Authentiq Connect is an easy-to-use Identity Provider built on top of OpenID Connect that makes it easy for websites and apps to move beyond usernames and passwords while safeguarding the end-user’s privacy.
- is built on top of OpenID Connect, supporting many open standards;
- leverages scopes to request identity details from end users;
- supports both passwordless authentication (Authentiq ID) and two-step verification (TOTP); and
Authentiq Connect is based on OpenID Connect and a growing list of supplementary standards to support integrating any type of application with the best possible user experience.

| Standard | Status | Notes |
|---|---|---|
| OAuth 2.0 | Supported | Authentiq supports all classic OAuth 2.0 flows. |
| OIDC Discovery | Supported | The Authentiq Connect Provider Configuration can be found here, with WebFinger support on the road map. |
| OIDC Dynamic Client Registration | Supported | Authentiq Connect’s Client Registration Endpoint is described in the API Reference. |
| OIDC Back-Channel Logout | Supported | As an alternative logout mechanism, simply enter the URL of your app’s logout endpoint in the Authentiq Dashboard. |
| OAuth 2.0 Multiple Response Types | Supported | Fine tune your users’ authentication experience by using these response types for hybrid (server+browser) apps. |
| OAuth 2.0 Form Post Response Mode | Supported | Authentiq Connect is able to POST back the authentication response in case your app requires that. Contact support to learn how to enable it. |
| Proof Key for Code Exchange | Planned | Mitigate some attack vectors for your native app. Contact us for more details. |
| Security Event Tokens | Planned | Respond to authentication events in a customized fashion. Contact support if you are interested in participating in the beta. |

Authentiq Connect leverages predefined and custom scopes to request identity details from the end user.
||N/A||Required to indicate support for OIDC|
||A user’s typical profile, including name|
||A user’s verified email address|
||A user’s verified phone number|
||A user’s home address|
||A user’s full name|
||A user’s current location|
||A user’s preferred username|
||A user’s preferred locale|
||A user’s preferred timezone|
||N/A||To enable one-click sign in|
Requested scopes are optional by default, leaving the choice of providing any of the details to the end-user, who will be able to opt out of the requested scopes on the Authentiq ID consent screen.
It is possible to mark essential scopes as required by appending
Individual scopes are concatenated in a space separated list. A typical scope parameter might look like:
openid profile email~r aq:locale aq:zoneinfo aq:push
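
An added example (not Authentiq's own code) of how a relying party could build this scope parameter and then confirm after sign-in that the details it marked as required were actually granted. It assumes the `~r` suffix seen in the sample above is the required marker and that granted scopes come back in the standard OAuth 2.0 `scope` field of the token response; all function names are hypothetical.

```python
import re

REQUIRED_SUFFIX = "~r"  # assumption: inferred from "email~r" in the page's sample
_SCOPE_TOKEN = re.compile(r"[\x21\x23-\x5b\x5d-\x7e]+")  # RFC 6749 scope-token


def build_scope(scopes, required=()):
    """Join scopes with spaces, marking those in `required` with the suffix."""
    missing = set(required) - set(scopes)
    if missing:
        raise ValueError(f"required scopes not requested: {sorted(missing)}")
    parts = ["openid"]  # always present, always first
    for name in scopes:
        if not _SCOPE_TOKEN.fullmatch(name) or name.endswith(REQUIRED_SUFFIX):
            raise ValueError(f"invalid scope name: {name!r}")
        if name != "openid":
            parts.append(name + REQUIRED_SUFFIX if name in required else name)
    return " ".join(parts)


def parse_scope(value):
    """Split a scope parameter into (all_scopes, required_scopes)."""
    names, required = [], set()
    for token in value.split():
        if token.endswith(REQUIRED_SUFFIX):
            token = token[: -len(REQUIRED_SUFFIX)]
            required.add(token)
        names.append(token)
    return names, required


def missing_required(requested, granted=None):
    """Return the required scopes that were not granted.

    `granted` is the token response's `scope` value. RFC 6749 lets the server
    omit it when it equals what was requested, so None means "all granted".
    """
    _, required = parse_scope(requested)
    if granted is None:
        return set()
    granted_names, _ = parse_scope(granted)
    return required - set(granted_names)
```

Treat a non-empty result from `missing_required` as a failed sign-in rather than creating an account with the detail missing.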
The Authentiq ID mobile app (available on Android and iOS) is the key to your end-user’s privacy. It acts as a mobile identity wallet that can be used to identify yourself to websites. A user’s Authentiq ID can be seen as their personal cryptographic passport that holds profile information.
When signing in, the user decides what information will be shared. Phone number and email address will already have been verified by Authentiq so that the website doesn’t have to.
Authentiq ID is also a TOTP secret manager, like Google Authenticator, but with many extra features, such as backing up TOTP secrets online and on paper.
One click Sign-In
One Click Sign-In lets users sign into your website by just tapping a notification on their phone on subsequent logins.
To enable it, simply include the aq:push value in the scope parameter.
On intranets, authentication is often synchronized between applications. Contact us to configure Authentiq Connect for Single Sign-on to support this.
Dashboard support for Single Sign-on is planned. In the meantime, let us know how you would like to configure your apps.
When a user signs in with Authentiq ID, the website’s authentication session is linked to the mobile app. Authentiq lets you sign out from a website remotely, and in the future just by walking away from a computer.
To enable this feature, either
- use the Authentiq JS snippet;
- include an OIDC-compatible RP iframe on your website; or
- enter a Backend Logout URL for your client in the Authentiq Dashboard.
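
For the Backend Logout URL option, an added example (not Authentiq's own code) of the checks an OIDC Back-Channel Logout endpoint should apply to the `logout_token` it receives before ending any session. HS256 signing with a shared secret, the issuer and the client ID are constructed assumptions that keep the example standard-library only; use the algorithm and keys your provider's configuration advertises.

```python
import base64, hashlib, hmac, json, time

EVENT = "http://schemas.openid.net/event/backchannel-logout"  # from the OIDC spec

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(head, body, secret):
    return hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()

def sign_hs256(claims, secret):
    """Constructed-token helper standing in for the provider (demo only)."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    return f"{head}.{body}.{_b64e(_mac(head, body, secret))}"

def validate_logout_token(token, secret, issuer, client_id, now=None, skew=300):
    """Return the claims of a valid logout token, else raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header, claims, given = json.loads(_b64d(head)), json.loads(_b64d(body)), _b64d(sig)
    except (ValueError, TypeError):
        raise ValueError("malformed token") from None
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; this also rejects "none"
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(_mac(head, body, secret), given):
        raise ValueError("bad signature")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if claims.get("iss") != issuer or client_id not in audiences:
        raise ValueError("wrong issuer or audience")
    iat = claims.get("iat")
    now = time.time() if now is None else now
    if not isinstance(iat, (int, float)) or abs(now - iat) > skew:
        raise ValueError("missing or stale iat")
    events = claims.get("events")
    if not isinstance(events, dict) or not isinstance(events.get(EVENT), dict):
        raise ValueError("not a back-channel logout event")
    if "nonce" in claims:  # the spec prohibits nonce in logout tokens
        raise ValueError("nonce present")
    if not (claims.get("sub") or claims.get("sid")):
        raise ValueError("no sub or sid to pick the session to end")
    return claims
```

A production endpoint would also remember recent `jti` values to reject replays, then end the sessions matching the returned `sid` or `sub`.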
Create rich integrations by listening to Authentiq’s Security Event Token webhooks. Use a webhook, for instance, to add new users to your newsletter easily. Coming soon!
By enabling Authentiq you make the following authentication methods available to your site’s users.
|Passwordless||Authentiq ID||QR code, PN, Handle||Supported|
|Virtual 2FA||Authentiq ID, Google Authenticator||TOTP||Supported|
|Physical 2FA||YubiKey||USB Token||Coming soon|
|One-time authentication||Magic link||Coming soon|
These methods can work in addition to or in conjunction with your existing login system.
We often see sites that already integrate with social login providers add passwordless authentication via Authentiq ID, giving their users a privacy-aware alternative to signing in with Google or Facebook.
Another common pattern is to use Authentiq Connect to effortlessly add two-step verification on top of usernames and passwords that are kept in-house.
Your favorite OAuth 2.0 or OIDC client library should work out of the box with Authentiq Connect. Do let us know if this is the case, or not.
Below is a list of frameworks that we have native integrations for, or that are otherwise known to work well.
|Nginx / Jenkins||LUA|
|WordPress Social Login||PHP|
Also check our GitHub pages for supported integrations and examples.
What do you think?
A penny for your thoughts… Get in touch with us on firstname.lastname@example.org.
Please report security issues to email@example.com.