Using apps to smoothly and securely authenticate users has long been a challenge. A standards-based way to address this is to use Client Initiated Backchannel Authentication (CIBA) from the OpenID Foundation. It defines a decoupled flow where authentication can be initiated on one device and carried out on another. It lets people use their mobile devices to authenticate and approve transactions.
Pushed Authorization Requests (PAR) is an enhancement in OAuth and OpenID Connect to initiate the authorization flow from a client using request objects. It provides security and privacy improvements without implementing costly cryptography on the client side. The client needs only minimal changes to be able to use PAR instead of a standard authorization request.
JWT Authorization Request functionality is very useful in implementations that require high security. Using signed request objects can help when request parameters get too large to send in the query string or where there is a need to maintain the consistency of request parameters. Additionally, it's possible to encrypt request objects where you also need to maintain privacy.
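The following added example (not code from the Curity Identity Server or its documentation) shows how a signed request object keeps authorization parameters consistent: the client wraps them in a JWT and the server rejects any copy whose parameters were altered in transit. It assumes HS256 with a shared client secret so that it runs on the Python standard library alone; deployments commonly sign with an asymmetric key instead, and the function names, client ID, issuer URL, and secret are hypothetical.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_request_object(params, client_id, issuer, secret, ttl=60):
    """Client side: wrap the authorization parameters in a signed JWT."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}
    claims = dict(params, iss=client_id, aud=issuer, client_id=client_id,
                  exp=int(time.time()) + ttl)
    signing_input = ".".join(b64url(json.dumps(part).encode())
                             for part in (header, claims))
    tag = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)

def verify_request_object(token, client_id, issuer, secret):
    """Server side: return the verified parameters or raise ValueError."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(b64url_decode(head)).get("alg")
        tag = b64url_decode(sig)
    except Exception as exc:
        raise ValueError("malformed request object") from exc
    # Pin the algorithm; the token must never choose it (rules out alg=none).
    if alg != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if claims.get("iss") != client_id or claims.get("client_id") != client_id:
        raise ValueError("wrong client")
    if claims.get("aud") != issuer:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    params = {"response_type": "code", "scope": "openid",
              "redirect_uri": "https://app.example/cb", "state": "af0ifjsldkj"}
    token = make_request_object(params, "client-1", "https://idp.example", secret)
    print(verify_request_object(token, "client-1", "https://idp.example", secret))
```

The client then sends only `client_id` and `request=<token>` on the authorization request, so the server takes every other parameter from the verified claims.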
JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) adds another level of security to handle responses from the Authorization Server. The Curity Identity Server supports this draft specification without requiring any specialized configuration. Customers can thus easily implement JARM in their clients.
The Curity Identity Server supports the use of Hardware Security Modules (HSM) for storing keys. Use the HSM with the Curity Identity Server to sign tokens, encrypt SSL/TLS communication, and perform other sensitive operations.