Deployment Options¶
Relock Invisible MFA can be integrated in three different scenarios. The choice depends on your use case, the desired user experience, and how often you want to verify users.
Prerequisites¶
Before you begin integration, make sure that you have:
Relock account and access to the Relock Admin Panel.
Administrative access to the web application or authentication system.
Valid SSL/TLS certificate configured on your domain.
Redirect-Based Integration (Login-level)¶
Two integration modes rely on simple redirects. These require no code changes in the protected application, but they do display a spinner/loader to the user (so the process is not entirely invisible):
Simple Deployment (Third-party cloud)¶
The application redirects the user to the relock.host cloud domain for device verification. The user sees a simple spinner/loader and is then returned back to the web application.
SameSite Deployment¶
The application uses a proxy or load balancer rule to mask the redirect, making it appear as though verification is taking place on your own domain. Cryptographic keys are stored securely within your domain’s browser data.
JavaScript Agent Integration (Request-level)¶
A request-level integration requires deploying a lightweight JavaScript library (JS agent) into the protected application. In this mode, verification occurs entirely in the background, without the user ever seeing any part of the process or a redirect event.
Brief Summary¶
The first two modes are suitable for authentication at sign-in flow or during sensitive actions where displaying a separate screen with spinner/loader is acceptable. The Agent-based integration is best for both sign-in verification and on-demand request confirmation during an active session.
Simple verification is limited compared to the SameSite and Agent-based approaches. It cannot handle any information about the authenticated user, since it functions as third-party authentication without the ability to notify Relock Cloud about sign-in success or sign-out events.