
WiKID secures transmission of the one-time passcode with a combination of public-key cryptography and a single-use AES key.

After the client device is registered with a particular domain, it is ready to request passcodes. This is the most important process in the system, and it is repeated each time a user needs access to a network resource protected by the WiKID System. The process is as follows:

  1. The user selects the domain for which he or she needs a passcode.
  2. The user provides the PIN for the domain, created in the registration process.
  3. The WiKID client application takes the following payload: [deviceID|PIN|serverID|random AES key] (separators are provided for readability purposes only) and encrypts this payload with the server public key provided in the registration process.
  4. The payload (password request) is sent encrypted to the server.
  5. The server receives the request and decrypts the request with its private server key.
  6. The server looks up the appropriate requesting client device (via the deviceID for the security domain) and verifies the PIN.
  7. If the PIN is correct for the security domain and client device, the server creates a passcode for the client device (the passcode length is administratively configurable) and encrypts this passcode payload with the client public key. The payload is then transport-encrypted with the random AES key provided by the client.
  8. The passcode is time-stamped and allowed to live for a period set by the security domain (from seconds to days, depending on the sensitivity of the asset).
  9. The WiKID Strong Authentication Server (WAS) then returns the payload in response to the client request.

Passcode Reception. When the WiKID Strong Authentication Server (WAS) payload is returned, the client device follows this process:

  1. The response must be decrypted with the random AES key sent in the request.
  2. The payload must be decrypted with the client private key.
  3. If the payload is verified, the passcode is displayed on the device and the user can use the passcode for access to the network service.
  4. If the payload is not verified, an error is raised and the process should be repeated.
  5. Lastly, the WAS only allows passcodes to be valid for a specific time period, and each passcode may be used only once.

Passcode Provision. Once the passcode is received and decrypted, the user must use it. The user connects to a Network Client of the WAS security domain (see Network Clients below) and provides the passcode along with any other identifying information the Network Client requires. It is up to the Network Client to pass the credentials to the WAS for verification. Some examples of this action follow (there are many other uses of the WiKID Strong Authentication System; these examples are for illustration only):

  1. The user may enter the URL of a protected website, and provide a user ID and the passcode as the password.
  2. The user may provide a user ID and passcode as credentials for dial-in access to a particular network.
  3. The user may provide a user ID and passcode as credentials in a client/server application.

Copyright © WiKID Systems, Inc. 2020 | Two-factor Authentication