Frequently Asked Questions
Do we write or store anything to the computer's disk or memory?
We do not write anything to disk directly. We do use a secure cookie (see OWASP standards) in the browser's storage, which, depending on browser security settings, is not flushed to disk. The authentication tokens are all one-time use only, stored in RAM, never flushed to disk, and held in RAM only for the minimum amount of time necessary to do their job.
Do we use endpoint 'typed' authentication?
No. For authentication, the Xiid SSO portal recognizes a One-Time-Code (OTC), generated by the Xiid OTC app on the user's out-of-band device, typically the user's smartphone.
The Xiid out-of-band generated OTC does not contain ANY credential information. The end-user does not ever type in or enter their authentication credentials (such as username and/or password) on the endpoint.
Users scan the QR code to identify the screen (window) they will use for logging into the application; the Xiid OTC app on the user's out-of-band device generates the OTC, which is then auto-populated in the SSO portal for the user.
The QR code presented on the SSO portal, which changes every 30 seconds or so (the interval is user defined), does not contain ANY credential information. The QR code ONLY identifies the window that will be 'unlocked' from behind the closed firewall.
All of the authentication responses are digitally signed by the Agent Daemon behind closed firewalls. We use SAML 2.0 or our custom-built REST API for requests coming from client-side identity providers (e.g. O365). The request collector converts these to a narrow, application-aware Smart Hybrid Protocol (SHyP) to communicate with the Xiid Agents. Communications to the LDAP directory service are handled by the LDAP service's required authentication mechanism (e.g. Active Directory LDAP authentication).
All of this is done by the user’s out-of-band device (user’s smartphone), taking the endpoint totally out of the authentication path.
Do we store any of the authentication process on our servers or systems?
No. Xiid does not store, or even know, the full authentication process for customers. Xiid Zero Trust means that Xiid does not trust anything or anybody, not even Xiid itself. All of the authentication process is stored and managed on the LDAP server and accessed via the Xiid Agent Management Portal behind the firewall with all inbound ports closed. The only information we ever gather from customers is the number of active users on Xiid's software, for billing purposes.
Is there any evidence you are using Xiid authentication in the computer's program logs?
No, Xiid does not log anything on client computers or endpoints. The Xiid Agent Daemon running on the LDAP server does not write to the System or Application logs either. Xiid has its own forensic-grade logs stored within a secure database, using a blockchain-inspired hash chain to ensure the logs cannot be modified or tampered with.
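The tamper-evident property described above (each log record committed by a hash that depends on every record before it) can be illustrated with a small hash-chained log. This is an added example, not Xiid's code, and the record fields and the GENESIS anchor are constructed for the illustration:

```python
"""Added example (not Xiid's code): a hash-chained, append-only audit log.
Each entry stores the SHA-256 of the previous entry, so editing or removing
any earlier record breaks verification of every record after it.
Record fields below are constructed for illustration."""
import hashlib
import json
from typing import Any, Dict, List, Optional

GENESIS = "0" * 64  # constructed chain anchor for the first record


def _digest(prev_hash: str, record: Dict[str, Any]) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always hashes identically.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class HashChainLog:
    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []

    def append(self, record: Dict[str, Any]) -> str:
        """Append a record, linking it to the hash of the previous entry; returns the new hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _digest(prev, record)
        self.entries.append({"record": dict(record), "prev": prev, "hash": h})
        return h

    def verify(self) -> Optional[int]:
        """Walk the chain from GENESIS; return the index of the first inconsistent entry, or None."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


if __name__ == "__main__":
    log = HashChainLog()
    log.append({"event": "login", "user": "alice", "ts": 1})   # constructed sample records
    log.append({"event": "login", "user": "bob", "ts": 2})
    log.append({"event": "logout", "user": "alice", "ts": 3})
    print("intact:", log.verify() is None)
    log.entries[1]["record"]["user"] = "mallory"               # simulate tampering
    print("first bad entry:", log.verify())
```

One caveat worth noting: a chain like this detects modification or deletion of any entry that has later entries after it, but silently truncating the tail is only detectable if the latest hash is also anchored somewhere the log writer cannot alter (for example, periodically copied to a separate system).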
Can ‘session monitoring’ malware see you are using our authentication browser?
The only information session monitoring malware can extract from Xiid sessions is the name of the secure cookie, which does not contain any authentication or identity information. The secure cookies are hashed as well, so they cannot be modified. No other session data is stored by Xiid.
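The two cookie properties the FAQ relies on, a session cookie that is not meant to be persisted and a value that cannot be modified without detection, look like this in practice. This is an added example, not Xiid's code: the cookie name, the signing key and the use of an HMAC tag over an opaque random session id are all assumptions made for the illustration, and no identity data is placed in the cookie.

```python
"""Added example (not Xiid's code): a session cookie carrying only an opaque
random id, protected by an HMAC-SHA256 tag so a modified value is rejected.
Cookie name and signing key are constructed for this example."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple

COOKIE_SECRET = b"example-only-secret-key-do-not-reuse"  # constructed; load from a secret store in practice
COOKIE_NAME = "example_session"                           # hypothetical cookie name


def sign(value: str) -> str:
    """Return 'value.tag' where tag is HMAC-SHA256(secret, value)."""
    tag = hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(signed: str) -> Optional[str]:
    """Return the original value if the tag is valid, otherwise None."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(COOKIE_SECRET, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return value


def build_set_cookie_header() -> Tuple[str, str]:
    """Create a new session; returns (session_id, Set-Cookie header value).

    No Max-Age/Expires is set, so the browser treats it as a session cookie rather
    than a persistent one; Secure, HttpOnly and SameSite=Strict restrict where it is
    sent and keep it away from page scripts.
    """
    session_id = secrets.token_urlsafe(32)  # opaque: no username, token or identity data
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = sign(session_id)
    morsel = cookie[COOKIE_NAME]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return session_id, morsel.OutputString()


def session_from_cookie_header(header: str) -> Optional[str]:
    """Parse a request's Cookie header and return the verified session id, or None."""
    cookie = SimpleCookie()
    cookie.load(header)
    if COOKIE_NAME not in cookie:
        return None
    return verify(cookie[COOKIE_NAME].value)


if __name__ == "__main__":
    sid, header = build_set_cookie_header()
    print("Set-Cookie:", header)
    print("valid   ->", session_from_cookie_header(f"{COOKIE_NAME}={sign(sid)}") == sid)
    print("tampered->", session_from_cookie_header(f"{COOKIE_NAME}={sid}.deadbeef"))
```

Malware that can read the cookie jar learns only the cookie name and a random id with its tag; it cannot forge a different id without the server-side key, and the server still has to map the id to a session it holds in memory.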
What Security Enhancement does Xiid RDP Provide?
Xiid does not wrap or modify the RDP protocol, which lets you use any variant of the RDP protocol that may be more secure. Instead, Xiid handles the access and authentication management for the RDP session. Xiid uses a one-time password that is only valid for 30 seconds for all RDP sessions. This credential-less session management blocks man-in-the-middle attacks and prevents malicious software and/or actors from stealing your RDP credentials from the client machine. Connect to your remote computers with the confidence and comfort that your machine is only accessed with highly secure and safe credentials.
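The properties the FAQ attributes to its one-time codes (the OTC in the answers above and the 30-second RDP one-time password here) are the same: a code is held only in memory, is bound to one login window, is accepted at most once, and is discarded on expiry. The store below is an added example, not Xiid's code; the injectable clock and the window id binding are assumptions made so the behaviour can be exercised deterministically.

```python
"""Added example (not Xiid's code): an in-memory store for one-time codes that
expire after 30 seconds and are consumed on first use. The clock parameter is
hypothetical and exists only so expiry can be tested without sleeping."""
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple


class OneTimeCodeStore:
    """Codes live only in this process's memory and are never written anywhere."""

    def __init__(self, ttl_seconds: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.ttl = ttl_seconds
        self.clock = clock
        self._codes: Dict[str, Tuple[str, float]] = {}  # code -> (window_id, issued_at)

    def issue(self, window_id: str) -> str:
        """Generate a fresh code bound to the login window the QR code identified."""
        self._purge()
        code = secrets.token_urlsafe(24)
        self._codes[code] = (window_id, self.clock())
        return code

    def redeem(self, code: str, window_id: str) -> bool:
        """Accept a code once, only for its own window, and only while unexpired.

        The code is removed before any check, so a replay (or a code presented
        to the wrong window) finds nothing to redeem.
        """
        self._purge()
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        bound_window, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return False
        return hmac.compare_digest(bound_window, window_id)

    def _purge(self) -> None:
        """Drop expired codes so they do not linger in RAM longer than needed."""
        now = self.clock()
        expired = [c for c, (_, t) in self._codes.items() if now - t > self.ttl]
        for c in expired:
            del self._codes[c]

    def pending(self) -> int:
        """Number of live (unexpired, unredeemed) codes; useful for monitoring."""
        self._purge()
        return len(self._codes)


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("window-A")          # constructed window id
    print("first use :", store.redeem(code, "window-A"))   # True
    print("replay    :", store.redeem(code, "window-A"))   # False
```

Because the code is bound to the window id that the QR code identified, a code captured from one screen is useless for unlocking a different one, and because the store is purged on every call, a code that was never redeemed disappears from memory 30 seconds after issue.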
Can I Select Multiple 2FA Methods?
Yes. You can select both XiidID and traditional OTP if you would like. Users who have onboarded with a XiidID would then scan the QR code, whereas users onboarded with OTP would enter their username and password, and then the one-time passcode. Because OTP requires users to enter credentials, Xiid strongly recommends the use of XiidIDs over OTP for stronger security.
When Would I Create Multiple Xiid Agents?
An Xiid Agent is bound to one domain, meaning it is effectively bound to one LDAP directory (not to be confused with a directory service). You can have multiple Active Directory servers under one Xiid Agent Daemon; however, the Agent Daemon must be able to communicate with all of those directory services. Consequently, in some cases it is more secure to use separate Agent Daemons operating within separate domains, ideally on separate networks (following best practices for network segmentation).
What Are Group Filters?
Group Filters allow you to control which users in your LDAP directory have access to which groups of external applications. They correspond to the Security Groups in your Active Directory. You cannot use the standard Microsoft-vended Security Groups (such as Users, Domain Users, Domain Administrators, etc.). You can only specify one Security Group in the Group Filters.
What Edition of Office 365 is Required?
Xiid's software requires at least Microsoft 365 Enterprise E3 Edition to use the Office 365 IdP Consumer. Editions below Microsoft 365 Enterprise E3 do not support the authentication mechanisms our software needs.
What Operating System Version Do I Need For My Phone?
For iOS, you need version 13.3 or above. For Android, you need Android 11 or Android 12. To check your phone's operating system version, follow these instructions for iPhone and these instructions for Android.