In the previous post, we reviewed the CWYS (Confirm What You See) mechanism, which allows generating one-time passwords on the basis of the data being protected.
You can also see how two-factor authentication works and test the CWYS function here: Demo
Users often face the question of which data should be used during OTP generation to give the system the best protection. Let’s consider the most common situation where the CWYS function is used: verification of transactions in payment and banking systems. To protect such transactions, we recommend using the following data:
- identifier or transaction number;
- user’s current balance or balance after the transaction;
- any additional data that needs to be protected against modification or falsification from the point of view of your business processes, for example, transaction date, user’s IP address, etc.
It is important to note that at each step of working with Protectimus, only the current data the user is working with at that moment should be used, never cached data. This matters in particular for the balance: it is sometimes recalculated in response to a system event, while the user still sees its state as of an earlier point in time.
Using such details in the OTP generation process protects against data replacement in the short period between the creation and execution of a transaction, thus protecting the user against losing money and protecting your system against reputational and other risks.
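To make the recommendation concrete, here is an added illustration (not Protectimus’s own algorithm, which is proprietary) of binding an OTP to the transaction fields listed above with an HMAC and HOTP-style truncation. The field names, the shared secret and the sample transaction are constructed for the example; the point is that any change to the protected data, including a stale cached balance, yields a different code and the confirmation is rejected.

```python
import hmac
import hashlib
import struct

# Constructed shared secret for the example; a real token holds its own key.
SECRET = b"0123456789abcdef0123456789abcdef"

# Protected fields, in a fixed order so token and server hash identical bytes.
PROTECTED_FIELDS = ("tx_id", "balance_after", "date", "client_ip")


def canonical_data(tx: dict) -> bytes:
    """Serialise the protected transaction fields deterministically."""
    return "|".join(f"{k}={tx[k]}" for k in PROTECTED_FIELDS).encode()


def data_bound_otp(secret: bytes, tx: dict, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over counter || protected data, truncated as in RFC 4226.
    Illustrative construction only, not the vendor's algorithm."""
    msg = struct.pack(">Q", counter) + canonical_data(tx)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, tx_on_server: dict, counter: int, presented: str) -> bool:
    """Server recomputes the code from the transaction *as it sees it now*
    (current balance, not a cached one) and compares in constant time."""
    expected = data_bound_otp(secret, tx_on_server, counter)
    return hmac.compare_digest(expected, presented)


# Constructed sample transaction the user confirms on screen.
TX = {"tx_id": 48213, "balance_after": "1250.00",
      "date": "2024-05-01", "client_ip": "203.0.113.7"}


def demo() -> dict:
    """Return verification results for the honest, tampered and stale cases."""
    counter = 7
    otp = data_bound_otp(SECRET, TX, counter)       # what the user's token shows
    tampered = dict(TX, tx_id=48299)                # transaction swapped in transit
    stale = dict(TX, balance_after="1100.00")       # server recalculated the balance
    return {
        "honest": verify(SECRET, TX, counter, otp),
        "tampered": verify(SECRET, tampered, counter, otp),
        "stale_balance": verify(SECRET, stale, counter, otp),
    }


if __name__ == "__main__":
    print(demo())
```

The stale-balance case is why the post insists on using live data: a code computed from a balance the user no longer actually has will not verify against the server’s current figure.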