A brief introduction on Co-Auth and the philosophy behind it
Authentication protects you by allowing access only to those who are authorized. It does not protect you during the session itself, which lasts 15-30 minutes on most applications.
Moreover, if the application is intranet based, this gap lasts for the whole lifetime of the logged-in session.
Our Philosophy
Why we think Co-Auth should be part of your software ecosystem
Is SSO, SAML, Oauth, OpenID enough?
While these protect you with authentication, they do not re-affirm identity for sensitive actions after authentication. As a result, everyone ends up building their own X-factor verification / authorization such as OTP, security questions, TOTP, etc.
Pretending we don't share our passwords? What about screens / logged-in sessions?
While this is a policy, it is unfortunate that we knowingly or unknowingly allow people around us access to authenticated systems (even riskier with work from home / anywhere). Even worse, with SSO you are always logged in.
Should your authorization factors be separate systems?
If your core application hosting the passwords were compromised, this layer separation provides added protection by keeping the factors in a separate system.
Don't re-implement
If you have more than one application that needs authorization, why build it again when you can reuse a centrally hosted application?
Leave it to the experts
Best practices matter, not just a functioning module. Choose a solution that is widely adopted and built by the community (once Co-Auth is in production mode).
Bad user experience
Pluggable / Configurable
Switch the auth module if needed without having to rewrite the whole logic, e.g. why not allow access codes over a mobile app instead of SMS / Email / a TOTP during international travel?
Simple, modern but also secure Auth
Co-Auth modules can also be used for simple login authentication such as QR Login or WhatsApp Login.
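The step-up idea described above (re-affirming identity for a sensitive action after login, with the verification module kept pluggable and separate from the session) as an added illustration; this is not Co-Auth's code, and the class names, the 300-second freshness window and the RFC 6238 test secret are assumptions of this example:

```python
import base64, hashlib, hmac, struct

class TotpVerifier:
    """Pluggable verifier module (hypothetical): RFC 6238 TOTP, SHA-1, 30-second step."""
    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6):
        self.key = base64.b32decode(secret_b32)
        self.step, self.digits = step, digits

    def code_at(self, now: int) -> str:
        counter = struct.pack(">Q", now // self.step)          # time-step counter, big-endian
        mac = hmac.new(self.key, counter, hashlib.sha1).digest()
        offset = mac[-1] & 0x0F                                # dynamic truncation (RFC 4226)
        word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
        return str(word % (10 ** self.digits)).zfill(self.digits)

    def verify(self, code: str, now: int) -> bool:
        # Accept the current step and the previous one (clock drift); constant-time compare.
        return any(hmac.compare_digest(self.code_at(now - k * self.step), code) for k in (0, 1))

class StepUpGate:
    """Separate authorization layer: a logged-in session is NOT enough for a sensitive action.

    The session store never sees the second-factor secret; the gate only records when a
    session last passed a verifier, and treats that proof as stale after max_age seconds.
    """
    def __init__(self, verifier, max_age: int = 300):
        self.verifier, self.max_age = verifier, max_age
        self.verified_at = {}  # session_id -> epoch seconds of last successful step-up

    def step_up(self, session_id: str, code: str, now: int) -> bool:
        if self.verifier.verify(code, now):
            self.verified_at[session_id] = now
            return True
        return False  # failed attempts never refresh the timestamp

    def authorize(self, session_id: str, now: int) -> bool:
        last = self.verified_at.get(session_id)
        return last is not None and 0 <= now - last <= self.max_age

if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret "12345678901234567890" in base32.
    gate = StepUpGate(TotpVerifier("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"))
    print("before step-up:", gate.authorize("sess-1", 59))
    print("step-up ok:", gate.step_up("sess-1", "287082", 59))
    print("within window:", gate.authorize("sess-1", 59 + 120))
    print("after window:", gate.authorize("sess-1", 59 + 600))
```

Swapping the verifier for an SMS, push-to-app or WhatsApp module changes only the object passed to the gate, which is the pluggability the page argues for.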