# Overview

This page describes the main services offered by MIRACL Trust, a managed solution that you can use to secure your authentication flows. Whether you are looking to improve your current authentication solution or build a new one, this overview can help you make an informed decision on how to utilise the platform for your specific use case. This document lays the foundation and points you in the right direction so you can complete your integration from start to finish in the most efficient way possible.

MIRACL Trust is a service designed to provide fast, simple and secure multi-factor authentication (MFA). It prioritises ease of use without compromising security. The authentication service is accessible from browsers and mobile applications, and because ready-made web and mobile clients are provided, you can adopt it with minimal integration work. If you need a more deeply integrated solution, use the configuration options available through the MIRACL Trust Portal to build the authentication experience that suits your end users.

In addition to end-user authentication, MIRACL Trust offers a document signing service with which you can create an irrefutable record of any action your end users perform. This record can prove that the authenticated end user is the only one who could have signed the document.

# Authentication

The MIRACL Trust authentication employs a PIN-based, single-step, multi-factor, zero-knowledge protocol. Successful authentication requires both a possession factor (something the end user has) and a knowledge factor (something the end user knows), and the protocol can only begin when both are present at the same time. This is what makes it multi-factor rather than multi-step, where the factors are checked one after another. All authentication factors are established directly on the end user’s device and are never transmitted over the network: the platform never learns them, and they cannot be derived from the messages exchanged between the client and the platform. This is what makes the protocol zero-knowledge.

The PIN is the knowledge factor of the protocol. When the end user chooses the PIN during registration, it is immediately discarded and never leaves the device. It is valid only on the enrolled device and not stored anywhere on the platform or client. The end user enters the PIN for every authentication. These features of the PIN distinguish it from a password.

To authenticate, end users need a device enrolled with the platform. This can be any device, desktop or mobile. Users usually go through an identity verification flow that establishes trust, which the platform then relies on to authenticate them to third-party systems later. End users can have multiple enrolled devices at once and can enrol a new device from one that is already registered. They can also use an enrolled mobile device to authenticate an unregistered desktop device by scanning a QR code.

The secret used in the authentication protocol is established during the device registration process. The PIN chosen by the user is immediately and cryptographically “subtracted” from this secret, after which both the secret and the PIN are discarded. The result of this operation, the token, is what is stored on the device; it is the possession factor of the protocol. The secret can be recreated only by cryptographically combining the token with the PIN. This happens during every authentication, after which the secret is discarded again. Because the device keeps neither the secret nor the PIN, it has nothing to check an entered PIN against: a wrong PIN simply produces a wrong secret, which the platform rejects. Once enrolled, a device can authenticate the user repeatedly until it is revoked. MIRACL Trust automatically revokes a device after three invalid authentication attempts, and an admin of the MIRACL Trust project can also revoke a device manually from the MIRACL Trust Portal. When a device is revoked, the end user must go through the identity verification process again before re-enrolling the device.
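The following is an added, runnable model of the secret/PIN/token split described above. It is not MIRACL's code and not the M-PIN protocol (which works on pairing-friendly elliptic curves with a zero-knowledge exchange); it swaps that group for the multiplicative group modulo a Mersenne prime, so that the shape of the scheme (token = secret "minus" PIN, secret = token "plus" PIN), the fact that the device cannot check a PIN locally, and the three-strike revocation can be executed and inspected. The modulus, generator, user ID and PIN are constructed toy values.

```python
"""Toy model of the secret / PIN / token split described above.

Constructed illustration, not MIRACL's code: the real M-PIN protocol works on
pairing-friendly elliptic curves with a zero-knowledge exchange. Here the group
is the multiplicative group mod a Mersenne prime so the shape of the scheme
(token = secret "minus" PIN, secret = token "plus" PIN) and its consequences can
be run and inspected. Nothing here is a production parameter.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1        # toy modulus (2^127 - 1, prime); generator 3
G = 3
MAX_FAILED_ATTEMPTS = 3   # the three-strike revocation described above


def hash_to_group(user_id: str) -> int:
    """Map a user ID to a group element A (stand-in for hashing an ID to a curve point)."""
    h = int.from_bytes(hashlib.sha256(user_id.encode()).digest(), "big")
    return pow(G, h, P)


def as_key(element: int) -> bytes:
    return element.to_bytes(16, "big")   # values are below 2^127, so 16 bytes suffice


class Platform:
    """Holds the master secret, issues identity-based client secrets, verifies logins."""

    def __init__(self) -> None:
        self.master = secrets.randbelow(P - 2) + 1   # s: never leaves the platform
        self.failures = {}    # device_id -> consecutive failed attempts
        self.revoked = set()

    def issue_secret(self, user_id: str) -> int:
        """Client secret A^s, handed to the device once, during registration."""
        return pow(hash_to_group(user_id), self.master, P)

    def verify(self, device_id: str, user_id: str, challenge: bytes, proof: bytes) -> bool:
        if device_id in self.revoked:
            return False
        expected = hmac.new(as_key(self.issue_secret(user_id)), challenge, "sha256").digest()
        ok = hmac.compare_digest(expected, proof)
        if ok:
            self.failures[device_id] = 0
        else:
            self.failures[device_id] = self.failures.get(device_id, 0) + 1
            if self.failures[device_id] >= MAX_FAILED_ATTEMPTS:
                self.revoked.add(device_id)   # automatic revocation
        return ok


class Device:
    """Keeps only the token; the client secret and the PIN are discarded at enrolment."""

    def __init__(self, user_id: str, client_secret: int, pin: int) -> None:
        self.user_id = user_id
        # "Subtract" the PIN: token = A^s * A^(-pin) = A^(s - pin).
        self.token = client_secret * pow(hash_to_group(user_id), -pin, P) % P

    def prove(self, pin: int, challenge: bytes) -> bytes:
        """Recombine token and PIN for one authentication; the result is not kept."""
        reconstructed = self.token * pow(hash_to_group(self.user_id), pin, P) % P
        # With a wrong PIN this is still a valid-looking group element: the device
        # cannot tell, only the platform can, so PIN guessing is necessarily online.
        return hmac.new(as_key(reconstructed), challenge, "sha256").digest()


def run_scenario() -> dict:
    """Right PIN authenticates; three wrong PINs revoke the device, even for the right PIN."""
    platform = Platform()
    user, pin = "alice@example.com", 4821   # constructed sample identity and PIN
    device = Device(user, platform.issue_secret(user), pin)
    results = {}

    challenge = secrets.token_bytes(16)
    results["right_pin"] = platform.verify("dev-1", user, challenge, device.prove(pin, challenge))

    results["wrong_pins"] = []
    for wrong in (1234, 1111, 2222):
        challenge = secrets.token_bytes(16)
        results["wrong_pins"].append(
            platform.verify("dev-1", user, challenge, device.prove(wrong, challenge)))
    results["revoked_after_three"] = "dev-1" in platform.revoked

    challenge = secrets.token_bytes(16)
    results["right_pin_after_revocation"] = platform.verify(
        "dev-1", user, challenge, device.prove(pin, challenge))
    return results
```

The point to take from the model is the last comment in `Device.prove`: a token on its own gives an attacker no way to test PIN guesses offline, so the only place a wrong PIN can be detected is the platform, and that is why the server-side revocation after three failures is part of the design rather than an optional extra.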

The identity verification process usually precedes the device registration process. It can be as simple as email verification or as complex as required for a particular use case.

At its core, the platform utilises a multi-factor zero-knowledge authentication protocol called M-PIN. For more information about it, see M-PIN Authentication Protocol.

# Digital Signing

MIRACL Trust offers an identity-based designated verifier signature (DVS) scheme for digital signing. Unlike a classic digital signature scheme, in which anyone holding the public key can verify a signature, a DVS can be checked only by a designated verifier, and a Trusted Authority (TA) is responsible for issuing secret signing keys to all participants and designating that verifier. To learn more about the protocol for signing, see Designated Verifier Signature.

You can sign any data blob because the signature is produced for the hash digest of the data rather than the raw data itself. This means the actual value of what is being signed is never transmitted to the MIRACL Trust platform. On top of what is traditionally considered a document, you can also initiate signing for any type of transaction or user operation.

# Applications

To use the MIRACL Trust authentication and signing protocols, certain cryptographic operations must be performed on the client side. MIRACL Trust provides its MIRACL Core Cryptographic Library and other tools for building custom clients, but ready-to-use applications are also available for web and mobile platforms. They let you try the platform, and they can be used in production for all of its functionality.

The best way to experience all pre-built applications is by trying the login process on the Developer Portal. You don’t need to set up a payment method or provide any information besides your email address. This is your first step in exploring the world of MIRACL Trust, and it will help you transition smoothly to the Low-Code Integration section for your first integration.

# MIRACL Trust PIN Pad

The MIRACL Trust PIN Pad is the web client for the platform. It is distinctive in offering single-step, multi-factor authentication directly in the browser without requiring any special hardware.

With this web client, end users get access to several useful functionalities:

  • email verification
  • device registration management (including PIN reset)
  • enrolling the current device from another already enrolled device using a QuickCode
  • enrolling unenrolled devices from the current device by generating a QuickCode
  • delegating authentication to the MIRACL Trust Authenticator app

The token for this client is stored in the browser itself and is not shared between browsers. A device registration created in a particular browser can therefore only be used from that same browser, and registrations created in different browsers are treated as distinct devices by the platform. This matters for the verification process: the browser in which the verification finishes and the registration happens is the only browser that can then be used for authentication.

# MIRACL Trust Authenticator

The MIRACL Trust Authenticator is a mobile application available for the two major platforms - iOS and Android. It provides the same set of functionalities as the web version, allowing you to authenticate your desktop and mobile web sessions, as well as other mobile apps.

# Low-Code Integration

You can leverage the benefits of using MIRACL Trust with minimal development. MIRACL Trust is an OpenID Connect (OIDC) Identity Provider, so integration with any system that supports OIDC is a matter of configuration. OpenID Connect is a well-known protocol implemented by many open-source and commercial products. For more information about OIDC, see How OpenID Connect Works.

If your web application supports OpenID Connect, you can easily integrate it with MIRACL Trust in just a few minutes. To get started, follow the step-by-step instructions outlined in the Getting Started guide. Then, refer to the Integrate Through OIDC guide for help setting up the OIDC client in your application. You can find tutorials for popular application frameworks in the Tutorials section.

If you are building a new solution, you can choose from many open-source and proprietary OIDC client implementations. A list of libraries certified by the OpenID Foundation is available at Certified OpenID Developer Tools.

This integration may seem simple, but it serves as a foundation for any further system configuration. Whether you’re just starting out or need to create a more complex solution, you can use this integration as a starting point and add custom flows as needed. Refer to the Advanced Integration section for more information on customising the authentication and signing experience.
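The relying-party side of the OIDC login described above, as an added example that is not MIRACL's or any OIDC library's code. It uses only the Python standard library and shows the two things an integrator must get right regardless of framework: the authorization request carries a `state`, a `nonce` and a PKCE challenge bound to the browser session, and the claims of the returned ID token are checked against the session before the user is trusted. `ISSUER`, `CLIENT_ID` and `AUTHORIZE_ENDPOINT` are placeholders (read the real values from the provider's discovery document and your project settings), and signature verification of the ID token against the provider's JWKS is assumed to be done by your OIDC library before the decoded claims reach `validate_id_token_claims()`.

```python
"""Relying-party checks for an OIDC authorization-code login.

Added illustration, not MIRACL's or any library's code. ISSUER, CLIENT_ID and
AUTHORIZE_ENDPOINT are placeholders: take the real values from the provider's
discovery document and your project settings. Verifying the ID token's signature
against the provider's JWKS is assumed to be done by your OIDC library before the
decoded claims reach validate_id_token_claims().
"""
import base64
import hashlib
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://issuer.example"            # placeholder
CLIENT_ID = "my-client-id"                   # placeholder
AUTHORIZE_ENDPOINT = ISSUER + "/authorize"   # placeholder; read from discovery in practice
IAT_SKEW_SECONDS = 60                        # tolerated clock skew for the iat claim


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def build_authorization_request(redirect_uri: str):
    """Return the redirect URL and the per-login values the RP must keep in its session."""
    session = {
        "state": secrets.token_urlsafe(32),                  # ties the callback to this browser session
        "nonce": secrets.token_urlsafe(32),                  # ties the ID token to this login (anti-replay)
        "code_verifier": b64url(secrets.token_bytes(32)),    # PKCE secret, sent only at token exchange
    }
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), session


def validate_id_token_claims(claims: dict, session: dict, now=None) -> list:
    """Return the names of failed checks (empty list means accept). Follows OIDC Core 3.1.3.7."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        problems.append("aud")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        problems.append("azp")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        problems.append("exp")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + IAT_SKEW_SECONDS:
        problems.append("iat")
    if claims.get("nonce") != session["nonce"]:
        problems.append("nonce")
    if not claims.get("sub"):
        problems.append("sub")
    return problems
```

On the callback, compare the returned `state` with the session copy before exchanging the code, send `code_verifier` with the token request, and treat any non-empty result from `validate_id_token_claims()` as a failed login. The `nonce` check is what stops an ID token captured from one login being replayed into another session.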

# Email Identity Verification Flow

MIRACL Trust provides a pre-built email verification flow as part of the platform, which is what makes low-code integration possible. No additional configuration is required, as this flow is the default for any new MIRACL Trust Project. The end user’s email address serves as the User ID for this verification method and is verified through a link sent to that address; the end user simply opens the link to prove ownership of the mailbox. Verification links expire after a set time and are invalidated once used.
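An added example of the two properties the previous paragraph attributes to verification links (a link stops working after a set time, and stops working once it has been used). It is a generic illustration, not MIRACL's implementation; `LINK_TTL_SECONDS` and `BASE_URL` are assumptions, since the page does not state the actual expiry or the link format.

```python
"""Time-limited, single-use email verification links.

Added illustration of the properties described above (links expire and are
disabled once used); it is not MIRACL's implementation. LINK_TTL_SECONDS and
BASE_URL are assumptions: the page does not state the actual expiry or URL.
"""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

LINK_TTL_SECONDS = 15 * 60                       # assumption
BASE_URL = "https://verify.example/confirm"      # placeholder


class VerificationLinks:
    """Issues links that prove mailbox ownership once, within a time window."""

    def __init__(self) -> None:
        self._pending = {}   # sha256(token) -> {"email": ..., "expires_at": ..., "used": ...}

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash: a leaked table cannot be turned into working links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str, now=None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable
        self._pending[self._key(token)] = {
            "email": email, "expires_at": now + LINK_TTL_SECONDS, "used": False}
        return f"{BASE_URL}?token={token}"

    def redeem(self, token: str, now=None):
        """Return the verified address, or None if the link is unknown, expired or already used."""
        now = time.time() if now is None else now
        entry = self._pending.get(self._key(token))
        if entry is None or entry["used"] or now > entry["expires_at"]:
            return None
        entry["used"] = True   # disabled upon use, before anything else happens
        return entry["email"]


def token_from_url(url: str) -> str:
    """Extract the token the user's click delivers back to the verification endpoint."""
    return parse_qs(urlparse(url).query).get("token", [""])[0]
```

Marking the entry as used before returning the address is deliberate: a link that is redeemed twice in quick succession (a mail scanner following it, then the user) must succeed at most once, and in a real deployment the lookup-and-mark step must be atomic in the backing store.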

# Signing

If you have integrated MIRACL Trust authentication through OIDC, you can use the stand-alone DVS JavaScript library to roll out signing for your end users. For more information, see Sign Documents With DVS.

# Security

A system is only as secure as its weakest component, and in this configuration that component is the verification flow. The security of an email verification flow depends on the email provider, which is outside MIRACL’s control, so this configuration is considered a low-security one. Its primary purpose is to enable quick implementation for low-security use cases and to let you experience the system before implementing a custom verification flow for use cases that require stronger protection.

# Advanced Integration

At MIRACL Trust, we strongly believe that security is paramount. We also understand that security and user experience should not come at each other’s expense. That is why the platform allows complete customisation of the verification, authentication and signing flows, so you can build secure solutions tailored to your specific needs while keeping the user experience excellent.

# Custom User Verification

For use cases where email verification is impractical, MIRACL Trust offers Custom User Verification as an alternative. This mechanism allows you to create a personalised verification flow tailored to your use case. This is the best first step if you require a more secure verification flow than an email one.

With Custom User Verification, you can implement any verification flow that suits your needs. Examples of such flows include:

  • SMS verification, where the end user receives a one-time code via SMS. You can try this flow with the MIRACL Trust Lottery Demo.
  • Document verification, where the end user provides a picture of their ID, which, once verified, initiates the device registration process.
  • Offline verification, where the end user must present their personal ID to an authority, which can then approve and initiate the device registration process.

For more information, see Add Custom User Verification.

# Client-Hosted PIN Pad

The Client-Hosted PIN Pad integration allows you to seamlessly integrate the authentication client within your website. With this integration, you can host the authentication client on your domain with your unique design and implementation. MIRACL Trust provides all the necessary tools you need to achieve that quickly.

By implementing a custom PIN Pad, you can fully customise the authentication client’s functionality and user experience. Possibilities include:

  • Custom design and deep integration with the website
  • Custom rules for PIN selection
  • Integrated device management
  • Conditional logic when the device is not enrolled
  • Easy invocation of signing whenever necessary

# Security

The MIRACL Trust PIN Pad provided by the platform is built following security best practices in both its architecture and implementation, and is carefully vetted to provide and maintain the best protection possible. It runs on a dedicated domain controlled by MIRACL, which isolates the client from other scripts that might be malicious or might otherwise weaken the authentication client, and it is further protected by a strict Content Security Policy. It is built with a minimum of external dependencies, each of which undergoes a strict security review. Together, the dedicated origin and the strict CSP are designed to rule out cross-site scripting against the client, and they also protect against many other common and less well-known attacks.

If you implement your own authentication client, you take ownership of its security. MIRACL strongly recommends that you follow a similar architecture and the same practices to achieve the same or better protection.
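To make the recommendation above concrete, here is an added example of what a "strict Content Security Policy" for a self-hosted authentication client looks like next to a typical weak one, with a small lint that flags the weaknesses. It is constructed for this page and is not MIRACL's published policy (the page says the hosted PIN Pad uses a strict CSP on a dedicated domain but does not reproduce it); the directives assume the client is served from its own dedicated origin, which is what makes `'self'` a tight allow-list, and the extra headers in `response_headers()` are standard hardening, not something the page prescribes.

```python
"""Strict vs. weak Content-Security-Policy for a self-hosted authentication client.

Added illustration, not MIRACL's own policy. Assumes the client is served from its
own dedicated origin, so 'self' admits only the client's own files.
"""

# A strict policy: nothing loads unless explicitly allowed, and the page cannot be framed.
STRICT_POLICY = {
    "default-src": ["'none'"],
    "script-src": ["'self'"],               # only scripts shipped with the client itself
    "style-src": ["'self'"],
    "img-src": ["'self'"],
    "connect-src": ["'self'"],              # the client talks only to its own origin
    "frame-ancestors": ["'none'"],          # no embedding: an overlay could capture the PIN
    "form-action": ["'self'"],              # no form may post the PIN elsewhere
    "base-uri": ["'none'"],                 # no <base> injection to redirect relative URLs
}

# A typical weak policy: broad allow-lists and inline scripts defeat the purpose.
WEAK_POLICY = {
    "default-src": ["*"],
    "script-src": ["'self'", "'unsafe-inline'", "https:"],
    "style-src": ["'self'", "'unsafe-inline'"],
}

RISKY_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "http:", "https:"}
REQUIRED_DIRECTIVES = {
    "default-src": "no default-src: unlisted fetch directives fall open",
    "frame-ancestors": "no frame-ancestors: the PIN pad can be framed (clickjacking)",
    "form-action": "no form-action: a form can post the PIN to another origin",
    "base-uri": "no base-uri: an injected <base> can redirect relative script URLs",
}


def serialize(policy: dict) -> str:
    """Render the policy as the Content-Security-Policy header value."""
    return "; ".join(f"{directive} {' '.join(sources)}" for directive, sources in policy.items())


def lint(policy: dict) -> list:
    """Return human-readable findings; an empty list means no known weakness was found."""
    findings = [msg for directive, msg in REQUIRED_DIRECTIVES.items() if directive not in policy]
    for directive in ("default-src", "script-src", "object-src"):
        for source in policy.get(directive, []):
            if source in RISKY_SOURCES:
                findings.append(f"{directive} allows {source}")
    return findings


def response_headers(policy: dict) -> dict:
    """Headers to send with the client's HTML (other hardening headers alongside the CSP)."""
    return {
        "Content-Security-Policy": serialize(policy),
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",
    }
```

`frame-ancestors` and `form-action` deserve particular attention for an authentication client: `default-src` does not cover either, so a policy that only restricts script sources still leaves the PIN pad embeddable in an attacker's page and its form redirectable to another origin.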

For more information, see Implement Custom Browser Authentication Client.

# Custom Mobile App Integrations

The MIRACL Trust authentication can be integrated directly into your mobile applications. The platform provides rich mobile SDKs, allowing you to implement the verification, authentication and signing flows. The SDKs are implemented using native technologies to provide the best possible security and compatibility with other frameworks.

You can customise the authentication and verification to your liking using these SDKs. They even allow integration with the biometric authentication of your mobile device. For more information, see Integrate in Mobile Apps.

For non-native technologies, you can check our React Native Integration Tutorial, our MIRACL Trust MFA JS Library or contact us at support@miracl.com.

# Enterprise Solutions

For help integrating MIRACL Trust with your enterprise solutions, contact us at support@miracl.com.