TDL Sprint on integrating banking-grade user authentication in websites

tdloffice General

The Computer Security and Industrial Cryptography research group (COSIC), based at KU Leuven, started the n-Auth project in 2014 to provide a state-of-the-art user authentication solution. n-Auth consists of the n-Auth app, which users can freely install on their mobile phones, and an n-Auth server component that needs to be integrated in the back-end of a web server. Our radically new approach, starting from strong cryptography, combined with a focus on privacy and usability, allows us to provide user-centric banking-grade user authentication, compliant with the EU General Data Protection Regulation.

The goal of this TDL Sprint was to further study integration of n-Auth with a concrete application and produce a demonstrator featuring all of the n-Auth capabilities. In agreement with TDL, the GTAC website was selected. Starting from an existing account on the GTAC website, the user can enable n-Auth and associate his mobile device with that account. From that moment on, the user can log in to his account by using the n-Auth app to scan the n-Auth code on the GTAC website and approve the login. The n-Auth app also keeps a list of currently logged-in sessions and allows for instant logout.

Integrating with the GTAC website was an interesting showcase as it builds on the popular WordPress framework and is hosted by a web hosting provider (as are most WordPress websites). The latter usually means that one cannot execute the n-Auth server component on the same server. We opted to host the n-Auth server component ourselves, given the limited impact this choice had on the actual integration. As an additional benefit of hosting the n-Auth server component ourselves, future projects that want to integrate with n-Auth can easily test against our n-Auth server component without having to install or host it themselves.

The main task was thus to write a WordPress plugin that would seamlessly enable n-Auth. The n-Auth plugin directly queries the REST API of the n-Auth server to initiate a login and validate the current authentication status. Due to WordPress’ vague authentication framework and conflicting plugins, extensive work was needed to re-organize the n-Auth plugin to (partially) bypass erroneous behaviour.

In the coming months, n-Auth will be deployed at KU Leuven for staff and students to log in to central IT services. This was realised in collaboration with the KU Leuven central IT services team. Commercialisation of n-Auth is currently focused on a gateway solution that can be put in front of a website that needs authentication (plug-and-play), and on Shibboleth integrations. However, co-creation projects with other popular frameworks are always of interest to us. Do not hesitate to contact us at

For more information please visit: