BindID Concepts 101

Learn more about BindID from the key concepts below.

Authentication

BindID provides a secure, frictionless authentication experience across all end-user devices and use cases—whether they are logging into your website or mobile app, confirming a transaction, performing a step-up authentication, or contacting your Call Center for support.

With BindID, users authenticate using FIDO-based device biometrics (or native biometrics for mobile apps). These biometric authenticators, such as fingerprint scanners, are already built into the desktop or mobile device. If a user's desktop device doesn’t support FIDO2, they can authenticate using a mobile device that does. For mobile devices that don’t support FIDO2, you can choose an alternative authentication method, such as an email verification code or verification link. Ultimately, users will authenticate using the strongest authentication method available for their device.

The authentication experience itself is branded to the look and feel of your business. You can easily customize the logo, company name, colors, primary message, email templates, and more. An app banner can even be added to mobile-web authentication screens to encourage usage of your native mobile app.

User Registration

With BindID, you don’t need to manage the registration status of users or devices, or explicitly request registration. All you need to do is request user authentication, and BindID will handle all the logic to determine whether to initiate a registration, authentication, or account recovery flow.

When a user authenticates with BindID for the first time, a registration process automatically takes place to register the user, along with their device. In addition to authenticating the user, the user’s email is collected and verified since it will be used to identify their BindID account across all their devices and application/web services (for example, for account recovery).

When a user authenticates to your application for the first time, you’d also want to confirm their identity. This involves running your own authentication process to identify the user in your system, and setting a user alias in BindID that will be returned for subsequent authentications. This means that you don’t need to manage the mapping between BindID users and your user identifiers.

While user registration is implicitly initiated for new users that authenticate, you can also send new users an email with a link that explicitly initiates the registration flow. This can be used to promote user registration, as well as gradually transition users to passwordless authentication.

Account Recovery

BindID allows users to securely regain access to their account from a new device. An account recovery flow automatically begins any time an existing BindID user (identified by their email address) tries to authenticate using a new device. This flow is used to securely register the new device to the existing account by first requiring authorization from a previously registered device.

This can be done in one of two ways. A device-based recovery flow allows the user to register their new device only once they authorize recovery using a device they previously registered. A contact-based recovery flow allows them to get this authorization from their recovery contact—an existing BindID user that they trust and added as their recovery contact from their MyBindID app. In both cases, authorization must be provided using a device that was registered with biometrics since account recovery is a sensitive operation that requires strong authentication.

Note: Aside from recovery flows, users can link devices to their account directly using the MyBindID app. In addition, a desktop device can be linked simply by enabling biometrics on this device upon completing an authentication using a mobile device.
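
The flow selection and recovery authorization rules described above can be modeled in a few lines. This Python sketch is an added illustration, not BindID code or its API; the class, method, and field names are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

@dataclass
class Device:
    device_id: str      # for web apps, one ID per browser
    biometric: bool     # True if registered with FIDO2/native biometrics

@dataclass
class Account:
    email: str
    devices: Dict[str, Device] = field(default_factory=dict)
    recovery_contact: Optional[str] = None  # email of a trusted existing user

class Directory:
    """Toy model of the service-side state; all names are hypothetical."""
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def select_flow(self, email: str, device_id: str) -> str:
        account = self.accounts.get(email)
        if account is None:
            return "registration"          # first authentication ever
        if device_id in account.devices:
            return "authentication"        # known user on a bound device
        return "account_recovery"          # known user on a new device

    def register(self, email: str, device: Device) -> None:
        # Initial registration: binds the first device(s) to the account.
        account = self.accounts.setdefault(email, Account(email))
        account.devices[device.device_id] = device

    def recover(self, email, new_device, authorizer_email, authorizer_device_id) -> bool:
        account = self.accounts.get(email)
        if account is None:
            return False
        # Device-based: the user authorizes. Contact-based: their recovery contact does.
        if authorizer_email not in (email, account.recovery_contact):
            return False
        authorizer = self.accounts.get(authorizer_email)
        device = authorizer.devices.get(authorizer_device_id) if authorizer else None
        # Authorization counts only from a device registered with biometrics.
        if device is None or not device.biometric:
            return False
        account.devices[new_device.device_id] = new_device
        return True
```
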

Registered Devices

A user can have multiple devices that are bound to their account. This list includes any device that they used to authenticate, which is not necessarily the device they used to access their account. For example, a user can log into your website from their desktop device after using their mobile device to authenticate.

For web applications, each browser represents a different device, and is registered separately. In addition, devices may vary in their support for FIDO2 biometrics (based on device model, device OS, browser, etc.). Therefore, the authentication experience may vary across devices.