Security and cryptography expert (PhD) - CEO at nextAuth
SD Worx is Europe’s leading HR and payroll services provider at the forefront of the digital transformation of HR services. It services 80.000 companies and 5 million+ users and employs 5300+ people. Their services span the entire employee journey, from attracting to getting people paid, rewarding, and developing talent. SD Worx contacted nextAuth to provide them with a user-friendly and secure authentication process for their mobile app mysdworx and web portal mysdworx.com. In this case study, you’ll discover:
What Were SD Worx's Authentication Needs?
SD Worx has always led the way when it comes to digitizing HR services. However, despite their pioneering activities, their 5 million users and 5300+ employees still had to access the app and portals with authentication methods that cause friction, provide insufficient protection from cyber attackers and aren’t scalable:
1. The multi-factor authentication system used by HR professionals relied on old-fashioned hardware tokens, which created issues for provisioning and supporting this setup in a post-COVID remote working world.
2. Their 5 million+ end users could log in using a password (a factor implicated in 81% of data breaches) or a username and an OTP, but most users chose SMS to deliver the OTPs. SMS is expensive, unreliable and prone to social engineering.
3. The authentication factors weren’t user-friendly, hampering widespread adoption and making end-users opt for a username and password-based login.
4. The authentication mechanisms were often country-specific, making it increasingly difficult and costly to scale the setup toward 5 million+ users in 19 countries.
Gert Beeckmans, Group Chief Risk & Security Officer at SD Worx, knew he needed to prioritise authentication:
What Were SD Worx's Goals?
Gert Beeckmans aimed to “ensure multi-factor authentication for every user with true passwordless multi-factor authentication as the default and:
- Provide a frictionless user experience, i.e. enable users to log in quickly and seamlessly.
- Protect all users – both employees and end-users – from credential theft and data breaches.
- Implement a scalable authentication system in terms of cost and support for up to 5 million+ users across 19 countries.”
Why Did SD Worx Choose nextAuth?
SD Worx evaluated numerous MFA providers over a long search before partnering with nextAuth. According to Beeckmans, those vendors didn’t move the needle in terms of security; they merely added a layer of complexity and friction. “We chose nextAuth for a myriad of reasons”:
- Firstly, nextAuth’s passwordless MFA solution is mobile-first: “That was paramount for us. We wanted a solution where our users could use their mobile device as an authentication factor. That we could embed nextAuth’s solution into the user’s device was a big plus.” nextAuth’s mobile SDK enabled quick integration into mysdworx, the SD Worx app, which could then be embedded into the user’s device. “This cancels the need for additional hardware like hardware tokens or smartcards.”
The mobile SDK has other positive implications. It allows SD Worx to scale further and increase the use of its mobile app, and it guarantees an easy, frictionless rollout. “We needed a universal solution that was easy to roll out to all our users across all countries we’re active in. With the integrated solution, our users don’t need to install a separate and additional authenticator app. It’s just an additional feature in the SD Worx app that allows them to log in with MFA to all our web and mobile applications.”
- nextAuth’s superior user experience was also a significant factor: “We were impressed by its user-friendliness and frictionless authentication experience,” Beeckmans continued. “nextAuth’s solution requires a minimal number of interactions to work. It also provides sufficient context to allow our users to make informed decisions. But more importantly, it’s completely passwordless while guaranteeing a true MFA setup.”
The SD Worx-nextAuth collaboration will further boost SD Worx’s security posture: “Their advanced public key cryptography ensures that the private key never leaves the user’s device. At the same time, SD Worx servers only need to store the public key, drastically reducing our attack surface.” nextAuth’s cryptography allows the server to verify and protect the secret online without learning or storing it. “Both keys are thus verified in zero-knowledge, meaning that, if we get breached, we don’t risk leaking any password hashes, private keys, etc.”
- nextAuth also got bonus points for its capability to integrate with SD Worx’s IdP provider, TrustBuilder, which delivers the solution as a managed service to SD Worx: “We have a longstanding relationship with TrustBuilder as a trusted partner. The ability of nextAuth to work closely with TrustBuilder to provide a solid authentication experience seamlessly integrated into our IdP setup makes a big difference and is a win-win for all parties involved.”
What Solution Did nextAuth Provide?
Here’s what we provided SD Worx with:
- 5 million+ end users and 5300+ employees now log into SD Worx’s app, web portal and kiosk with just a fingerprint or face scan on their phone, with a PIN as a backup. The private key, which is securely stored on their mobile device (something you have), is combined with the device’s built-in biometrics (something you are) in the SD Worx mobile app. The user’s mobile phone thus counts as a full-fledged factor of the authentication method. The PIN code comes into play if the biometric scan fails.
- The HR data of those users are now protected by a more secure authentication method. On top of that, nextAuth’s technology minimises the risk of unauthorised access and guarantees non-repudiation of all authentications and transactions.
- nextAuth provided the mobile SDK and helped implement it into the SD Worx app, allowing SD Worx to provide a unified multi-factor authentication experience for their users across their web and mobile applications.
- The nextAuth IdP enabled SD Worx to seamlessly integrate our software into their IAM platform provided by TrustBuilder. This allows SD Worx to manage all their authentication processes frictionlessly.
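The key model described in the quotes above and in the solution list (private key generated and kept on the phone, only the public key stored server-side, biometrics or PIN gating each use) can be illustrated with a generic challenge-response login. The Go program below is an added example written for this page; it is not nextAuth’s or SD Worx’s code and does not reproduce nextAuth’s protocol (the zero-knowledge verification mentioned above is a property of their scheme, whereas this uses a plain Ed25519 signature over a random nonce). The `Server`, `Device` and `Login` names, the `unlocked` flag standing in for a successful biometric or PIN check, and the user id are all assumptions for illustration. It shows why a dump of the server’s database yields nothing an attacker can sign with, and why a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server holds per-user state. It deliberately contains no private key
// material: only public keys and the currently outstanding challenge.
// (Hypothetical structure, not nextAuth's implementation.)
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{
		pubKeys:    make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Register enrols a user by storing only the public half of the key pair.
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.pubKeys[user] = append(ed25519.PublicKey(nil), pub...)
}

// Challenge issues a fresh 32-byte random nonce for the user. A new challenge
// replaces any outstanding one, so each nonce can be answered at most once.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Verify checks sig over the outstanding challenge with the stored public key.
// The challenge is consumed before verification, so a replayed signature fails.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, ok := s.challenges[user]
	if !ok {
		return false
	}
	delete(s.challenges, user)
	pub, ok := s.pubKeys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}

// LeakedServerState models what an attacker who dumps the server database
// obtains: hex-encoded public keys, which cannot be used to answer challenges.
func LeakedServerState(s *Server) map[string]string {
	out := make(map[string]string, len(s.pubKeys))
	for user, pub := range s.pubKeys {
		out[user] = hex.EncodeToString(pub)
	}
	return out
}

// Device models the phone. The private key is generated here and never
// returned; Sign only works while unlocked, which stands in for a successful
// biometric scan or PIN entry (assumed abstraction for this example).
type Device struct {
	priv     ed25519.PrivateKey
	unlocked bool
}

func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// Unlock records the outcome of the local user-verification step.
func (d *Device) Unlock(verified bool) { d.unlocked = verified }

// Sign answers the server's challenge, or refuses if the user was not verified.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	if !d.unlocked {
		return nil, errors.New("user not verified on device")
	}
	return ed25519.Sign(d.priv, challenge), nil
}

// Login runs one complete challenge-response exchange and reports whether
// the server accepted it.
func Login(s *Server, d *Device, user string) (bool, error) {
	challenge, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := d.Sign(challenge)
	if err != nil {
		return false, err
	}
	return s.Verify(user, sig), nil
}

func main() {
	srv := NewServer()
	dev, pub, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv.Register("alice@example.test", pub) // constructed user id
	dev.Unlock(true)                        // biometric or PIN check passed
	ok, err := Login(srv, dev, "alice@example.test")
	fmt.Println("login accepted:", ok, "err:", err)
	fmt.Println("server database contents:", LeakedServerState(srv))
}
```

Run it with `go run`; the second line printed is the whole of what a server breach would expose in this model. The single-use challenge is what makes a signature captured in transit worthless later, and the `unlocked` gate is the second factor: possession of the phone alone does not produce a signature.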
The End Result In Numbers
5 million+ end users benefit from our mobile passwordless MFA solution.
We service these end users in 17 European countries.
5300+ SD Worx employees authenticate themselves in a frictionless and secure way.