The MIRACL Trust authentication employs a PIN-based, single-step, multi-factor, zero-knowledge proof protocol. For successful authentication, the user must present two factors simultaneously. Authentication can begin only if all factors are present at the same time. This is essential for multi-factor protocols and distinguishes them from inferior multi-step protocols. All authentication factors are established directly on the end user’s device and are never transmitted through the network. The platform has no knowledge about them, and they cannot be derived from the communication between the client and the platform. This is the essence of a zero-knowledge proof system.
The PIN serves as a knowledge factor of the protocol. When the end user chooses the PIN during registration, it is immediately discarded and never leaves the device. It is valid only on the enrolled device from which it was chosen and not stored anywhere on the platform or client. These features of the PIN distinguish it from a password.
The end user enters the PIN for every authentication. For devices with a biometric sensor that unlocks a secure vault, it is possible to allow the user to select in the application a preference for biometrics instead of the PIN. In this instance, the biometric sensor will release the PIN from the respective device’s vault.
To authenticate, end users need a device enrolled with the platform. This can be any device - desktop, mobile, smart TV, wearable, etc. Users usually go through an identity verification flow that establishes trust, which the platform later relies on to authenticate them to third-party systems. The identity verification process usually precedes the device registration process, but it doesn’t need to.
The system can accommodate many different ways of verifying a user’s identity, but the best option will typically depend on the use case. It can be as simple as email verification or as complex as required for a particular use case.
End users can have multiple enrolled devices at once and enrol a device from another one that has already been registered. They can also use enrolled mobile devices to authenticate unregistered desktop devices using a QR code.
The secret used in the authentication protocol is established during the device registration process. The PIN chosen by the user is cryptographically subtracted from the secret, and then both the secret and the PIN are discarded. The token is the result of this operation and is stored on the device. The secret can be recreated only by cryptographically combining the token and the PIN. This operation happens during authentication, after which the secret is discarded again. The token, unique to a particular device, is the possession factor of the protocol. Once the device is enrolled, it can authenticate the user multiple times until it is revoked either manually or under a configurable policy. MIRACL Trust automatically revokes a device after three invalid authentication attempts. An admin of the MIRACL Trust project can also manually revoke a device from the MIRACL Trust Portal. When a device is revoked, the end user must go through the identity verification process before enrolling the device again.
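A simplified model of the token/PIN split described above, added here as an illustration and not MIRACL Trust's own code. The real M-PIN protocol performs the subtraction and recombination as elliptic-curve point arithmetic and the platform verifies the result with a zero-knowledge check; this model uses integers modulo a prime as the group and a `verify` closure as a stand-in for the platform, but keeps the page's three-attempt revocation policy. The user id, PIN values and modulus are constructed.

```python
import hashlib
import secrets

Q = 2**127 - 1            # constructed: prime modulus standing in for the group order
MAX_FAILED_ATTEMPTS = 3   # the page's policy: revoke after three invalid attempts


def pin_scalar(user_id: str, pin: str) -> int:
    """Map (identity, PIN) to a group element, binding the PIN to this enrolment."""
    digest = hashlib.sha256(f"{user_id}:{pin}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def enrol(user_id: str, pin: str, secret: int) -> int:
    """Registration: token = secret - PIN. Only the token is kept on the device."""
    return (secret - pin_scalar(user_id, pin)) % Q


def recombine(user_id: str, pin: str, token: int) -> int:
    """Authentication: secret = token + PIN, used once and then discarded.
    Any PIN yields a well-formed group element, so the token alone gives an
    attacker no offline oracle for the PIN; the online attempt limit is the control."""
    return (token + pin_scalar(user_id, pin)) % Q


class EnrolledDevice:
    """Client-side token plus the platform-side revocation counter from the page."""

    def __init__(self, user_id: str, token: int):
        self.user_id, self.token = user_id, token
        self.failed, self.revoked = 0, False

    def authenticate(self, pin: str, verify) -> bool:
        # `verify` stands in for the platform's zero-knowledge check of the
        # recombined secret; the real platform never learns the secret or the PIN.
        if self.revoked:
            return False
        ok = verify(recombine(self.user_id, pin, self.token))
        self.failed = 0 if ok else self.failed + 1
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.revoked = True   # re-enrolment requires identity verification again
        return ok


def demo(user_id: str = "alice@example.com", pin: str = "4521"):
    """Constructed walk-through: enrol, authenticate, then exhaust the retry budget."""
    secret = secrets.randbelow(Q)                    # issued at registration
    device = EnrolledDevice(user_id, enrol(user_id, pin, secret))
    verify = lambda candidate: candidate == secret   # model stand-in for the platform
    good = device.authenticate(pin, verify)
    bad = [device.authenticate(wrong, verify) for wrong in ("0000", "1111", "2222")]
    return good, bad, device.revoked, device.authenticate(pin, verify)
```

The final call in `demo` shows that even the correct PIN is rejected once the device is revoked.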
At its core, the platform utilises a multi-factor zero-knowledge authentication protocol called M-PIN. For more information about it, see M-PIN Authentication Protocol.
Authentication can be performed through several methods/integrations:
- Integration with the OpenID Connect (OIDC) implementation provided by MIRACL Trust

  This integration is easy to use and almost zero-code¹. Its main advantage is that MIRACL Trust controls the whole authentication process and its security. Additionally, it can be integrated with a third-party system.

- Using the MIRACL Trust Authenticator

  This authentication option has limited customisability but offers many advantages. It can be used on various devices and lets you authenticate simultaneously on a desktop and a mobile device with just one registration. Furthermore, it has a high level of security and works with all MIRACL-enabled applications.

- Custom browser authentication using the MIRACL Trust Client JS Library

  This integration gives you full control over all aspects of the authentication client.

- User authentication on a mobile application (using the MIRACL Trust Mobile SDKs)

  This authentication option requires more integration effort, but it allows you to implement the MIRACL Trust authentication capabilities in your mobile application.
The table below summarises the features available for the authentication methods:
| | OIDC | MIRACL Trust App | Client JS Library | Mobile SDKs |
|---|---|---|---|---|
| Zero-Code Integration | yes¹ | yes | no | no |
| Customisability | limited | limited | full | full |
| Seamless Integration | via redirect URL | via deep link/QR code | custom | custom |
| Client-Side Security Considerations | no | no | yes² | yes² |
# Biometrics Integration
Mobile platforms provide biometrics-unlocked access to a secure storage area. MIRACL Trust can be integrated with this secure storage by storing the PIN within it. In this scenario, a biometric scan retrieves the PIN from the secure storage instead of asking the end user to input the PIN manually. During registration, an end user can select a PIN or have a random one generated for them. If they select their own PIN, they can use it as a fallback in case of a failure with the biometric sensor.