Transaction confirmation is a security level that is required for specific financial transactions and information updates. It’s used if the user needs to check and confirm specific information in addition to authentication. Transaction confirmation provides increased security against possible fraud attempts that could be caused by malware.
Examples of transaction confirmations:
The user receives the relevant information and confirms that they have read and accepted it using their fingerprint or PIN.
The Fast Identity Online Alliance (FIDO) has developed a protocol that defines and standardises transaction confirmations as well as passwordless authentication. The Nevis Identity Cloud supports these scenarios, turning transaction confirmation into a further obstacle for attackers. Even if the login has been «cracked», transaction confirmation prevents any further damage, because the operation requested by the attacker is not performed without this confirmation.
A push notification informs the user about the pending transaction. All the necessary details about the transaction are then displayed. The customer now has the option of viewing the details and correcting them, if necessary, before approving the transaction. After checking the data, the customer can then easily confirm or reject the transaction by scanning the fingerprint or face or by entering a PIN. Transaction confirmation not only enhances protection against possible fraud attempts but also protects against human error such as typing mistakes.
All that’s left to do is to prove that the person who initiated the transaction is also authorised to do so. This problem can be solved by verifying the user’s biometric features – just like the login process. The transaction-signing functionality not only implements the principle of «what you see is what you sign» but also guarantees non-repudiation of the confirmed transactions.
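As an added example (not Nevis's or FIDO's code), a minimal Go model of the «what you see is what you sign» check described above: the transaction details shown on the device are the exact bytes signed with the device key, and the server verifies the signature against the transaction it is about to execute, so details altered after approval or a signature replayed for a different challenge are rejected. The field names, the JSON canonicalisation and the choice of Ed25519 are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is what the user sees on the phone and exactly what gets signed.
type Transaction struct {
	ID        string `json:"id"`
	Payee     string `json:"payee"`
	AmountCts int64  `json:"amount_cents"`
	Challenge string `json:"challenge"` // server nonce: binds the signature to one request
}

// canonical serialises the transaction deterministically; encoding/json emits
// struct fields in declaration order, so device and server produce the same bytes.
func canonical(tx Transaction) []byte {
	b, _ := json.Marshal(tx)
	return b
}

// deviceConfirm models the user's phone: after fingerprint/PIN unlock, the
// enrolled device key signs the details that were displayed, nothing else.
func deviceConfirm(priv ed25519.PrivateKey, shown Transaction) []byte {
	return ed25519.Sign(priv, canonical(shown))
}

// serverVerify re-derives the bytes from the transaction the server intends to
// execute and checks them against the enrolled public key. Anything changed
// between display and execution (payee, amount, challenge) fails verification.
func serverVerify(pub ed25519.PublicKey, intended Transaction, sig []byte) error {
	if !ed25519.Verify(pub, canonical(intended), sig) {
		return errors.New("signature does not cover the intended transaction")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // device enrolment (constructed)
	tx := Transaction{"tx-1", "ACME Ltd", 12550, "constructed-nonce-1"}
	sig := deviceConfirm(priv, tx)
	fmt.Println("genuine:", serverVerify(pub, tx, sig))
	tampered := tx
	tampered.Payee = "Mallory" // altered after the user approved
	fmt.Println("tampered:", serverVerify(pub, tampered, sig))
}
```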
The process has proved itself in countless applications:
Nevis offers generic transaction confirmations in the mobile Access app. This goes beyond the confirmation of payment transactions and also includes acceptance of terms or consent to data usage. That enables online services to request cryptographically signed, legally binding transaction confirmations. This is required by new regulations such as the GDPR and PSD2 or by national requirements such as obtaining consent to the processing of health information.
Legally binding, cryptographically signed agreements and consent.
Friendly fraud – arising when customers assert spurious rights of reimbursement – is prevented by transaction confirmation.
The security problems that SMS OTP providers have to contend with (e.g. interception of SMS or SIM swapping) do not arise with mobile transaction confirmation.
Complies with requirements of the GDPR, PSD2 and for processing of health information.
Customers expect user-friendliness and security. The process must be quick, convenient and intuitive.
Payment can be made in real time.
Customers are protected against phishing, social engineering and data-switching attacks.
«The Fast Identity Online Alliance (FIDO) has developed a protocol that defines and standardises transaction confirmations as well as passwordless authentication. Nevis Mobile Authentication supports these types of scenarios.»