFA) methods to verify the authentication factors.
Authenticator app (mobile and desktop)
The following authentication methods are supported by TrustBuilder Authenticator application (mobile or desktop).
Push notification
Users receive a push notification trough TrustBuilder Authenticator app. Push notifications can be sent automatically or triggered manually, depending on configuration. Users should then approve or reject the authentication request. Each approval operation is protected by PIN code or biometric (except for services without PIN). See TrustBuilder Authenticator User guide
.gif?inst-v=ea44a320-f875-424c-be4c-1d37c5b30b70)
To set up push notifications, depending on your needs, you can:
set the Default URL to Authenticator app in the connectors settings, if available
set the Push notifications parameter to Yes in the connectors settings, if available
See Integrations
QR code scanning
The authentication page displays a QR code that users should scan with TrustBuilder Authenticator app. Users should then approve or reject the pending operation. Each approval operation is protected by PIN code or biometric (except for services without PIN).
If users are unable to scan the QR code for any reason, they can click on a link below the QR code. This is a deep link to the Authenticator application. They will be redirected to approve or reject the authentication request.
Using IE11 may affect the QR code scan user experience. We strongly recommend upgrading to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox.
QR code authentication is only available for OpenID Connect and Microsoft Azure AD connectors. This feature can be used with Authenticator versions 6.31 and higher.
To configure QR code authentication method:
in the Service Parameters, enable the QR code authentication
See Administration Console (Defining Service parameters > Configuring Authenticator app)in the connector (OpenID Connect or Azure AD) parameter, set the Default Authentication URL to https://ult-inwebo.com/authentication-oidc/authenticator-with-qrcode. This is the page displaying the QR code.
See OIDC integration or Entra ID (formerly Azure AD) integrationusers should use TrustBuilder Authenticator from version 6.31 to see the “Scan a QR code” menu.
See TrustBuilder Authenticator app User guide
QR code scanning is recommended to ensure that user initiating the request is the one validating it thanks to device binding method. It is a great solution to avoid notification spamming attacks and to protect users against Push Bombing attacks. The QR code authentication method does not use push notifications, therefore it does not enable a push bombing scenario.
More information about protecting users from Push Bombing attacks
Generate an OTP
Users generate a One-Time-Password (OTP) in TrustBuilder Authenticator app. The generated OTP should be manually entered in the TrustBuilder MFA authentication page. Users have 30 seconds to input the OTP before it generates another. Each OTP generating operation is protected by PIN code or biometric (except for services without PIN).
You can configure OTP in Service Parameters.
See Administration Console
Web Browser token authentication
TrustBuilder MFA allows a web browser based authentication with its browser tokens Virtual Authenticator and Helium. Both consist of a JavaScript iframe that is called directly from within your html logon page. To authenticate users should enter their PIN in Virtual Authenticator or Password in Helium.
To integrate TrustBuilder MFA browser tokens into your site, you'll need some basic HTML knowledge and a little JavaScript.