Transaction Signing (Three-Factor Authentication)
The ability to use Three-Factor Authentication is becoming even more critical when performing high-risk tasks. When “something you know” and “something you have” simply isn’t enough, Authlogics allows for “something you are doing”. Some vendors think that using two lots of “something you know” with a “something you have” provides three factors of authentication; however, it is still only two.
Including a “something you are doing” factor into the equation ensures that the One Time Code you supply can only be used for the purpose it was intended for and can’t be used by somebody else pretending to be you for some other purpose. There have been many attacks on banks in recent years where valid One Time Codes are “stolen” from a user and used maliciously to move money to the bad guy’s account. Three-Factor Authentication / Transaction Signing stops this attack in its tracks. Some banks have introduced hardware-based card readers or tokens with keypads to provide protection; however, these are highly expensive solutions and are not user-friendly.
The Authlogics Three-Factor Authentication Transaction Signing solution is different. It is built directly into our Authlogics Authenticator app enabling “something you are doing” any time you need it with the award-winning PINgrid and PINpass technologies – and is included in our single-user licence cost to all customers with no custom hardware or expensive roll-out costs.
- No hardware tokens
- No more passwords
- Authlogics Authenticator soft token available in all mobile app stores
- Soft Token works 100% Offline
- Seamless step-up from 1.5 & 2 Factor when needed
- Patented, award-winning technology
- Rapid deployment
- Simple to use
- Risk-appropriate security for high-value transactions
Our Transaction Signing Technologies
Transaction ID entry screen of the Authlogics Authenticator App
- Pattern-based graphical technology.
- The user enters the transaction code, looks at the grid and recalls their pattern, enters the One Time Code.
- Enhanced standards (OATH) numeric technology.
- The user enters the transaction code, reads the One Time Code from the token, enters the code along with a PIN/password.
Frequently Asked Questions
Why is “something you are doing” so important?
When you need to authorise an action you are doing, it is critical that the authorisation code you are using has some relation to what you are doing. This is why “something you are doing” is used as a 3rd factor. Many Internet banking systems, for example, send you authorisation codes to perform tasks, but they don’t have any relation to the task you are performing.
Hacks like Operation High Roller (and many more) exploit codes that are meant for one thing but that the bad guy uses for something else. For example, maybe you want to send $100 to your savings account and you are sent a code to authorise it; however, malware in your browser has changed the request being sent to the bank so that it sends $10,000 to the bad guy’s account. You then enter the code provided to authorise it and it goes through. Transaction signing prevents these types of attacks.
How would I use PINgrid to authorise a financial transaction?
PINgrid is ideal for authorising mobile payments with transaction signing. An example of how to use it is as follows:
In an Internet banking session, you create a new payee and add their account number via the browser. The bank needs to ensure that the code entered by you in the browser is the one they receive and that it hasn’t been tampered with. To do this, you enter the bank account number into the Bank Mobile App and a three-factor PINgrid challenge is displayed which is unique for the transaction, the device and the time. You then use that grid with your pattern to enter a One Time Code. That code will only be able to authorise the correct account number; if malware modifies the account number received by the bank, the code will not be able to authorise the transaction.
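The binding described above can be illustrated with a generic construction. This is an added example, not Authlogics code and not the PINgrid or PINpass algorithm: it assumes an HMAC-SHA256 code in the style of OATH one-time passwords, computed over a per-device secret, the current time step and the transaction details. All names, the secret and the account identifiers are constructed for the illustration.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # assumed time-step length
DIGITS = 6         # assumed code length


def _canonical(payee_account: str, amount_cents: int) -> bytes:
    # Length-prefix each field so adjacent fields cannot be re-split ambiguously.
    parts = [payee_account.encode(), str(amount_cents).encode()]
    return b"".join(struct.pack(">H", len(p)) + p for p in parts)


def transaction_code(secret, payee_account, amount_cents, unix_time) -> str:
    """One-time code bound to the device secret, time step and transaction."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter + _canonical(payee_account, amount_cents),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as in RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def bank_verifies(secret, received_account, received_amount, code,
                  unix_time, drift_steps=1) -> bool:
    """Recompute from what the bank actually received, allowing clock drift."""
    for step in range(-drift_steps, drift_steps + 1):
        expected = transaction_code(secret, received_account, received_amount,
                                    unix_time + step * STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Constructed sample values, not real account data.
DEVICE_SECRET = b"constructed-demo-secret-0123456789"
NOW = 1_700_000_000
SAVINGS, OTHER = "DEMO-SAVINGS-0001", "DEMO-OTHER-9999"

if __name__ == "__main__":
    code = transaction_code(DEVICE_SECRET, SAVINGS, 10_000, NOW)  # $100.00
    # Request arrives unmodified: accepted.
    print(bank_verifies(DEVICE_SECRET, SAVINGS, 10_000, code, NOW))
    # Payee and amount rewritten in transit: the same code is rejected.
    print(bank_verifies(DEVICE_SECRET, OTHER, 1_000_000, code, NOW))
```

Because the bank recomputes the code from the request it actually received, a code generated for one payee and amount fails for any other, and it also fails once the time window has passed.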