Biometric security, FIDO, WebAuth, CTAP and security keys.

Green Screens 5250 terminal is the only such product on the market with web and mobile biometric authentication for 5250 protocol.

Technology specification was not cooled down yet, but we are ready and bringing you extremely safe online and cloud solution.

Here we will not write in details what FIDO, FIDO2, WebAuth, CTAP1, CTAP2 and security keys are. Instead, we will give you a short introduction to what is available in the latest version of our product. There is a lot of websites with beautiful explanations like these below which we highly recommend gaining some knowledge about FIDO based security...

and technical details for techies

The most important part of new security technology is to awake people that this is the future which will probably become mandatory over the time as it greatly protects you online.

Passwords only are not enough to protect online accounts for quite a long time now. That's the reason why various schemes are in use today as OTP, SMS confirmation etc. All those techniques belongs to 2FA (2nd factor authentication) group of features. But with WebAuthn, FIDO and biometric, OTP will become obsolete.

Even our product already supports OTP which is generally very safe, it is not without concerns. However, we will not remove OTP feature to be able to support older environments. Yes, there are still clients using MS Windows XP with old browsers which does not and will not support new technologies. We will keep OTP support to ensure increased security for older environments as much as possible. However, it is highly recommended switching to new biometric mode.

This new biometric security brings 2 major protection levels:

Level 1 (CTAP1, U2F) - used to digitally sign credentials upon login which are verified on server side before allowing access
Level 2 (CTAP2, FIDO2) - used to pass wordless login, only authenticator is needed (biometric, security key or pin)

Level 2 is in final draft (March 2019.) and very soon all modern browsers will support it. Currently, Chrome, Firefox and Android 7+ supports Level 1. But have no worry, Level 2 is back compatible and nothing will break. As soon as level 2 will be released, we will publish a server update with unlocked features.

What all that means for end user?

With Level 2 - browsers will be able to use fingerprint readers installed on many laptops and smartphones as a way to login to online services without need for passwords.

As an alternative, there are so-called security keys as Google Titan and Yubico products.

https://cloud.google.com/titan-security-key/
https://www.yubico.com/

They are little devices with BT, NFC or USB connectivity. Browser and Android can communicate with those devices to integrate online logins. They are also a good alternative to support devices without embedded fingerprint readers, for example.

Android devices from version 7 already has support with fingerprint readers, screen patterns etc.

No other requirements needed as drivers, installation procedures etc. except security keys in a form of fingerprint readers, security keys, smartphones and supported browsers.

For the end user, this is ultimately a simple procedure. Just plug in security key, open registration form and enter required data, confirm, and that's it. For smartphones, it is even easier, as there is no need for additional hardware.

When user tries to log in, browser will ask for security key as shown on images below.

NOTE: We added biometric support in our latest product release for April 2019.

Let us show you new biometric options available in the latest release ...

Web Admin console is also possible to protect. If biometric security is enabled, different login screen will show up. Clicking on Authorize, the browser will ask for security key confirmation.

New view is added to the web admin console showing a list of registered tokens / user / IBM i server.

To activate biometric security, select Register Biometric option from main drop down menu. Later, switch to biometric inside Admin Login options.

Conclusion

Web terminal, web admin console and mobile application now fully integrates FIDO1 support. Server side integrates FIDO2 support. With this new security features, Green Screens Terminal service become the most secure option as a mediator between online Internet users and IBM I servers.

Green Screens Terminal service isolates your IBM I from direct access so system admins, and companies having Internet remote access requirements to the IBM I now can sleep peacefully without fear of security breach.