Authentication Best Practices?

Hey everyone! Quick question: does anyone have any best practices around how they authenticate users and validate them prior to granting them access into a journey?

For example, if I am a bank, and I have someone logging in to view their account details and make a payment, how should I go about making sure they’re the right person? What are my options and what have you all seen?

Hey David!

So there are a few ways you can authenticate a journey in Airkit, depending on what your requirements are as well as what systems you have in place.

SAML Authentication

If you have your own Identity Provider, you have the ability to add SAML authentication to your Airkit app. You will have to upload the XML file that comes from your IDP, and then, in the Configuration Builder of your app, you can change it from Public App to Secure App and select Custom as your Authentication Method. Once you publish your app, users will be required to sign in and will be redirected to authenticate before accessing your app. For more detailed information on this, see here: SAML Authentication

Authenticated/Secure Apps

If you don’t have an IDP but you want to manage the authentication using Airkit’s out-of-the-box features, we have a concept of what we call Authenticated Apps and Secure Apps. These are two types of apps that can be configured in Configuration Builder under App Type.

Authenticated Apps are configured as a separate Airkit application that can act as the “Sign in” page for your secure app. Whether the user needs to enter a username/password that you manage in another system, or maybe you have security questions you need to validate, the authentication app is the “barrier” before you are able to get to your “Secure App”.

The Secure App is the protected app: you can only access it if you have authenticated using the Set Authentication action; otherwise you will be redirected to the Authenticated App. This is where you’d add logic to check whether a user has met the success criteria, and then run the Set Authentication action to direct them to the secure app.

One Time Passcode

You can also create OTP flows over either SMS or email to provide additional security to your application. This could be used in conjunction with the Authenticated/Secure Apps, as part of the success criteria before routing them to the secure app.

These are just some methods that I’ve seen in Airkit, but you’re not necessarily limited to them. Hope this helps!
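As an added example (not code from this thread or from Airkit itself), here is the authenticated-app/secure-app gating described in the answer modelled in Python: the authentication app checks a password managed elsewhere plus a one-time passcode as its success criteria, the Set Authentication step is stood in for by minting a signed session token, and the secure app admits only a valid, unexpired token and otherwise redirects back to the authentication app. The function names, the user record, the OTP limits and the token format are all assumptions made for the example.

```python
import hashlib, hmac, secrets, time
# Constructed sample data (not from the page): one user whose password is kept
# in "another system", stored as a salted PBKDF2 hash, never in plaintext.
_SALT = b"constructed-salt"
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
SESSION_KEY = secrets.token_bytes(32)  # hypothetical server-side signing key
OTP_TTL, OTP_MAX_ATTEMPTS = 300, 5     # passcode lifetime (s) and guess budget
_otps = {}                              # username -> [code, issued_at, attempts]

def _t(now):
    return time.time() if now is None else now

def check_password(user, password):
    stored = USERS.get(user, b"")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    return hmac.compare_digest(stored, candidate)  # also False for unknown users

def issue_otp(user, now=None):
    code = f"{secrets.randbelow(10**6):06d}"  # deliver out of band (SMS/email)
    _otps[user] = [code, _t(now), 0]          # keep the code server-side only
    return code

def check_otp(user, code, now=None):
    """Success criterion: right code, not expired, attempt budget not exhausted."""
    entry = _otps.get(user)
    if entry is None:
        return False
    entry[2] += 1
    if entry[2] > OTP_MAX_ATTEMPTS or _t(now) - entry[1] > OTP_TTL:
        _otps.pop(user, None)  # burn the code on abuse or expiry
        return False
    ok = hmac.compare_digest(entry[0], code)
    if ok:
        _otps.pop(user, None)  # one-time: a used code is never accepted again
    return ok

def set_authentication(user, now=None):
    """Stand-in for the Set Authentication step: mint a signed session token."""
    payload = f"{user}:{int(_t(now))}"
    return payload + ":" + hmac.new(SESSION_KEY, payload.encode(), "sha256").hexdigest()

def secure_app(token, now=None, ttl=3600):
    """Secure app gate: valid, unexpired token -> content; anything else -> redirect."""
    parts = token.split(":")
    if len(parts) == 3 and parts[1].isdigit():
        user, issued, sig = parts
        expected = hmac.new(SESSION_KEY, f"{user}:{issued}".encode(), "sha256").hexdigest()
        if hmac.compare_digest(sig, expected) and _t(now) - int(issued) < ttl:
            return ("OK", user)
    return ("REDIRECT", "/auth-app")  # fall back to the authentication app
```

The authentication app would call `set_authentication` only after both `check_password` and `check_otp` return True; the secure app never trusts anything but the signed token.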