Frequently Asked Questions
Do we write or store anything to the computer's disk or memory?
We do not write anything to disk directly. We use a secure cookie (following OWASP guidance) in the browser's cookie store which, depending on the browser's security settings, is not flushed to disk. The authentication tokens are one-time use, held only in RAM, never written to disk, and kept only for the minimum time needed to do their job. Note that a session cookie (one with no Expires or Max-Age attribute) is normally memory-only, but a browser configured to restore its previous session on startup may persist it; that behaviour is controlled by the browser, not by Xiid.
Do we use endpoint 'typed' authentication?
No. For authentication, Xiid's SSO portal accepts a One-Time Code (OTC) generated by the Xiid OTC app on the user's out-of-band device, typically the user's smartphone.
The out-of-band generated OTC does not contain ANY credential information. The end user never types or enters authentication credentials (such as a username or password) on the endpoint.
Users scan the QR code to identify the screen (window) they are logging in to; the Xiid OTC app on the out-of-band device generates the OTC, which is then auto-populated into the SSO portal for the user.
The QR code shown on the SSO portal, which rotates at a configurable interval (e.g. every 30 seconds), does not contain ANY credential information. It ONLY identifies the window that will be 'unlocked' from behind the closed firewall.
All authentication responses are digitally signed by the Agent Daemon running behind the closed firewall. Requests from client-side identity providers (e.g. O365) arrive over SAML 2.0 or Xiid's custom-built REST API; the request collector converts them to a narrow, application-aware Smart Hybrid Protocol (SHyP) to communicate with the Xiid Agents. Communication with the LDAP directory service uses that service's own required authentication mechanism (e.g. Active Directory LDAP authentication).
All of this is done from the user's out-of-band device (the smartphone), so the endpoint never handles credentials and is taken out of the authentication path.
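The following is an added illustration of the QR-plus-out-of-band-code flow described above. It is not Xiid's code and does not describe Xiid's actual protocol; the key derivation, the 30-second rotation, the 8-character code and the one-step grace period are all assumptions chosen for the example. What it shows is the property the FAQ claims: the QR payload carries only a window identifier and a rotating nonce, the code is computed on the phone from a key the endpoint never sees, and a code is accepted exactly once.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumed parameters: the page only says the QR rotates "e.g. 30 seconds (user defined)".
WINDOW_SECONDS = 30
CODE_LENGTH = 8          # characters in the one-time code shown by the phone app


def _time_step(now):
    return int(now) // WINDOW_SECONDS


def compute_otc(device_key, window_id, nonce):
    """Out-of-band device side (hypothetical): derive the one-time code from the
    scanned QR payload and the key enrolled on the device. No username or
    password is involved, and the endpoint never sees device_key."""
    mac = hmac.new(device_key, f"{window_id}:{nonce}".encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:5]).decode()[:CODE_LENGTH]


def scan_and_respond(device_key, qr_payload):
    """Phone app side: parse the QR and produce the code the portal will auto-populate."""
    window_id, nonce = qr_payload.split(":", 1)
    return window_id, compute_otc(device_key, window_id, nonce)


class Portal:
    """Hypothetical SSO portal side: issues QR payloads and verifies one-time codes."""

    def __init__(self, server_key, device_keys):
        self.server_key = server_key      # secret for deriving the rotating QR nonce
        self.device_keys = device_keys    # user -> key enrolled on that user's device
        self.open_windows = set()         # login screens still waiting for a code

    def open_window(self):
        """Called when a login screen is rendered; returns its opaque identifier."""
        window_id = secrets.token_hex(8)
        self.open_windows.add(window_id)
        return window_id

    def _nonce(self, window_id, step):
        mac = hmac.new(self.server_key, f"{window_id}:{step}".encode(), hashlib.sha256).digest()
        return base64.b32encode(mac[:10]).decode()

    def qr_payload(self, window_id, now=None):
        """What the QR encodes: the window id plus a nonce that changes every
        WINDOW_SECONDS. Neither part is a credential."""
        now = time.time() if now is None else now
        return f"{window_id}:{self._nonce(window_id, _time_step(now))}"

    def verify_otc(self, user, window_id, otc, now=None):
        """Accept a code for the current step or the one just before it (the QR
        may rotate while the user is scanning), then close the window so the
        same code can never be used again."""
        now = time.time() if now is None else now
        if window_id not in self.open_windows or user not in self.device_keys:
            return False
        step = _time_step(now)
        for candidate in (step, step - 1):
            expected = compute_otc(self.device_keys[user], window_id,
                                   self._nonce(window_id, candidate))
            if hmac.compare_digest(expected, otc):
                self.open_windows.discard(window_id)   # one-time: the window is consumed
                return True
        return False
```

Because the window identifier is consumed on the first successful verification, a code captured by malware on the endpoint is useless once the legitimate login has completed, and a code that is never used expires with the nonce rotation.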
Do we store any of the authentication process on our servers or systems?
No. Xiid does not store, or even have visibility into, the full authentication process for customers. Xiid Zero Trust means that Xiid does not trust anything or anybody, not even Xiid itself. The entire authentication process is stored and managed on the customer's LDAP server and accessed via the Xiid Agent Management Portal behind the firewall, with all inbound ports closed. The only information we ever gather from customers is the number of active users of Xiid's software, for billing purposes.
Is there any evidence that you are using Xiid authentication in the computer's program logs?
No. Xiid does not log anything on client computers or endpoints, and the Xiid Agent Daemon running on the LDAP server does not write to the System or Application event logs either. Xiid keeps its own forensic-grade logs in a secure database, using a blockchain-inspired hash chain so that any modification or tampering of the stored log entries can be detected.
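As an added example (not Xiid's implementation, whose storage format is not described on this page), here is the usual shape of a "blockchain-inspired" tamper-evident log: each entry stores the hash of the previous entry and its own hash over that link plus its record, so changing any retained entry breaks every hash after it. The log records below are constructed sample events.

```python
import hashlib
import json

GENESIS = "0" * 64   # link stored in the first entry


def _entry_hash(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class HashChainedLog:
    """Append-only log where every entry commits to the entry before it."""

    def __init__(self):
        self.entries = []   # each: {"prev": link, "record": dict, "hash": own hash}

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = _entry_hash(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": h})
        return h

    def head(self):
        """Hash of the newest entry; anchor this somewhere the DB admin cannot reach."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self):
        """Walk the chain; return (True, None) or (False, index_of_first_bad_entry)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or _entry_hash(prev, e["record"]) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def build_sample_log():
    """Constructed sample events, not real Xiid log data."""
    log = HashChainedLog()
    log.append({"ts": "2024-01-01T09:00:00Z", "event": "otc_verified", "user": "alice"})
    log.append({"ts": "2024-01-01T09:00:01Z", "event": "session_opened", "user": "alice"})
    log.append({"ts": "2024-01-01T09:30:00Z", "event": "session_closed", "user": "alice"})
    return log
```

The chain detects edits to retained entries but not silent truncation of the tail, because a shorter chain is still internally consistent. That is why `head()` exists: the current head hash must be anchored outside the database (signed, or written to a separate append-only store) for the "cannot be tampered with" property to hold against someone who controls the database.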
Can 'session monitoring' malware see that you are using our authentication in the browser?
The only information session-monitoring malware can extract from a Xiid session is the name of the secure cookie, which contains no authentication or identity information. The cookie value carries a hash-based integrity check so that any modification to it is detected and rejected. No other session data is stored by Xiid.
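The following is an added example of the secure session cookie described in the two cookie answers above; it is not Xiid's code, and the cookie name `xsid` and the tag format are assumptions. It shows the attribute set a secure cookie needs (Secure, HttpOnly, SameSite, no Max-Age or Expires so the browser treats it as a session cookie), an opaque value that carries no identity information, and the caveat that the integrity check must be keyed: a plain unkeyed hash can be recomputed by whoever edits the value.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "xsid"     # assumed name; the page does not give the real cookie name
TAG_LEN = 32             # hex characters of MAC kept in the cookie value


def _keyed_tag(secret, session_id):
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()[:TAG_LEN]


def unkeyed_tag(session_id):
    """The weak alternative: a bare hash that anyone can recompute after editing the id."""
    return hashlib.sha256(session_id.encode()).hexdigest()[:TAG_LEN]


def issue_session_cookie(secret, session_id=None):
    """Return (session_id, Set-Cookie header). The value is an opaque random id
    plus a keyed tag; it carries no username, password or token. No Max-Age or
    Expires is set, so browsers treat it as a session cookie kept in memory."""
    session_id = session_id or secrets.token_hex(16)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = f"{session_id}.{_keyed_tag(secret, session_id)}"
    morsel = cookie[COOKIE_NAME]
    morsel["secure"] = True        # only sent over HTTPS
    morsel["httponly"] = True      # not readable by page scripts
    morsel["samesite"] = "Strict"  # not attached to cross-site requests
    morsel["path"] = "/"
    return session_id, cookie.output(header="Set-Cookie:")


def verify_session_cookie(secret, value):
    """Return the session id if the keyed tag is valid, else None."""
    try:
        session_id, tag = value.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(_keyed_tag(secret, session_id), tag):
        return None
    return session_id


def verify_unkeyed_cookie(value):
    """Same check with the unkeyed tag, to show it does not stop tampering."""
    try:
        session_id, tag = value.split(".", 1)
    except ValueError:
        return None
    return session_id if hmac.compare_digest(unkeyed_tag(session_id), tag) else None
```

Note that `HttpOnly` keeps the value away from page scripts, but malware running on the endpoint with browser-process access can still read the cookie name and value; the keyed tag stops it from altering the value, and the opaque id ensures the value reveals nothing about the user.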
What Security Enhancement does Xiid RDP Provide?
Xiid does not wrap or modify the RDP protocol, so you can use whichever RDP variant or hardening (such as TLS and Network Level Authentication) you consider most secure; the session's transport security remains RDP's own. Xiid instead handles access and authentication management for the RDP session, issuing a one-time password that is valid for only 30 seconds. Because no long-lived credential is ever present on the client machine, malware or a malicious actor that captures what the client sends obtains only a password that has already been consumed or is about to expire, so stolen RDP credentials cannot be replayed against your remote computers.
What Internet Browsers are supported for Xiid?
Currently Google Chrome, Mozilla Firefox, and Microsoft Edge are the only supported browsers for all of Xiid's software. Other browsers may also work depending on their support for Angular. Internet Explorer is not supported now and will not be supported in the future.
Can I Select Multiple 2FA Methods?
Yes. You can enable both XiidID and Legacy MFA if you wish. Users who onboarded with a XiidID scan the QR code, whereas users onboarded with OTP enter their username and password followed by the one-time password. Because Legacy MFA requires users to enter credentials on the endpoint, Xiid strongly recommends XiidIDs over OTP for stronger security.
When Would I Create Multiple Active Directory Agents?
A Xiid Agent needs to be in the same subnet as the Active Directory it communicates with. So if you have multiple domains in a properly segmented forest, you need an Active Directory Agent adjacent to each directory.
What Edition of Office 365 is Required?
Xiid's software requires at least Microsoft 365 Enterprise E3 to use the Office 365 Xiid Application. Editions below Microsoft 365 Enterprise E3 do not support the authentication mechanisms our software needs.
What Operating System Version Do I Need For My Phone?
For iOS, you need version 13.3 or above. For Android, you need Android 11 or Android 12. To check your phone's operating system version, follow Apple's instructions for iPhone or Google's instructions for Android.
I don't see all of the Tabs in the Agent Management Portal
If you only see the Authenticators and Dashboard tabs in the Agent Management Portal, you must create an initial Authenticator before the other tabs become available. After you have created your first Authenticator, if you still see only four tabs (Dashboard, Authenticators, XOTC, and Applications), click the switch labeled Advanced Mode in the top right corner to enable all available configuration options.
What is a Tag?
Tags are used throughout the Xiid.IM Agent components to group similar components together. For example, you can create a group of Firewalls by specifying a Tag while creating each Firewall component. That Firewall Tag can then be selected during SSO Portal creation, which includes every firewall rule sharing the Tag.