Circle Access Desktop Implementation Tips

Implementation highlights using Circle Desktop

Below are a few highlights from implementing multiple use cases with Circle Access Desktop.

1. Install Circle Credential-free Authentication: your PC or laptop becomes your log-in.

2. Integration with Auth0. Frictionless log-in with federated identity providers through Auth0. Currently we support Google, LinkedIn and GitHub.

3. Add and Manage Devices. Users can add and manage additional devices that share the same Secure Capsule and Auth0 token, using Circle's distributed peer-to-peer multifactor authentication. The exchange is completely out-of-band, and it resists spoofing as long as the user personally generates the codes and types them directly into the new device rather than relaying them to anyone who asks for them.

4. Cross-Browser Log-in. With Circle, the user shares the same authentication across ANY browser installed on the device. No cookies or password synchronization are needed.

5. API Keys Protected by Circle End-to-End Data Protection. Developer API keys are transmitted and stored in an AES-256 encrypted Secure Capsule, with the encryption keys created on and bound to your authorized devices. Circle Web Servers NEVER hold those keys, so a compromise of the servers does not expose them.

1. Credential-free Authentication

We implemented Circle Access Desktop to power credential-free authentication (CFA) as a log-in option for all customers.
[Screenshot: Circle Register with CFA]
When you select this option, you must first install Circle Access Desktop (CAD) on your PC or laptop. The key component of CAD is Circle Service, which manages the creation and protection of AES-256 keys, data encryption and other functions. The following basic steps are executed.

1. Our Web server (via WordPress) communicates with and authenticates to Circle Service on your device using the App Key of our WordPress plug-in.

2. Circle Service creates an AES-256 encrypted Circle Secure Capsule on the device. The Secure Capsule can only interact with our Web server and can only be opened and used on the device on which it was originally authorized.

3. The WordPress admin creates and stores a high-entropy secret and transmits it to Circle Service under PKI; Circle Service stores it in the Secure Capsule on your device. The Web server can also store other PII and activity data in the Secure Capsule.

4. Whenever you want to log in, the Web server calls Circle Service on your device and authenticates with 3 very strong factors, with a completely frictionless UX:

  1. The device itself, which has been uniquely authorized and can confirm its UUID.
  2. The Circle on the device, which can only have been created by the Web server on this device with its unique App Key, and which has a unique AES-256 key that was created on, stored on and bound to your device.
  3. The secret, which is never known to or handled by the end user and therefore cannot be lost, phished or otherwise disclosed by the user.

All three are tied to the authorized device itself, so the strength of the log-in rests on keeping that device under your control.

While that is already very strong, there is one step further that we can and will take soon: replace the stored secret with a key pair. The private key stays in the Secure Capsule on the device and the Web server holds only the public key; at each log-in the server sends a fresh challenge that the device signs, and the server verifies the signature. A copy of the server's records then contains nothing that can be used to impersonate the device.

2.  Integration with Auth0

The Auth0 integration lets Circle Service authenticate with and communicate with Auth0. The developer can add any identity provider that Auth0 supports. For this demo we selected Google/Gmail and LinkedIn; simply pick the one you prefer. Auth0 authenticates the user through its API and then the following process takes place.

1. The user requests and securely receives an Access Token and a Refresh Token.

2. The Access Token is used to log the user in.

3. The Refresh Token is stored in a Circle Secure Capsule on the device for future frictionless logins.

After this process, the user no longer needs to provide credentials, passwords or any other information to authenticate with the Identity Provider in future sessions.

This works because the user has already been identified by Auth0 and the Refresh Token Auth0 issued now lives only in the device-bound Secure Capsule. On the next log-in Circle Service presents that Refresh Token to Auth0, Auth0 validates it, and only then issues a new Access Token, so each side has verified the other before a session is established.
Logging Out
When the user logs out of the Developer Hub, the Refresh Token remains stored in the Circle Secure Capsule, so the user can log in again from that device without re-entering credentials. Logging out therefore ends the web session but does not invalidate the Refresh Token; to stop a device from re-authenticating, the Refresh Token itself has to be revoked at Auth0.
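The refresh-token exchange behind the silent log-in above, as an added example that is not Circle's or Auth0's code. The `/oauth/token` path and the `grant_type=refresh_token` request fields are Auth0's real refresh grant; the Map used as the capsule, the client ID, the `YOUR_AUTH0_DOMAIN` placeholder and the mock token endpoint are stand-ins so the example runs offline. It covers the two outcomes a client has to handle: a rotated Refresh Token that must replace the stored one, and an `invalid_grant` response (revoked or expired token) after which the stored token is useless and an interactive log-in is required.

```javascript
// Added example, not Circle's or Auth0's code. Endpoint path and request
// fields follow Auth0's refresh-token grant; the capsule (a Map), the client
// ID and the token endpoint below are stand-ins.

// Body of the refresh grant as Auth0's /oauth/token endpoint expects it.
function refreshGrantBody(clientId, refreshToken) {
  return new URLSearchParams({
    grant_type: 'refresh_token',
    client_id: clientId,
    refresh_token: refreshToken,
  });
}

// Silent log-in from the capsule. `post(url, body)` is whatever sends the
// request (mocked below) and returns { status, json }.
//  - 200: keep the access token; if rotation returned a new refresh token,
//    replace the stored one, since the old one is now invalid.
//  - invalid_grant: the stored token was revoked or expired; drop it, and the
//    caller must fall back to an interactive IdP log-in.
function silentLogin(capsule, clientId, post) {
  const stored = capsule.get('refresh_token');
  if (!stored) return { ok: false, reason: 'no_refresh_token' };
  const res = post('https://YOUR_AUTH0_DOMAIN/oauth/token', refreshGrantBody(clientId, stored));
  if (res.status !== 200) {
    if (res.json.error === 'invalid_grant') capsule.delete('refresh_token');
    return { ok: false, reason: res.json.error };
  }
  if (res.json.refresh_token) capsule.set('refresh_token', res.json.refresh_token);
  return { ok: true, accessToken: res.json.access_token };
}

// Constructed stand-in for the token endpoint, with refresh-token rotation
// (each use issues a new token and retires the old one) and a revoke() hook.
function mockTokenEndpoint() {
  const valid = new Set(['rt-initial']);
  let n = 0;
  return {
    revoke: (rt) => valid.delete(rt),
    post: (url, body) => {
      const rt = body.get('refresh_token');
      if (body.get('grant_type') !== 'refresh_token' || !valid.has(rt)) {
        return { status: 403, json: { error: 'invalid_grant', error_description: 'Unknown or invalid refresh token.' } };
      }
      valid.delete(rt);
      const next = `rt-${++n}`;
      valid.add(next);
      return { status: 200, json: { access_token: `at-${n}`, refresh_token: next, token_type: 'Bearer', expires_in: 86400 } };
    },
  };
}
```

Against a real tenant, `post` would be an HTTPS POST of the body with `Content-Type: application/x-www-form-urlencoded` (confidential clients also send `client_secret`), and the `refresh_token` field appears in the response only when refresh-token rotation is enabled for the application. The revoke path is what the Logging Out note above is about: clearing the web session does nothing to the stored token, and only a revocation at Auth0 turns the next silent log-in into an `invalid_grant`.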

3.  Add and Manage Devices

With Circle Access Desktop, you can also invite and authenticate any other device that you own or wish to use. You do this via our patented peer-to-peer out-of-band authentication process. When it completes, the Circle, and any Secure Capsules it contains, is synchronized automatically with your additional devices at all times. Here is how to do it.

1. On the device you are already logged in on, navigate to your profile icon and open the menu.

2. Under My Devices, select Add New Device.

3. You will be given an Invite ID and an Auth Code.
[Screenshot: Add Device Invitation]

4. Go to the Circle log-in page on the device that you wish to add.
[Screenshot: Add Device Web Page]

5. Navigate to your profile icon again, click Accept Invite and input both the Invite ID and the Auth Code.
[Screenshot: Add Device Input Codes]

If the codes match, your new device is authorized, and the Circle on your inviting device and any Secure Capsules it contains are synchronized to the new device. You can then use credential-free secure authentication on that device just as on the original. Treat the Auth Code like a one-time password: enter it only on a device you control, and never pass it to anyone who asks for it.

4.  Cross Browser Authentication

Circle also lets users authenticate and log in to any Web site or application across any browser, without any additional steps. This is because the Secure Capsule stores whatever is needed to authenticate securely on the endpoint device, outside any single browser's profile. Unlike a cookie, Secure Capsules are:

  • Encrypted at rest with AES-256;
  • Accessible ONLY by your Web server or application, through Circle Service on the authorized device; and
  • Able to hold as much application data as you need, which the user cannot read or alter, and which an attacker on the device cannot read or alter without the device-bound key.
To try our cross-browser functionality:

1. Be logged in on any browser.

2. Open a different browser. For example, if you are logged in on Chrome, open Microsoft Edge.

3. Copy the URL from the logged-in browser into the new browser.

4. Voila! The same authentication works in any browser.