Ask us anything  

Browse the topics below to find what you are looking for.

This page provides help with the most common questions about Afrilas.
If you don't find the answer to your question, don't hesitate to contact us.

Happy to help!


Afrilas is an end-to-end authentication solution designed to avoid the need to store passwords for user accounts. It primarily focuses on security and user experience.

Our solution relies on strong authentication based on public key cryptography, a technology developed by nextAuth, instead of one-time passwords based on symmetric encryption.

From a user perspective, the experience consists of installing an app and scanning a QR code to confirm a push notification. The app itself is protected by the user's fingerprint or Face ID.

The difference with many other solutions is that users won't need to maintain a separate account on our platform. This means they can access secured systems from any new device just by scanning a QR code without the need to provide an initial username or id.

The main benefit for users is that they no longer have to remember and enter user credentials to access secure resources, even when using a new device or browser. To make a connection from a new device, users just need to scan a QR code and confirm a push notification.

Other solutions often require users to enter and remember credentials the first time they make a connection, which is impractical and often experienced as inconvenient.

A smartphone & the Afrilas app. New users will receive an email with clear instructions.

  1. Search for Afrilas in the App Store and install the app.

  2. Click on the link in the email.

  3. Scan the QR code to activate the account.

In most scenarios, users will be part of an Active Directory (AD) database. Simply create a dedicated "Afrilas" group and add new users to this group to allow them to make use of Afrilas. Depending on the user and group settings, an email with instructions will be sent automatically to each new user, e.g.

  1. Search for Afrilas in the App Store and install the app.

  2. Click on the link in the email.

  3. Scan the QR code to activate the account.

The Afrilas service consists of 2 components, the Afrilas cloud and the on-premise directory services integration.

The cloud component has built-in redundancy and was designed to be fully scalable.

The on-premise component, which consists of a virtual or physical appliance, has a high-availability option to duplicate critical services and functions in order to increase the reliability of the system.

Nowadays, people rely more than ever on mobile phones for personal communication, entertainment, banking and various other applications such as strong authentication. In many cases, losing your phone is like losing your wallet. So, the question remains: how do you access accounts protected by Afrilas if you have lost or forgotten your phone?

Allow us to answer this with another question. Would you jeopardize your security by implementing a less secure authentication method for exceptional cases? While it is technically possible to add account verification mechanisms to our platform, such as SMS or email verification, we chose not to do so in order not to weaken the overall security.

However, this does not mean there is no solution. The solution relies on human interaction and verification rather than on automated identity verification methods:

  • A user calls the IT service desk to report a lost, stolen or damaged phone. 

  • A system administrator temporarily adds his/her phone to the user’s Afrilas profile.

  • The user navigates to the secured application which prompts the user to scan a QR code.

  • The user then sends a screenshot of this QR code to the system administrator. This can be done by email, by setting up a video conference or by using any other messaging application, e.g. Slack.

  • The system administrator then scans the QR code with his/her own phone to securely log in the user.

  • The system administrator then removes his/her phone from the Afrilas profile of the user, who will be automatically notified of this and any subsequent removals.

  This procedure has the following advantages:

  • The identity of the user is always verified in person by a trusted source (system administrator).

  • The identity of the user can be verified in multiple ways (video conference).

  • There is no compromise in security.

  We feel that it is much safer to have these procedures in place instead of implementing additional account verification methods, which could potentially be exploited.

Afrilas supports Microsoft Active Directory and POSIX LDAP. Users can also be added manually via the on-premise appliance.

The on-premise appliance uses HTTPS to communicate with the Afrilas cloud servers. System administrators are required to allow outbound traffic to TCP port 443 on the internet.

Afrilas is an IDP which relies on SAML 2.0. There are two components to be configured:

First, there is the SAML 2.0 link with the online application, e.g. Office 365, Google Enterprise services or SFDC. Note that you can also secure firewalls, VPN services and reverse proxies which support the SAML 2.0 standard. The online application must be reachable by the end user and requires a secure connection to the Afrilas cloud. The configuration parameters are obtained through a SAML 'metadata' exchange.

Secondly, LDAPS is used for the integration on the local network. Both Microsoft Active Directory and POSIX LDAP are supported. This allows system administrators to manage users and groups as usual. The AD/LDAP integration is handled by a small Virtual Appliance or Docker image running on your network.

End users need a mobile phone with the Afrilas app and internet access (WiFi or 4/5G) to access your SAML-enabled applications.

There is no limit. You can add as many application service providers as needed, as long as they support the SAML 2.0 standard. For example, you can use Afrilas to secure your VPN server and your Office 365 accounts at the same time.

As an agile company, we welcome and value all feedback.
Contact us so that we can evaluate your needs together.

Want to check it out?

We offer a 90-day trial for 5 users