Security Keys (HSMs)

On this page, we dive into Security Keys (HSMs) and how you can use them as another means to authenticate your users.

Security Keys, also called Hardware Security Modules (HSMs), are a type of physical device that can be used to authenticate users. They are a great alternative to using passwords, as they are more secure.

You can use the DevRIFT API to allow your users to login using Security Keys, manage their Security Keys, and more.

Security Keys are a phyical product an end-user must purchase. We support many different Security Keys from different vendors, but we do not sell them ourselves.

How it works

You can use Security Keys with the DevRIFT API as a method of Multi-Factor Authentication or you can use it to allow your users a password-less login. Either way, the process is the same.

When a user wants to login, they will be prompted to insert their Security Key into their computer. The Security Key will then generate a unique code that is sent to the DevRIFT API. The DevRIFT API will then verify the code and allow the user to login.

Setting up the Integration

To use Security Keys with the DevRIFT API, you will need to enable the Security Key feature in the DevRIFT API. You can do this by going to the DevRIFT API Dashboard and clicking on the Security Keys tab.

Once you have enabled the Security Key feature, you may want to configure the Security Key settings. You can do this by clicking on the Settings tab.

You will need to have a Security Key to test the process. We recommend that you obtain a Security Key yourself and test the process before enabling it for your users.

Now you should be ready to build the integration. You should begin by first authenticating with the API. And once you have authenticated yourself with the API, you can begin to add Security Key functionality. First you must add the DevRIFT JavaScript SDK to your website.

You can do this by adding <script src="https://js.devrift.co"></script> to your website.

Below this line, you will need to add the following code:

Adding your Publisher Key

<script>
    // Add your Publisher Key here
    devrift('pk_test_barfoo...');
</script>

You need this so that the DevRIFT JavaScript SDK is able to determine where it should send the Security Key input to.

The Publisher Key is safe to be exposed to the public. See the documentation for more information.

When this is done, and you need to collect a Security Key's input, you'll need to call the function hsm_start. This take an input from the Security Key. Once the Security Key input is taken, it will be sent to the URL that you specified in the DevRIFT API Security Key Settings as a POST request with the data stored in the POST parameter rift_hsm.

Creating a Security Key for an end-user

# You should use a Client Library to make this request
# As it is a bit more complicated than the other requests

Once you have created the Security Key, you can then use it to authenticate your end-users. You can do this by calling the hsm_authenticate function. This function will take the Security Key's input and verify it with the DevRIFT API. If the input is valid, the user will be authenticated.

Authenticating a user with a Security Key

# You should use a Client Library to make this request
# As it is a bit more complicated than the other requests

Going live

When you are ready to go live with this integration, you will need to switch to your live keys.

Make sure that you are ready to go live with this integration before you switch to your live keys. You will be charged for any API requests made with your live keys.

You can't use a live key with a test key; otherwise, the API Request will fail.