Reliable Identity Proofing
on the Web

Strong Authentication


What is Strong Authentication?

Authentication is the procedure used to check whether you are the person you claim to be.

Authentication mechanisms in computer systems can take on many different forms. The best known of these is the combination of username and password. You can use a specific username to access a system if you know the correct password for this specific username.

MFA (multi-factor authentication) is conceptually a part of the comprehensive topic of authentication, in the same way as adaptive authentication and risk-based authentication.



Supported authentication mechanisms

Curated Credentials

Something that only the user knows:

  • Passwort
  • Device-specific password
  • Context-specific password
  • FIDO UAF PIN-code authenticator

Something that only the user has (token):

  • Temporary strong password (SSHA256)
  • URL ticket
  • PUK (Personal Unlocking Key)
  • Recovery code
  • RSA SecurID and Safeword
  • mTAN (SMS)
  • OATH (HOTP, TOTP) – used by Google and Microsoft authenticators, for example
  • OTP with raster map support
  • Mobile signature (Swisscom MobileID)
  • Kerberos tickets
  • X.509 certificates
  • FIDO UAF private device key
  • FIDO2 / WebAuthn private device key
  • FIDO2 / WebAuthn security key (Yubikeys, etc.)

Something that only the user is:

  • FIDO UAF platform biometrics (fingerprint, facial recognition)
  • FIDO2 / WebAuthn platform biometrics (fingerprint, facial recognition)


Detection and Risk Signals

Passive behavioural biometrics:

  • Typing behaviour – BehavioSec

Context-specific data:

  • IP address
  • IP reputation
  • Geolocation
  • Device fingerprint
  • Threat signals (Arxan Threat Analytics)

Selected security questions:

  • Security questions

Modular Authentication Service

blue-plus blue-minus

Nevis supports many authentication mechanisms. However, these are rarely used in isolation. They are often combined for greater security or used in parallel for different user groups or application scenarios. Some examples:

  • A user is asked for their username and password. They are then requested by a notification sent to their smartphone to open the Nevis Access app and approve the access. This procedure is suitable for banks and other highly security-critical application scenarios and is a 3FA combination of:
    • (Username, password) – something that only the user knows
    • (Private FIDO UAF key on the smartphone) – something that only the user possesses (digital token)
    • (FaceID/TouchID) – biometric trait – something that only the user is or does
  • A user is asked for their username and password and then receives an SMS code on their mobile phone. This would be a 2FA combination of:
    • (Username, password) – something that only the user knows

(OTP / one-time code that is sent to the user’s mobile phone) – something that only the user possesses (the code is a digital token)

Thanks to the authentication engine, you can combine the authentication and federation mechanisms supported by Nevis:

  • Support for multi-step authentication workflows
  • Implement multiple independent workflows within an authentication engine
  • Integrate identity federation protocols such as SAML2, WS-Federation and OpenID Connect
  • Support for various token formats, such as SAML-Assertion, the X.509 user certificates or JWT token
  • Preconfigured templates for typical authentication steps
  • Support for completely customer-defined authentication steps in Java and Groovy
  • Support for end-to-end encryption
  • Dynamic adaptation/upgrade of the authentication strength for improved security
  • OOTB integration of authorisation information such as roles and authorisations in the token for the purposes of setting up a detailed and highly differentiated authentication system
  • API for simple integration with third-party systems

FIDO Authentication with Passkeys

blue-plus blue-minus

Passkeys, combined with Nevis, stand for strong authentication, where a user uses a unique key instead of a password to verify their identity. See our blog post for more information on the passwordless future with Passkeys.

How Does Strong Authentication With Nevis Work?

During the login, Nevis automatically collects and analyses different signals from the current user context – for example:

  • Your current location (geo-location)
  • Your travel distance (geo-speed) if you previously logged in from other locations
  • Your device with an advanced fingerprint
  • Your intended action
  • Your source-IP reputation, based on external IP reputation services

Based on these different inputs for every authentication, Nevis continuously creates a risk profile for the user. React to specific events and risk scenarios – for example, a login from a new device or an impossible journey (a login within a few hours from Berlin as well as from San Francisco) – and decide whether to notify the user or provide additional means of authentication with the help of multi-factor authentication.

Reacting to Events

In addition to the sophisticated and advanced Nevis risk profiling, which can be coordinated down to the finest detail to your specific application scenarios, we have also developed a slightly simpler yet highly effective rule-based risk engine.

Simply choose from a range of predefined events and specify the required behaviour to be triggered using «if-then» rules, and you’re all set.

React with Risk Profiles

Nevis gives you complete freedom to configure your adaptive risk engine as you see fit. You can decide which of the context-based and/or time signals the risk engine should take into consideration and how these signals are weighted. You specify which threshold values are defined and which actions to trigger if an authentication attempt is flagged as risky.

Advanced Device Fingerprint

Adaptive authentication is based on different user signals in order to detect suspicious authentication attempts. One of these signals is based on a fingerprint from the user device. To strike a balance between accuracy and stability, we’ve implemented a procedure with multiple fingerprints in our adaptive authentication solution. Multiple fingerprints improve the detection of suspicious authentication attempts and reduce the number of false-positive results. Both help bring about a better customer experience.


Do You Have Questions About Customer Identity and Access Management?

We’re here to help – with personal consultations, reliable support and smart solutions. We would be happy to show you the advantages of the Identity Suite from Nevis in detail.

Contact Us!

The Advantages of Passwordless Authentication

Increase security through passwordless authentication

Strong passwordless authentication, for instance, using FaceID or fingerprint is extremely secure and FIDO2-compliant thanks to cryptographic key pairings.

Reduce the incidence of fraud by up to 99 per cent and prevent the use of stolen login data to attack web applications.

Prevent identity theft and the reputational damage caused by data theft.

Cut costs and free up resources

Support requests and password problems are eliminated. Your IT employees can focus on other more important tasks.

Expensive transaction charges for SMS-TAN are no more.

Create a unique customer experience with passwordless authentication

Customers expect user-friendliness and security. The login process must be quick, convenient and intuitive.

A seamless customer experience ensures a low cancellation rate during the login process.

Enhance the user experience with ease of operation and logins on mobile devices.