FAQs

Frequently Asked Questions

Contact us or fill out the form to receive the earliest support.

It is an authentication key used for passwordless authentication or two-factor authentication when logging into an account on the Internet.

VinCSS FIDO2® Authenticator (Touch 1, Fingerprint,…) works like a USB device: it requires no additional software download, no charging, and no attached batteries. The authentication key operates immediately, and logging in takes a single touch.

Customers who purchase the authentication key can send a product that needs warranty service through distributors, or send it directly to the VinCSS centers in Hanoi and Ho Chi Minh City.

All popular browsers and operating systems now support VinCSS FIDO2® Authenticator (Touch 1, Fingerprint,…). Supported browsers and their operating systems:
– Edge: Windows
– Chrome: Windows / MacOS / Linux / ChromeOS / Android
– Firefox: Windows / MacOS / Linux
– Opera: Windows / MacOS / Linux
– Safari: MacOS / iOS 13.3 (or later)

There is no limit to the number of accounts registered on the same VinCSS FIDO2® Authenticator when the key is used for two-factor authentication. When the key is used for passwordless authentication, it is limited to 50 accounts.

Users register the key themselves with the service accounts that require it. One VinCSS FIDO2® Authenticator (Touch 1, Fingerprint,…) security key can be registered with many different services and accounts.

If you lose your VinCSS FIDO2® Authenticator (Touch 1, Fingerprint,…), you can use the backup methods registered during the first key registration process to log in to your account and unlink the lost key. The backup methods can be a one-time recovery code, SMS OTP, or an authenticator application on a mobile device.

When a VinCSS FIDO2® Authenticator is lost, the user will not lose an account, because this key does not contain all the information necessary for logging in. For backup, users are encouraged to have two authentication keys registered with the service, and store the backup key in a secure location. In case of loss, users can use the backup key to log in to their accounts and unlink the old key, or use the backup methods mentioned in question 7.
For Enterprise customers using the VinCSS FIDO2 Server provided by VinCSS, when the VinCSS FIDO2® Authenticator (Touch 1, Fingerprint,…) is lost, the VinCSS FIDO2 Server can handle this in the following ways:
– Users can register a backup key or use an Android / iOS smartphone as a backup key. These spare keys are disabled while the primary key is active.
– When the user notices that the security key is lost, the administrator disables the user’s primary key through the central management system and at the same time activates the registered backup key. If the user does not have a backup key, the administrator can register and activate another temporary key and give it to the user.

VinCSS FIDO2® Authenticator (Touch 1, Fingerprint,…) is designed not to be connected to a centralized password storage service, so the password change policy does not affect the key.

Most online services now support authentication with the VinCSS FIDO2® Authenticator (Touch 1, Fingerprint,…), for example:
– Microsoft Account (Outlook, Office, Skype, OneDrive, Xbox Live, Bing…)
– Google Accounts (Drive, Google Cloud, Hangout, Gmail, Play, YouTube…)
– AWS Web Service
– Facebook
– GitHub
– Dropbox
– Salesforce
– Gitlab
– Jira
– Owncloud

During the entire login process, the authentication key only authenticates the user and does not store any other information, which ensures privacy. The key requires the user to physically touch it, so it cannot be attacked remotely. Because the key applies the FIDO2 standard, it should protect users from phishing attacks on the internet, MITM (man-in-the-middle) attacks, skimming, etc. The key’s hardware is designed to protect the data in the authentication key from being tampered with.

Please see instructions below:
https://github.com/VinCSS-Public-Projects/FIDO2-Public-Documents/blob/main/VinCSS-FIDO2-Touch-1/CSS-IP-EXT-UG-201209-029_Huong%20dan%20su%20dung%20VinCSS%20FIDO2%20Touch%201%20v1.2.pdf

No. Because VinCSS FIDO2® Authenticator (Touch 1, Fingerprint,…) is not a USB storage device, there is no risk of malware infection.

Users can use the Windows key management application or the Chrome browser settings to reset the PIN or restore the original settings of VinCSS FIDO2® Authenticator (Touch 1, Fingerprint,…).

We have many internal applications integrated with passwordless authentication, and the outcome is that the user experience has improved a lot; users never want to use a password again.

From 4 to 63 numeric characters.

VinCSS FIDO2® Authenticator does not support digital signatures for now.

No. VinCSS will calculate the appropriate hardware specification for each specific number of users

Yes. The private key and the public key are unique

No. You can’t extract any data from VinCSS FIDO2® Authenticator (Touch 1, Fingerprint,…)

The physical key uses a chip (secure); Aris/Aris pro use a quantum chip (secure); the mobile app depends: it is not secure if generated by software or running on a jailbroken/rooted smartphone.

VinCSS FIDO2® Touch 1: No. You just need to buy it once.
VinCSS FIDO2 on iOS, Android: Free for standard subscription, purchase for premium subscription (more additional functions).
VinCSS FIDO2 VOS: No need to buy license.

No, we have a specific ecosystem, built by VinCSS.

It needs a FIDO2 server as a keystore. Some platforms and applications, for example Microsoft and Google, may already have and support one, but they usually support only their own applications or some use cases (Microsoft supports passwordless but Google only supports U2F). The VinCSS FIDO2 ecosystem aims to support any application with the best options for integration (passwordless, OAuth2).

Of course not. The SDK is just a development kit that helps you quickly develop applications that integrate with FIDO2. You could use any other source code or develop the integration yourself (but that needs more effort).

Use another key for backup (VinCSS FIDO2 Touch 1: primary key – VinCSS FIDO2 application on a smartphone: backup key).

The Single Sign-On function will be updated in the next version. You just need one authenticator to login to many applications.

– VinCSS FIDO2 Fingerprint / VOS: Use fingerprints to verify the identity of the owner, so the keylogger cannot collect anything during the authentication process.

– VinCSS FIDO2® Touch 1: Use PIN code (entered from the keyboard) to verify the owner, so the keylogger can collect the PIN during authentication. However, without the authenticator, the attacker cannot log in to the system.

– The time to delete old keys and create new keys depends on system administrator / user operation speed / spare part quantity. If these elements are available, it takes just one to two minutes.

This is the same issue as with other infrastructure or systems: you need HA for hardware and services. Or, better, have a fallback login authentication method; you could keep this as an additional login option.

FIDO2 offers expanded authentication options. However, we are developing VinCSS Authenticators to provide more functions, for example end-to-end mail encryption.

VinCSS FIDO2® Touch 1 cannot be cloned, and its data cannot be extracted.

A unique private and public key pair is generated each time a user registers a security key (Touch 1, Fingerprint, …) for a service.

FIDO2 works best for web and mobile applications. However, VinCSS is trying to integrate FIDO2 with other types of applications, for many other purposes.

Registration flow: there are 2 ways, as follows:
– The user contacts the admin to register
+ With a hard key: when the system asks for the hard key to be plugged into the machine, plug it in and enter the PIN code
+ With a soft key: the FIDO2 Server generates a QR code; the user opens the VinCSS FIDO2 app and scans the QR code, then proceeds to register and uses fingerprint/FaceID to complete the registration.
– User self-registration (requires the FIDO2 Server to be connected to AD, LDAP): the user enters username/password if registering for the first time, or uses the existing key to log into the system, then self-registers.
+ With a hard key: when the system asks for the hard key to be plugged into the machine, plug it in and enter the PIN code
+ With a soft key: the system generates a QR code; the user opens the VinCSS FIDO2 app and scans the QR code, then proceeds to register and uses fingerprint / face to complete the registration.

Login flow: the user accesses the system and presses the FIDO2 login button, and the system redirects the login to the FIDO2 system. The user then enters the username and presses Login.
– If using a hard key: a PIN will be required on the screen. Enter the PIN and touch the yellow logo on the key.
– If using a QR code: the screen will display a QR code. Open the VinCSS FIDO2 application on your phone and scan the QR code, then verify with your fingerprint / FaceID to log in.

Yes. You can forward a FIDO2 device through RDP.

According to Circular No. 35/2016/TT-NHNN, Article 4, Section 9, point “d” of the specific regulations for the technical infrastructure of the Internet Banking system: two-factor authentication must be used when signing in. The VinCSS FIDO2 ecosystem can be fully integrated with applications so that they can use two-factor authentication for login.

Public-key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption. The purpose of a PKI is to facilitate the secure electronic transfer of information for a range of network activities. A PKI system consists of at least two components, CA (Certificate Authority) and RA (Registration Authority), in which the CA generates and signs digital certificates.
FIDO (Fast ID Online) uses standard public key cryptography to provide stronger authentication (an end-user authentication solution). When subscribing to an online service, the user’s device generates a new key pair. It retains the secret key and registers the public key with the online application. An authentication session is performed by the user’s device, which uses the secret key to sign a request. To use the secret key, the user must enter a PIN or use a form of biometrics such as fingerprint or voice.
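
The registration and signed-request login described above, as an added example (not VinCSS code or its SDK): a simplified Node.js model in which each registration creates a fresh key pair, the service stores only the public key, and login is a signature over a random challenge bound to the page's origin. The `Authenticator`, `Service` and `login` names and the `example.test` style domains are assumptions for illustration.

```javascript
// Added example: simplified model of FIDO registration and login, not VinCSS code.
// Real WebAuthn also signs flags and a signature counter; both are omitted here.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const signedBytes = (rpId, clientDataJSON) =>
  Buffer.concat([sha256(rpId), sha256(clientDataJSON)]);

// Authenticator: generates a fresh key pair per registration and keeps the private key.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(rpId, user) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(`${rpId}|${user}`, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this is shared
  }
  sign(rpId, user, clientDataJSON) {
    const key = this.keys.get(`${rpId}|${user}`);
    return key ? crypto.sign('sha256', signedBytes(rpId, clientDataJSON), key) : null;
  }
}

// Service (relying party): stores public keys only and issues one challenge per login.
class Service {
  constructor(rpId) {
    this.rpId = rpId;
    this.origin = `https://${rpId}`;
    this.publicKeys = new Map();
  }
  enroll(user, pem) { this.publicKeys.set(user, pem); }
  unlink(user) { this.publicKeys.delete(user); } // e.g. after the key is lost
  newChallenge() { return crypto.randomBytes(32).toString('base64url'); }
  verify(user, challenge, clientDataJSON, signature) {
    const pem = this.publicKeys.get(user);
    if (!pem || !signature) return false;
    const clientData = JSON.parse(clientDataJSON);
    if (clientData.challenge !== challenge || clientData.origin !== this.origin) return false;
    return crypto.verify('sha256', signedBytes(this.rpId, clientDataJSON), pem, signature);
  }
}

// Browser role: records the origin of the page that asked for the signature.
function login(authenticator, service, user, pageOrigin) {
  const challenge = service.newChallenge();
  const clientDataJSON = JSON.stringify({ type: 'webauthn.get', challenge, origin: pageOrigin });
  const rpId = new URL(pageOrigin).hostname; // assumption: key lookup scoped to the page's host
  return service.verify(user, challenge, clientDataJSON,
    authenticator.sign(rpId, user, clientDataJSON));
}
```

A login started from a lookalike origin fails because the authenticator holds no key for that host, and a signature made for one challenge does not verify against the next one.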

If your app supports OAuth2, it’s very easy to integrate with VinCSS’s solution.

You can disable the account in AD, LDAP, or even in VinCSS’s solution (disable key, delete key).

If you want to use VinCSS’s solution, it’s easy to integrate (through the OAuth2 standard protocol).
The customer needs to provide:
– Which application needs to integrate passwordless authentication? What type of application is it (Web Application / Native Application (software) / Mobile Application / Single Page Application)? Is the source code available?
– What programming language/library does the app use?
– Describe the user registration flow (how a new account is registered for the application/service).
– Describe the flow for granting users permission to access the application/service. What roles does the application/service have? How do authorization and role-based access control work?
– Describe the authentication flow. How does a user log in?
– Describe the flow for revoking permissions and disabling/removing accounts when users no longer need to use the application/service.
– Application/service system architecture (system design? High availability? Number of servers per type?)

– When using the VinCSS FIDO2 application on iOS, you must grant permission to use the camera and TouchID/FaceID.
– When using the VinCSS FIDO2 application on Android, it is not necessary to set up fingerprint authentication; you can set up an alternative PIN (this PIN is different from the PIN/passcode used to open the device).

– For iPhone/iPad devices, when FaceID/TouchID is changed (delete – change Face ID, delete 1 of the registered TouchIDs, add TouchID), the FIDO2 security key information will be lost, requiring re-registration.

– For Android phones:
+ If you choose to protect the VinCSS FIDO2 application with a PIN code, changing fingerprints (deleting – changing, deleting 1 of the saved fingerprints or deleting all fingerprints, changing fingerprints) does not affect the saved FIDO2 security key.
+ If you choose to protect the VinCSS FIDO2 application with the fingerprint, then after changing fingerprints (deleting – changing, deleting 1 of the saved fingerprints or deleting all fingerprints, changing fingerprints) the registered FIDO2 security keys will be lost, and users must re-register these FIDO2 keys.