Nexus' Digital access platform is based on leading industry standards to guarantee interoperability with existing applications and security infrastructures. 

Nexus' solution uses standard protocols and is extensible through a plug-in API. Open standards such as X.509, Open Authentication (OATH), RADIUS, LDAP, SAML 2.0, OpenID Connect and OAuth 2.0 are supported. For applications that do not support any of these standards, integration through a Web Services interface is offered. 

To find the right two-factor authentication method for your needs, consider the level of security needed for your applications and make sure it is convenient for your end users. 

Compare two-factor authentication (2FA) methods


For full lifecycle management of the authentication methods, with automated workflows and self-service functionality, see Digital ID.



Virtual smart cards

Virtual smart cards use PKI-based identities in a secure environment on laptops, to let users get rid of passwords and use strong authentication, signing and encryption in a smooth way. They work as physical smart cards, but without the need to issue and manage plastic cards or other hardware tokens. 

With virtual smart cards, you get an intuitive and user-friendly two-factor authentication (2FA) method. They are also an economical choice, since they take advantage of existing technology available on many laptops, which means that you do not have to issue and manage hardware tokens, smart cards or smart card readers. 

Virtual smart cards are included in Digital ID, with automated lifecycle management and self-service workflows.

How does it work?

Virtual smart cards are hosted on your laptop and have the same level of security as a physical smart card. Keys are securely created and stored on the Trusted Platform Module (TPM) chip, which is available on most laptops. 

Nexus Personal Desktop App lets you provision and manage virtual smart cards, based on Microsoft Virtual Smart Card (VSC) and Universal Windows Platform (UWP) technology. The solution uses the native Microsoft minidriver for communication with the VSC.

The Personal Desktop App is used together with a messaging backend to manage the online authentication and signing services. 

Security:

  • Keys are created and stored on the secure TPM chip on Windows laptops

Convenience:

  • No need for extra hardware tokens

  • Intuitive use cases
  • Integrated in Windows environment 

Mobile virtual smart cards

Mobile virtual smart cards are trusted digital identities hosted in a secure mobile app. They are used for out-of-band authentication to digital resources (such as Office 365 or other apps), digital signing, email encryption and visual identification.

With mobile virtual smart cards, you get an intuitive and user-friendly two-factor authentication (2FA) method. They are also an economical choice, since most users already have a smartphone, which means that you do not have to issue and manage hardware tokens, smart cards or smart card readers.

Mobile virtual smart cards are included in Digital ID, with automated lifecycle management and self-service workflows.

How does it work?

Mobile virtual smart cards are based on PKI and enable users to easily authenticate, encrypt or sign using fingerprint or face recognition.

Nexus Personal Mobile, the mobile multi-factor app used with mobile virtual smart cards, offers fingerprint and face recognition for easy usability. The app is used together with a messaging backend to manage the online authentication and signing services and for sending push notifications. 


Nexus Personal Mobile can also be used in offline mode with one-time passwords (OTP). 

Nexus Personal Mobile is available on iOS and Android.


Security:

  • Out-of-band authentication
  • Multiple encryption layers and device-binding protect keys
  • Protection against reverse engineering and malware

Convenience:

  • No need for extra hardware tokens

  • Easy enrollment and intuitive use cases
  • Biometric validation 

Smart cards

By using PKI chip cards with certificates, users can log in to computers without a password, sign documents digitally and access local and cloud resources. 

Smart cards help users with a high-security, all-in-one solution by combining PKI certificates with RFID technology and visual identity on one card. 

If you order cards as a service from Nexus GO, you get customized and personalized PKI cards, encoded and ready to use, with the right security level for your organization. Then, Nexus provides and maintains the PKI infrastructure.

The PKI certificates on the card chip can be used for two-factor authentication, passwordless login to Windows, digital signing and encryption.

How does it work?

Combine the following components to suit your organization's specific requirements:

  • Visual identity
    Get your cards customized with a company logo and color scheme and personalized with a photo and personal data.

  • PKI chip
    Use certificates for two-factor authentication, passwordless login to Windows, digital signing and encryption.

  • RFID technology 
    Choose one or combine two of the most common RFID (Radio-frequency identification) technologies on high-quality cards with the original RFID chip.

  • Visual security elements 
    Add security elements to ensure that your photo ID cards are hard to forge. 

Security:

  • Keys are created and stored on the secure PKI chip of the card

Convenience:

  • All-in-one solution for visual ID, physical access, strong authentication, signing and encryption

  • Use one card on multiple computers

Mobile OTP

The mobile app Nexus Personal Mobile supports time-based and event-based one-time passwords (OTP). 

Nexus Personal Mobile works in offline mode and offers extra security compared to other mobile apps for two-factor authentication, since the user must authenticate in the app with a PIN code or biometric validation with fingerprint or face recognition, before receiving the OTP. 

About one-time passwords (OTP)

A one-time password (OTP) is a temporary and unique passcode that is generated by an algorithm to authenticate users to digital resources. There are different types of one-time passwords (OTP), as defined by the Initiative for Open Authentication (OATH):

  • Time-based OTP (TOTP): A TOTP is renewed after a fixed amount of time, for example 30 seconds. The algorithm that generates each password uses the current time of day as one of its factors, ensuring that each password is unique. 
  • Event-based OTP (HOTP): An HOTP is valid for one authentication only. After each authentication a new OTP is generated. 

One-time passwords (OTP) in Nexus' Digital access platform

Smart ID Digital access supports OTP-token authentication for the OATH standards for HOTP, TOTP and OCRA as well as self-registration for OATH-compliant mobile applications. 

For information on other supported OATH-based authentication methods in Digital access, see Authentication methods.

Security:

  • Time- or event-based one-time passwords.
  • Protection with PIN or biometric validation.
  • Supports strong hash algorithms, such as SHA-256 and SHA-512.

Convenience:

  • No need for extra hardware tokens

  • Works offline

Hardware OTP tokens

Hardware one-time password (OTP) tokens include various devices, such as key fobs and display cards, and either one-button tokens or tokens with PIN protection. 


Security:

  • Time- or event-based one-time passwords.

Convenience:

  • Works offline

Software tokens

PKI software tokens (or soft tokens) can be used when you need a convenient method that is easy to roll out but does not necessarily require the highest security level. Typical use cases include authentication at VPN access points and web services, or digital signing of emails and documents. 

Software tokens are often used in combination with other methods. For example, a smart card might be required for Windows logon, but the security level of a software token is enough for VPN access.  

Software tokens are delivered as PKCS#12 files or published into the Windows certificate store. A software token is used together with a password for authentication, signing and encryption.  

Security:

  • Two-factor authentication by using a PKCS#12 file and a password
  • Easy withdrawal by revoking certificates

Convenience:

  • Certificate is available on the device
  • Used for multiple use cases