User:NajemRaja/sandbox

= inWebo Technologies =

inWebo Technologies (inWebo) is a privately held cybersecurity vendor. Founded in 2008 in Paris, inWebo provides organizations with multi-factor authentication (MFA) software solutions that successfully block user impersonation and account takeover attempts.

The company’s software is used in a wide range of sectors, including banking, financial services, healthcare, public transportation, the pharmaceutical industry, hospitality, aerospace and defence, the chemical industry, retail, freight, and real estate. As of April 2018, the company has about 20 clients in the Fortune Global 500 list.

== History ==
inWebo was founded in April 2008 by Didier Perrot, its current CEO. Olivier Perroquin joined the company as its Sales VP in September 2010.

The commercial launch occurred shortly after, in early 2011. In April 2012, inWebo received a “CSPN” security certification from the French Cybersecurity Agency. In April 2013, Olivier Perroquin was appointed General Manager.

Between November 2009 and June 2014, inWebo received several rounds of seed funding from private investors. Bruno Abramatic, who had been appointed CTO in April 2013, stepped down in January 2017. Gilberto Alves Ramos is the current CTO.

== Operations ==
As of April 2018, inWebo operates in Europe and North America. Its R&D is located at the company’s headquarters in Paris. Its 3 sales offices are located in Paris, San Francisco, and Frankfurt.

These offices handle technology and channel partners globally. Technology partners consist essentially of Identity and Access Management (IAM) software vendors, while channel partners are systems and security integrators. inWebo has an indirect sales model.

== Products ==
When inWebo’s authentication solution was first launched in early 2011, it offered a SaaS authentication server, an administrative web console, and 2 user authentication methods: inWebo nCode (applet for Java phones and BlackBerry; mobile app for iOS and Android smartphones) and inWebo Toolbar (web browser extensions and PC/Mac local servers). These were among the first soft-tokens ever developed. This first version of the authentication server already supported RADIUS (for VPN authentication), SAML 2.0 (for authentication to cloud applications), and a web services SOAP API (for authentication to web and mobile portals, but also for user profile provisioning).

In 2012 and 2013, inWebo introduced several major improvements to the solution:


 * inWebo Authenticator, a mobile app for iOS, Android, and Windows Mobile (later, Windows Phone) smartphones. inWebo nCode’s initial offline mode of operation (no signal was needed for the app to issue a one-time password) was complemented with online and push notification modes. For a time, the app also supported a QR code mode, but it required changing the sign-in page to display a code, for which clients showed little or no interest; QR codes are still used, but only during the initial enrollment of the app (pairing). A transaction sealing mode was also added to protect transactions against Man-in-the-Middle attacks. This mode happens to be required in the PSD2 specifications released by the EBA in November 2017.
 * inWebo mAccess, an SDK (software development kit) allowing for the implementation of MFA and transaction sealing in any third-party mobile application or fat client.
 * inWebo Helium, which was the first full-HTML5 browser-based OTP (one-time password) generator, requiring nothing but a small change in a sign-in page to “add” secure authentication to that page, with no installation required in the browser.
 * IWDS (inWebo Directory Synchronization), a Java utility to easily provision user profiles to the authentication server from any LDAP or CSV source.
 * inWebo also introduced the first multi-site authentication platform based on HSMs (Hardware Security Modules). It was initially envisioned to give client organizations direct control over the cryptographic keys used for their authentication tenant (through a key ceremony), but this feature has not found its market.

To date, these components remain the core of inWebo’s product offering. nCode and Toolbar have become obsolete and have been deprecated.

In 2014, inWebo introduced a Password Manager protected by MFA as part of the selfcare portal. However, inWebo kept it in a beta version and eventually decided to stop offering it to end-users.

In 2014 and 2015, inWebo also added support for user groups and policies, and usage reports.

In May 2016, inWebo introduced Virtual Authenticator, an HTML5 authentication method and a modernized version of inWebo Helium. New authentication tenants created after this date come with inWebo Authenticator and Virtual Authenticator as default authentication methods for the Enterprise market. As white-label alternatives, inWebo mAccess and inWebo Helium are authentication methods offered to the Service Provider and ISV markets, requiring more integration but offering deeper customization. At that time, inWebo departed from its visionary user-centric model for MFA. inWebo also added support for local biometrics as a second factor in inWebo Authenticator and inWebo mAccess.

In 2017, inWebo introduced a log API for retrieving logs without having to generate and export manual reports, as well as support for SMS and email OTP.

For 2018, inWebo has announced new major additions to its solution, most of which are already being tested with clients, although no general availability date has been communicated:


 * MFA for Windows Logon
 * IWLA (inWebo Local Authentication), a security framework for local sign-in using a smartphone as a key
 * An LDAP proxy
 * Support for OpenID Connect and SCIM
 * Advanced Adaptive & Behavioral authentication capabilities
 * Authenticator 6, a completely revamped version of inWebo Authenticator, available for smartphones, tablets, and desktops
 * Easier privacy options to help clients with GDPR compatibility

== Technology ==
Known OTP algorithms (TOTP, HOTP) have in common that they are vulnerable to a simple offline brute force attack when their implementation does not rely on a secure element. As the MFA market started to shift from hardware tokens to soft-tokens, it was necessary to design OTP algorithms that could be implemented safely in soft-tokens (e.g., mobile apps, browser extensions, fat clients). For this reason, inWebo has designed, developed, and patented two OTP algorithms, one for offline OTP generation, one for online OTP generation. They differ in their synchronisation characteristics but have in common the use of random dynamic keys that make them resistant to offline brute force attacks.
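To illustrate the static-key property discussed above, here is an added example (not inWebo's code, and not an implementation of its patented algorithms, which this page does not describe): standard HOTP (RFC 4226) and TOTP (RFC 6238) with a server-side verifier. The names `HotpVerifier` and `clone_demo` are hypothetical, and the seed is the published RFC 4226 test secret.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


class HotpVerifier:
    """Server-side check with a look-ahead window and replay rejection."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window
        self.next_counter = 0  # lowest counter value still acceptable

    def verify(self, candidate: str) -> bool:
        last = self.next_counter + self.window
        for c in range(self.next_counter, last + 1):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.next_counter = c + 1  # used and skipped counters are burned
                return True
        return False


SEED = b"12345678901234567890"  # constructed sample: RFC 4226 Appendix D secret


def clone_demo():
    server = HotpVerifier(SEED)
    first = server.verify(hotp(SEED, 0))    # enrolled device, counter 0
    replay = server.verify(hotp(SEED, 0))   # same code again is rejected
    copied = bytes(SEED)                    # a second copy of the static seed
    clone = server.verify(hotp(copied, 1))  # accepted: codes depend only on seed + counter
    return first, replay, clone


if __name__ == "__main__":
    print(hotp(SEED, 0), totp(SEED, 59), clone_demo())
```

Replay rejection stops a reused code, but the verifier has no way to tell two holders of the same static seed apart, which is why the seed's storage matters in a soft-token.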

Also, it is worth noting that the FIDO specifications use signatures instead of OTP. However, to date, since most consumer-level user devices do not have a secure element built-in, the protection of the private key used for the signature still requires an external hardware token or secure element. In contrast, as long as most consumer devices do not provide such a protection, inWebo provides a secure alternative or complement to FIDO, allowing for early and hybrid deployments.