Frequently asked questions
How big is the fraud problem?
Identity theft is not only on the rise, it’s rising fast. According to Javelin Research (2017), the problem affected an estimated 15.4 million US consumers in 2016 and is currently growing at 18% year over year. The more we share our SSNs, credit cards, and account numbers with banks, motor vehicle departments, tax authorities, employers, insurance companies, brokerages, doctors’ offices, utilities, and credit agencies, the more opportunities there are for these “secret” numbers to leak out. The Authoriti Permission Code eliminates the need to keep these numbers secret.
How do Permission Codes work?
As we’ve seen, the current industry model has failed because the consumer does not have control over his or her own transactions, and financial institutions do not have confidence in the transactions. The Authoriti Permission Code enables consumers to tell financial institutions which transactions are authorized and which ones aren’t.
Consumers generate Permission Codes, which act like smart, one-time PINs. Embedded within it are consumer-defined restrictions about who can use the information and how. The consumer independently authenticates him or herself, sets restrictions, and creates a Permission Code that authorizes use.
Here's what's packed in the 10-digit Authoriti Permission Code:
How safe are Permission Codes?
If a consumer authorizes a wire transfer out of a specific account in a New York bank branch for Tuesday March 15 to put a deposit on a house, the Permission Code can’t be used for any other account, purpose, location, or time.
Then, a simple web service call to Authoriti validates that the user associated with the ID has generated the code and that the transaction is authorized for the specific type of use.
Unlike traditional PINs, Permission Codes are digitally signed using PKI (Public Key Infrastructure) to ensure that they are linked to a specific identifier (such as a SSN). This eliminates the need for a centralized decision maker to generate and remember valid PINs.
What is PKI?
PKI is a well-respected technique in security. Rather than sharing a password between someone who needs to be authenticated and someone who needs to verify authentication, PKI creates a pair of keys: one called Private and one called Public.
A private key can be used to digitally sign or encrypt information. The public key can be used to check the signature or decrypt – validating that the signature was indeed from the ID who owns the private key. The public key, however, cannot be used to create a valid signature.
How secure are Permission Codes?
The Authoriti Permission Code is safe, secure, and resilient.
The Authoriti.Net service is built on Amazon’s AWS infrastructure. We are creating multiple instances that leverage AWS East and West and can seamlessly load balance or failover as needed. The Amazon Lambda compute service is being utilized to ensure robust performance and low processing latency.
The Authoriti service does not store private keys. Indeed, as with any PKI infrastructure, the private key only exists with the user. It is generated by and contained within the Authoriti app.
Neither does the Authoriti service hold lists of currently valid Permission Codes (although it may temporarily store deprecated codes to prevent reuse).
What problem does this solve?
Today’s complex and annoying challenge/response security model hasn’t evolved much since someone first shouted “Halt, who goes there?” Passwords are too simple or easily hacked from centralized databases; answers to personal challenge questions are available on social media; One-time PINs are being intercepted and redirected.
This “one size fits none” model has been stretched to address new types of cybercrime, but it brings friction to the customer experience and has not proven effective at reducing fraud. It’s a classic catch-22: If you go too light on risk management, fraud skyrockets; if you assume too much control, you alienate your customer and may be assuming new, previously unforeseen liabilities. In short, by trying to protect the customer, we’ve broken the customer experience
What does Authoriti do?
Authoriti eliminates friction and fraud with a new approach that personalizes and simplifies transaction authorization. The Authoriti Permission Code® smart PIN allows customers to easily and securely originate trusted transaction instructions. Permission Codes are embedded with specific transaction details such as "who, what, when, and where.”
The dynamic PINs are encrypted and digitally signed, instilling confidence and enabling businesses to authenticate the customer and execute the transaction upon receipt. Authoriti’s technology simplifies transactions such as moving money, telephone traffic, sharing information, or accessing digital and physical locations.
What are the benefits of the Permission Code® Platform?
Authoriti has flipped the model from server-side, institutional control of data to a more personalized, customer controlled digital experience. Customers originate and authorize transactions on their own devices. This approach offers three benefits:
1) the customer gets a better experience,
2) the business retains a happy customer at a lower cost, and
3) all with improved security.
Using the customer’s device removes the central information database, decentralizing risk and simplifying infrastructure. Further, giving real control to customers creates flexibility for new services, including delegated transaction authorization. Authoriti focuses on what customers want to do – not just who they are.