This page describes the main services offered by MIRACL Trust, a managed solution that you can use to secure your authentication flows. Whether you are looking to improve your current authentication solution or build a new one, this overview can help you make an informed decision on how to utilise the platform for your specific use case. This document lays the foundation and points you in the right direction so you can complete your integration from start to finish in the most efficient way possible.
MIRACL Trust is a service designed to provide fast, simple and secure multi-factor authentication (MFA). It offers a solution that prioritises ease of use without compromising security. The authentication service is easily accessible through browsers and mobile applications, making it a versatile option for everyone. Because web and mobile clients are provided, you can take advantage of the authentication with minimal integration. However, if you need a seamlessly integrated solution, use the configuration options available through the MIRACL Trust Portal. Using the MIRACL Trust platform, you can build the best authentication experience for your end users.
In addition to end-user authentication, MIRACL Trust offers a document signing service with which you can create an irrefutable record of any action your end users perform. This record can prove that the authenticated end user is the only one who could have signed the document.
# Authentication
The MIRACL Trust authentication is a secure identity verification method designed to enhance online security and user convenience. It uses a PIN-based, single-step, multi-factor, zero-knowledge proof protocol, requiring users to present two factors simultaneously for successful authentication. All factors are established directly on the user’s device and are never transmitted over the network.
The PIN acts as a knowledge factor and is discarded immediately after selection during registration, remaining valid only on the enrolled device. The end user enters the PIN for every authentication. For devices with a biometric sensor that unlocks a secure vault, it is possible to allow the user to select a preference for biometrics instead of the PIN. In this instance, the biometric sensor will release the PIN from the respective device’s vault.
Authentication requires an enrolled device and usually follows an identity verification process that establishes trust. Multiple enrolled devices are allowed, and users can authenticate an unregistered device by scanning a QR code with an enrolled mobile device.
The secret used in the authentication protocol is established during the device registration process. The PIN chosen by the user is cryptographically subtracted from the secret, and then both the secret and the PIN are discarded. The result of subtracting the PIN from the secret is a token, which is stored on the device. The token is the possession factor of the authentication protocol. During authentication, the token and PIN are cryptographically combined to recreate the secret, after which the secret is discarded again. The user can authenticate repeatedly until the device registration is revoked, either manually or automatically after three failed attempts. If a device is revoked, the user must undergo identity verification to re-enroll.
At its core, the platform utilises a multi-factor zero-knowledge authentication protocol called M-PIN. For information about it, see M-PIN Authentication Protocol.
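The subtract-then-recombine step described above, as an added toy illustration (not MIRACL's code). The real M-PIN protocol works with elliptic-curve points and bilinear pairings, and the server checks a zero-knowledge proof rather than ever seeing the secret; this stand-in uses scalar arithmetic modulo a prime so the property that a token plus the right PIN restores the secret, while the token alone says nothing about the PIN, can be observed end to end. The prime, the function names and the sample user ID are assumptions made for the example.

```python
"""Toy model of the token = secret - PIN construction.

Added illustration, not MIRACL's code and not the pairing-based M-PIN
protocol itself. Scalar arithmetic mod a prime replaces curve points.
"""
import hashlib
import secrets

P = (1 << 127) - 1  # constructed modulus (a Mersenne prime); far too small for real use


def hash_to_scalar(user_id: str) -> int:
    """Map the user ID into the field; stands in for hashing to a curve point."""
    return int.from_bytes(hashlib.sha256(user_id.encode()).digest(), "big") % P


def issue_client_secret(master_secret: int, user_id: str) -> int:
    """Trusted Authority side: the client secret is master_secret * H(user_id)."""
    return (master_secret * hash_to_scalar(user_id)) % P


def enrol(client_secret: int, user_id: str, pin: int) -> int:
    """Device registration: subtract PIN * H(user_id) from the secret.

    Only the returned token is kept on the device; the caller discards the
    client secret and the PIN after this call.
    """
    return (client_secret - pin * hash_to_scalar(user_id)) % P


def recombine(token: int, user_id: str, pin: int) -> int:
    """Authentication: add PIN * H(user_id) back. The right PIN yields the
    original secret; any other PIN yields a different, equally plausible value."""
    return (token + pin * hash_to_scalar(user_id)) % P


def demo(correct_pin: int = 4321, wrong_pin: int = 1234) -> dict:
    master = secrets.randbelow(P - 1) + 1   # TA's master secret (random per run)
    user = "alice@example.com"               # constructed sample user ID
    secret = issue_client_secret(master, user)
    token = enrol(secret, user, correct_pin)
    # With only the token, every 4-digit PIN guess produces a distinct candidate
    # secret and nothing local distinguishes the right one; only the server can,
    # which is why it counts failed attempts and revokes after the third.
    candidates = {recombine(token, user, guess) for guess in range(10_000)}
    return {
        "right_pin_recovers_secret": recombine(token, user, correct_pin) == secret,
        "wrong_pin_recovers_secret": recombine(token, user, wrong_pin) == secret,
        "distinct_candidates": len(candidates),
    }


if __name__ == "__main__":
    print(demo())
```

The `distinct_candidates` count is the point of the exercise: a stolen token is useless without the PIN, and the PIN cannot be brute-forced offline, so the attempt limit enforced by the service is what bounds online guessing.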
For additional information, see Authentication.
# Digital Signing
MIRACL Trust offers an identity-based designated verifier signature (DVS) scheme for digital signing. Unlike a classic digital signature scheme, a Trusted Authority (TA) is responsible for issuing secret signing keys to all participants and designating the verifier of the signatures. To learn more about the protocol for signing, see Designated Verifier Signature.
You can sign any data blob because the signature is produced for the hash digest of the data rather than the raw data itself. This means the actual value of what is being signed is never transmitted to the MIRACL Trust platform. On top of what is traditionally considered a document, you can also initiate signing for any type of transaction or user operation.
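The digest-only property described above, shown in an added example that is not code from the DVS Web Plugin: the client hashes the document and submits only the digest together with a description for the end user, and a later check recomputes the digest of whatever document is presented. The request field names and the sample documents are assumptions.

```python
"""Client-side preparation of a signing request, and verification of a
document against the digest that was signed. Added example; field names
and sample documents are constructed."""
import hashlib
import hmac
import json


def digest_of(document: bytes) -> str:
    """SHA-256 hex digest of the data; this is what gets signed, not the data."""
    return hashlib.sha256(document).hexdigest()


def build_signing_request(document: bytes, description: str) -> str:
    """What leaves the client as JSON: the digest plus a human-readable
    description shown to the end user, never the document bytes themselves."""
    return json.dumps({"hash": digest_of(document), "description": description})


def document_matches(signed_hash: str, presented: bytes) -> bool:
    """Later check: recompute the digest of the presented document and compare
    it in constant time with the digest the signature covers."""
    return hmac.compare_digest(signed_hash, digest_of(presented))


SAMPLE = b"Transfer 100 EUR to account 1234"    # constructed document
TAMPERED = b"Transfer 900 EUR to account 1234"  # constructed, altered copy

if __name__ == "__main__":
    req = build_signing_request(SAMPLE, "Payment order")
    print(req)
    signed_hash = json.loads(req)["hash"]
    print(document_matches(signed_hash, SAMPLE), document_matches(signed_hash, TAMPERED))
```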
# Applications
To use the MIRACL Trust authentication and signing protocols, certain cryptography operations must be performed on the client side. Although MIRACL Trust provides its MIRACL Core Cryptographic Library and other tools that can be used to create custom clients, ready-to-use applications are available for web and mobile platforms. They allow you to try, or use long term, all the functionalities of the platform.
The best way to experience all pre-built applications is by trying the login process on the Developer Portal. You don’t need to set up a payment method or provide any information besides your email address. This is your first step in exploring the world of MIRACL Trust, and it will help you transition smoothly to the Low-Code Integration section for your first integration.
# MIRACL Trust PIN Pad
The MIRACL Trust PIN Pad is the web client for the platform. This client is one of a kind, as it is the only way to have a single-step, multi-factor authentication right within the browser without requiring any special hardware.
With this web client, end users get access to several useful functionalities, such as email verification, device registration management (including PIN reset), enrolling the current device from another already enrolled device using QuickCode, enrolling unenrolled devices from the current device by generating a QuickCode, and delegating authentication to the MIRACL Trust Authenticator app.
It is important to note that the token for this client is stored in the browser itself, and it is not shared between browsers. Therefore, a device registration created using a particular browser can only be accessed using that same browser. If you create multiple device registrations in different browsers, they will be considered distinct devices in the platform. This is especially important for the verification process, as the browser in which the verification finishes and the registration happens is the only browser that can be used for authentication.
# MIRACL Trust Authenticator
The MIRACL Trust Authenticator is a mobile application available for the two major platforms - iOS and Android. It provides the same set of functionalities as the web version, allowing you to authenticate your desktop and mobile web sessions, as well as other mobile apps.
# Low-Code Integration
You can leverage the benefits of using MIRACL Trust with minimal development. MIRACL Trust is an OpenID Connect (OIDC) Identity Provider, so integration with any system that supports OIDC is a matter of configuration. OpenID Connect is a well-known protocol implemented by many open-source and commercial products. For more information about OIDC, see How OpenID Connect Works.
If your web application supports OpenID Connect, you can easily integrate it with MIRACL Trust in just a few minutes. To get started, follow the step-by-step instructions outlined in the Getting Started guide. Then, refer to the OpenID Connect guide for help setting up the OIDC client in your application. You can find tutorials for popular application frameworks in the Tutorials section.
If you are building a new solution, you can find many open-sourced and proprietary solutions for OIDC integration. A list of libraries officially certified by the OpenID Foundation is available at Certified Open ID Developer Tools.
This integration may seem simple, but it serves as a foundation for any further system configuration. Whether you’re just starting out or need to create a more complex solution, you can use this integration as a starting point and add custom flows as needed. Refer to the Advanced Integration section for more information on customising the authentication and signing experience.
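The relying-party side of the OIDC Authorization Code flow that the guides above configure, as an added example that is not taken from MIRACL's guides or libraries: it generates `state`, `nonce` and a PKCE verifier, builds the authorization URL, checks the callback's `state`, and lists the ID token claim checks an application must still perform after its OIDC library has verified the token signature. The issuer, endpoint, client ID and redirect URI are placeholders; a real integration takes them from the provider's discovery document and the Portal configuration.

```python
"""Authorization Code flow bookkeeping for an OIDC relying party.

Added example. The issuer and endpoint values are placeholders, not
MIRACL Trust's actual endpoints; read them from the discovery document
(/.well-known/openid-configuration) in a real deployment.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://issuer.example.invalid"            # placeholder
AUTHORIZE_ENDPOINT = ISSUER + "/authorize"           # placeholder
CLIENT_ID = "client-id-placeholder"                  # placeholder
REDIRECT_URI = "https://app.example.invalid/callback"  # placeholder


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def start_login() -> tuple:
    """Return the URL to send the browser to, plus the values to keep server
    side (bound to the user's session) for checking the callback."""
    state = _b64url(secrets.token_bytes(32))
    nonce = _b64url(secrets.token_bytes(32))
    verifier = _b64url(secrets.token_bytes(32))  # PKCE code_verifier (RFC 7636)
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    url = AUTHORIZE_ENDPOINT + "?" + urlencode(params)
    return url, {"state": state, "nonce": nonce, "code_verifier": verifier}


def handle_callback(callback_url: str, session: dict) -> str:
    """Verify the returned state against the session and hand back the code,
    which is then exchanged (with session['code_verifier']) at the token endpoint."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("provider returned error: " + query["error"][0])
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state, session["state"]):
        raise ValueError("state mismatch: possible CSRF or stale session")
    return query["code"][0]


def id_token_problems(claims: dict, session: dict, now: int) -> list:
    """Claim checks to run after the ID token signature has been verified.
    Returns a list of problems; empty means the token is acceptable."""
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("unexpected issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        problems.append("token not issued for this client")
    if claims.get("exp", 0) <= now:
        problems.append("ID token expired")
    if not secrets.compare_digest(str(claims.get("nonce", "")), session["nonce"]):
        problems.append("nonce mismatch: token not bound to this login")
    return problems


if __name__ == "__main__":
    url, sess = start_login()
    print(url)
    code = handle_callback(REDIRECT_URI + "?code=demo-code&state=" + sess["state"], sess)
    print(code, id_token_problems({"iss": ISSUER, "aud": CLIENT_ID, "exp": 2_000_000_000,
                                   "nonce": sess["nonce"]}, sess, now=1_700_000_000))
```

The `state` check stops a forged callback from binding someone else's authorization code to the victim's session, and the `nonce` check ties the ID token to the login that requested it; both values must live in server-side session storage, never in the URL alone.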
# Email Identity Verification Flow
MIRACL Trust provides pre-built email verification flows as part of the platform. The end user’s email address serves as the User ID for this verification method and is verified through a verification code or verification link sent to the email address. End users simply need to enter the code or open the link to prove ownership of the email address. For added security, the codes and links automatically expire after a certain amount of time and become disabled upon use. For more information, see Built-in User Verification.
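The two properties the paragraph above attributes to emailed codes, expiry and single use, in an added example of a server-side code store that is not MIRACL's implementation. The code lifetime, code length and the guess cap are assumptions; only a hash of the code is retained, and comparison is constant-time.

```python
"""In-memory store for emailed verification codes that enforces expiry,
single use and a cap on wrong guesses. Added example; the constants are
assumptions, not the platform's settings."""
import hashlib
import hmac
import secrets
import time

CODE_LIFETIME_SECONDS = 600  # assumption
MAX_ATTEMPTS = 5             # assumption


class VerificationCodes:
    def __init__(self, clock=time.time):
        self._clock = clock           # injectable for testing
        self._pending = {}            # email -> [code_hash, expires_at, attempts]

    @staticmethod
    def _hash(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh 6-digit code for the address; any earlier code is replaced.
        The returned code goes into the email; only its hash stays server side."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[email] = [self._hash(code), self._clock() + CODE_LIFETIME_SECONDS, 0]
        return code

    def redeem(self, email: str, code: str) -> bool:
        """True exactly once per issued code, and only before it expires."""
        entry = self._pending.get(email)
        if entry is None:
            return False
        code_hash, expires_at, attempts = entry
        if self._clock() >= expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[email]  # expired or exhausted: force a new code
            return False
        entry[2] += 1
        if not hmac.compare_digest(code_hash, self._hash(code)):
            return False
        del self._pending[email]      # single use: a correct code is consumed
        return True


if __name__ == "__main__":
    store = VerificationCodes()
    code = store.issue("user@example.com")  # constructed address
    print(store.redeem("user@example.com", code), store.redeem("user@example.com", code))
```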
# Signing
If you have integrated MIRACL Trust authentication through OIDC, you can use the stand-alone DVS Web Plugin to roll out signing for your end users. For more information, see Digital Signatures.
# Security
The security level of any system is determined by its least secure component. In this case, that component is the verification flow. The security of an email verification flow depends on the email provider, which is out of MIRACL’s control. That’s why this configuration is considered a low-security configuration. Its primary purpose is to enable quick implementation for low-security use cases. Thus, you can experience the system before implementing a custom verification flow for use cases requiring higher protection.
# Advanced Integration
At MIRACL Trust, we strongly believe that security is paramount. However, we also understand that good security should not come at the expense of user experience. That is why the platform allows for complete customisation of the verification, authentication and signing flows, empowering you to create secure solutions tailored to your specific needs while ensuring an excellent user experience.
# Custom User Verification
For use cases where email verification is impractical, MIRACL Trust offers Custom User Verification as an alternative. This mechanism allows you to create a personalised verification flow tailored to your use case. This is the best first step if you require a more secure verification flow than an email one.
With Custom User Verification, you can implement any verification flow that suits your needs. Examples of such flows include:
- SMS verification, where the end user is provided with a one-time token via SMS. You can try this flow with the MIRACL Trust Lottery Demo.
- Document verification, where the end user provides a picture of their ID, which, after verification, initialises the device registration process.
- Offline verification, where the end user must provide their personal ID to an authority. This authority can then permit and initiate the device registration process.
For more information, see Custom User Verification.
# Client-Hosted PIN Pad
The Client-Hosted PIN Pad integration allows you to seamlessly integrate the authentication client within your website. With this integration, you can host the authentication client on your domain with your unique design and implementation. MIRACL Trust provides all the necessary tools you need to achieve that quickly.
By implementing a custom PIN Pad, you can fully customise the authentication client’s functionality and user experience. You have endless possibilities, such as:
- Custom design and deep integration with the website
- Custom rules for PIN selection
- Integrated device management
- Conditional logic when the device is not enrolled
- Easy invocation for signing whenever necessary
# Security
The MIRACL Trust PIN Pad, provided by the platform, is built following the best security practices in its architecture and implementation. It is carefully vetted to provide and maintain the best protection possible. It works on a dedicated domain controlled by MIRACL, which segregates the client from other scripts that might be malicious or might affect the authentication client in a way that makes it less secure. A strict Content Security Policy also protects it. It is built using minimum external dependencies, which undergo a strict security review process. This architecture makes all Cross-Site Scripting attacks impossible by design. It also protects against many other popular and less-known attacks.
By implementing your own authentication client, you naturally take ownership of the solution’s security. MIRACL strongly recommends that you follow similar architecture and practices to achieve the same or better security.
For more information, see Client JS Library.
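A check for the Content Security Policy properties the paragraph above relies on when you host the PIN Pad yourself: scripts restricted to the page's own origin, no inline or eval'd script, no wildcard or scheme-only sources, plugin content disabled, `base-uri` pinned and framing by other origins refused. This is an added example, not MIRACL's tooling; both sample policies are constructed, and the strict one is a starting point to adapt, not the policy the hosted PIN Pad actually ships.

```python
"""Lint a Content-Security-Policy header value for the settings a
self-hosted authentication client should not relax. Added example;
the sample policies are constructed."""

RISKY_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:", "blob:")


def parse_csp(header: str) -> dict:
    """Split 'directive src src; directive ...' into {directive: [sources]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def _risky_sources(sources: list) -> list:
    return [s for s in sources
            if s in RISKY_SCRIPT_SOURCES or s.startswith("*.") or s.startswith("http://")]


def csp_findings(header: str) -> list:
    """Return human-readable findings; an empty list means no weak setting was seen."""
    d = parse_csp(header)
    findings = []
    scripts = d.get("script-src", d.get("default-src"))
    if scripts is None:
        findings.append("script-src/default-src missing: scripts may load from anywhere")
    else:
        findings.extend(f"script-src allows {s}" for s in _risky_sources(scripts))
    if d.get("object-src", d.get("default-src", [])) != ["'none'"]:
        findings.append("object-src is not 'none': plugin content could run")
    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> could redirect relative script URLs")
    frame_ancestors = d.get("frame-ancestors")
    if frame_ancestors is None:
        findings.append("frame-ancestors missing: page can be framed by any origin (clickjacking)")
    elif any(s not in ("'none'", "'self'") for s in frame_ancestors):
        findings.append("frame-ancestors allows other origins")
    return findings


# Constructed sample policies for the check above.
STRICT_POLICY = ("default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; "
                 "connect-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'")
WEAK_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval'; frame-ancestors *"

if __name__ == "__main__":
    print(csp_findings(STRICT_POLICY))
    for finding in csp_findings(WEAK_POLICY):
        print("-", finding)
```

The `default-src 'none'` baseline means any source type you forget to list is denied rather than allowed, so each new resource the client needs must be added explicitly; that is the behaviour you want when the page handles a possession factor.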
# Custom Mobile App Integrations
The MIRACL Trust authentication can be integrated directly into your mobile applications. The platform provides rich mobile SDKs, allowing you to implement the verification, authentication and signing flows. The SDKs are implemented using native technologies to provide the best possible security and compatibility with other frameworks.
You can customise the authentication and verification to your liking using these SDKs. They even allow integration with the biometric authentication of your mobile device. For more information, see Integrate in Mobile Apps.
For non-native technologies, you can check our React Native Integration Tutorial, our Client JS Library or contact us at support@miracl.com.
# Enterprise Solutions
For help integrating MIRACL Trust with your enterprise solutions, contact us at support@miracl.com.