Nexus Group

WebCrypto, Invisible Token and Hybrid Access Gateway

Blog post   •   Feb 15, 2016 17:48 GMT

After following the development of WebCrypto for more then three years it is awesome to see how it now slowly becomes implemented by the larger browsers. You can test your browser here.

WebCrypto opens up for very interesting possibilities by enabling native crypto support and secure key storage for web applications (if its secure could absolutely be discussed but it is much better then what we have previously had).

One of the interesting possibilities is an update of Invisible Token. Invisible Token is an authentication mechanism that makes your browser to your second factor by deploying a seed in the browser. When this was first implemented we where limited to local storage for the seed storage. With the introduction of WebCrypto we can import the seed (HMAC key) as non-exportable. In this way it is will be hard for the user or an attacker to extract the seed adding strength to the browser as second factor.

To make use of the WebCrypto implementation of Invisible Token you first need to upgrade to Hybrid Access Gateway 5.6 and then re-create the Authentication Method. It will not be automatically upgraded.