Frequently Asked Questions
What is RemAuth?
Authentication service for businesses
The RemAuth authentication service is defined by the following characteristics:
- RemAuth is exclusively based on passwordless authentication.
- RemAuth is a cloud based service which does not require any installation.
Why propose passwordless authentication?
To simplify the user experience
For most users, managing passwords is a necessary evil they would gladly avoid. RemAuth meets this need by allowing businesses to offer services with simplified registration and login.
To improve the security of services
By definition, RemAuth eliminates password-related risks such as fraud, theft or hacking.
Why propose authentication as a service?
To reduce costs and to accelerate the development of new services
Implementing registration, user authentication and session management always requires significant effort when developing or maintaining a service.
RemAuth drastically reduces this effort, as you can see on the Quick start page.
How does passwordless authentication work?
User email at the heart of the system
All over the Internet, a user's inbox is deemed reliable and confidential. This is why almost all Internet services rely on users' email addresses to register, to reset accounts or to perform any sensitive operation.
RemAuth shares the same hypothesis and systematically relies on the user's inbox, or on any other medium verified through the user's email address, such as the RemAuth Control application.
For each authentication request, a single-use, limited-lifetime link is sent to the requested medium. Using this link from a reliable source (e.g. the email inbox) is the act of authentication.
Real time authentication and optional biometric checking
However reliable they are, email and SMS have no guaranteed delivery time; a message frequently takes several seconds or more to arrive. With RemAuth Control, authentication data is exchanged in real time, and biometric checking may be required if the device supports it.
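The single-use, limited-lifetime link mechanism described above, as an added example rather than RemAuth's own code: a random token is issued, only its hash is stored, and redemption succeeds exactly once and only before expiry. The function names, the 600-second lifetime and the base URL are assumptions for the example.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed in-memory store for the example: sha256(token) -> record.
# Only the hash is kept, so a leaked store does not yield usable links.
_LINKS = {}
LINK_LIFETIME_S = 600  # assumed lifetime for the example, not RemAuth's value


def _key(token):
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(email, base_url="https://auth.example.invalid/login", now=None):
    """Create a single-use, limited-lifetime link for `email` (base_url is assumed)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: unguessable
    _LINKS[_key(token)] = {"email": email, "expires_at": now + LINK_LIFETIME_S, "used": False}
    return f"{base_url}?t={token}"


def token_from_link(link):
    """Extract the token from the link's query string (None if absent)."""
    values = parse_qs(urlparse(link).query).get("t", [])
    return values[0] if values else None


def redeem_link(link, now=None):
    """Return the authenticated email address, or None if the link is unknown,
    already used, or past its lifetime. Using the link is the act of
    authentication, so the token is consumed on the first success."""
    now = time.time() if now is None else now
    token = token_from_link(link)
    if token is None:
        return None
    rec = _LINKS.get(_key(token))
    if rec is None or rec["used"] or now > rec["expires_at"]:
        return None
    rec["used"] = True
    return rec["email"]


if __name__ == "__main__":
    link = issue_link("alice@example.com")
    print(redeem_link(link))  # alice@example.com
    print(redeem_link(link))  # None: the link is single-use
```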
What are authentication strategies?
Ways to customize access to business services
The general concept of multi-factor authentication has formalized a de facto practice: using one or more secondary identification resources when the main resource does not work.
RemAuth follows this logic and extends it to meet all kinds of needs:
- as main factor with a unique source (e.g. inbox)
- as main factor with concurrent sources (e.g. inbox + cellphone + app)
- as second factor of an existing system
- as alternative factor in parallel with an existing system
How do I authenticate users of an existing service that already has a user base?
Expose a resource that confirms whether a user exists in your database
You can define an email verification URL in the integration parameters of the SERVICES section of the Customer Center. If this field is not empty, RemAuth will try to call it for each authentication request of the associated service.
Why can't a user base be imported into RemAuth?
RemAuth must ensure the validity of every email address
By design, RemAuth cannot trust an address that has not been verified by its own means, since the reliability of the service depends on it.
Why does RemAuth Control not show visual or audible notifications?
Unlike other mobile applications, which receive unexpected notifications, RemAuth Control is only ever notified of events that the user generated himself/herself.
There is no need to alert the user (and even less his/her entourage), since he/she will open the application if it is not already open.
Why does the HTTP API not strictly follow a REST architecture?
To resist network eavesdropping
Even though server communications are secured with SSL/TLS, the request URLs themselves (not their contents) are transmitted unencrypted over the Internet. The same is true of HTTP error messages, which also carry meaning and therefore information.
For these reasons, RemAuth adopts a technical policy that maximizes the privacy of the service:
- Do not put business resource identifiers in URL parameters, unless the data is non-sensitive or ephemeral.
- Favor the POST method and limit the GET method to single-use links.
- Do not use HTTP status codes for service errors; report them inside standard HTTP responses instead.
Is RemAuth compatible with the OAuth protocol?
Yes, but that's not the issue!
Like the OAuth specifications, RemAuth implements a data flow that chains access token, authorization, and even checking or refresh.
The comparison stops there, because although OAuth is a protocol specification, it is nothing more than that:
- OAuth is not a standard and is not interoperable. To be convinced, just try to integrate the data flows of several OAuth providers in one application and discover how different their implementations are. So much so that a company offers the OAuth.io service to bridge the gaps between more than one hundred providers.
- Even some OAuth authors do not stand by their work!
- RemAuth is a service wholly dedicated to businesses that want to control their security chain. It is not a protocol for exchanging data with third-party services that may take advantage of that data for their own benefit.
How does RemAuth compare to FIDO, UAF and U2F?
The objectives are the same but the approach and the costs are different
Whether FIDO, UAF or U2F, all of these acronyms refer to interoperability protocols for hardware manufacturers and software vendors in the field of strong authentication.
RemAuth is neither hardware nor software. RemAuth is a full-fledged service that uses its own applications on the main device platforms on the market (Android, iOS, MS Windows, MacOS). RemAuth has no interoperability issues regarding authentication.
With such an approach, RemAuth enables passwordless authentication, with or without biometric verification and/or a second physical factor, for a tenth of the prices commonly charged by other approaches, without compromise on security and with greater simplicity.