User Authentication

The user "has" a token and "knows" a PIN code

References

For more in-depth details on the technical flow for PIN validation, check out: #flow-diagram

Introduction

A user authentication can be executed from the ReadMyCards application.

At the bottom of the page, there are 3 use cases available:

• authenticate user with browser OR operating system pin dialog

• upload a PDF document as a prerequisite to the process of performing a digital signature

• digitally sign a PDF document

Upload, authenticate and digitally sign

Pin Dialog

The Trust1Connector ask the user for a PIN when performing an authentication or a digital signature. When a user enters the PIN in a browser dialog, the Trust1Connector has the necessary functions in the SDK to encrypt the PIN sent from the browser towards the Trust1Connector instance. The reasoning behind this approach is:

• the Trust1Connector does NOT trust a local browser: the browser can be corrupted with a 'dirty' plugin for example; no pin code will be visible in the 'debug console' of the browser

• applications are not trusted, except when presenting a valid token, and when performing a key exchang prior to the use of the connector

Browser PIN dialog

When enabling the toggle 'Use operating system pin dialog', you ask to ignore entering the PIN in the browser by delegating the PIN entry to the operating system. When this option has been enabled, the Trust1Connector will ask the underlying operating system to deal with the PIN entry. This means that the PIN entry is COMPLETELY separated from the web application or browser.

Operating system (MacOS in this example) PIN dialog

This topic has different motiviations depending on the use case and security policies applied in an organizatoion. The Trust1Connector want to guarantee a safe implementation for both use cases mentioned

When the use case completes succesfully, in the top right, the following message will appear for a short amount of time:

Succesful PIN validation