Authentication Server
The Authentication Server (AS) is a platform service within Veritran Platform that functions as a security engine: it controls authentication and authorization elements for users, and manages passwords and two-factor authentication tokens for any app, whether a Veritran app or a client's app, from any channel. With these security mechanisms, the Authentication Server verifies and confirms the claimed identity of a user operating in a Veritran or client channel before granting access.
The Authentication Server:
Provides authentication services based on user credentials, such as username and password, and lets you manage credential rules that set password formats, attempt limits, and password history for users.
Allows users to sign transactions with two-factor authentication by implementing and validating OTCs and OTPs, to add an extra security layer to apps.
Manages authenticated sessions to control each request made by the user.
Authentication Server's Interfaces
The Authentication Server consists of different interfaces:
A user console, which allows you to manage different security features for user authentication, such as validating users and passwords or managing sessions and tokens for two-factor authentication. These elements are managed through rules and domains that allow you to adjust security capabilities to the client's needs.
An API on the back-end side, which can be invoked by Veritran's Middleware or by bank clients to integrate the Authentication Server's functionalities into their apps and to perform a wide range of actions, such as validating an OTP, creating or destroying a token, and more. To read a comprehensive list of actions that can be executed through APIs, read the AS's Primitives document provided by Veritran.
Authentication Server's Security Elements
Below you can find the security elements and information that the Authentication Server might analyze while verifying a user's identity:
User: The Authentication Server typically receives a username as part of an authentication request. This information is used to locate the corresponding user account, and is linked to a password.
Password: One of the most common authentication factors. The Authentication Server compares the provided password with the stored password associated with the user and authenticates the user only if they match.
OTC (One-Time Code): One-time use code that is independent from the device. It is a random value with a predefined expiration time that is generated and validated by the Authentication Server. An OTC might be requested, for example, to validate a user's phone number when activating or reactivating the mobile channel.
OTP (One-Time Password): One-time password generated by an app's soft token that is validated by the Authentication Server to accept a user's operation. An OTP might be requested, for example, to sign a money transfer.
Session: Group of interactions between a user and an application during a given timeframe. When a user logs in to an app, a session ID is created and stored securely. This session ID is sent along with each request to authorize access to the app's services.
Token: Software-based security mechanism installed on apps that generates and validates OTPs.
Authentication Server Key Concepts
To understand how the Authentication Server works and how to operate in its console, it is important to know some key concepts, such as rules, versions and domains.
Rules are a group of fixed, preconfigured conditions that define the interaction between users and a given platform. Parameters related to users, tokens, sessions, OTCs and OTPs, such as an OTP's lifespan, are defined by these rules. For example, rules can determine a threshold of failed password or OTP attempts, the number of visible digits for credit cards, or the characters allowed in a password.
The Authentication Server has a default set of rules that can be modified to meet the client's needs, defined by app, channel or product. To keep track of changes made to these rules, the Authentication Server provides version control, which can be accessed through the AS console. Versions allow you to apply new rule values and, in case there is an issue, roll back to a previous version. To modify a rule within the Authentication Server, you first need to create a new version.
Additionally, the Authentication Server allows you to further segment rules by domains. Domains are useful if a client has more than one app, for example, a business app and a wallet app, and needs to change the security rules of only one of the two domains.
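The OTC lifecycle described above (a random code with a predefined expiration, single use, and a failed-attempt threshold set by rules), as an added Python sketch that is not Veritran's code; the Rules fields, the OtcService class and its result strings are assumptions for illustration only.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Rules:
    # Assumed rule names and values; the real AS rules are defined per version/domain.
    otc_lifespan_s: int = 120   # code lifespan in seconds
    otc_max_attempts: int = 3   # failed validations before the code is burned
    otc_digits: int = 6         # code length


@dataclass
class IssuedOtc:
    code: str
    expires_at: float
    failed_attempts: int = 0
    consumed: bool = False


class OtcService:
    """Hypothetical server-side OTC issuer/validator driven by a Rules set."""

    def __init__(self, rules: Rules, clock=time.time):
        self.rules = rules
        self.clock = clock                     # injectable for testing
        self._store: dict[str, IssuedOtc] = {}  # keyed by "user:purpose"

    def issue(self, user: str, purpose: str) -> str:
        # CSPRNG, zero-padded; any earlier code for this user/purpose is replaced.
        n = self.rules.otc_digits
        code = f"{secrets.randbelow(10 ** n):0{n}d}"
        self._store[f"{user}:{purpose}"] = IssuedOtc(code, self.clock() + self.rules.otc_lifespan_s)
        return code

    def validate(self, user: str, purpose: str, candidate: str) -> str:
        """Return "ok" or a failure reason; burned or used codes never validate again."""
        key = f"{user}:{purpose}"
        otc = self._store.get(key)
        if otc is None or otc.consumed:
            return "no_active_code"
        if self.clock() > otc.expires_at:
            del self._store[key]
            return "expired"
        if not hmac.compare_digest(otc.code, candidate):   # constant-time compare
            otc.failed_attempts += 1
            if otc.failed_attempts >= self.rules.otc_max_attempts:
                del self._store[key]                       # threshold reached: burn it
                return "attempts_exceeded"
            return "mismatch"
        otc.consumed = True                                # one-time use
        return "ok"
```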
Read the sections below to learn about the Authentication Server's console and how to edit and manage rules, versions and domains.
Important
Changes to rules can also be made through the Authentication Server's APIs. To read a comprehensive list of actions that can be executed through APIs, read the AS's Primitives document provided by Veritran.