Strong Authentication

«Clavid gives his SAML, OAUTH and OpenID customers the possibility to move from weak username and passwords to strong authentication»

«Security and flexibility without a compromise in usability!»







There is no global authentication standard accepted by every service provider or web site. Many service providers, especially large firms in the financial or insurance industry, have set up their own PKI (Public Key Infrastructure) to give every user a unique means of access to their IT systems.


There are three kinds of credential for verifying the link between a physical person and a digital identity:

• Knowledge - Something the user knows (password, pass phrase, PIN code)

• Possession - Something the user has (ID card, cell phone, security token)

• Biometric feature - Something the user is (fingerprint, eyes, DNA)


Clavid allows unified digital identity exchange between application service providers and end users without losing data protection. Depending on the required strength of authentication, Clavid supports the following authentication methods (combinations are possible).


NIST Levels


NIST (National Institute of Standards and Technology) is a non-regulatory agency of the United States Department of Commerce. Its recommendation provides technical guidance to Federal agencies implementing electronic authentication and covers remote authentication of users over open networks. It defines technical requirements for each of four levels of assurance in the areas of identity proofing, registration, tokens, authentication protocols and related assertions.


The NIST Electronic Authentication Guideline provides more information on this topic.






NIST Level / Authentication Method

Username / Password
User is verified by a password

OTP 1 Factor
User is verified by an OTP (One Time Password) such as:
- SMS Mobile
- Google Authenticator

OTP 2 Factor
User is verified by a password AND an OTP (One Time Password) such as:
- SMS Mobile
- Google Authenticator

YubiKey 1 Factor
User is verified by a YubiKey

YubiKey 2 Factor
User is verified by a password AND a YubiKey

TiQR
User is verified by TiQR

MySyferLock OTP
User is verified by a MySyferLock OTP

AGSES Card
User is verified by an AGSES card (biometric fingerprint, previously called AXSionics)

X.509 Soft Certificate
User is verified by an X.509 soft certificate (including self-signed certificates)

Swisscom MobileID
User is verified by Swisscom Mobile ID

X.509 Hard Certificate
User is verified by an X.509 certificate stored on a hardware token



Username / Password




The 'classic' authentication method based on username/password lets a user freely choose a username/password pair. The pair is created when signing up for a password-based user account. Although this method is very popular with end users because of its ease of use, it is weak in security. It can nevertheless be a good entry point to OpenID on the platform: the security can be raised at a later stage by moving to a stronger authentication method such as OTP, SSL client certificates or even biometric authentication.


One Time Password (OTP)




A One Time Password is a password that can be used only once and is usually used in addition to a username / password pair. An OTP is valid for one single authentication transaction and cannot be used a second time. Every authentication using an OTP is therefore 'unique'.


The general methods for generating and transferring OTPs are:


• E-Mail

• Cross-off list or TAN list (e.g. transaction number list used for online banking)

• One-time password generators (RSA token, YubiKey, RFC 2289, RFC 4426, OATH HOTP, OATH TOTP, mobile phones, etc.)

• Mobile SMS (Short Message Service to mobile phones)
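As an added example (not code from Clavid or from this page), the OATH HOTP algorithm (RFC 4226) and its time-based variant TOTP (RFC 6238) that Google Authenticator computes, together with a server-side verifier that enforces the single-use property described above. The secret is the RFC 4226 test value; the HotpVerifier class and its look-ahead window are a design assumed for this example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """OATH TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch (what authenticator apps display)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits)


class HotpVerifier:
    """Server-side check that makes each OTP valid for exactly one transaction.
    Assumed design for this example: the server stores the next expected
    counter and accepts a code within a small look-ahead window (the user may
    have generated codes without submitting them). Once a counter is accepted,
    it and every earlier counter are burned, so a replayed code is refused."""

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.next_counter = 0
        self.look_ahead = look_ahead

    def verify(self, submitted: str) -> bool:
        for counter in range(self.next_counter, self.next_counter + self.look_ahead):
            # constant-time comparison so timing does not reveal matching digits
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.next_counter = counter + 1
                return True
        return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"  # RFC 4226 test secret, not a real credential
    checker = HotpVerifier(SECRET)
    first = hotp(SECRET, 0)
    print(first, checker.verify(first), checker.verify(first))  # second use is refused
```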


SSL Client Certificates


If you own an SSL client certificate, you can add the certificate to your clavid account and use it for user authentication to the clavid server. Look for the SSL certificate logo.

Using a certificate avoids the need to enter sensitive data such as your password. The certificate is like your username and password: protect it!



Digital certificates bind an electronic key pair to a person, company, institution or system, and so link a physical entity to a digital identity. Because the authenticity of the key can be verified, digital certificates let third parties protect the confidentiality, authenticity and integrity of data.


• The structure of digital certificates is defined by standards (e.g. the X.509 standard)


• Secure Sockets Layer (SSL) protects service providers as well as end users


• SSL certificates allow encryption of confidential data in online transactions


• Every SSL certificate contains unique, validated information about the owner of the certificate


• Every SSL certificate is issued by a specific issuer that validates the identity of the certificate owner

Certificates usually contain the following information:


1. The name (or unique identification) of the issuer of the certificate

2. Information on the rules and policies under which the certificate has been issued

3. Information on the validity period of the certificate

4. The electronic (public) key certified by the certificate

5. The name (or unique identification) of the owner of the electronic key

6. Additional information about the owner

7. Information on policy and validity

8. A digital signature of the issuer over all of the above information


Accredited providers of qualified certificates according to Swiss signature regulation ZertES/ETSI are the Swiss Post, SwissSign, QuoVadis Trustlink AG as well as the Federal Office for Information Technology, Systems and Telecommunication.


More information about SSL client certificates is available here.


Biometrical Method (Fingerprint)




Biometric fingerprint identification is one of the best-known authentication methods in the field of IT security. Because of their uniqueness and stability over time, fingerprints have become an indispensable means of identifying people in the computer industry.

One of the most innovative producers of biometric security tokens is the company AGSES with its AGSES card.