Modern User Authentication for SaaS Applications

When a user is asked to sign-in to an app or website, the user approves the sign-in with the same biometric or PIN that the user has to unlock the device (phone, computer or security key). The app or website can use this mechanism instead of the traditional (and insecure) username and password.

As with most authentication mechanisms, passkey login begins with a registration phase. SecureAuth passkey implementation conforms to the WebAuthn specification.

The Web Authentication API (WebAuthn) is an open standard for passwordless web-based authentication introduced by the World Wide Web Consortium (W3C), Fast Identity Online (FIDO) and other industry leaders. The specification can be viewed here.

The WebAuthn protocol uses asymmetric (public-key) cryptography in conjunction with ownership and biometric-based authentication mechanisms (passkeys) to provide a more robust login framework than knowledge-based schemes like passwords.

In accordance with FIDO standards, passkeys serve as a superior alternative to traditional passwords, offering quicker, simpler, and safer logins to websites and applications across a user's various devices. Unlike conventional passwords, passkeys maintain a high level of security at all times and are resilient against phishing attacks.

SecureAuth platform sends a unique, time-limited verification code to the user's pre-registered email address or mobile phone via SMS. Such verification code can be also generated and provided to the custom sign-in application to enable it to provide codes to users over channels.

With verification codes, users do not use a password - they use the code along their email or phone number to authenticate themselves. It makes verification codes more secure than using passwords, since codes are time-limited and sent to the user for one time use.

After the user provides their email, SecureAuth generates a unique, time-limited link and sends it to the user's email address or mobile number. When the user selects the provided link, they are automatically redirected to the application and signed in.

At present, the SecureAuth platform does not support the use of Magic Links via a user interface. The feature can only be utilized through API integration and custom sign-in pages.

User provides a unique identifier (such as a username, email, or phone number) and a password. SecureAuth verifies this information against stored user data. If the provided credentials match the stored ones, the user is granted access. This method is a common and fundamental way of securing user accounts.

Users use their existing login information from a social networking service, such as Facebook, Google, or GitHub, to sign into a third-party application. It simplifies the process by allowing users to authenticate themselves without the need to create and remember a new username and password for each site.

You can connect Google or GitHub to allow users to sign in using their social networking service.

Business scenarios very often require identity federation where identities are created and managed within across multiple domains or enterprises. SecureAuth allows you to: