Trusted Device Authentication 101

June 2, 2022

Engineering

Suppose you have to use your phone or other devices frequently, and you don’t want to type your password every time you wish to access an application. By implementing Trusted Device authentication, your system will recognize the device’s authentication and help you log in to the application quickly and safely. The whole process will not only save your time but will also allow you to witness an advanced authentication procedure.

This article will provide an introduction to Trusted Device authentication, along with its usage and advantages. We will also take a look at how you can use this technology to its fullest with a Software Development Kit (SDK).

What is a Trusted Device Authentication?

Trusted Device authentication is a technology that allows secure authentication to a user to his device without putting passwords on each login occasion. This technology is beneficial for passwordless authentication as it saves a lot of time while you are in a rush and have to use your device frequently.

Also, this technology is beneficial to those users who have to work on their devices for quite an extended period without a single bit of inactivity. We know that inactivity will log the user out of the device after a specific time, but with the Trusted Device authentication, this problem gets eliminated.

How does Trusted Device Authentication work?

The Trusted Device technology is relatively easy to set up and use on our device. However, if we want to use this technology, we must mark our device as trusted. Therefore, while setting up, we have to put one of our credentials, be it an email or a phone number, where we will receive the One Time Password (OTP). This OTP will serve as two-factor authentication that will embark us to go passwordless on our device.

If we get logged out or our device gets a closure due to inactivity, the next time we enter, we don’t have to type our password as we will get an unlocked device or a one-click login to our account.

Advantages of Trusted Device Authentication

Trusted Device technology comes with a host of advantages. Let’s take a look at those:

  • Going passwordless is the prime advantage of this technology as it doesn’t involve repeated passwords every time a user gets logged out;
  • Single -Click logging in is another advantage that comes along with the trusted device technology. After the two-factor authentication with an OTP is complete, we can easily log in to the system with a single click;
  • Saving time, as we don’t have to go through the hustle of entering a password whenever we try to enter;
  • Creating more time for focused work by eliminating interruptions caused by having to re-login.

Disadvantages of Trusted Device Authentication

Although there are some great advantages to using Trusted Device authentication, we can’t look away from some disadvantages this technology brings. The prime and only drawback of this technology is that if we lose our device, the other person can easily access our information. As we already marked our device as a trusted one, it will not ask for a password the next time someone enters. And in case of losing, a stranger can quickly enter because the device will not ask for a password until or unless the device gets a very long period of inactivity.

Trusted technology and passwordless SDKs

With passwordless Software Development Kits (SDKs), the goal is to focus on a safe and secure passwordless world. With this technology, a person will only have to do an authentication once with an OTP, and he can get a single click login with a passwordless authentication. One popular SDK in this category is the SAWO SDK.

With the successful integration of SAWO SDK, the SDK will trust the browser or device session after a proper authentication with a credential and OTP. This phenomenon will help the user to get a one-tap login without any password. It will genuinely save time and not be a bane for frequent users. And, if it experiences a long period of inactivity, the user has to authenticate again with a credential followed by an OTP.

How to set up Trusted Device Authentication

Integrating SAWO SDK in a sample HTML page

In this section, we will look at how trusted device technology works with an application with the help of SAWO SDK. To do that, we will integrate the SAWO SDK with a simple HTML page. For that, we have to set the SAWO dashboard and get the API Key from there (Note it down in a notepad because we will use it later). Remember, the API key is one of the prime elements that will enable the technology.

SAWO SDK API key

To set up the SAWO dashboard, you have to go to the SAWO developer page and set up an account. When you are opening an account, you will be asked to enter the OTP after putting in an email ID. It will be the one, and only time you will be asked for the OTP. Then, a message will pop up on your screen asking you to trust the browser. Click yes and proceed.

trusted device authentication SAWO dashboard

Then, you have to enter the project name and the hostname. For development, enter “localhost” as the hostname and for production, enter the URL of your application as your hostname.

create a new project

If you have an HTML page ready and want to integrate trusted device authentication with the help of SAWO SDK, you have to add the following code inside the body tag of your HTML codebase:

<div id="sawo-container" style="height: 300px; width: 300px;"></div>
<script src="https://websdk.sawolabs.com/sawo.min.js"></script>
<script>
var config = {
containerID: "sawo-container",
// can be one of 'email' or 'phone_number_sms'
identifierType: "phone_number_sms",
// Add the API key copied from dashboard
apiKey: "",
// Add a callback here to handle the payload sent by sdk
onSuccess: (payload) => {
console.log(payload)
},
};
var sawo = new Sawo(config);
sawo.showForm();
</script>

In the above code, you have to put the API Key that you will get from your project dashboard.

After the successful setup of the SDK, you will see the SAWO login dialogue box on the application home page.

SAWO login dialogue box

You can log in with a mobile number as well as an email ID. 

After putting in either of the two, you have to enter the OTP that you will receive. Now, the trusted device technology will come into play, telling you to trust the browser. Click yes, and currently, your browser is authenticated with trusted device authentication. So, next time you log in, you can do that with one click of a button in a passwordless manner.

What to do with your payload?

After integrating the SAWO authenticator in your web page, a question of “what to do with the payload?” might occur in your mind. A typical payload may look something like this:

Payload : {
    "user_id":"123e4567-e89b-12d3-a456-426614174000",
    "created_on":"2021-08-04T15:11:41.396000Z",
    "identifier":"[email protected]",
    "identifier_type":"email",
    "verification_token":"0IH0beD9Fue7rJcLmkauQomAfpRmkRpFsi6d",
    "customFieldInputValues":{
        "Name":"John",
        "Company Name":"XYZ"
        }
    }

As you can see, the payload will appear in JSON format. Here are a few things that you need to know from the above JSON payload:

  • user_id – A unique string that gets generated with the successful authentication of the user.
  • created_on – Contains the date and time of the authentication.
  • identifier – Holds the value of the user’s email address or phone number.
  • identifier_type – The type of identifier defined by the user.
  • verification_token – Includes a unique string that is used for authentication.
  • customFieldInputValues – The object which contains the key details and values of a user.

On successful authentication, you will get a payload like the above one and you can use this payload for a variety of reasons. Some of them are listed below:

  • Storing data to the database – This is one of the obvious ones. The payload in JSON will contain all the crucial information about the user and his authentication. You can use JSON to store the information in your database by running a simple API request.
  • Managing session storage – The verification token in the payload can be used to store the sessions of a user and manage them effectively. 
  • Customer relationship management – You can integrate the payload into your CRM system and with that, you can have a better and more effective connection with your customers, streamline your processes, and can have an overall improved experience.

How to verify a user?

After getting a payload, it is important to verify a user for an added layer of security. Let’s take a look how we can verify a user with the running of an API request in a Postman workspace:
Open your workspace and create a new collection. Toggle down the collection, and you will see the option to add a request. Add a request by clicking on the button. Next, change the request type from GET to POST and add the following URL:

https://api.sawolabs.com/api/v1/userverify/

After that, click on the body section right under the URL. You will see that “none” is selected. Change the type from “none” to “raw” and also select the type of the input text as “JSON”. The body of the POST request will contain two key-value pairs. A sample body is shown below:

{
    "user_id" : "a0a12430-7460-4a8e-2166-3baf2c43423d",
    "verification_token" : "km07qNfnAADdHrv3OWdKUkgi4yrIVqoCdj8y"
}

You can see that the JSON body will contain the user_id and the verification_token with which we will be able to verify an user.

If the user gets verified in the SAWO’s server and the user is valid, then the request will return with a response 200 and with the following output:

{
  "user_valid": true
}

If the user gets verified in the SAWO’s server but the user is not a valid one, then the request will return with a response 400 and with the following output:

{
  "user_valid": false
}

If the user is not found in the server, then the request will return a response 404 with the following output:

"User not Found"

Next Steps

Throughout the article, we have learned about the importance and usage of Trusted Device Authentication technology. We have also looked at how SAWO is on par with this technology and is helping create a safe passwordless environment. I hope you learned a lot, and maybe you’ll give this type of SDK a try in your next project.

This blog post was created as part of the Mattermost Community Writing Program and is published under the CC BY-NC-SA 4.0 license. To learn more about the Mattermost Community Writing Program, check this out.

Read more about:

security

Sayanta Banerjee is an electronics and communication engineer who is keen to try out new technology and contribute to research and development.

Read More Engineering Articles