On a mission to innovate their customer login by strengthening its security and user convenience, the SAP Universal ID team chose Hanko’s developer-friendly WebAuthn implementation, and built seamless passwordless authentication within just a few days.
One of SAP’s latest products is SAP Universal ID (UID), a unified account that allows customers to access all SAP services in one place and to have a seamless user experience across all SAP products and services. The company refers to it as the "Apple ID for everyone in the SAP world". SAP customers can link their SAP accounts under one UID, represented by an email address, and use it to log in to SAP services with a single password.
Even though using only one set of login credentials offers great advantages for SAP customers, it also means that if this password is compromised, the attacker may gain access to multiple SAP services and accounts at once. That’s why SAP UID developers were searching for a more secure solution that prevents fraud but doesn’t impact usability.
Authenticating with biometrics has been proven to be the most secure way to protect user accounts and devices without impacting user experience and conversion rates. But until now, biometric authentication could be used only in native apps on mobile devices. This recently changed with a set of brand new web standards called "WebAuthn" and "FIDO2" that make it possible to use biometrics on websites. But developing a biometrics-based authentication process, combining it with a secure cryptographic challenge-response 2-factor authentication protocol, and integrating it into an existing tech stack take a lot of time, knowledge, and developer resources.
That's why SAP decided to realize this project together with Hanko. The young Authentication-as-a-Service provider was invited to participate in SAP's 3-month startup accelerator program, SAP.iO. In a joint proof-of-concept (PoC), the SAP team tested FIDO-based passwordless authentication with Touch ID, Windows Hello, and FIDO Security Keys for SAP Universal ID.
With their managed Cloud API, Hanko enabled SAP developers to access a fully-fledged and certified WebAuthn infrastructure right from the beginning of the project. Hanko accompanied the SAP team, providing demo code and ready-to-use client and server SDKs. To create an optimal user experience, Hanko also supported the UID's UX team in the development and implementation of the new user flows for the passwordless authentication methods.
The result of the PoC is a fully functioning SAP Universal ID test environment supporting passwordless two-factor authentication with WebAuthn Authenticators such as Windows Hello, Apple Touch ID and Face ID, as well as FIDO Security Keys. Since Hanko supplied the main code components, SAP was able to integrate the passwordless technologies into UID with a small team in just ⅓ of the estimated time. The test environment will be leveraged for further user testing until the feature is released to SAP customers.
Thilo Brandt, IT Senior Manager SAP Universal ID, confirms that internal tests have produced a consistently positive response, from developer and QA level up to top management. "The development effort for introducing passwordless authentication was significantly reduced through the use of Hanko and the team helped us to successfully navigate implementing passwordless authentication into our application stack and user interfaces."
Michael Braun, IT Chief Product Owner of Identity & User Management at SAP, is happy with the outcome of the project: "With the help of Hanko, we were able to prove the feasibility of our vision for a passwordless login at UID in terms of technical implementation as well as usability on all major operating systems such as Windows, macOS, iOS, and Android."
Felix Magedanz, Founder and CEO of Hanko, is pleased to see that Hanko’s Authentication-as-a-Service solution is so well received at SAP and that the deployability of Hanko’s API has been successfully proven. "Our project with SAP demonstrates the power and the benefits of our passwordless API. Seeing our solution being used by one of the largest software companies in the world makes us proud and strongly validates our approach. Through the close cooperation and feedback from SAP developers we were able to improve our solution to make it even more convenient for future customers."