TiQR Login & Signing Server
TiQR is an award-winning mobile PKI solution which combines mobile technologies and advanced security standards to provide strong user authentication and secure online transactions. It is based on OATH open standards and RSA cryptography for providing banking-level electronic signatures. It uses intuitive QRCode scans and push notifications to provide a unique user experience where other alternatives would require complex smartcard software and hardware.
TiQR’s unique user friendly experience includes a one-click enrollment using QR codes and secure authentication/signing without having to re-type complicated codes and passwords. The TiQR Mobile application from RCDevs supports both OATH-OCRA and RSA algorithms to support a large variety of use cases. Its internal security is based on AES-256 encryption.
TiQR mobile is available for iOS and Android and is co-developed by SURFnet and RCDevs.
Please read our TiQR QuickStart Guide to easily implement TiQR QR Login or TiQR Signature in your Web applications.
- The user scans the QR Code or receives a mobile push notification.
- The user confirms that he wants to proceed with the login or transaction signing.
- The user enters his TiQR security PIN code.
- With signing, the user confirms or cancels the transaction details shown on screen.
- The user is logged in or has signed the transaction/document, nearly magically.
TiQR Server provides easy SOAP, REST and JSON-RPC interfaces. The SOAP API is provided with a WSDL service description file. It is also very simple to implement TiQR login into your existing web applications. For a quick try, sample login pages are available in the Downloads section.
With RCDevs TiQR Login Server, you can authenticate users on:
- Web Applications (Java, PHP, ASP, Python, .Net…)
- OpenID-enabled Web Sites (with RCDevs OpenID Provider)
- SAML and Google Apps (With SimpleSAML Plugin)
- Cloud SSO applications (SalesForce, SugarCRM, GoToMeeting…)
- OpenSSH (with our TiQR PAM module)
- Web-based Products (SugarCRM, Joomla, RoundCube…)
- Any other system (using our simple integration libraries)
TiQR provides the ability to sign online transactions and documents with RSA signatures and 1024-bit or 2048-bit RSA keys. It also provides the functionalities of a PKI and leverages the use of mobile devices instead of the usual smartcards. TiQR Sign has been designed to be integrated into existing Enterprise workflows and banking applications. Its mobile PKI API provides the functionalities for managing public keys, signing with QRCodes or push notifications, validating signatures and more.
TiQR for User Authentication
With TiQR, users just need to scan a QRCode displayed on a Web page in order to securely authenticate a Web access or SSH session. The user’s mobile application holds the user identity information, so there is no need to enter a username or password (domain password verification as a second factor is an optional feature). A PIN code, combined with cryptographic challenge-response mechanisms on the mobile and the server, prevents another person from using the user’s identity. With TiQR it is also possible to use push notifications instead of QRCode scans.
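The login flow above is an OATH challenge-response: the server puts a fresh challenge in the QR code (or push message), the phone answers with a response derived from its enrolled secret, and the server recomputes the response and compares. The following is an added example, not RCDevs' or SURFnet's code, of that exchange using the RFC 6287 OCRA algorithm for a numeric-question suite (`OCRA-1:HOTP-SHA1-6:QN08`); the key and challenge values are the RFC test values, the Go API names are this example's own, and the PIN handling and secret storage of the real product are not modelled.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"hash"
	"math/big"
	"strconv"
	"strings"
)

// OCRAResponse computes the RFC 6287 response for suites that carry only a
// numeric question (QNxx). This is the computation the phone performs on the
// challenge it scanned and the server repeats to check the answer.
func OCRAResponse(suite string, key []byte, question string) (string, error) {
	parts := strings.Split(suite, ":")
	if len(parts) != 3 || parts[0] != "OCRA-1" {
		return "", fmt.Errorf("unsupported suite %q", suite)
	}
	cf := strings.Split(parts[1], "-") // e.g. HOTP-SHA1-6
	if len(cf) != 3 || cf[0] != "HOTP" {
		return "", fmt.Errorf("unsupported crypto function %q", parts[1])
	}
	var h func() hash.Hash
	switch cf[1] {
	case "SHA1":
		h = sha1.New
	case "SHA256":
		h = sha256.New
	case "SHA512":
		h = sha512.New
	default:
		return "", fmt.Errorf("unsupported hash %q", cf[1])
	}
	digits, err := strconv.Atoi(cf[2])
	if err != nil || digits < 4 || digits > 10 {
		return "", fmt.Errorf("bad digit count %q", cf[2])
	}
	if !strings.HasPrefix(parts[2], "QN") {
		return "", fmt.Errorf("only numeric-question suites are handled here, got %q", parts[2])
	}
	// Numeric question: decimal value -> hex, left-aligned and zero-padded to 128 bytes.
	q, ok := new(big.Int).SetString(question, 10)
	if !ok {
		return "", fmt.Errorf("question %q is not decimal", question)
	}
	qhex := strings.ToUpper(q.Text(16))
	if len(qhex) > 256 {
		return "", fmt.Errorf("question too long")
	}
	qhex += strings.Repeat("0", 256-len(qhex))
	qbytes, err := hex.DecodeString(qhex)
	if err != nil {
		return "", err
	}
	// DataInput = suite || 0x00 || Q (no counter, password, session or timestamp in this suite)
	msg := append([]byte(suite), 0x00)
	msg = append(msg, qbytes...)
	mac := hmac.New(h, key)
	mac.Write(msg)
	sum := mac.Sum(nil)
	// Dynamic truncation exactly as in HOTP (RFC 4226)
	off := sum[len(sum)-1] & 0x0f
	bin := (int(sum[off])&0x7f)<<24 | int(sum[off+1])<<16 | int(sum[off+2])<<8 | int(sum[off+3])
	mod := 1
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod), nil
}

// VerifyResponse is the server-side check: recompute and compare in constant time.
// A response is only valid for the exact challenge it was issued for, so a
// captured response cannot be reused against a later login attempt.
func VerifyResponse(suite string, key []byte, question, response string) bool {
	want, err := OCRAResponse(suite, key, question)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(response)) == 1
}

func main() {
	key := []byte("12345678901234567890") // RFC 6287 test key (a constructed demo secret)
	suite := "OCRA-1:HOTP-SHA1-6:QN08"
	challenge := "11111111" // in production the server draws this at random and embeds it in the QR code
	resp, _ := OCRAResponse(suite, key, challenge)
	fmt.Println("challenge:", challenge, "response:", resp)
	fmt.Println("valid for this challenge:", VerifyResponse(suite, key, challenge, resp))
	fmt.Println("same response against a new challenge:", VerifyResponse(suite, key, "22222222", resp))
}
```

The server must generate each challenge from a cryptographically secure random source and discard it once answered; the per-challenge binding is what makes a scanned QR code useless to anyone who sees it after the fact.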
TiQR for Electronic Signatures
TiQR Sign is an innovative concept of RCDevs and SURFnet. It provides mobile PKI functionalities such as document signing. On the server side, the PKI functionalities are offered via a set of simple API methods. There is no need for a certificate authority or similar complex IT infrastructure to use RCDevs TiQR mobile PKI. TiQR Sign also supports push notifications.
TiQR Sign provides secure transactions and electronic signatures with RSA keys where the private keys are securely stored on the mobile devices. A TiQR transaction is first authenticated and requires the user’s PIN code. Once authenticated, the transaction details are displayed to the user, who can securely sign or cancel.
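The signing flow described here has three parts: the server enrolls the user's public key once, issues a transaction with a fresh challenge, and later verifies the phone's RSA signature over exactly the details the user saw. The following is an added example, not RCDevs' or SURFnet's code, that models those three parts in Go; the `Server`, `Transaction` and `MobileSign` names, the canonical text encoding and the in-memory storage are this example's own assumptions, and the PIN that unlocks the private key on the phone is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Transaction holds what the user sees on screen before confirming. The
// signature covers a canonical encoding of exactly these fields plus a
// server nonce, so it is bound to one displayed transaction and one request.
type Transaction struct {
	ID, Account, Amount, Currency string
	Challenge                     []byte // server nonce for this transaction
}

func (t Transaction) canonical() []byte {
	return []byte(fmt.Sprintf("txid=%s\naccount=%s\namount=%s %s\nchallenge=%s\n",
		t.ID, t.Account, t.Amount, t.Currency, hex.EncodeToString(t.Challenge)))
}

// Server keeps the enrolled public keys and the transactions awaiting a signature.
type Server struct {
	pubKeys map[string]*rsa.PublicKey
	pending map[string]Transaction
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]*rsa.PublicKey{}, pending: map[string]Transaction{}}
}

// Enroll stores the public half of the key the phone generated at enrollment.
func (s *Server) Enroll(user string, pub *rsa.PublicKey) { s.pubKeys[user] = pub }

// NewTransaction creates a transaction with a random challenge and records it as pending.
func (s *Server) NewTransaction(id, account, amount, currency string) (Transaction, error) {
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return Transaction{}, err
	}
	t := Transaction{id, account, amount, currency, c}
	s.pending[id] = t
	return t, nil
}

// MobileSign is the phone side: once the PIN has unlocked the private key,
// sign the canonical form of the transaction the user just confirmed.
func MobileSign(priv *rsa.PrivateKey, t Transaction) ([]byte, error) {
	digest := sha256.Sum256(t.canonical())
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// VerifySignature checks the signature against the enrolled key and the
// server's own copy of the transaction (never a copy supplied by the client),
// then closes the transaction so the same signature cannot be replayed.
func (s *Server) VerifySignature(user, txid string, sig []byte) error {
	pub, ok := s.pubKeys[user]
	if !ok {
		return errors.New("user not enrolled")
	}
	t, ok := s.pending[txid]
	if !ok {
		return errors.New("unknown or already completed transaction")
	}
	digest := sha256.Sum256(t.canonical())
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	delete(s.pending, txid)
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // generated on the phone at enrollment
	srv := NewServer()
	srv.Enroll("alice", &priv.PublicKey)
	tx, _ := srv.NewTransaction("tx-1", "LU00 0000 0000 0000", "150.00", "EUR") // constructed sample
	sig, _ := MobileSign(priv, tx)
	fmt.Println("first verification:", srv.VerifySignature("alice", "tx-1", sig))
	fmt.Println("replayed signature:", srv.VerifySignature("alice", "tx-1", sig))
}
```

Because the server hashes its own stored copy of the transaction, a signature over altered details (for example a different amount shown on a compromised display) fails verification, and deleting the pending entry on success turns a replay into a failed lookup.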
TiQR for PGP (beta)
The latest evolution of TiQR provides mobile PGP. Through a set of simple API methods, you can implement PGP functionalities such as document signature and file encryption. Multiple PGP signatures (batches) can be processed in a single transaction.
Hardware Security Modules
TiQR complies with the highest security requirements by supporting Hardware Security Modules (HSM). The YubiHSM hardware modules from Yubico can also be used in order to enforce hardware cryptography in TiQR with AES encryption of TiQR secrets and true random generation for TiQR challenges.
The use of HSM modules in OpenOTP is 100% transparent and the move to hardware cryptography can be done at any time without impacting your business. RCDevs WebADM server supports up to 8 HSM modules in hot-plug mode for fault tolerance and increased performance.
MAIN KEY FEATURES
These are only some of the key features. There are plenty more.
- User friendly and easy (no username or password required)
- Very secure (relies on OATH Challenge-Response, RSA cryptography and AES)
- Simple user registration in User Self-Service Desk and Self-Enrollment apps
- Requires a PIN code on the mobile device
- Optional password check as second authentication factor
- Simple SOAP/XML API (with WSDL service description) over HTTP/HTTPS
- User login and transaction signing with QR Scan or mobile push
- SOAP, REST & JSON native APIs over HTTPS with WSDL service description
- OpenID API for OpenID-enabled websites (OpenID Service Provider)
- SAMLv2 IdP with POST redirections and IdP-initiated requests
- Domain segregation with mappings to LDAP subtrees or dedicated LDAP
- Per-client, group and network authentication policies
- Group-based access control & authentication policies
- Data consistency with no replication/import/synchronization of LDAP users
- Many configurations adjustable per server, domain, group, user, client
- Support for both LDAP direct and indirect (Active Directory) groups
- Support multiple LDAP datasources (directory federation)
- Sensitive user data (e.g. token seeds) are encrypted in LDAP with AES-256
- Geolocation of all user accesses with Google map reporting
- Per-user location policies (IP address geolocation)
- Session locking and session duplicate protection (clustered deployments)
- Multilingual support for user messages (per-user language support)
- Comprehensive logging and reporting in SQL (WebADM Log Viewer)
- User blocking timers and blocking policies for authentication failures
- Clustered session replication secured with AES-256
- Designed from the ground up for high scalability (supports millions of users)
- High performance (500 transactions per second on a two-node cluster)
- Advanced failover and load-balancing (active-active cluster)
- Dynamic remote connector failover for LDAP, SQL, SMTP…
- Easy installation, update and configuration in RCDevs WebADM
- Mail and SQL system alerts for administrators