ReadySignOn is a comprehensive online identity and authentication ecosystem, composed of powerful solutions that help businesses deliver delightful user experiences while maintaining superb security and privacy protection.

ReadySignOn and QuickSignOn mobile authenticators are iOS and Android apps that allow average consumers to maintain full control of their account access through intuitive gestures.

ReadyTicket is a randomly generated number to be used by a user to initiate remote authentication requests. Although always unique to each user device, ReadyTicket itself is not the key secret or credential used in validating the request. An exposed ticket may at best let a malicious party initiate unsolicited authentication requests, which are to be ignored or denied by the end user anyway. The solution may temporarily block clients that repeatedly send unanswered or rejected requests, to fend off denial-of-service or random spamming attacks. Users can also refresh their ticket or increase the ticket length to block unsolicited authentication requests.

ReadyID is the scheme of using cryptographic user identifiers to sign up (register) or sign in (login) a user account. When referenced in literature with an uppercase first letter, ReadyID represents the static global user identifier that is used to generate dynamic user identifiers (denoted as readyID) for a particular service such as a website or application. ReadyID may be used to cryptographically validate authentication responses or to generate ownership assertions. Moreover, it is not feasible for anyone other than the actual owner of those identifiers to correlate different identifiers of the same user.

ReadyConnect is the standard OpenID Connect protocol with added support that allows websites to use ReadyTicket and the ReadySignOn/QuickSignOn mobile authenticators.

ReadyMembers (https://members.readysignon.com) is an OpenID Provider (OP) that allows easy (no code/low code) integration of websites with the ReadySignOn ecosystem using the ReadyConnect/OpenID Connect API. In addition to its added support of passwordless mobile authentication, relying websites and applications will automatically gain the ability to authenticate users using popular social login providers such as Google, Facebook etc.

ReadyOpen is a same-device, low-friction authentication solution using secure deep links. It allows seamlessly integrated in-place login to native apps.

ReadyPay is a very low-friction online payment and checkout solution that leverages mobile payments such as Apple Pay or Google Pay for fast and secure online checkout with device gestures instead of typing.

ReadyAction is a browser-based password autofill solution for reducing login friction on iOS devices (when the mobile browser and the authenticator are installed on the same device).

ReadyFill is an iOS AutoFill Credential Provider extension that offers same-device credential autofill for both websites and iOS apps.

Basic use-case of ReadyTicket

Among the many components within the ReadySignOn ecosystem, the mobile authenticator (ReadySignOn or QuickSignOn app) is at the center of facilitating user interactions with the system. While the ReadySignOn app is only available in the App Store and only works on iOS devices, the QuickSignOn app is freely available in both the App Store and the Play Store and works on iOS and Android devices. Neither app requires registration, email or phone number before first use. Once the app is downloaded, all the user needs to do is enable ReadyTicket and allow push notifications in settings.

Both apps allow users to specify ReadyTicket length, which by default is set to 7 digits, to allow easy user input and a stable change frequency.

When using ReadyTicket to sign into a ReadyConnect enabled website, the login page will not prompt the user for username+password but will instead present a simple page where only a ReadyTicket needs to be entered. Once the user enters the unique ReadyTicket displayed on the mobile authenticator into the web page, the authenticator will prompt the user to either authorize or deny the remote login request. Additional information such as the IP address or location of the login terminal, along with a randomly generated anti-spoofing word, image or color, may also be displayed to make obvious the authenticity of the request.

If the user has more than one account for a specific website the mobile authenticator will present a list from which the user can choose the account to be used.

Users shall deny or ignore unsolicited requests. Clients that submit unauthorized requests repeatedly may be throttled or blocked temporarily in order to maintain the overall soundness of the ecosystem.
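The throttling described above can be sketched as follows. This is an added example, not ReadySignOn's code: the class name, the client identifier (for instance the login terminal's IP address), the window, the failure limit and the block length are all assumptions chosen for illustration.

```javascript
// Added illustration; thresholds and names are assumptions, not ReadySignOn's values.
const WINDOW_MS = 10 * 60 * 1000; // look-back window for denied/ignored requests
const MAX_FAILED = 3;             // denied/ignored requests tolerated per window
const BLOCK_MS = 15 * 60 * 1000;  // length of the temporary block

class TicketRequestThrottle {
  constructor() {
    this.failures = new Map();     // clientId -> timestamps of denied/ignored requests
    this.blockedUntil = new Map(); // clientId -> time at which the block expires
  }
  // Checked before a prompt is pushed to the authenticator.
  mayInitiate(clientId, now) {
    const until = this.blockedUntil.get(clientId) || 0;
    if (now < until) return false;
    this.blockedUntil.delete(clientId); // block (if any) has expired
    return true;
  }
  // Called when a request ends: 'approved', 'denied' or 'ignored' (timed out).
  recordOutcome(clientId, outcome, now) {
    if (outcome === 'approved') return; // only unanswered or rejected requests count
    const recent = (this.failures.get(clientId) || []).filter((t) => now - t < WINDOW_MS);
    recent.push(now);
    this.failures.set(clientId, recent);
    if (recent.length >= MAX_FAILED) {
      this.blockedUntil.set(clientId, now + BLOCK_MS);
      this.failures.delete(clientId);
    }
  }
}

// Constructed sample: [clientId, outcome, minutes since start].
const SAMPLE_EVENTS = [
  ['198.51.100.7', 'denied', 0], ['198.51.100.7', 'ignored', 1],
  ['198.51.100.7', 'denied', 2], ['198.51.100.7', 'denied', 3],
  ['203.0.113.9', 'approved', 3], ['198.51.100.7', 'denied', 18],
];

// Replays the events and returns, per event, whether the request was let through.
function replay(events) {
  const throttle = new TicketRequestThrottle();
  return events.map(([clientId, outcome, minute]) => {
    const now = minute * 60 * 1000;
    const allowed = throttle.mayInitiate(clientId, now);
    if (allowed) throttle.recordOutcome(clientId, outcome, now);
    return allowed;
  });
}
```

In the sample, the third failed request from 198.51.100.7 triggers a block that covers minute 3 and lifts before minute 18, while the other client is unaffected.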

ReadyPay payment authorization requests are handled in a similar fashion, with a payment sheet to be presented in place of a sign-in consent prompt.

ReadyID and custom user records

During the first launch of the authenticator a unique ReadyID will be generated along with some sample records. Thereafter the user may add as many records as deemed necessary. The auto-generated ReadyID can be used to dynamically generate cryptographic user identifiers for account registration and logins at different websites (relying parties).

Although a single ReadyID can be used to generate user identifiers for an unlimited number of websites, custom account records in the authenticator can be used in ReadyTicket based logins for websites that have not yet configured ReadyID as their user identifier. See here for the many secure vault functions offered by the authenticators for managing user custom records.

Using ReadyConnect to enable ReadySignOn for websites

New and existing websites can easily integrate with ReadySignOn using ReadyConnect, which is OpenID Connect with an extension that supports ReadyTicket authentication.

Because ReadyConnect is fully compatible with standard OpenID Connect, a relying party can use any existing OpenID code or configuration to quickly enable ReadySignOn for its websites or applications. Given the prevalence of OpenID, most CMS and eCommerce platforms already have built-in support or a downloadable plug-in available for turn-key integration. As such, custom coding is often unnecessary when integrating with ReadySignOn using ReadyConnect.

On websites integrated with ReadySignOn, user logins are automatically redirected to a page where only ReadyTicket is required as opposed to the typical username and password. The site to which the user is redirected is usually ReadyMembers, which is a ReadyConnect/OpenID Connect Provider that also knows how to handle ReadyTicket requests.

ReadyMembers is the ultimate versatile identity provider a relying party will ever need

ReadyMembers functions as a full-fledged OpenID Connect Provider (OP). To this end it has been certified by the OpenID Foundation for supporting all the major OpenID workflows. With ReadyMembers, users may use local accounts or other identity providers to sign in or sign up. ReadyMembers allows relying parties to toggle external login providers such as Google, Facebook etc. on or off with a simple click of a button instead of writing code or making configuration changes.

ReadyMembers supports authenticating users using ReadyID or custom records stored in the mobile authenticator’s secure vault. While ReadyID provides the strongest security and privacy protection, user custom records allow legacy websites to leverage ReadySignOn before their ReadyID adoption is fully ready. It is worth noting that in all cases the authorization assertion (whether a cryptographic proof or a shared secret) is always sent directly to the server from the authenticator rather than from the login terminal. This drastic arrangement of sending the authorization response back to the server through a separate back channel further cripples credential thefts that prey on user errors or vulnerable personal computer systems.

ReadyPay

For the best and fastest payment experience, ReadySignOn doesn’t ask users to register or sign in when using ReadyPay to check out. Instead of entering payment and shipping information, the user only needs to verify the order, amount, shipping and payment information already stored in the Apple Pay or Google Pay wallet before authorizing the transaction using simple device gestures.

Given the strong encryption and tokenization of payment information implemented by Apple Pay and Google Pay, both merchants and users are drastically better protected in ReadyPay transactions.

Integrate Relying Parties with ReadySignOn

ReadySignOn provides a rich set of interfaces for integrating with different types of websites and applications in different ways.

Website integration using ReadyConnect / OpenID Connect

Any website platform that supports OpenID Connect is automatically compatible with ReadyConnect, and thus will be able to leverage ReadySignOn and its mobile authenticators to conduct low-friction secure authentication of its users. To start, the website operator needs to enable and configure OAuth or OpenID, which is already supported on most web platforms either as a built-in module or as a downloadable add-on or plug-in. In certain rare cases custom code may be required to implement such integration; however, OpenID code libraries are widely available in many different languages.

Before configuring ReadyConnect a website operator needs to register an account at https://members.readysignon.com then add the website as an OAuth/OpenID client and obtain the key configuration information such as the client ID and client secret key etc. This is also required for websites that only leverage ReadyPay. Please note the website operator needs to prove having actual control over the website’s domain or URL by means of creating a custom DNS record or a special text file on its site.

Once the website is correctly configured as a ReadyMembers client, users may begin using ReadyTicket (the unique random number displayed on the mobile authenticator) to sign in or register an account instead of using the typical username and password combination.

ReadyTicket sign-in uses the same authorization flows as those defined in the OAuth/OpenID specifications, with the difference being that all user consent takes place on the user’s mobile device rather than on the OpenID Provider (OP). The user’s digital identity and profile information is also stored in the mobile authenticator rather than on the OP server, which fundamentally nullifies the premise of mass user data breaches.

As soon as the user clicks on the Ready button on the login terminal, the mobile authenticator will prompt the user for approval or rejection of the request. The authorization prompt will also display the geographic location of the login terminal or its IP address along with a random anti-spoofing word, image or color that must match the one also displayed on the login terminal. This is to mitigate phishing and MitM attacks by allowing the user to visually ensure that the authentication request indeed originated from the user’s sign-in terminal.

Once the user approves the authorization request on the mobile authenticator, an authentication response will be submitted from the mobile authenticator directly to the OP server, bypassing the user’s login terminal so that no sensitive information needs to traverse the user’s PC, which is often vulnerable to viruses or malware. The OP server validates the authentication response, including verifying the digital signature using the public key corresponding to the specific relying party’s user, before sending any access or ID token to the relying client (website).
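The server-side check described above can be illustrated with a small model of the back channel. This is an added example, not ReadySignOn's code or wire format: the field names, the signed message layout, the use of Ed25519, the 60-second lifetime and the name shop.example are assumptions.

```javascript
// Added illustration; field names, message layout and Ed25519 are assumptions.
const crypto = require('node:crypto');
// Bytes covered by the signature: ties the answer to one request, site and user.
const signedBytes = (r) =>
  Buffer.from(JSON.stringify([r.requestId, r.relyingParty, r.userId, r.decision]));

class OpServer {
  constructor() {
    this.pending = new Map();    // requestId -> { relyingParty, expiresAt }
    this.publicKeys = new Map(); // "relyingParty|userId" -> key registered at sign-up
  }
  startRequest(relyingParty, now, ttlMs = 60000) {
    const requestId = crypto.randomBytes(16).toString('hex');
    this.pending.set(requestId, { relyingParty, expiresAt: now + ttlMs });
    return requestId;
  }
  // Back-channel endpoint for the authenticator; true means tokens may be issued.
  acceptResponse(resp, now) {
    const req = this.pending.get(resp.requestId);
    if (!req || now > req.expiresAt) return false; // unknown, answered or stale
    if (resp.relyingParty !== req.relyingParty) return false;
    const key = this.publicKeys.get(`${req.relyingParty}|${resp.userId}`);
    const sig = Buffer.from(String(resp.signature), 'base64');
    if (!key || !crypto.verify(null, signedBytes(resp), key, sig)) return false;
    this.pending.delete(resp.requestId); // single use: a captured answer cannot be replayed
    return resp.decision === 'approve';
  }
}

// Authenticator side: sign the decision with the key pair held for this relying party.
function authenticatorRespond(privateKey, requestId, relyingParty, userId, decision) {
  const resp = { requestId, relyingParty, userId, decision };
  resp.signature = crypto.sign(null, signedBytes(resp), privateKey).toString('base64');
  return resp;
}

// Constructed run: one request answered with four different responses.
function demo() {
  const op = new OpServer();
  const site = crypto.generateKeyPairSync('ed25519');  // user's key pair for shop.example
  const other = crypto.generateKeyPairSync('ed25519'); // same user's key pair for another site
  op.publicKeys.set('shop.example|u1', site.publicKey);
  const id = op.startRequest('shop.example', 0);
  const sign = (key, decision) => authenticatorRespond(key, id, 'shop.example', 'u1', decision);
  const good = sign(site.privateKey, 'approve');
  return {
    wrongKey: op.acceptResponse(sign(other.privateKey, 'approve'), 1000),
    tampered: op.acceptResponse({ ...sign(site.privateKey, 'deny'), decision: 'approve' }, 1000),
    accepted: op.acceptResponse(good, 1000),
    replayed: op.acceptResponse(good, 2000),
  };
}
```

Only the response signed with the key registered for that relying party's user is accepted, and it is accepted once.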

Mobile apps integration using ReadyOpen

Mobile apps running on the same device where ReadySignOn is installed can use ReadyOpen to log in users on demand. ReadyOpen uses the x-callback-url specification as a URL scheme-based inter-app communication protocol on iOS devices. The calling app encodes information about itself in the launching URL along with a return URL and an encryption key. ReadySignOn validates such information, then reopens the calling app using the return URL interpolated with login credentials encrypted using the encryption key passed from the calling app. ReadyOpen allows apps to defer user sign-in until it is necessary and is able to resume the user’s original navigation flow after a successful sign-in.

Integration with desktop password manager

Information stored in the secure vault of the ReadySignOn or QuickSignOn mobile authenticator can be imported into a desktop password manager to support low-friction login to desktop applications via secure credential autofill.

ReadySignOn supports the popular open-source KeePass desktop password manager through a free import/export plug-in. Users can use ReadySignOn records imported into KeePass to autofill passwords during native desktop application logins.

Using ReadySignOn authenticator with websites that still require username and password

Websites relying on the old password-based authentication can still use ReadyTicket, so the credential will be sent through a separate back channel for better security while the user still enjoys a low-friction login experience.

Using ReadyAction with mobile browsers

When using a mobile browser on the same device where the ReadySignOn authenticator is installed, users have the option to use ReadyAction to fill in login credentials directly into the browsed page. ReadyAction works only on iOS and only for website logins.

Using ReadyFill authenticator with mobile apps

ReadyFill is similar to ReadyAction except it also works on native iOS apps in addition to websites.