What functionality does the Nevis Access App offer?
The Nevis Access App is a standardized access app. It is possible to create customer-branded instances with the following functionality:
- Available for iOS and Android (supported versions: iOS 11+ and Android 6+).
- Registration of the Access App via QR-code.
- Second-factor authentication initiated via push notification.
- Authentication via PIN, fingerprint or face recognition on iOS devices, and via PIN, fingerprint, face or iris recognition on Android devices.
- Transaction confirmation via the same mechanisms (PIN, fingerprint or face recognition on iOS; PIN, fingerprint, face or iris recognition on Android).
- Deregistration of the Access App from within the app.
- Customer-branding (logo, colors).
- Low integration costs due to out-of-the-box compatibility with the Nevis Mobile Authentication backend (nevisProxy, nevisAuth, nevisIDM, nevisFIDO), based on the FIDO UAF 1.1 standard.
The Access App is tested on which devices?
The Access App is tested with each release on a range of iPhones and Android devices. See the chapter Device Support for the up-to-date list of devices.
In what scenarios can I use the Nevis Access App?
You can use the Nevis Access App to perform authentication for one or more identities against one or multiple applications served by the same authentication server. In less technical terms, this means:
- Unless it has been configured for multiple accounts, an Access App instance authenticates one identity. If multiple accounts are configured, the same installation can also authenticate, for example, a private account and a business account (see the questions on multiple identities and the account limit below).
- The Nevis Access App communicates with a single authentication server (relying party). Depending on whether this server is configured to serve one or multiple applications, the same Access App can be used to log in to a single application or to multiple applications.
You can also use the Nevis Access App to perform transaction confirmation: transactions (financial transactions, agreement to terms, agreement to the release of personal data, etc.) are displayed in the app so that users have seen and accepted a particular transaction before they authorize it.
I have multiple web applications that my users access via a browser. I would like to authenticate them using mobile authentication. Is the Nevis Access App the right approach for that?
Yes. The Nevis Access App is an excellent fit for this scenario. When a user attempts to log in to a web application, an authentication request is triggered and sent to that user's Access App. Because the Access App can be configured to handle multiple accounts or identities, a single Access App is enough even if your web applications require authentication with different identities.
I have multiple native business applications on my smartphone and would like to authenticate with mobile authentication. Is the Nevis Access App the right solution for that?
Yes. If you want single sign-on across the native mobile applications, consider implementing the Best Current Practice RFC 8252, OAuth 2.0 for Native Apps.
To what extent can I customize the Nevis Access App for my company?
The customizable parts are described in the chapter Ordering an Access App.
What if I want to customize my access app to a greater extent than what is possible with the Nevis Access App?
You have multiple options:
- A Nevis partner can develop a custom Access App based on the Nevis Mobile Authentication SDK, or a derivation of the Nevis Access App.
- The customer can develop a custom Access App by using the Nevis Mobile Authentication SDK.
The Nevis Access App offers authentication via PIN or fingerprint. What about face recognition or other mechanisms?
Currently we support PIN and fingerprint on both Android and iOS. Face recognition is supported on Apple iOS devices that support Face ID. Face and iris recognition are supported on Android devices running Android 10 or later with a Class 2 (Weak) or Class 3 (Strong) biometric sensor.
Android Face Authenticator (Class 2 and Class 3)
According to Google, only the Google Pixel 4 and Pixel 4 XL offer a Class 3 face authenticator. Therefore, if only Class 3 sensors are allowed, all other Android devices offer only the fingerprint biometric authenticator.
Samsung devices, such as the Samsung Galaxy S21, have a Class 2 face sensor, which is supported if Class 2 sensors were allowed when ordering the application.
Face authentication is automatically offered in the app during registration if the Android biometric authenticator is allowed by the backend policy and metadata (the default) and the device hardware offers the capability.
I have lost my mobile device with the registered Access App. How can I de-register that device?
There are multiple options depending on specific security requirements.
- A proven option is that the user calls a service desk agent to request de-registration of a specific device (as you would do for a lost credit card).
- A dedicated self-administration portal that allows logging in with other credentials (for example a grid card).
- Deregistration via self-administration functionality embedded in a business application (e.g., an eBanking application).
Is it possible to use an instance of the Nevis Access App to authenticate against multiple authentication servers (relying parties)?
No. The Nevis Access App is designed for ease of use and simple administration and management processes. It only supports authentication against one authentication server (relying party).
When authentication against multiple relying parties is needed, we recommend using a dedicated Access App for each relying party. This also allows dedicated branding based on the relying party.
As an alternative, set up identity federation between the relying parties, so that an authentication at an Identity Provider also allows logging in at the other relying parties.
The Nevis Access App implements registration through QR-code. Are there any other options for registration?
Yes. The current version of the Nevis Access App implements registration via QR-code and via links (Universal Links on iOS, App Links on Android, or custom URI schemes). For most customer use cases, however, the QR-code is the default solution.
Can the same Access App be used for multiple identities? E.g., can an end user use the same Access App installation to authenticate with his private account as well as with his business account?
Yes, this is supported if the Access App has been configured for multiple accounts (see the account limit below).
The Nevis Access App stores private keys locally. How is it ensured that those private keys can not be compromised on iOS and Android devices?
Private keys are always stored in secure storage: the Secure Enclave on iOS, or the hardware-backed Keystore on Android.
Private keys are non-exportable: they cannot be extracted from secure storage or used outside the secure world (dedicated hardware isolated from the main processor).
As an additional security measure, a user is only authorized to use the private key after providing a PIN or fingerprint.
Fingerprints are managed by the phone OS in the secure world. The PIN is stored as a PBKDF2 hash in the Keychain (iOS) or in Shared Preferences (Android); on Android this value is additionally encrypted before it is stored.
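As an added illustration (not code from the Nevis Access App or the Nevis Mobile Authentication SDK), the following Python shows the PBKDF2 step described above: deriving a salted hash record for a PIN, verifying a PIN against that record in constant time, and why the hash alone does not make a short numeric PIN strong. The iteration count, salt length and record layout are assumptions for this example; the page does not state the parameters the app uses.

```python
import hashlib
import hmac
import os
from typing import Any, Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumed for this example; the page does not
# state the iteration count the Access App uses.
ITERATIONS = 100_000


def hash_pin(pin: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> Dict[str, Any]:
    """Derive a salted PBKDF2 record for a PIN. The record, never the PIN, is what gets stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, iterations, dklen=32)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_pin(pin: str, record: Dict[str, Any]) -> bool:
    """Recompute PBKDF2 with the stored salt and iteration count; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pin.encode("utf-8"), record["salt"], record["iterations"], dklen=32
    )
    return hmac.compare_digest(candidate, record["hash"])


def brute_force_pin(record: Dict[str, Any], digits: int = 4) -> Optional[str]:
    """Offline attack against a leaked record: a numeric PIN has only 10**digits candidates.

    PBKDF2 slows each guess down, but it cannot make a four-digit PIN strong by itself,
    which is why the record has to stay inside protected storage.
    """
    for n in range(10 ** digits):
        guess = str(n).zfill(digits)
        if verify_pin(guess, record):
            return guess
    return None


if __name__ == "__main__":
    rec = hash_pin("4711")
    print("correct PIN accepted:", verify_pin("4711", rec))
    print("wrong PIN rejected:", not verify_pin("4712", rec))
    # Deliberately low work factor so the demonstration finishes in well under a second.
    leaked = hash_pin("0042", iterations=1_000)
    print("recovered from leaked record:", brute_force_pin(leaked))
```

The brute_force_pin function is the reason the hash record must stay inside the Keychain or, on Android, the encrypted Shared Preferences, and why the platform should additionally rate-limit attempts: a four-digit PIN has only 10,000 candidates, so a leaked record falls to an offline search in minutes even at 100,000 PBKDF2 iterations.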
Will an end user be able to register multiple Access Apps for the same identity on separate devices? E.g., on his private mobile phone as well as on his business mobile phone?
Yes, the Nevis Access App and Nevis Mobile Authentication support this.
How will Access Apps be upgraded to new iOS and Android versions?
Upon release of new Android and iOS versions, we will test the Nevis Access App and release a new version if required. See the chapter Update and Release Process for more information.
I want to use the Nevis Access App. What are the prerequisites and what steps are needed until customers are able to use it?
Roughly, the following steps are required until a branded version of the Nevis Access App is available in the app stores for your customers to download:
- Set up the Nevis Mobile Authentication backend system as part of the Identity Suite or Authentication Cloud offering of Nevis.
- Communicate the backend URLs, TLS (SSL) certificates, company logo, color scheme, fonts and supported languages to Nevis.
- Nevis hands over the final iOS and Android packages to the customer. The customer then publishes the Access App to the app stores following the Apple and Google guidelines.
For more detailed information, see chapter Ordering an Access App.
Can passwordless authentication with the Nevis Access App be considered as two-factor authentication (2FA)?
Yes, passwordless authentication with the Nevis Access App can be considered as two-factor authentication.
- Something you have: the private keys are bound to the device, so they cannot be used without possession of the device.
- Something you know/are: in addition, use of the private keys is protected by either something you know (PIN) or something you are (fingerprint or face).
What about privacy? Will biometric data or passwords be stored on the server side?
No. Biometric data (e.g., fingerprint templates), PINs and the FIDO UAF 1.1 private keys are stored solely on the device. This data is never transferred to the server side.
Authentication on the Access App is triggered via a push notification. Since push notifications are not end-to-end encrypted per default, could this lead to information leakage?
No. Push notifications are indeed not end-to-end encrypted by default, so push notification service providers could read the content of the messages in transit. The Nevis Access App therefore implements end-to-end encryption on the application layer, which prevents the content of push notifications from being disclosed to anyone other than the sender and the receiver.
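As an added example (not the Access App's actual implementation, whose cipher the page does not name), the Python below shows the application-layer envelope this answer describes: the backend encrypts and authenticates the notification payload under a secret shared only with the app, and the push provider relays an opaque blob it cannot read or modify undetected. The cipher is a standard-library stand-in (an HMAC-SHA256 keystream with encrypt-then-MAC); a production implementation would use an AEAD such as AES-GCM or ChaCha20-Poly1305. The shared secret, the key-derivation labels and the sample payload are constructed for this example.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Tuple


def _derive_keys(shared_secret: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from the backend/app secret (labels are assumed)."""
    enc_key = hmac.new(shared_secret, b"push-enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"push-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC-SHA256(key, nonce || counter). Stand-in for a real stream cipher."""
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal_push(shared_secret: bytes, payload: Dict[str, str]) -> Dict[str, str]:
    """Backend side: the push provider (FCM/APNs) only ever receives this opaque envelope."""
    enc_key, mac_key = _derive_keys(shared_secret)
    nonce = os.urandom(16)  # fresh per message; reuse would leak keystream
    plaintext = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_push(shared_secret: bytes, envelope: Dict[str, str]) -> Dict[str, str]:
    """App side: verify the tag first and decrypt only if it matches; otherwise discard."""
    enc_key, mac_key = _derive_keys(shared_secret)
    nonce, ciphertext, tag = (bytes.fromhex(envelope[k]) for k in ("nonce", "ct", "tag"))
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("push envelope failed authentication; discarding")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a per-device secret and an authentication request payload.
    device_secret = os.urandom(32)
    request = {"type": "auth_request", "user": "alice@example.com", "app": "ebanking"}
    envelope = seal_push(device_secret, request)
    print("what the push provider sees:", envelope)
    print("what the app recovers:", open_push(device_secret, envelope))
```

Two properties matter here and both are checked on the receiving side: the provider cannot read the user or application name from the envelope, and any bit flipped in transit makes the tag check fail before decryption is attempted, so a tampered notification never reaches the user interface.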
Is there a QoS (quality of service) / guaranteed delivery for push notifications?
No. There is no guarantee that push messages are delivered to the mobile phone, and no guarantee that the mobile OS will handle a delivered push message correctly. For example, the push message might get "silently swallowed" by a battery conservation app or service.
To reduce the risk of non-delivery, push messages are always sent with "high priority".
If I decide to get a branded Access App, will I also get a version for testing on the integration environment?
We will deliver two versions of the Access App. An INT version for integration in a test or integration environment and a PROD version for integration in the production environment.
Besides different backend URLs, these apps also have different security settings: the INT version supports logging, while the PROD version is fully hardened and has logging disabled.
Can I install the INT and the PROD version of the Access App in parallel on my phone?
No, this is currently not supported. Only one of the versions can be installed at any moment in time.
What is transaction confirmation and what can I use it for?
Transaction confirmation is a method typically used when non-repudiation is required.
The user sees and accepts a particular transaction before authorizing it. Such transactions include, but are not limited to, financial transactions, agreement to terms, or agreement to the release of private data. Users can thus be assured that what they see is the transaction they accept (sign). This principle is called What You See Is What You Sign (WYSIWYS).
These transactions are initiated by the relying party.
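As an added example (not Nevis code), the following Python shows the WYSIWYS binding in miniature: the relying party issues a transaction text together with a fresh challenge, the app signs over the challenge and a hash of exactly the text it displayed, and the relying party verifies against the text it originally sent and accepts each challenge once. A shared HMAC key stands in for the FIDO UAF key pair; that is an assumption made to keep the example dependency-free. With HMAC the relying party could forge a confirmation itself, so genuine non-repudiation requires the device-bound private key and a public-key signature as in FIDO UAF.

```python
import hashlib
import hmac
import secrets
from typing import Any, Dict, Optional


def transaction_digest(text: str) -> bytes:
    """Hash the exact text shown to the user; any change to what is displayed changes the digest."""
    return hashlib.sha256(text.encode("utf-8")).digest()


def _sign(key: bytes, challenge: bytes, text: str) -> str:
    # HMAC stands in for the FIDO UAF signature with the device-bound private key (assumption).
    return hmac.new(key, challenge + transaction_digest(text), hashlib.sha256).hexdigest()


class RelyingParty:
    """Issues transactions and verifies confirmations against the text it originally sent."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key
        self.pending: Dict[str, Dict[str, Any]] = {}

    def create_transaction(self, text: str) -> Dict[str, str]:
        tx_id = secrets.token_hex(8)
        challenge = secrets.token_bytes(32)  # fresh per transaction, so a confirmation cannot be replayed
        self.pending[tx_id] = {"text": text, "challenge": challenge}
        return {"tx_id": tx_id, "text": text, "challenge": challenge.hex()}

    def verify_confirmation(self, tx_id: str, signature_hex: str) -> bool:
        tx: Optional[Dict[str, Any]] = self.pending.pop(tx_id, None)  # one-shot
        if tx is None:
            return False
        expected = _sign(self.device_key, tx["challenge"], tx["text"])
        return hmac.compare_digest(expected, signature_hex)


class AccessApp:
    """Displays the transaction and, once the user approves it, signs exactly what was displayed."""

    def __init__(self, device_key: bytes):
        self.device_key = device_key

    def confirm(self, request: Dict[str, str], user_approves: bool = True) -> str:
        displayed_text = request["text"]  # the text rendered on screen for the user
        if not user_approves:
            raise PermissionError("user declined the transaction")
        return _sign(self.device_key, bytes.fromhex(request["challenge"]), displayed_text)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed stand-in for the registered device key
    rp, app = RelyingParty(key), AccessApp(key)
    req = rp.create_transaction("Pay CHF 10.00 to ACME Ltd")
    print("genuine confirmation accepted:", rp.verify_confirmation(req["tx_id"], app.confirm(req)))
    req2 = rp.create_transaction("Pay CHF 10.00 to ACME Ltd")
    # Text altered between relying party and app: the user sees and signs the altered amount,
    # and the relying party rejects it because it verifies against the text it actually sent.
    altered = dict(req2, text="Pay CHF 10000.00 to ACME Ltd")
    print("altered transaction accepted:", rp.verify_confirmation(req2["tx_id"], app.confirm(altered)))
```

The important design choice is that the app signs what it rendered rather than an opaque identifier handed to it by the relying party: if the two differ, verification fails, which is exactly the property WYSIWYS promises the user.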
(iOS) Does the access app use the Advertising Identifier (IDFA)?
No, the Nevis Access App does not use the Advertising Identifier. (This question may be asked during app store submission.)
How many accounts can be registered with a Nevis Access App?
If the Access App has been configured for multiple accounts, the upper limit is five.
If you need more accounts, contact Nevis.
Can the device name contain emojis?
Yes, if the Nevis Mobile Authentication backend system is used as part of the Authentication Cloud solution.
No, if the Nevis Mobile Authentication backend system is used as part of the Identity Suite solution.
Can I back up and restore my phone / the Nevis Access App and restore it on another phone?
No. Because the credentials are kept in the Trusted Execution Environment (Android) or the Secure Enclave (iOS), the hardware-backed keys cannot be backed up and restored, neither on the same device nor on a new device (this includes iCloud backup). The keys never leave the secure hardware, so the Access App has to be registered again on the new phone.