How Comp Portal Authentication Works

ZEFA Zero Effort Authentication® steers clear of all password pitfalls simply by not using passwords. No dedicated physical token is used either.
Layered security scales from no authentication at all to strong authentication.

Incremental Factors

*     location by workstation IP address
**    + email password (weak when the one-time passcode is delivered by email, since the factor is then only as strong as the email account)
***   + mobile phone possession (strongish)
****  + mobile phone location
***** + speaker recognition (strong)

User provisioning

The user's role code in the customer data defines the layout of the Comp Portal front page.

Roles can be defined as borrower, guarantor, supplier and so on.
Non-secret user identification data is needed: email address, mobile phone number, postal code and country.

All postal areas from which the user needs to access Comp Portal.

A user-specific security policy, if necessary: one-time passcode length, allowed reuse count, session length and secure link validity.

Initial authentication

The user opens an anonymous web page and supplies his/her email address, mobile phone number and user ID. Comp Portal returns a secure link by email.

At this point the user is identified by one factor only: the workstation IP address, which places the workstation at country level (on its own a weak factor).

The user receives a digitally signed secure link in his/her email. When it is clicked, Comp Portal sends a one-time passcode to the user's mobile phone and the workstation prompts for it. If the passcode is correct, Comp Portal opens the front page containing entry points for the available applications.

Authentication security is now "strongish": it rests on knowledge of the email account password and possession of the mobile phone.
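
The initial-authentication flow above, as an added worked example; this is not APLcomp's code and does not describe ZEFA's actual implementation. The secure link is an HMAC-SHA256 over a link id, the user ID and an expiry taken from the user's policy; clicking it generates a one-time passcode of the policy's length, "sends" it to the registered phone, and the passcode is single-use, time-limited and burned after a few wrong entries; the workstation IP is matched to the user's country before any link is issued. The user record, the IP-prefix-to-country table, the portal URL, the policy field names, the 300-second passcode validity and the outboxes standing in for the email and SMS gateways are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Hypothetical signing key; a real deployment would load it from a key store.
SERVER_KEY = b"example-signing-key-not-for-production"

@dataclass
class Policy:
    """User-specific policy (field names are assumptions). 'Allowed reuse
    count' is modelled as the number of wrong OTP entries tolerated."""
    otp_length: int = 6
    otp_max_attempts: int = 3
    link_validity_s: int = 600
    session_length_s: int = 1800

@dataclass
class User:
    userid: str
    email: str
    phone: str
    country: str
    policy: Policy = field(default_factory=Policy)

# Constructed directory and IP-prefix-to-country table (toy data, not real).
USERS = {"u1001": User("u1001", "alice@example.com", "+358401234567", "FI")}
IP_COUNTRY = {"10.1.": "FI", "10.2.": "SE"}

# Outboxes record what the server would have emailed/texted so the flow
# runs offline. PENDING holds links and passcodes awaiting completion.
EMAIL_OUTBOX, SMS_OUTBOX = [], []
PENDING, SESSIONS = {}, {}

def country_of(ip):
    return next((c for pfx, c in IP_COUNTRY.items() if ip.startswith(pfx)), None)

def _sign(payload):
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

def request_link(userid, email, phone, ip, now=None):
    """Step 1 (anonymous page). Factor 1 is the workstation IP at country
    level. All failures look alike so the page reveals nothing."""
    now = time.time() if now is None else now
    user = USERS.get(userid)
    if not user or user.email != email or user.phone != phone:
        return None
    if country_of(ip) != user.country:
        return None
    link_id = secrets.token_urlsafe(16)
    expires = int(now + user.policy.link_validity_s)
    payload = f"{link_id}|{userid}|{expires}"
    token = f"{payload}|{_sign(payload)}"      # signed, time-limited link
    PENDING[link_id] = {"userid": userid}
    EMAIL_OUTBOX.append((email, f"https://portal.example/auth?t={token}"))
    return token

def open_link(token, now=None):
    """Step 2 (link clicked). Verify signature and validity window, then
    generate the one-time passcode and 'send' it to the registered phone."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return None
    link_id, userid, expires, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{link_id}|{userid}|{expires}")):
        return None
    if now > int(expires) or link_id not in PENDING:
        return None
    user = USERS[userid]
    otp = "".join(secrets.choice("0123456789") for _ in range(user.policy.otp_length))
    PENDING[link_id].update(otp=otp, attempts=0, otp_expires=now + 300)
    SMS_OUTBOX.append((user.phone, otp))
    return link_id

def verify_otp(link_id, code, now=None):
    """Step 3 (workstation prompt). A correct passcode opens a level-3
    ('strongish') session; the code is single-use and burned after misses."""
    now = time.time() if now is None else now
    p = PENDING.get(link_id)
    if not p or "otp" not in p or now > p["otp_expires"]:
        return None
    user = USERS[p["userid"]]
    if not hmac.compare_digest(code, p["otp"]):
        p["attempts"] += 1
        if p["attempts"] >= user.policy.otp_max_attempts:
            PENDING.pop(link_id, None)
        return None
    PENDING.pop(link_id)                         # one-time: no replay
    sid = secrets.token_urlsafe(24)
    SESSIONS[sid] = {"userid": user.userid, "level": 3,
                     "expires": now + user.policy.session_length_s}
    return sid
```

The signature covers the expiry, so a link cannot be extended by editing the URL, and the passcode is tied to the link id rather than to the user, so a passcode obtained for one link cannot be entered against another.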

Hardening of security

The Comp Portal front page displays two additional passcodes, a geokey and a voicekey, with which the user can raise the session security level and thereby gain access to more privileged applications.

The user starts the ZEFA mobile application on his/her phone, enters the geokey and sends it from the phone to the ZEFA web server.

The server determines whether the phone was located, at that moment, within one of the user's allowed postal areas.

It also checks whether any entry time constraints apply to that area.

Security now rests on the email account, mobile phone possession and mobile phone location, on top of the workstation IP address.

If the user also dictates the voicekey into the ZEFA mobile application, the ZEFA web server receives the spoken code and verifies it against the user's voiceprint.
If speaker recognition is positive, the authentication includes a biometric factor and is classed as strong.

The ZEFA web server then activates new functions in Comp Portal in line with the policy settings for the user's role.

The geokey and voicekey can be integrated.
It then suffices that the user dictates a single code into the ZEFA mobile application, which uses it for both geolocation and voiceprint verification.

The user thus need not type anything into the mobile application, only speak a single code into his/her mobile phone.
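
The geokey step-up described above, as an added example; this is not APLcomp's code and does not describe ZEFA's actual implementation. The geokey shown on the front page is a short random code bound to the browser session with a short validity; the phone app returns it together with the phone's location, here already resolved to country and postal code, and the server checks that location against the user's provisioned postal areas and their entry-time constraints before raising the session level. The voicekey/voiceprint check is not modelled. The user, the allowed areas and time windows, the session store and the two-minute geokey validity are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, time as dtime
from typing import Optional

@dataclass
class AreaRule:
    """One allowed postal area with an optional entry-time window."""
    country: str
    postal_code: str
    open_from: Optional[dtime] = None     # None = no entry time constraint
    open_until: Optional[dtime] = None

# Constructed provisioning data for one user (assumption, not real policy):
# office area usable 07:00-19:00, home area at any time of day.
ALLOWED_AREAS = {
    "u1001": [AreaRule("FI", "00100", dtime(7, 0), dtime(19, 0)),
              AreaRule("FI", "02600")],
}

# A level-3 session as left by the initial authentication (constructed).
SESSIONS = {"sess-abc": {"userid": "u1001", "level": 3}}
GEOKEYS = {}                          # geokey -> (session_id, expiry)
GEOKEY_TTL = timedelta(seconds=120)   # assumed validity of a displayed geokey

def issue_geokey(session_id, now_iso):
    """Front page shows a short code the user types (or dictates) into the
    phone app. The code binds the phone-side proof to this browser session."""
    sess = SESSIONS.get(session_id)
    if sess is None or sess["level"] < 3:
        return None
    code = "".join(secrets.choice("0123456789") for _ in range(8))
    GEOKEYS[code] = (session_id, datetime.fromisoformat(now_iso) + GEOKEY_TTL)
    return code

def area_allows(rule, country, postal_code, at):
    """Area must match; if it carries a time window, 'at' must fall inside it."""
    if (rule.country, rule.postal_code) != (country, postal_code):
        return False
    if rule.open_from is None or rule.open_until is None:
        return True
    return rule.open_from <= at.time() <= rule.open_until

def submit_geokey(code, phone_country, phone_postal_code, at_iso):
    """Phone app sends the geokey with the phone's location, here already
    resolved to country + postal code. The server checks the area and its
    entry-time rule and, on success, raises the bound session to level 4."""
    entry = GEOKEYS.pop(code, None)      # single use, whatever the outcome
    if entry is None:
        return False
    session_id, expiry = entry
    at = datetime.fromisoformat(at_iso)
    if at > expiry:
        return False
    sess = SESSIONS[session_id]
    rules = ALLOWED_AREAS.get(sess["userid"], [])
    if not any(area_allows(r, phone_country, phone_postal_code, at) for r in rules):
        return False
    sess["level"] = max(sess["level"], 4)
    return True
```

Consuming the geokey on first submission, whether or not the check passes, means a code observed on the user's screen cannot be replayed from a second phone, and the short validity limits how long a displayed code is worth capturing.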

Remote Graphical Desktop

Comp Financial System runs its desktop applications on a remote GUI desktop.

The user experience is the same as if the application were running locally on the user's own workstation.

Logging into desktop applications from Comp Portal takes place automatically, as a machine-to-machine login, without user intervention.

The necessary thin client is installed automatically by the browser as a Java plugin (note that current browsers no longer run Java plugins, so this delivery mechanism is dated).

Privacy

ZEFA authentication does not drain the phone battery, since location is resolved only on demand.

The user's location is not tracked unintentionally.

Neither the web browser nor the mobile phone stores any interim secret locally.

Session control is HTTP-only and managed solely by the ZEFA web server.

Patent applications:

PCT/FI2010/050773, WO 2011/055002

PCT/FI2011/050380, WO 2012/045908

PCT/FI2012/050630
UK 1211452.6

Finnish utility model No 9059

"ZEFA Zero Effort Authentication" is a trademark of APLcomp Oy, Reg. No 009863961