Grove Information Systems

MIRACL - Passwordless Multi Factor Authentication

MIRACL helps any organisation replace insecure
passwords, complex 2FA and expensive SMS
authentication - with a simple PIN. Purpose-built
for sectors where any additional security drives
users away, it uses cryptography licensed to
Experian, Google, the USAF and Intel to block
99.9% of attacks. All done whilst reducing overall
costs.

Features

• Strong Multi Factor Authentication (MFA, 2FA, 2+FA) as a service
• Inexpensive PAYG SaaS contract with no termination notice
• Standards based API/SDK allows cross platform, OS independent deployment
• Federate and offload authentication with OIDC, SAML2.0, ADFS and RADIUS
• SAML2.0 solution allows IdP and SP initiated SSO authentication
• Hands-off access to second device browser session via Mobile App
• Python, Django, NodeJS, Ruby, PHP, Java, .NET and more supported
• Dynamically revoke and refresh user secrets without disrupting users
• Real-time reporting and control of end point devices improving admin
• Passwordless, no credentials database and no sensitive information transmitted

Benefits

• Enhance authentication security whilst improving usability
• Meet the Strong Customer Authentication (SCA) requirements of PSD2
• Improve User Experience (UX) reducing user churn and increasing retention
• Reduce GDPR and Brand risks from credential hacking and misuse
• Replace SMS two step authentication and reduce costs
• Works with all browsers and mobile apps, cross platform deployment
• Eliminate user credentials databases to reduce data breaches
• Zero-knowledge proof protocol = no sensitive information transmitted
• Renders phishing, MITM, replay and all automated attacks ineffective
• Every user-device has cryptographic secret allowing dynamic linking and signing

£0 a transaction

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pwitheridge@groveis.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

411728420432071

Contact

Philip Witheridge
+44 207 493 6741
pwitheridge@groveis.com

Service scope

• Software add-on or extension: Yes, but can also be used as a standalone service
• What software services is the service an extension to: Although the MIRACL Trust ID service can operate; independently by integrating directly with your; website/app/service, it can also be integrated to; Identity Access Management (IAM) platforms and; link to all Single Sign On (SSO) systems.
• Cloud deployment model:
  • Public cloud
  • Private cloud
  • Hybrid cloud
• Service constraints: No constraints in regards to cloud Digital Signing, which is provisioned as a service with better than 99.9% up-time. Private Cloud, Hybrid Cloud or On-Premise installations subject to final specification of customer. Federation of user authentication should be done via established standards such as; OIDC.
• System requirements:
  • MIRACL Trust ID subject to integrating the APIs and SDKs
  • Mobile app minimum version requirements: iOS 8 and Android 4.1
  • Software-only solution requiring neither a dongle nor a smartphone
  • Supports all browsers with a consistent interface cross platform

User support

• Email or online ticketing support: Yes, at extra cost
• Support response times: Will vary depending on the service level a client qualifies for/opts for. Details available in the service definition and pricing documents. The; basic service offers business hours email support within 48 hours whilst the premium plus service offers a 24/7 service within 1 hour response. No difference in the response time at weekends.
• User can manage status and priority of support tickets: No
• Phone support: Yes
• Phone support availability: 24 hours, 7 days a week
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: We offer 3 levels of support: 1) A basic free service - business hours and limited out of hours.; 2) A premium service - 24/7 standard service and shared account manager. 3) A premium+ service - 24/7 customer defined service and dedicated account manager. The level of service included for; free will depend on size of client (number of authentications). Clients can further opt to upgrade their level of support for an additional; cost and even tailor the support for their requirements of none of the described support levels fit.
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: User documentation is provided for admin users; for integration as well as user documentation for; the service. Further online or onsite training is also available depending on client size/whether; required. The MIRACL Trust ID Platform utilizes a; distributed cryptography scheme to ensure high; security for its key-generation and authentication; services. The scheme incorporates two or more; Distributed Trusted Authority (D-TA) servers, which; are the core of MIRACL’s distributed; cryptosystem. For a typical hosted service,; MIRACL provides two physically and; geographically separated D-TAs for each partner.; In some cases though, it is a requirement for a; partner to self-host one of the D-TAs, in which; case MIRACL provides an On-Premise D-TA; which can be installed on the partner’s premises; and connected to the MIRACL Trust Platform.; MIRACL provides documentation to describe how; to setup such an On-Premise D-TA on Windows-; based servers.
• Service documentation: Yes
• Documentation formats:
  • HTML
  • PDF
• End-of-contract data extraction: This is not applicable. The service has been; engineered to avoid GDPR risk associated with; client data. No data stored by MIRACL of any; value to customer or end-client.
• End-of-contract process: Standard SaaS offering is free to implement with; ongoing pricing based on PAYG invoicing in; arrears with no contract notice period. Basic; support level is included with further support levels; available at an additional cost. Some advanced; features of the service such as management APIs; are for an additional cost. See pricing document; for further details. For On Premise, Hybrid Cloud; and Private Cloud implementation is included in; the price of the 12 months contract subject to 30; day notice prior to automatic contract rollover.; Total cost of of contract is dependant on features; required, see pricing document for further details.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Service Provider as Buyer - all functions are customised from a browser. As an enterprise service we do not recommend configuring service from a mobile device. End-User as Customer - MIRACL Trust ID service is cross platform and almost all primary functions are identical. Mobile apps can support additional functions such as daisy-chaining enrolment of devices and remotely authenticating an unsecure desktop.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: Buyer admin user - all functions are customised from a browser. Admin Users can monitor authentication/signing activity and set up new points of authentication on websites and mobile apps. End-User of the Buyer - MIRACL Trust ID authentication is as easy as entering a 4-6 digit PIN code to gain access to the protected service.; Setting up new users is default by email verification but can be any process the service provider requires by setting up custom verification.; All functions and features are managed on one page.
• Accessibility standards: None or don’t know
• Description of accessibility: Buyer Admin User - service accessed via a; browser based portal with limited graphics, no; visual or audio media, use of colour or animations.; End-User of the Buyer - service providers have a; great deal of flexibility how they integrate the; service and expose it to the end clients. So they; can determine the accessibility of the system; taking into account platform and form of delivery.
• Accessibility testing: Buyer Admin User - we have tested with various; screen readers, screen magnifiers, speech input,; alternative input devices and text to speech. As a; browser based portal, most assistive technologies; are of some use. End-User of Buyer - service; providers have a great deal of flexibility how they; integrate the service and expose it to the end clients. So they can determine the accessibility of; the system taking into account platform and form; of delivery.
• API: Yes
• What users can and can't do using the API: Admin User can integrate our service with their; website/app/service by connecting to our APIs; using 3 simple function calls. APIs and SDKs can; then be used to enrol users, authenticate users to; controlled services, authenticate users to multiple; services (Single Sign On), irrefutably sign; actions/transactions/documents and monitor all; actions taken by the end-user, all services are; cross-platform and delivered to the End-User via; browsers or custom-built applications. Our APIs; and SDKs support open standards such as (but; not limited to) SAML, OIDC, ADFS and RADIUS.; We support Python, Django, NodeJS, Ruby, PHP,; Go, Java, .NET and many other languages with; our own SDKs and numerous additional; languages using open source clients.
• API documentation: Yes
• API documentation formats:
  • HTML
  • PDF
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: Admin Users have a high degree of customisation; capability given service is provisioned via APIs; and SDKs. Buyer has full control over User Flows; for Enrolment and Authentication, any service; provisioned screens such M-Pin (pin entry screen); can be customised to include customer branding.; Private Cloud, Hybrid Cloud and on-premise; installation subject to final specification of; customer and gives even more detailed control; over the operation of the underlying service such; as the distribution and revocation of cryptographic; secrets.

Scaling

• Independence of resources: Predictive auto-scaling and using elastic cloud servers that scale based on usage.

Analytics

• Service usage metrics: Yes
• Metrics types: We track all events that go through the MIRACL; Trust Proof service. The metrics we provide are; number of authentications and unique users; broken down by day, month, year, geographic; region etc.
• Reporting types:
  • API access
  • Regular reports
  • Reports on request

Resellers

• Supplier type: Reseller providing extra support
• Organisation whose services are being resold: MIRACL

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Security Clearance (SC)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations: United Kingdom
• User control over data storage and processing locations: Yes
• Datacentre security standards: Managed by a third party
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest: Encryption of all physical media
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: In-house destruction process

Data importing and exporting

• Data export approach: Data can be fetched through the API or in CSV; ; from the service admin portal.
• Data export formats: CSV
• Data import formats: Other
• Other data import formats: Not applicable. There is nothing to upload.

Data-in-transit protection

• Data protection between buyer and supplier networks: Other
• Other protection between networks: We never have access to buyers' data. For our; service: the portal access, web login access and; API access are protected using TLS 1.3.
• Data protection within supplier network: Other
• Other protection within supplier network: We have implemented Googles BeyondCorp; which means we do not have an internal network; that gives access to data. We have strong; authentication to each service and VPN for; sensitive infrastructure used only for administrative; actions - not day to day work. Those VPNs are; also protected with two factor authentication; through our own service. Access to data is given; on a needs only basis.

Availability and resilience

• Guaranteed availability: SLA depends on the level selected. As an; example for an Uptime Commitment of 99.9%, if; the availability of MIRACL Services for a given; month is less than the applicable Uptime; Commitment, MIRACL will provide Buyer with a; credit of the Fees paid for the affected MIRACL; Services for such month as follows: Availability; less than Uptime Commitment but at least 99.5%:; 5% credit. - Availability less than 99.5% but at; least 99%: 10% credit. - Availability less than 99%; but at least 97.5%: 35% credit. - Availability less; than 97.5%: 100% credit. In the event Partner is; not current in its payment obligations when an; outage occurs, remedies will accrue, but credits; will not be issued until payment obligations are up; to date. To receive service credits, Partner must; submit a written request to billing@MIRACL.com,; within 30 days after the end of the month in which; the MIRACL Services failed to meet the Uptime; Commitment, or the right to receive credits with; respect to such unavailability will be waived.
• Approach to resilience: The service is architectured in such a fashion as to be always available. Each of the multiple interchangeable nodes is distributed across multiple zones in a single data-center. Load-balancing as well as auto-scaling technology is used to ensure availability even under high demand. There is no single point of failure. Further details available on request.
• Outage reporting: The service is end-to-end monitored from a; number of places on the globe at least every; minute. An internal company dashboard is updated with the results in real-time and the; support team are notified should the service be; unavailable from any of these points on the globe.; The service is configurable to provide email alerts; to customers. Once a month the availability; information is distributed to customers with a valid; contract.

Identity and authentication

• User authentication needed: Yes
• User authentication: 2-factor authentication
• Access restrictions in management interfaces and support channels: All access secured by strong 2 Factor; Authentication (2FA) associated to each unique; User-AccessPoint combination. Where an; AccessPoint is a specific Browser-Device, Mobile; etc. Full, real time, configuration of user roles; determined on a per-user basis by admin user.; Ability to revoke user access or enable/disable; access to individual functions and groups of; functions.
• Access restriction testing frequency: At least every 6 months
• Management access authentication:
  • 2-factor authentication
  • Other
• Description of management access authentication: Description of management access authentication; ; 2-Factor Authentication tied to each User-; AccessPoint combination. Where an AccessPoint; ; is a specific Browser-Device, Mobile etc. This; enables customer to know who initiated and how; they initiated access. Service provided with; MIRACL Trust ID meaning there are no additional; charges associated with adding management; users or access points.

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: At least 12 months
• Access to supplier activity audit information: Users contact the support team to get audit information
• How long supplier audit data is stored for: At least 12 months
• How long system logs are stored for: At least 12 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: British Assessment Bureau
• ISO/IEC 27001 accreditation date: 14/07/2023
• What the ISO/IEC 27001 doesn’t cover: Not applicable
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: Yes
• Cyber essentials plus: No
• Other security certifications: No

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: We have a Security Policy and carry out regular; risk assessment to then manage the identified; risks. We also carry out internal audits that lead to; continual improvement with corrective and; preventative actions. Internal audits help in; ensuring policies are followed. Information Security is a priority of the Company Board with; regular reports being produced to keep it up to; date. All reporting is done to the Information; Security Officer who is part of the Company; Leadership.

Operational security

• Configuration and change management standard: Supplier-defined controls
• Configuration and change management approach: We follow all the good practices both for secure; software development and for infrastructure. We; aim for everything as code (software,; infrastructure, policies) approach which gives us a; number of important features of the process: -; Each change is reviewed by at least 2 people; before it is accepted. - Audit log of all changes; both code or infrastructure (infrastructure is built; with code). - We can version state of the system; and revert if needed. - We do Continuous; Integration and Continuous Delivery (CI/CD).
• Vulnerability management type: Supplier-defined controls
• Vulnerability management approach: We aim at limiting the surface that's managed by; us and could be potentially vulnerable. We; perform regular in-house vulnerability scanning; and take actions based on the recommendations.; We are able to apply patches within hours.
• Protective monitoring type: Supplier-defined controls
• Protective monitoring approach: The system generates reporting information on a; daily basis. Any unusual activity will result in a; SAR (suspicious activity report) going to the COO.; An investigation (typically within hours) will occur.; User ID's, if a compromise is suspected, will be; blocked pending further investigation.
• Incident management type: Supplier-defined controls
• Incident management approach: The user will report the service issue via email,; phone or on the user portal. The incident will be; logged in our incident management system. The; user will be notified by email of actions or progress; made towards resolution of the incident. Priority; will be given to : - Ensuring the service is not; compromised - Then ensuring the user is capable; of accessing the service - Finally determining the; ; root cause analysis of the incident No pre-; determined processes exist at present, as; ; production incidents are negligible. We will monitor; for patterns and create process as appropriate.

Secure development

• Approach to secure software development best practice: Conforms to a recognised standard, but self-assessed

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  Tackling economic inequality

  Tackling economic inequality

  The solutions and services we offer to G Cloud procurement organisations typically require new skill sets for which we provide employment and follow on mentorship training and growth opportunities.

Pricing

• Price: £0 a transaction
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: The first 1,000 transactions per month are free.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at pwitheridge@groveis.com. Tell them what format you need. It will help if you say what assistive technology you use.