BLOG - Why Multi-Factor Authorization Makes More Sense

Almost all of us have been touched by identity theft of some sort – if not a credit bureau breach, then perhaps a compromised credit card. What may not be so obvious is the fact that the breaches and compromises are the unintended consequences of a broken system in which everyone – financial services firms, brokerages, customers – conduct their business every day.

Today, institutions that want to conduct business with their customers must maintain vast databases of Personally Identifiable Information (PII). This enables them to authenticate those customers when they request a transaction.

Data breaches occur because of the simple fact that those PII data are eminently useful to a criminal. It can be used to establish credit in the victim’s name, tap existing credit, improperly claim tax refunds, commit insurance fraud, and so on.

Three Core Concepts

Let’s take a look at the three core concepts in play during a typical transaction: Identification, Authentication and Authorization.

Identification is straightforward, and we all have a good idea of what it means - it is something that we identify ourselves with - our name, our street address, an email account, an online account userid.

Authentication is how you prove you are who you say you are. That capability is well established with today's technology. Today, authentication is done though a password for an online account, or by receiving – and then resubmitting! – a code that shows you can access a device that only you should possess (such as your phone). Authentication can also use behavioral analytics and biometric techniques processed by your login device, such as scanning your fingerprints or using camera-based facial recognition.

The important part though – in fact, the reason for the authentication - is to provide authorization of the transaction. So, to understand what we’re really after, let’s step back and make a clear distinction between authentication and authorization.

Authorization is the process of allowing your authenticated information to permit a desired activity. For example, say someone tries to open a fake credit card account using your social security number. The stolen SSN is their identification. They may be able to authenticate by finding answers to your personal questions online. Now introduce authorization into this scenario. Even with authentication, they won’t be able to authorize setting up the account without your personal approval.

A Target for Thieves

We use this same basic process whenever we want people to authorize something – release of a credit report for a loan, release of medical records. All of these depend on the verification of your credentials – your bank card number and PIN, your online account userid and password – against your personal data stored in the firm's database.

However, if you are a typical client in today’s digital world, your personal data is stored in many, many databases. This presents a rich variety of targets for identity thieves.

The problem is that when knowledge of your PII is used for authentication – Social Security Numbers, the numbers associated with a credit card, online account IDs and their passwords – and are in someone else's hands, they can continue to be used to authorize things without the true owner's consent. This is the reason that identity theft is so profitable for the bad guys.

There is a better way. Why don’t we just let people authorize their needed transactions directly? Multi-factor authorization, instead of multi-factor authentication. With that simple flip of the model, we can turn the process upside down. Instead of authenticating ourselves to some entity in order to authorize a function, we, the clients, have the control to issue the authorization directly.

Authorize Transactions by Authenticating Ourselves

Here is how we made that happen – we developed the ability to authenticate ourselves every time we use our phones. Once authenticated, we can use an app that generates a smart PIN that specifies exactly what activity we want to authorize. We can specify the type of transaction, the amount, the time, and the location.

Significantly for preventing theft, once that token has been used to authorize the transaction for which it was generated, it cannot be used again. It is truly a one-time, one-use authorization generated by the end-user.

We call it the Authoriti Permission Code™. The Permission Code resolves issues faced by those on either side of any given transaction. The client keeps control of the whole process – you authenticate to your own device and generate the Permission Code authorizing an activity right on it. You can be sure that the transaction that you are authorizing will be the only thing that takes place.

The business side of the transaction is freed of many constraints as well. The financial institution has confidence that every given activity is truly authorized. They don't have to risk refusing transactions that they are unsure about.

Most important is the elimination of the requirement for companies to use PII to authenticate clients in order to transact business with them.

At Authoriti, we think this is an outstanding weapon against fraud. Institutions no longer have the need to maintain vast databases of PII to authenticate their clients. After all, both the institutions and their clients simply want safe, authorized transactions.