This particular use-case is of a multinational bank and financial services company headquartered in the US. It offers a wide range of net banking services and personal banking services such as cards, loans and accounts. The importance of digital security in the banking sector is unparalleled, and miniOrange brought their A game. 

In order to maintain confidentiality and integrity, the identity of the institution cannot be disclosed. We would refer to the bank as ‘Z Bank’ throughout the document for convenience.

miniOrange has partnered with a number of enterprises and educational institutes, but the role we play in the banking sector is highly crucial. Banks undoubtedly require uncompromised security, and we at miniOrange ensure they receive it. 


Overview:

Z Bank was struggling to ensure that the users or administrators logging in to the website are verified, authenticated and authorized for the operation they request to perform. Alongside this, they wanted to get rid of passwords altogether and authenticate users against more secure alternatives instead, such as possession factors (one-time passwords [OTP], registered smartphones): a truly passwordless login process.

miniOrange made certain that the institution was made absolutely passwordless yet unfailingly secure. The solution was delivered on an insanely ambitious timeline. 

The miniOrange passwordless login module offers multiple methods for authenticating users in place of passwords: OTP over phone call, OTP over SMS, OTP over email, OTP over SMS and email together, etc. 

Although it is also possible to configure other passwordless methods, especially TOTP methods such as Google or Microsoft Authenticator, these rely on third-party applications and therefore had to be avoided in the case of a banking institution. 


Challenges:

  • One of the biggest challenges was enabling the 2FA service, in a completely private environment, when the 2FA service was going to be used worldwide. 
  • One of the key requirements that was put forward, and the one which makes the most sense, was ensuring that all of the institution's data is stored on-premise, without exception.
  • The next challenge was the range of users using the 2FA service: administrators would be using one 2FA method, and regular users a different one. 
  • And the final challenge - Skipping the Second Factor Authentication for the Super Administrator. 

Implementation: 

The entire transaction system of Z Bank was dependent on this module. The 2FA service was to be invoked for authenticating every transaction, every login attempt, and every access request to the user database.

This was accomplished by 

The Login process would be different from the traditional Drupal Login. Instead of providing the username and password combination, the user is only required to type in their Username/Phone number. 

For a registered user, 2FA is invoked after submitting the username/phone number, and the OTP is sent out via the configured 2FA method, be it OTP over SMS, OTP over email, OTP over phone call, or both SMS and email at the same time. Depending on the configuration, the 2FA invocation can even combine two methods for an even higher tier of security.

For unregistered users, there is a simple 5-step (configurable length) inline user registration flow, through which users can set their preferred 2FA method at the time of their first login. This eliminates the need for the administrator to configure 2FA for every user, and also gives the users a degree of freedom to choose their own preferred 2FA method. 
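To make the registered/unregistered flow concrete, the following is an added, framework-agnostic sketch in Python of the server side of such an OTP-based passwordless login. It is not the miniOrange module's code and uses no Drupal API; the user records, the `send` callback, the six-digit code length, the five-minute validity window and the three-attempt limit are all assumptions chosen for illustration. The points a defender would want to see are that the code is generated with a CSPRNG, only a keyed hash of it is stored, it expires, it is single-use, comparison is constant-time, and a small number of wrong guesses discards the challenge.

```python
"""Constructed example: a minimal OTP-based passwordless login flow.

Users log in with a username or phone number only. Registered users are sent a
one-time code over each of their configured methods; unregistered users are
routed to an inline registration step where they pick their own methods.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6            # assumed code length
OTP_TTL_SECONDS = 300     # assumed validity window: five minutes
MAX_ATTEMPTS = 3          # assumed wrong guesses tolerated per challenge


@dataclass
class User:
    username: str
    phone: str
    methods: list      # e.g. ["sms", "email"]; two entries = both are notified
    contacts: dict     # method -> delivery address (phone number, e-mail)


@dataclass
class Challenge:
    salt: bytes
    otp_hash: bytes
    expires_at: float
    attempts: int = 0


def generate_otp() -> str:
    # The OTP is a credential, so it comes from the CSPRNG, never from random.
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


def hash_otp(otp: str, salt: bytes) -> bytes:
    # Only a salted keyed hash is stored: a leaked challenge table must not
    # reveal live codes.
    return hmac.new(salt, otp.encode(), hashlib.sha256).digest()


def find_user(users: dict, identifier: str):
    # The login form accepts either the username or the phone number.
    if identifier in users:
        return users[identifier]
    for user in users.values():
        if user.phone == identifier:
            return user
    return None


def register_user(users: dict, username: str, phone: str, methods: list, contacts: dict) -> User:
    # Inline registration: a first-time user chooses their own 2FA method(s).
    if username in users:
        raise ValueError("username already registered")
    for method in methods:
        if method not in contacts:
            raise ValueError(f"no contact address for method {method!r}")
    users[username] = User(username, phone, list(methods), dict(contacts))
    return users[username]


def start_login(users: dict, challenges: dict, identifier: str, send, now=None) -> str:
    """Step 1: identifier submitted. Returns 'register' or 'challenge'."""
    now = time.time() if now is None else now
    user = find_user(users, identifier)
    if user is None:
        return "register"          # unregistered: route to the registration flow
    otp = generate_otp()
    salt = secrets.token_bytes(16)
    challenges[user.username] = Challenge(salt, hash_otp(otp, salt), now + OTP_TTL_SECONDS)
    for method in user.methods:    # one or two delivery methods, per configuration
        send(method, user.contacts[method], otp)
    return "challenge"


def verify_otp(challenges: dict, username: str, submitted: str, now=None) -> str:
    """Step 2: code submitted. Returns 'ok', 'wrong', 'expired', 'locked' or 'no_challenge'."""
    now = time.time() if now is None else now
    challenge = challenges.get(username)
    if challenge is None:
        return "no_challenge"
    if now > challenge.expires_at:
        del challenges[username]
        return "expired"
    challenge.attempts += 1
    # Constant-time comparison of hashes avoids leaking how many digits matched.
    if hmac.compare_digest(hash_otp(submitted, challenge.salt), challenge.otp_hash):
        del challenges[username]   # single use: a replayed code is rejected
        return "ok"
    if challenge.attempts >= MAX_ATTEMPTS:
        del challenges[username]   # too many guesses: force a fresh challenge
        return "locked"
    return "wrong"
```

In a real deployment the `send` callback would be the SMS/email/voice gateway and the `challenges` dictionary a server-side store with the same expiry; the lookup by phone number should also be rate-limited so that the login form cannot be used to enumerate registered numbers.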

A few of the users and administrators also wanted a login link sent to their email IDs, clicking on which logs them into the system. A handful of others also opted for hardware based authentication. 


Outcome:

A truly passwordless experience was set up for the finance mogul without cutting any corners, giving the users of the system the satisfaction of a secure login and reducing the chances of unauthorized access, and with it the headaches of the admins. 

Passwordless Login - Drupal
Why Drupal was chosen: 

Drupal was chosen for its ability to scale, unwavering security and robust maintenance. 

Drupal's contributed modules are reviewed by the Drupal Security Team, which coordinates advisories and fixes and helps keep them free from known vulnerabilities.

miniOrange modules work seamlessly with any Drupal installation - and fit right in - out of the box. 
 

Technical specifications

Drupal version: 
Drupal 7.x
Drupal 8.x
Drupal 9.x
Drupal 10.x
Key modules/theme/distribution used: 
Organizations involved: 
Sectors: 
Technology