The Authentication settings page allows you to define various aspects of your application's authentication requests and limitations.
You must choose one of the available authentication mechanisms from these three options:
Furthermore, you will choose one or more authentication methods, depending on the desired level of security.
UNLOQ currently offers 3 authentication methods: via PUSH, OTP or E-mail login. PUSH authentication is enabled by default and will always be available for the user. You can choose secondary optional authentication methods for each of your applications.
When a user authenticates to your application using his phone via push notifications (the default login method, called UNLOQ), he is required to have his phone connected to the Internet and at his side. Once he enters his credentials (e-mail and additional device token, see above), a push notification will be routed to his device, describing the authentication request.
Once the user verifies the request, he may choose to approve or deny it. An approved request will generate an authentication access token.
This method allows users to authenticate with UNLOQ, using only their e-mail and their associated device token. It is best used when the user has no Internet connection on his device. It may be considered an offline login solution.
The device token is a time-based one-time password, based on RFC 6238, that is reset once every minute. As this is an offline authentication method, users will not be able to perform remote logout.
This method is used by UNLOQ to authenticate users by sending an e-mail containing a unique URL. Once the user opens the URL, an authentication access token is generated and the user is redirected to the login URL. As this should be the last resort of a user, the generated link is only available for 2 minutes, after which it expires. This method is exclusive to applications and cannot occur in a server-to-server authentication call.
Although this authentication method does not generally require users to have their device with them, to prevent spammy requests, the first time a user logs in from a new browser, he is asked to enter his device token. Once a successful authentication occurs, any subsequent login from that browser will not require the user to enter any additional information.
Both the title and the message of an authentication action can contain variables that can be used in tandem with the authentication endpoint. Whenever we want to use variables in the authentication request we will always provide them inside the POST data.
The text you provide here will be sent out on each authentication request to the user's device, so that you can specify a customizable message for each of your applications. You can specify the text for the Push notification and the Authentication.
The text you provide here will be sent out on each authentication request to the user's device, so that you can specify a customizable message for each of your applications.