Simplicity + Clarity + Transparency

= security without obscurity

Of course we can’t spell security without creating a flawless user experience first.

Mobile Centric

ReadySignOn minimizes the amount of sensitive information stored on servers or passing through desktop and laptop computers, since those systems are more susceptible to spyware and system-level compromise because of their less restrictive software installation and execution controls.

Decentralized

ReadySignOn promotes decentralized security: sensitive user account and profile information is kept on the user’s mobile device, in the user’s own hands, rather than in a centralized database, which will almost certainly attract strenuous hacking and breach attempts.

Threat Resiliency

Highly resistant to online phishing, credential stuffing, MitM, malware and key-logging attacks.

Drastic Measure

Authentication credentials are sent directly from the authenticator to the designated servers through a separate back-channel communication, completely eliminating any opportunity for online phishing attacks.

Cryptographic Proof

The authentication token is a time-sensitive cryptographic proof (a digital signature), so even a compromised communication channel does not expose the user to credential stuffing or MitM attacks.

Explicit Consent

The app always asks for explicit user consent before any bit of information can be extracted or transmitted. There is no automatic data sync or implicit behaviors. Information is always fully protected in transit and at rest.

Are mobile devices less secure?

Nothing could be further from the truth. Modern smart devices are equipped with security hardware and biometric sensors for strong encryption and privacy-preserving ownership verification. These measures, combined with curated apps running in sandboxed environments with least privilege, are typically more resilient to malware and viruses than personal computers. ReadySignOn takes full advantage of the underlying security features offered by modern mobile platforms.

Strong at-rest data protection

LAYER 4

One-time pad encryption of sensitive fields using individually salted high-entropy keys

LAYER 3

Holistic encryption of the secure vault using AES256

LAYER 2

Biometric hardware sensors for device access control

LAYER 1

Disk encryption and instantaneous remote wipe provided by the platform

Defense in Depth shouldn’t mean doing the same thing repeatedly

ReadySignOn always encrypts all user information, including metadata such as the record count, using AES256 to ensure strong protection and zero leakage of usage information. Additionally, information marked as sensitive is further protected using one-time pad encryption with individual keys derived from the user passphrase and random salts.

Enhanced Security

Without Enhanced Security, the strength of the encryption key management is ultimately determined by the underlying system, although the authenticator app stores portions of the decryption key using different mechanisms of the underlying system, so that defeating a single security measure of the platform does not yield the entire decryption key.

With Enhanced Security enabled, the decryption key is not stored anywhere on the device, so successfully circumventing the system security alone cannot yield protected information. Since the key is not stored anywhere, the user must be prompted to enter the brain password every time it is needed to decrypt user information, hence the trade-off of convenience for security. To mitigate this usability issue and let the user control the balance between security and productivity, the solution can use biometric authentication as access control with time and location constraints.


End-to-end in-transit data protection

With ReadyID, the cryptographic user identifier, ReadySignOn maintains authentication integrity and prevents user credential theft even when its communication channel has been compromised. Nevertheless, it always protects all of its data transmission using Transport Layer Security (TLS).

OOB MCA (Multi-Channel Authentication)

Out-of-band multi-channel authentication (MCA) is more resilient in defending against online phishing, credential stuffing, MitM, key-logging and other types of malware attack.
  • Authentication credentials are sent directly from the authenticator to the designated server’s pre-validated URL endpoint through a separate back-channel communication, completely eliminating any opportunity for online phishing attacks.
  • Authentication credentials completely bypass the user login terminal, so even a compromised login terminal cannot leak the sensitive credentials.
  • Since the authentication token is a time-sensitive cryptographic proof (a digital signature), even a compromised communication channel does not expose the user to credential stuffing or MitM attacks.
  • Since no user login information goes through the login terminal, ReadySignOn allows safe zero-footprint sign-in from kiosks or shared computers.
  • Direct entering of any character without having to shift

  • Never caches

  • Full-size with portrait and landscape layouts

No QR Scan

ReadySignOn avoids the use of obscure QR codes, which are vulnerable to image substitution attacks because they are incomprehensible to humans. Besides, in many places awkward camera scans are either outright unacceptable or just downright unpleasant. ReadySignOn enables a more natural, intuitive, and elegant user experience with exceptionally strong security and privacy protection.

Tried and Tested

Using iOS and Android devices means the solution can take full advantage of the multi-layered security measures offered by the respective platforms and their built-in hardware (e.g., iOS keychain, AES engine, Secure Enclave and biometric scanners) to ensure both robust security and strong user privacy protection. Patches, fixes, and upgrades can be deployed in a timely manner.

Cryptography in ReadySignOn

  • Static user identifiers are based on a 2048-bit RSA key pair

  • Dynamic user identifiers are based on a 384-bit ECC key

  • Every authentication assertion is uniquely signed with ECDSA

  • Symmetric encryption is done using AES256 and a one-time pad

  • All keys are generated using PBKDF2 with an iteration count of 1,000,000

  • Seeds are generated using high-entropy RNG engines
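The out-of-band exchange from the OOB MCA bullets, using the 384-bit ECC key and ECDSA signing from the list above, as an added example in Go; this is not ReadySignOn's own code. The Authenticator is the mobile side and holds a P-384 key pair standing in for the dynamic user identifier (the 2048-bit RSA static identifier is not modelled). It signs claims that bind each assertion to the server's pre-validated endpoint URL, one login session, an issue time and a fresh nonce, and posts them over the back channel. The Verifier on the server rejects anything addressed to a different endpoint, anything outside its freshness window, anything whose nonce was already consumed, and anything that does not verify under the registered key, which is what makes a captured assertion useless for replay, MitM or credential stuffing. The claim layout, the JSON-then-SHA-384 digest, the 30-second window and the example endpoint URL are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha512"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Claims are the signed fields; they travel from the authenticator straight to the
// server's back channel, so the login terminal never sees them.
type Claims struct {
	Audience string `json:"aud"`   // pre-validated endpoint URL the proof is bound to
	Session  string `json:"sid"`   // login session the terminal is waiting on
	IssuedAt int64  `json:"iat"`   // unix seconds; this is what makes the proof time-sensitive
	Nonce    string `json:"nonce"` // fresh per assertion, so the server can refuse replays
}

// Assertion is the claims plus an ECDSA P-384 signature over them.
type Assertion struct {
	Claims
	Signature []byte `json:"sig"`
}

// digest hashes the canonical JSON encoding of the claims with SHA-384 (paired with P-384).
func (c Claims) digest() []byte {
	payload, _ := json.Marshal(c) // struct field order is fixed, so the encoding is canonical
	sum := sha512.Sum384(payload)
	return sum[:]
}

// Authenticator is the mobile side: the dynamic (ECC P-384) identifier key pair lives
// here and the private half never leaves the device.
type Authenticator struct{ key *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: key}, nil
}

func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.key.PublicKey }

// Sign produces a uniquely signed assertion for one login session at time now.
func (a *Authenticator) Sign(audience, session string, now time.Time) (Assertion, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Assertion{}, err
	}
	c := Claims{audience, session, now.Unix(), hex.EncodeToString(nonce)}
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, c.digest())
	return Assertion{Claims: c, Signature: sig}, err
}

// Verifier is the server's back-channel endpoint for one registered user.
type Verifier struct {
	Key      *ecdsa.PublicKey // user's registered dynamic identifier
	Endpoint string           // pre-validated URL every assertion must name as audience
	MaxAge   time.Duration    // how far IssuedAt may drift from the server clock
	seen     map[string]bool  // nonces already consumed
}

func NewVerifier(key *ecdsa.PublicKey, endpoint string, maxAge time.Duration) *Verifier {
	return &Verifier{Key: key, Endpoint: endpoint, MaxAge: maxAge, seen: map[string]bool{}}
}

// Accept checks binding, freshness, replay and signature; a captured assertion can be
// neither reused nor altered, which is the MitM and credential-stuffing resistance.
func (v *Verifier) Accept(a Assertion, now time.Time) error {
	if a.Audience != v.Endpoint {
		return errors.New("assertion is bound to a different endpoint")
	}
	if age := now.Sub(time.Unix(a.IssuedAt, 0)); age > v.MaxAge || age < -v.MaxAge {
		return errors.New("assertion outside the freshness window")
	}
	if v.seen[a.Nonce] {
		return errors.New("replayed assertion")
	}
	if !ecdsa.VerifyASN1(v.Key, a.Claims.digest(), a.Signature) {
		return errors.New("signature does not verify")
	}
	v.seen[a.Nonce] = true // only a valid, fresh assertion consumes its nonce
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	v := NewVerifier(auth.Public(), "https://login.example.test/oob", 30*time.Second) // constructed endpoint
	a, _ := auth.Sign(v.Endpoint, "session-1", time.Now())
	fmt.Println("first use:", v.Accept(a, time.Now()), "| replay:", v.Accept(a, time.Now()))
}
```

Accept runs the cheap checks first and marks the nonce consumed only after the signature verifies. In a long-running server the seen map should be pruned of nonces older than MaxAge; anything outside the window is already rejected by the freshness check, so pruning loses nothing.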

Have More Questions?

Get in touch with our team for fast technical support and more information. We’d love to hear from you!
