Multi-Factor Authentication methods
TrustBuilder supports several Multi-Factor Authentication (MFA) methods to verify the authentication factors.
Authenticator app (mobile and desktop)
The following authentication methods are supported by TrustBuilder Authenticator application (mobile or desktop).
Push notification
Users receive a push notification through TrustBuilder Authenticator app. Push notifications can be sent automatically or triggered manually, depending on configuration. Users should then approve or reject the authentication request. Each approval operation is protected by PIN code or biometric (except for services without PIN).
See TrustBuilder Authenticator User guide
To set up push notifications, depending on your needs, you can:
set the Default URL to Authenticator app in the connectors settings, if available
set the Push notifications parameter to Yes in the connectors settings, if available
See Integrations
QR code scanning
The authentication page displays a QR code that users should scan with TrustBuilder Authenticator app. Users should then approve or reject the pending operation. Each approval operation is protected by PIN code or biometric (except for services without PIN).
Users may be unable to scan the QR code for any reason, for example when the QR code is displayed on the same device that has the camera. In such cases, we propose alternative authentication methods that appear as links below the QR code:
Open Authenticator. This is a deeplink (direct link) to Authenticator app on the same device (mobile or desktop) to approve or reject the authentication request. It requires Authenticator to be installed on the same device.
⚠️ The deeplink alternative is not displayed on mobile in a webview as it is not supported by common commercial applications.
Sign in by entering a code (OTP) provided by Authenticator. This alternative method works in all situations.
Although not a very common scenario, when the QR code is displayed on a phone it is also possible to use another phone to scan it.
Using IE11 may affect the QR code scan user experience. We strongly recommend upgrading to the latest version of Microsoft Edge, Google Chrome or Mozilla Firefox.
QR code authentication is only available for OpenID Connect and Microsoft Azure AD connectors. This feature can be used with Authenticator versions 6.31 and higher.
To configure the QR code authentication method:
in the Service Parameters, enable the QR code authentication
See Administration Console (Defining Service parameters > Configuring Authenticator app)
in the connector (OpenID Connect or Azure AD) parameter, set the Default Authentication URL to https://ult-inwebo.com/authentication-oidc/authenticator-with-qrcode. This is the page displaying the QR code.
See OIDC integration or Entra ID (formerly Azure AD) integration
users should use TrustBuilder Authenticator from version 6.31 to see the “Scan a QR code” menu.
See TrustBuilder Authenticator app User guide
QR code scanning is recommended to ensure that the user initiating the request is the one validating it, thanks to the device binding method. It is a great solution to avoid notification spamming attacks and to protect users against Push Bombing attacks. The QR code authentication method does not use push notifications, therefore it does not enable a push bombing scenario.
More information about protecting users from Push Bombing attacks
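A defender-side illustration of the push bombing pattern mentioned above, as an added example that is not TrustBuilder code: it flags users who receive a burst of rejected or expired push requests, and marks the case where an approval follows the burst. The event tuples, outcome names, window and threshold are assumptions constructed for the example, not a TrustBuilder log format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, outcome of the push request).
EVENTS = [
    ("2024-05-02T02:14:10", "carol", "expired"),
    ("2024-05-02T02:14:50", "carol", "rejected"),
    ("2024-05-02T02:15:30", "carol", "expired"),
    ("2024-05-02T02:16:20", "carol", "expired"),
    ("2024-05-02T02:17:05", "carol", "rejected"),
    ("2024-05-02T02:17:40", "carol", "approved"),   # approval right after a burst
    ("2024-05-02T08:00:00", "erin", "rejected"),    # spread out: not a burst
    ("2024-05-02T08:20:00", "erin", "rejected"),
    ("2024-05-02T08:40:00", "erin", "rejected"),
    ("2024-05-02T09:00:00", "erin", "rejected"),
    ("2024-05-02T09:00:05", "alice", "approved"),   # ordinary login
    ("2024-05-02T11:00:00", "dave", "rejected"),
    ("2024-05-02T11:01:00", "dave", "rejected"),
    ("2024-05-02T11:02:00", "dave", "rejected"),
    ("2024-05-02T11:03:00", "dave", "rejected"),
]

UNAPPROVED = {"rejected", "expired"}

def find_push_bombing(events, window=timedelta(minutes=10), threshold=4):
    """Return {user: {"unapproved": n, "approved_after_burst": bool}} for bursts."""
    recent = defaultdict(deque)   # per-user timestamps of unapproved pushes
    alerts = {}
    for ts_text, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_text)
        q = recent[user]
        while q and ts - q[0] > window:   # drop pushes older than the window
            q.popleft()
        if outcome in UNAPPROVED:
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    user, {"unapproved": 0, "approved_after_burst": False})
                alert["unapproved"] = max(alert["unapproved"], len(q))
        elif outcome == "approved":
            if len(q) >= threshold:       # user gave in while being spammed
                alerts[user]["approved_after_burst"] = True
            q.clear()
    return alerts

if __name__ == "__main__":
    for user, detail in find_push_bombing(EVENTS).items():
        print(user, detail)
```

An alert with approved_after_burst set is the case to investigate first, since the session opened by that approval may not belong to the user.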
Generate an OTP
Users generate a One-Time Password (OTP) in TrustBuilder Authenticator app. The generated OTP should be manually entered in the TrustBuilder MFA authentication page. Users have 30 seconds to input the OTP before the app generates another one. Each OTP generating operation is protected by PIN code or biometric (except for services without PIN).
You can configure OTP in Service Parameters.
See Administration Console
Web Browser token authentication
TrustBuilder MFA allows web browser-based authentication with its browser tokens, Virtual Authenticator and Helium. Both consist of a JavaScript iframe that is called directly from within your HTML logon page. To authenticate, users should enter their PIN in Virtual Authenticator or their password in Helium.
To integrate TrustBuilder MFA browser tokens into your site, you'll need some basic HTML knowledge and a little JavaScript.