Digital certificate authentication of the visitor and their web browser is part of the HTTPS protocol and is supported in all major web servers: Apache, NGINX, etc. After the TLS/SSL handshake is successfully completed, data from the certificate is made available as environment variables. Here is more information on the environment variables in Apache.
Pseudo-NYMSM's approach to authentication supports both lightweight integration, where metadata from the certificate is used to identify the visitor and allow access to their account, and full FIDO-level integration, where the public key identifies the visitor and is associated with their account.
Application Integration: Lightweight
Many websites are informational and do not involve high-risk services or transactions. As a result, they can rely on Pseudo-NYMSM's service to replace passwords with minimal integration. The NYMSM credentials provided by Pseudo-NYMSM include the email address of the visitor. Most websites have the email address of their subscribers. After the HTTPS exchange is complete, the email address of the visitor is extracted from the credential and is available to the underlying application.
- For Apache, the environment variable is: SSL_CLIENT_S_DN_Email. This variable is easily displayed and accessible by the application. Just try our demo to see an example.
After the successful completion of the HTTPS handshake, the underlying application can identify the visitor by their email address and allow access to their account. It's that simple.
Application Integration: FIDO
For high-risk sites and services, our approach also allows for FIDO-level authentication, where a public key is associated with an end user and their accounts. This can be done by accessing another environment variable.
- For Apache that variable is SSL_CLIENT_CERT. This variable is also easily available and displayed in our demo.
Because a certificate contains a public key, the certificate is considered unique and, using the FIDO methodology of authentication, can be associated with the visitor's accounts. While this approach involves changing the website's identity data to include a certificate and associate it with an account, it is 'FIDO ready' and extremely secure.
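The following is an added example, not Pseudo-NYMSM's code or the demo's, showing how an application behind Apache would consume the two variables described in the Lightweight and FIDO sections above. It assumes Apache with mod_wsgi exposing the SSL_* variables in the WSGI environ (which requires SSLOptions +StdEnvVars +ExportCertData on the location), reads SSL_CLIENT_VERIFY before trusting either value, and, because the standard library has no X.509 parser, identifies the certificate by the SHA-256 fingerprint of its DER bytes instead of extracting the public key itself. SAMPLE_ENV, the placeholder certificate body, and the two account tables are constructed for the example.

```python
import base64
import hashlib
from typing import Mapping, Optional

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed sample of what Apache mod_ssl exports after a successful
# client-certificate handshake. The certificate body is a placeholder
# (base64 of the bytes 0x00..0x09), not a real X.509 certificate.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_Email": "Alice@example.com",
    "SSL_CLIENT_CERT": BEGIN + "\nAAECAwQFBgcICQ==\n" + END + "\n",
}

# Constructed account tables, as the site might hold them (hypothetical ids).
ACCOUNTS_BY_EMAIL = {"alice@example.com": "acct-1001"}
ACCOUNTS_BY_FINGERPRINT: dict = {}


def handshake_verified(env: Mapping[str, str]) -> bool:
    """mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the client chain
    validated; with SSLVerifyClient optional it can be NONE or FAILED:<reason>,
    and the other SSL_CLIENT_* values must not be trusted in that case."""
    return env.get("SSL_CLIENT_VERIFY") == "SUCCESS"


def verified_client_email(env: Mapping[str, str]) -> Optional[str]:
    """Lightweight integration: the email from the verified certificate's
    subject (SSL_CLIENT_S_DN_Email), falling back to the first subjectAltName
    rfc822Name entry, which Apache 2.4 exports as SSL_CLIENT_SAN_Email_0."""
    if not handshake_verified(env):
        return None
    email = env.get("SSL_CLIENT_S_DN_Email", "").strip()
    if not email:
        email = env.get("SSL_CLIENT_SAN_Email_0", "").strip()
    return email.lower() or None


def certificate_fingerprint(env: Mapping[str, str]) -> Optional[str]:
    """FIDO-style integration: a stable identifier for the presented
    certificate, derived from SSL_CLIENT_CERT (PEM). The standard library has
    no X.509 parser, so this hashes the DER bytes (the SHA-256 fingerprint)
    rather than extracting the public key itself."""
    if not handshake_verified(env):
        return None
    pem = env.get("SSL_CLIENT_CERT", "")
    start, stop = pem.find(BEGIN), pem.find(END)
    if start < 0 or stop < 0 or stop < start:
        return None
    # Proxies sometimes flatten the PEM onto one line; drop all whitespace.
    body = "".join(pem[start + len(BEGIN):stop].split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        return None
    return hashlib.sha256(der).hexdigest() if der else None


def enroll_certificate(env: Mapping[str, str], account_id: str) -> str:
    """Bind the presented certificate to an account. Done once, by a user who
    is already authenticated some other way (e.g. the lightweight path)."""
    fp = certificate_fingerprint(env)
    if fp is None:
        raise ValueError("no verified client certificate to enroll")
    ACCOUNTS_BY_FINGERPRINT[fp] = account_id
    return fp


def authenticate(env: Mapping[str, str], strong: bool = False) -> Optional[str]:
    """Return the account id the visitor may access, or None.
    strong=False: identify by verified email (Lightweight section).
    strong=True:  identify by enrolled certificate (FIDO section)."""
    if strong:
        fp = certificate_fingerprint(env)
        return ACCOUNTS_BY_FINGERPRINT.get(fp) if fp else None
    email = verified_client_email(env)
    return ACCOUNTS_BY_EMAIL.get(email) if email else None


def application(environ, start_response):
    """Minimal WSGI entry point: mod_wsgi passes the SSL_* variables in
    environ. Paths under /secure require the enrolled-certificate path."""
    strong = environ.get("PATH_INFO", "").startswith("/secure")
    account = authenticate(environ, strong=strong)
    if account is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"client certificate not verified or not enrolled\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"account {account}\n".encode()]
```

Two design points worth keeping when adapting this: the SSL_CLIENT_VERIFY check is what turns "a variable is present" into "the handshake actually validated the certificate", and the fingerprint binding means a renewed certificate (new DER bytes, same key) must be re-enrolled; binding to the SubjectPublicKeyInfo with a real X.509 library avoids that re-enrollment.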
Some well known open source content management systems have add on modules to support certificate authentication, including Drupal.