The Nexus Invisible Token is an on-demand solution that combines the strengths of passwords and tokens for two-factor authentication (2FA). It is secure, convenient, easy to deploy and, most importantly, easy to use. Invisible Token is based on HTML5 and turns your browser into an OTP token, independent of the platform you are using.
Your browser is enrolled the first time it is used: the enrollment step configures the browser and installs an OTP token in it. In the standard activation flow, a one-time activation code, sent to the user by SMS or email, activates the current browser. Roles or persons in the organization with a clear connection to the user (for instance a team member, a manager or help-desk staff) can be selected to receive the activation code as a fallback or emergency path. The deployment process can reuse existing passwords and other information available in directory services. Through simplified provisioning, an administrator or the help desk can allow a browser to be activated at the next logon without an activation code; the user then activates one browser using only username and password. Anyone who can receive the activation code or trigger this provisioning can enroll a browser, so these paths deserve the same scrutiny as a password reset.
Once enrolled, Invisible Token is transparent to users: they keep using password-based authentication with their existing passwords in directories such as LDAP or Active Directory. The end user never needs to interact with Invisible Token; all they do is enter their username and password on a trusted device using a trusted web browser.
The OTP algorithm is the OATH (Initiative for Open Authentication) HOTP standard, RFC 4226. The seed used to calculate the OTPs is stored in the browser through the WebCrypto API as a key marked not extractable, which prevents the seed material from being copied out by e.g. user tampering or Cross-Site Scripting (XSS). Note what the flag does and does not do: it stops export of the seed, not use of it, so script running in the same origin can still ask the key to produce OTPs even though it can never read the seed itself. The OTP token in the browser has a configurable lifetime. If the end user loses their password, e.g. in a phishing attack, the attacker is still unable to log on with the stolen password, as they do not have access to an activated browser.
You define your own password policy: password length, complexity, disallowed characters, change interval and password history. The solution can integrate with Microsoft Active Directory and reuse its passwords; in that case the Active Directory password policies apply when a user changes or resets a password.