Daon

xAuth: Multi-Factor Authentication (Biometric & FIDO-Certified Authentication)

xAuth offers multi-factor authentication with device, knowledge, biometric and FIDO-certified features. xFace offers server-side facial recognition with liveness using a selfie.

xAuth integrates seamlessly offering Biometric: Face ID, Fingerprint, Android Biometric; Knowledge-based: Password, PIN; Possession-based: Security Key, Device, Passkeys; Other features: OTP, Push Notifications, Device Signals, FIDO UAF/FIDO2

Features

• Simple, secure and seamless multi-factor authentication.
• Standards-based FIDO UAF and FIDO2-certified biometric authenticators are available.
• Industry-leading and user-friendly presentation attack defence.
• Fully customisable to fit your security and accessibility needs.
• Functionality across mobile, Android, iOS, web, kiosk, and even on-site.
• Biometric, mobile device, mobile app, web, and cross-channel factors available.
• Complete authentication control: match thresholds, attempts, device capabilities, and more.
• SaaS multi-tenant cloud, single-tenant cloud, or on-premises deployments available.
• Leverage device as token for strengthened multi-factor authentication.
• Robust encryption and security standards safeguard the sensitive data collected.

Benefits

• Creates a seamless and consistent authentication experience in every channel.
• A seamless, user-friendly experience, designed to be accessible to all.
• iBeta tested ISO 30107-3 Level 1 and 2-compliant liveness detection
• Leverage face, and fingerprint, both on-device and on-server.
• Experience at scale, scaling to populations of hundreds of millions.
• A no-code, drag-and-drop orchestration layer.
• Simple and quick integration into existing and new systems.
• Allows for separate administrators and data segregation.
• Continuously updated security and algorithms to protect against evolving threats.
• Implementation support is available from Customer Success.

£0.10 to £0.50 a user a year

• Education pricing available
• Free trial available

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales-uk-ie@daon.com. Tell them what format you need. It will help if you say what assistive technology you use.

Framework

G-Cloud 14

Service ID

965101997272725

Contact

Matthew Brawley
07702849512
sales-uk-ie@daon.com

Service scope

• Software add-on or extension: Yes
• What software services is the service an extension to: Can be integrated within customer web sites or mobile apps for authentication at login, for "step-up" or during approval of actions.
• Cloud deployment model:
  • Public cloud
  • Private cloud
• Service constraints: No specific service constraints.
• System requirements: REST API

User support

• Email or online ticketing support: Email or online ticketing
• Support response times: Response times are established in accordance with the selected service package.
• User can manage status and priority of support tickets: Yes
• Online ticketing support accessibility: None or don’t know
• Phone support: No
• Web chat support: No
• Onsite support: Yes, at extra cost
• Support levels: 1. STANDARD: Portal access with 24-hour availability.; Response times: P1 - 1 Business Day, P2 - 1 Business Day, P3 - 1 Business Day; Cost: Included.; ; 2. BUSINESS: Email support included; Portal access with 24-hour availability.; Response times: P1 - 2 hours, P2 - 2 business hours, P3 - 6 business hours; Cost: see pricing attachment for additional cost; ; 3.ENTERPRISE: Email support included; Portal access with 24-hour availability; Response times: P1 - 1 hour, P2 - 1 hour, P3 - 4 business hours; Cost: see pricing attachment for additional cost
• Support available to third parties: Yes

Onboarding and offboarding

• Getting started: Customers are provided with access to an easy to use web console to manage the system with access to our SDK and API documentation, and a dedicated customer support portal.; ; Daon's Customer Success team is available to provide further guidance through setup, configuration, integration, testing, etc. Additionally, they can provide both remote and onsite training and development support, as needed. These services are at an additional cost.
• Service documentation: Yes
• Documentation formats: HTML
• End-of-contract data extraction: Data can be extracted via the systems REST API.; Data will be deleted after a specified retention period; can be deleted by the client via the API or by asking Daon to remove all of the data.
• End-of-contract process: Access to APIs, removal of data and customer support for service queries. Further assistance if required is available from our Customer Success at an additional cost.

Using the service

• Web browser interface: Yes
• Supported browsers:
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari
  • Opera
• Application to install: No
• Designed for use on mobile devices: Yes
• Differences between the mobile and desktop service: Mobile devices can either use a mobile-based browser experience or an app-based experience via our SDKs for iOS and Android. Desktops and laptops can only use a browser experience.
• Service interface: Yes
• User support accessibility: None or don’t know
• Description of service interface: XAuth is provided through REST APIs and SDKs for iOS/Android, which include a user interface for the end-user. A web-based console is provided for organisations to manage the service.
• Accessibility standards: None or don’t know
• Description of accessibility: The service is designed to be incorporated by web or app developers, who can design accessible UIs.
• Accessibility testing: Testing should be done by web or app developers for their applications.
• API: Yes
• What users can and can't do using the API: All of the service's functions can be accessed via a secure REST/JSON API.
• API documentation: Yes
• API documentation formats:
  • Open API (also known as Swagger)
  • HTML
• API sandbox or test environment: Yes
• Customisation available: Yes
• Description of customisation: The service is designed to be embedded in an orgnisation's UI, allowing full customisation.

Scaling

• Independence of resources: Daon's systems are designed to scale and we process millions of authentications per day. We work with our customer organisations expecting high volume usage to understand their needs and plan for them to ensure consistent, reliable performance.

Analytics

• Service usage metrics: Yes
• Metrics types: Our service captures a number of transaction metrics results of process/steps and metadata that can be consumed via our user interface or API.
• Reporting types: API access

Resellers

• Supplier type: Not a reseller

Staff security

• Staff security clearance: Other security clearance
• Government security clearance: Up to Developed Vetting (DV)

Asset protection

• Knowledge of data storage and processing locations: Yes
• Data storage and processing locations:
  • United Kingdom
  • European Economic Area (EEA)
• User control over data storage and processing locations: Yes
• Datacentre security standards: Complies with a recognised standard (for example CSA CCM version 3.0)
• Penetration testing frequency: At least once a year
• Penetration testing approach: Another external penetration testing organisation
• Protecting data at rest:
  • Physical access control, complying with CSA CCM v3.0
  • Physical access control, complying with SSAE-16 / ISAE 3402
  • Encryption of all physical media
  • Other
• Other data at rest protection approach: Encryption of all sensitive data at the application layer before storage. Audit trail of access.
• Data sanitisation process: Yes
• Data sanitisation type: Deleted data can’t be directly accessed
• Equipment disposal approach: A third-party destruction service

Data importing and exporting

• Data export approach: All of the data is available via REST/JSON APIs.
• Data export formats: Other
• Other data export formats: JSON
• Data import formats: Other
• Other data import formats:
  • JSON
  • JPEG

Data-in-transit protection

• Data protection between buyer and supplier networks: TLS (version 1.2 or above)
• Data protection within supplier network: TLS (version 1.2 or above)

Availability and resilience

• Guaranteed availability: For a standard deployment, 99.9% on a monthly basis. Higher availability service levels are available with upgrades.
• Approach to resilience: Each system component is deployed in multiple availability zones. Data is also replicated to a secondary region for disaster recovery.
• Outage reporting: Email alerts/service reports

Identity and authentication

• User authentication needed: Yes
• User authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
• Access restrictions in management interfaces and support channels: Role-based Access Control. Single Sign-On (SSO) options also available.
• Access restriction testing frequency: At least once a year
• Management access authentication:
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

• Access to user activity audit information: Users have access to real-time audit information
• How long user audit data is stored for: User-defined
• Access to supplier activity audit information: Users have access to real-time audit information
• How long supplier audit data is stored for: User-defined
• How long system logs are stored for: Between 1 month and 6 months

Standards and certifications

• ISO/IEC 27001 certification: Yes
• Who accredited the ISO/IEC 27001: Certification Europe (INAB)
• ISO/IEC 27001 accreditation date: 17/10/2017
• What the ISO/IEC 27001 doesn’t cover: NA – The entirety of the standard and extensions apply.
• ISO 28000:2007 certification: No
• CSA STAR certification: No
• PCI certification: No
• Cyber essentials: No
• Cyber essentials plus: No
• Other security certifications: Yes
• Any other security certifications:
  • ISO/IEC 30107 compliant
  • ISO/IEC 27701:2019
  • ISO/IEC 27018:2019
  • ISO/IEC 27017:2015
  • AICPA SOC 2 Type 2

Security governance

• Named board-level person responsible for service security: Yes
• Security governance certified: Yes
• Security governance standards: ISO/IEC 27001
• Information security policies and processes: Daon maintains a comprehensive Information Security Management System (ISMS) and Privacy Information Management System (PIMS) which are independently audited for compliance with the AICPA SOC 2 Trust Principle for Security, plus the international standard for information security management (ISO27001:2022) and extensions for privacy management (27701:2019), cloud security (27017:2015) and management of PII in the public cloud (27018:2019). ; ; Daon’s CISO is responsible for the security and privacy compliance programs.

Operational security

• Configuration and change management standard: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Configuration and change management approach: Changes to service components are managed through a change control process that follows the ITIL4 Service Management practice of Change Enablement and is part of Daon’s comprehensive Information Security Management System. Application and system changes require security risk review with approval required from a security architect.
• Vulnerability management type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Vulnerability management approach: Vulnerabilities are identified through automated scans and manual validation. Patches are deployed based upon severity with a typical patching window scheduled monthly. Emergency updates can be expedited if required. We monitor threat feeds from US CISA and UK NCSC.
• Protective monitoring type: Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
• Protective monitoring approach: Both automated alerting and manual log review are used to identify potential compromises or anomalous events. Suspected or identified compromise response follows 5.24-5.29 of ISO/IEC 27002:2022 with the IRT alerted immediately.
• Incident management type: Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
• Incident management approach: Incident processes and procedures are written and included in Daon’s ISMS. Customers may report incidents by raising a P1 ticket in the support portal. Incident response and reporting follows the ITIL4 Service Management practice of Incident Management.

Secure development

• Approach to secure software development best practice: Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

• Connection to public sector networks: No

Social Value

• Social Value:

  Social Value

  • Fighting climate change
  • Covid-19 recovery
  • Tackling economic inequality
  • Equal opportunity
  • Wellbeing

  Fighting climate change

  Daon is committed to digital solutions, providing a climate-friendly alternative that eliminates the need for in-person authentication. This approach significantly reduces the use of paper, postage, and travel.

  Covid-19 recovery

  Daon's technology eliminates the necessity for individuals to travel to physical government buildings, facilitating swift, secure, and user-friendly authentication from the comfort and safety of their homes. This makes it an effective tool in a pandemic environment.

  Tackling economic inequality

  Daon's solution significantly aids in mitigating economic inequality by enhancing service accessibility for a broader audience through the provision of a diverse array of authentication factors. This inclusivity extends particularly to individuals with disabilities that may limit the effectiveness of traditional authentication methods.

  Equal opportunity

  Daon is an equal opportunities employer both globally and in the UK.; ; Further to this, our user interfaces are designed with inclusivity in mind, and we are constantly striving to minimise racial bias within our machine learning algorithms, ensuring that our solution is effective across different races, genders, ages, religions, disabilities, and socioeconomic backgrounds.

  Wellbeing

  Daon streamlines access to government services, enabling individuals to quickly and easily authenticate themselves. By utilising Daon's technology from a computer, mobile device, or kiosk, individuals can bypass the traditional hassles associated with authentication. This efficient process not only minimises stress but also improves overall well-being, freeing up time for other important activities.

Pricing

• Price: £0.10 to £0.50 a user a year
• Discount for educational organisations: Yes
• Free trial available: Yes
• Description of free trial: The free trial period typically consists of 100 users, available for 30 days.

Service documents

• Pricing document

  PDF

• Service definition document

  PDF

• Terms and conditions

  PDF

Request an accessible format

If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at sales-uk-ie@daon.com. Tell them what format you need. It will help if you say what assistive technology you use.