This article describes the key features of the ready-to-use mobile app Nexus Personal Mobile and of the software development kit Nexus Personal SDK, which can be used to implement your own mobile app for authentication and signing. Personal Mobile is entirely based on Personal SDK.

Both the SDK and the app come with complete protocol and interface documentation.


Features

The features below are compared for Personal SDK and Personal Mobile. A feature tagged [SDK, Mobile] is supported by both products; a feature tagged [SDK or Mobile] is supported by only one of them.

Use cases

  • Activation of user profiles, including provisioning of user certificates for authentication, signing, and encryption. [SDK, Mobile]
  • Authentication to local or web applications. [SDK, Mobile]
  • Signing transactions. [SDK, Mobile]
  • Certificate import and renewal. [SDK, Mobile]
  • Deletion of profiles from the device, initiated either from the server or locally. [SDK, Mobile]

SDK app branding

  • Public keys, certificates and other identity metadata are available to the app. [SDK, Mobile]
  • The implementer decides, based on the identity and other parameters, whether the pending request is accepted or rejected. [SDK, Mobile]
  • Implementer-specific metadata can accompany any request, for example raw data, text, PDF or images. [SDK, Mobile]
  • An attestation key can be provided by the implementer so that the server can validate that it is your client responding. [SDK, Mobile]
  • Built-in fingerprint and biometric authentication. [SDK or Mobile]
  • Registering the device and receiving push notifications from the Nexus Push Service hosted by Nexus. [SDK or Mobile]
  • Hosting your own Nexus Push Service backend server for push notifications. [SDK or Mobile]
  • Displaying the SDK licence dependencies. [SDK or Mobile]
  • Easy-to-use and intuitive interface. [SDK or Mobile]
  • Can be integrated into an existing app. [SDK or Mobile]
  • Easy to trigger from external applications via app-to-app transitions using the 'personal://' URL scheme. [SDK or Mobile]
  • Built-in mobile device management (MDM) integration. This applies to iOS only. [SDK or Mobile]
  • Secure sharing of keys with apps signed by the same developer via the shared keychain. This applies to iOS only. [SDK, Mobile]

Secure communication

  • Activation links are for one-time use only and cannot be reused. [SDK, Mobile]
  • PIN codes are validated on the server side, to perform flow control and add extra security. [SDK, Mobile]
  • Identities continue to communicate with the same server that provisioned them. [SDK, Mobile]
  • Man-in-the-middle attacks are prevented by the TLS handshake and by validation of the server certificate in the response. [SDK, Mobile]
  • Possibility to restrict the allowed server certificates to a specific set. [SDK, Mobile]
  • An attestation key is included to make sure that the client is genuinely Nexus. [SDK, Mobile]

Secure key storage

  • Keys are generated on the device, and proof of possession is provided to the server. [SDK, Mobile]
  • Key storage is device-bound and non-extractable. [SDK, Mobile]
  • Protected with obfuscation, root detection, real-time checks and debugger detection. [SDK, Mobile]
  • When storing secrets offline, the device keystore is required. Android 6+ is required for OTP. [SDK, Mobile]
  • The minimum PIN policy is fixed at six digits and disallows sequences. [SDK, Mobile]
  • After wrong PIN attempts the identity is blocked for an increasing amount of time, until the tenth attempt, when the identity is blocked entirely. [SDK, Mobile]
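The PIN policy and lockout behaviour described above (at least six digits, no sequences, server-side validation with an increasing lockout and a permanent block on the tenth wrong attempt), as an added example that is not Nexus code. The exact meaning of "sequences", the lockout schedule and the stored PIN verifier are assumptions; the page states only the rules.

```python
import hmac
from dataclasses import dataclass

MIN_PIN_LENGTH = 6   # page: minimum PIN policy is fixed at six digits
MAX_ATTEMPTS = 10    # page: the tenth wrong attempt blocks the identity entirely
# Assumed lockout schedule in seconds after the 1st..9th wrong attempt; the page
# only says the lockout time increases, so these values are illustrative.
LOCKOUT_SECONDS = [1, 2, 5, 15, 30, 60, 300, 900, 3600]

def is_sequence(pin: str) -> bool:
    """Assumed reading of 'sequences': every adjacent digit pair steps by +1
    (123456) or by -1 (654321). Wrap-around such as 890123 is not counted."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}

def pin_policy_ok(pin: str) -> "tuple[bool, str]":
    """Check a new PIN against the policy before it is accepted."""
    if not pin.isdigit():
        return False, "PIN must contain digits only"
    if len(pin) < MIN_PIN_LENGTH:
        return False, f"PIN must be at least {MIN_PIN_LENGTH} digits"
    if is_sequence(pin):
        return False, "sequential digits are not allowed"
    return True, "ok"

@dataclass
class IdentityPinState:
    failures: int = 0           # consecutive wrong attempts
    locked_until: float = 0.0   # epoch seconds; 0 means not locked
    blocked: bool = False       # set after the tenth wrong attempt

def verify_pin(state: IdentityPinState, entered: str, expected: str,
               now: float) -> "tuple[bool, str]":
    """Server-side PIN check with escalating lockout. 'expected' stands in for
    whatever verifier the server really stores; the page does not specify it."""
    if state.blocked:
        return False, "identity blocked"
    if now < state.locked_until:
        return False, f"locked for another {state.locked_until - now:.0f}s"
    if hmac.compare_digest(entered, expected):   # constant-time comparison
        state.failures, state.locked_until = 0, 0.0
        return True, "ok"
    state.failures += 1
    if state.failures >= MAX_ATTEMPTS:
        state.blocked = True
        return False, "identity blocked after the tenth wrong attempt"
    state.locked_until = now + LOCKOUT_SECONDS[state.failures - 1]
    return False, f"wrong PIN, locked for {state.locked_until - now:.0f}s"
```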

Lifecycle management

  • Uses either X.509 certificates or raw key pairs, based on JSON Web Keys (JWK, see RFC 7517). When activating a certificate, a signed PKCS#10 certificate signing request (CSR) is provided for each key in the activation response. [SDK, Mobile]
  • Certificate renewal is supported, including cryptographic key exchange. [SDK, Mobile]
  • Secure import of keys is supported: [SDK, Mobile]
      • Import keys from the server side, for example for encryption certificates.
      • Import keys into the keystore of the device's operating system.
  • Identities can be migrated from one server to another, but keys never leave the device. [SDK, Mobile]
  • Support for securing OATH tokens for use in offline scenarios, for example with a bad internet connection, with RADIUS, or on airplanes. [SDK, Mobile]

Usability

  • Uses either Nexus Hybrid Access Gateway, Nexus PRIME or Hermod to communicate. [SDK, Mobile]
  • One server implementation can talk to all our clients: iOS, Android, Windows, Mac, and Linux. [SDK, Mobile]
  • Possibility to have multiple identities in the SDK simultaneously. [SDK, Mobile]
  • Support for multiple simultaneous authentication or signing requests. [SDK, Mobile]
  • Possibility, via server trust, to log in to external servers by trusting their certificate authority (CA). [SDK, Mobile]
  • Uses standard protocols such as HTTPS, JOSE and REST. All keys and cryptographic operations are handled within JOSE standard objects. [SDK, Mobile]
  • Support for the Google OTPAUTH protocol, which enables migration from Google and Microsoft Authenticator. Support for a user display name in OTP profiles for ease of use. [SDK, Mobile]
  • Possibility to secure your existing accounts with two-factor authentication, for example in Google, Visma, HubSpot and Microsoft. [SDK, Mobile]

Cryptography

  • Minimum 2048-bit RSA key pairs. [SDK, Mobile]
  • Signatures use standard JSON Web Algorithms (JWA), either RS256 or RS512. For more information, see RFC 7518. [SDK, Mobile]
  • Keys are stored with password-based key derivation and encrypted using the Advanced Encryption Standard (AES). Keys use the device keystore when available. [SDK, Mobile]
  • Keys are encrypted with multiple layers of AES-256. [SDK, Mobile]
  • Keys are stored with server-based parameters to increase security in online scenarios. [SDK, Mobile]