- 1. Credential-free authentication
- 2. Circle-of-Trust
This demo shows two separate but intertwined functionalities:
- Circle Credential-free Authentication – as it can be used when integrated with Auth0 for Federated Identities (e.g. Google/Gmail);
- Circle-of-Trust Basic – a delegated distributed method of identity verification + authentication that works independently but in concert with Auth0.
1. Credential-free authentication
The Auth0 integration connects Auth0 with the Circle REST API and Circle Service. Right now, we support these Identity Providers. Simply pick the one you prefer. The user is authenticated by Auth0 using the API, and then the following process commences:
- The user requests and securely receives the Access Token and Refresh Token;
- The Access Token is used to log the user in; and
- The Refresh Token is securely stored in a Circle Secure Capsule on the device for future frictionless logins.
After this process, the user no longer needs to provide credentials, including passwords or any other information, to authenticate with the Identity Provider for all future sessions.
This is because the user has been identified by Auth0, which in turn has authenticated against Circle using the Refresh Token so that both parties are satisfied with each other’s identity prior to issuing an Access Token.
Resetting the Refresh Token from Circle Secure Capsule
The Reset button deletes the refresh token from Circle Secure Capsule. The user must then re-authenticate through Auth0 with the selected Federated Identity Provider (in this case, Google).
The Log Out button is used to log the user out of the Web page, but the refresh token remains stored in Circle Secure Capsule. The user can then log in again using this stored token.
Re-authentication: See below.
Adding New Devices
In this demo, you can also invite your other devices to the secured capsule.
- First, you will need to navigate to your profile icon.
- If you are inviting a new device, click Add Device and you will be given an Invite ID and an Auth Code. Take note of these.
- Sign into the demo using the device that you wish to add.
- Navigate to your profile icon again and click Accept Invite and input both the Invite ID and the Auth Code.
If the codes match, your new device will be added to the secure capsule.
2. Circle-of-Trust
This part of the demo demonstrates the basic mechanisms of Circle-of-Trust distributed, human-in-the-loop identity verification and authentication. To do so, it combines both the end-user and the administrator / Circle-of-Trust Owner functions and UI.
This can be confusing until you understand the roles, functionalities and how they interact.
For this demo, you have to assume 3 different roles:
- Demo user – the person testing the platform.
- Email authenticator – The first authenticator who receives an authentication code via email.
- SMS authenticator – The second authenticator who receives an authentication code via SMS.
For the sake of pedagogical efficiency, it would make sense for the demo user to assume all 3 roles, or delegate the email authenticator and SMS authenticator roles to persons within close proximity.
What Does Circle-of-Trust Do?
With Circle-of-Trust, the identity verification and authentication process is entirely separate – delegated by Auth0 to Circle and executed in Circle’s patented, distributed peer-to-peer process. When triggered using the Re-authentication option:
- Circle Service locks the Secure Capsule;
- Circle Service sends two codes via separate channels (email and SMS), as set by the demo user in the demo admin panel; and
- the Secure Capsule remains locked until the demo user receives the authentication codes from the persons to whom they were sent and inputs them.
Since the demo user in this case is both the administrator and end user, the application does not actually ‘lock’ the user out of the page – but it could. Rather, the application presents the user with a dialogue box to input the codes to unlock the Secure Capsule, which is required for any other operations with the Auth0 token (such as Reset and Log Out / In).
To prevent any scenario with unrecoverable lock-out for this demo purpose, the user can close the dialogue box and access and update the Re-authentication settings as needed.
Using the Settings Panel
The demo user can:
- customize the text copy of messages that are sent;
- input the email and mobile number to which the codes will be sent; and
- use Circle’s E2EE Web video conferencing if desired for visual confirmation of identity and transmit codes completely out-of-band.
Notice that a video conferencing option is also available as an added precaution to verify the identity of your authenticators. When that is selected, the Demo User and 2 Authenticators will all be sent a link to a unique, one-time encrypted p2p video conference as well as their respective codes.
Notes on Secure Video Conference Option
Circle creates and provides a URL for a unique, one-time, end-to-end encrypted video conferencing room. To use this, the demo user must have the link sent to them by the recipient / authenticator. In a more advanced application, of course, the link could be shared automatically with all participants.
In a video conference, the person being authenticated can be seen and identified directly by the person who is authenticating him or her.
The authentication codes can also be transmitted verbally – or otherwise (e.g. QR code) – in the session, avoiding all vulnerable communications such as SMS and email.
Before initiating re-authentication, the demo user should open the settings panel to make sure the settings are well defined, especially the email address and phone number of the two authenticators.
After defining the settings, the Demo User needs to click Save Settings to save them.
The Demo User initiates re-authentication by selecting that option on the menu.
Once re-authentication is initiated, the Demo User is locked out of the page until both Authenticators have verified the identity of the Demo User and provided the codes that were sent to them by Circle-of-Trust. To do this, they can meet in the encrypted video conference room using the link that was sent.
Unlocking The Capsule with Authentication Codes
The Demo User inputs the codes into the screen and clicks the Check button. If the codes match those stored by Circle, this proves that the Demo User’s identity was verified by the Authenticators. This unlocks the capsule and access to the site; the page is restored. Other options include:
- Settings. Returns Demo User to the Settings panel if any updates are needed for that (e.g. wrong email or phone number).
- Resend. Sends a new set of codes if for some reason the first set was not received. Note – the previous codes will no longer work.
After the demo user inputs the 2 codes from the authenticators, the demo user will be logged back into the secure capsule.
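The locking, two-channel code and Resend behaviour described above, modelled in Python as an added example (this is not Circle's or the demo's own code): it assumes six-digit numeric codes and a retry limit, neither of which the page specifies.

```python
import hmac
import secrets


class LockedCapsule(Exception):
    """Raised when an Auth0 token operation is attempted while the capsule is locked."""


class ReauthCapsule:
    """Hypothetical model (not Circle's code) of the Circle-of-Trust re-authentication
    flow: locking the Secure Capsule, issuing one code per out-of-band channel, and
    unlocking only when every code is entered correctly."""
    CODE_DIGITS = 6
    MAX_ATTEMPTS = 5   # assumption: the page does not state a retry limit

    def __init__(self, channels=("email", "sms")):
        self.channels = channels
        self.locked = False
        self._codes = {}     # channel -> current code, held in memory only
        self._attempts = 0

    def start_reauth(self):
        """Lock the capsule and issue a fresh code per channel, returned as
        {channel: code} for delivery. Calling it again reissues codes, so earlier ones stop working."""
        self.locked, self._attempts = True, 0
        self._codes = {ch: "".join(secrets.choice("0123456789") for _ in range(self.CODE_DIGITS))
                       for ch in self.channels}
        return dict(self._codes)

    resend = start_reauth   # the Resend button is simply a fresh issue

    def check(self, submitted):
        """Unlock only when every channel's code matches. All codes are compared in
        constant time with no early exit, so the response cannot reveal which one failed."""
        if not self.locked:
            return True
        if self._attempts >= self.MAX_ATTEMPTS:
            return False            # stays locked until a Resend issues new codes
        self._attempts += 1
        ok = True
        for ch, expected in self._codes.items():
            ok &= hmac.compare_digest(submitted.get(ch, ""), expected)
        if ok:
            self.locked, self._codes = False, {}
        return ok

    def refresh_token_operation(self, name):
        """Reset, Log Out and Log In all touch the stored Auth0 refresh token,
        so they are refused while the capsule is locked."""
        if self.locked:
            raise LockedCapsule(f"{name} refused: re-authentication required")
        return f"{name} ok"
```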
- The demo user can customize the text copy of messages that are sent.
- The demo user will be locked out until the authenticators have received their codes and verified him/her, so that they can provide the codes for unlocking the Secure Capsule. The only way to unlock the capsule is with both authentication codes provided.
- The Demo User can choose to use Circle’s E2EE Web video conferencing if desired for visual confirmation of identity and transmit codes completely out-of-band.
- After receiving the 2 authentication codes via email and SMS, the Authenticators can meet the demo user in the encrypted video conference room using the link that was sent. The demo user can then input the authentication codes into the screen and click Check.