2 Factor Auth for physical transactions with Service Worker and Push Notifications

I will always have a soft spot for fraud detection: it was my first "big corp" software engineering role, and I learnt a lot about building scalable systems and "intelligent" systems.

One of the areas that I researched at the time was connecting a person's online location to their application; in that case it was simply making sure mortgage applications were tied to the UK (simple IP address checks worked pretty well). When I moved to a telecoms service company, we were researching out-of-band auth and geolocation for credit card transactions. The idea was simple: send the user an SMS when a purchase happens and get them to click on a link to validate 1) that they agreed to the transaction, and 2) roughly locate the user from their IP address, or, if we were lucky, use the geolocation APIs (we also tried to do cell tower lookups, but they were astonishingly expensive).

That's why I was interested when I saw Visa's Mobile Location Confirmation service.

I am not yet sure if this is all done in the background (i.e., no user prompt); however, if it requires a user gesture, this system is entirely possible to build on the web, especially with Service Worker and Push messaging.

The way that I imagine it working:

  1. User is on their banking site. It registers a Service Worker, requests permission to send push notifications, and also requests access to their geolocation.
  2. Bank registers the user on the back end with the Visa system.
  3. For any transaction that occurs on the card, a push notification is sent to the phone.
  4. Service Worker sends a fetch to the server; the IP address is picked up and geolocated.
  5. Service Worker posts a notification to the phone to alert the user.
  6. User clicks on it and opens up a page (for the bank) to confirm the transaction; the device's geolocation is picked up and sent through to Visa to corroborate the IP address look-up and the physical location of the point of the transaction.
  7. Transaction is either accepted, declined, or put into a queue for further checks.

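Steps 3 to 7 of the flow above, as an added JavaScript example that is not code from the original post: the Service Worker side (push, fetch, notification, click) and a server-side decision function that corroborates the user's answer with the IP-based and device-based locations against the point of sale. The endpoint paths, the push payload shape, and the distance thresholds are assumptions for illustration.

```javascript
// Great-circle distance in km between two {lat, lon} points (haversine).
function distanceKm(a, b) {
  const R = 6371, toRad = (d) => (d * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat), dLon = toRad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(h));
}

// Step 7 (server side): corroborate the user's answer, the IP look-up and the
// device's own geolocation against the point-of-sale location.
// Thresholds are assumed: IP geolocation is coarse (city level), device
// geolocation is precise but carries its own reported accuracy radius.
function decideTransaction({ posLocation, ipLocation, deviceLocation, userConfirmed }) {
  if (userConfirmed === false) return 'decline';  // explicit "that wasn't me"
  if (!userConfirmed) return 'review';            // no answer within the window
  const ipClose = !!ipLocation && distanceKm(ipLocation, posLocation) <= 100;
  const deviceClose = !!deviceLocation &&
    distanceKm(deviceLocation, posLocation) <= 1 + (deviceLocation.accuracyKm || 0);
  if (ipClose && deviceClose) return 'accept';    // all three signals agree
  return 'review';                                // confirmed, but signals disagree
}

// Steps 3 to 6 in the Service Worker; only wired up when running as a worker.
if (typeof self !== 'undefined' && typeof self.addEventListener === 'function'
    && 'registration' in self) {
  self.addEventListener('push', (event) => {
    const txn = event.data.json();                // assumed: { id, merchant, amount }
    event.waitUntil(
      // Step 4: the fetch lets the server record and geolocate this device's IP.
      fetch('/api/txn-ping', { method: 'POST', body: JSON.stringify({ id: txn.id }) })
        // Step 5: alert the user.
        .then(() => self.registration.showNotification('Confirm card payment', {
          body: `${txn.merchant}: ${txn.amount}`,
          data: { id: txn.id },
          requireInteraction: true,
        })));
  });
  self.addEventListener('notificationclick', (event) => {
    event.notification.close();
    // Step 6: open the bank's confirmation page, which reads navigator.geolocation
    // and posts the user's decision plus coordinates back to the server.
    const url = `/confirm?txn=${encodeURIComponent(event.notification.data.id)}`;
    event.waitUntil(self.clients.openWindow(url));
  });
}
```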
I think this process is pretty cool: the user gets two-factor authentication (or maybe it is three-factor when you combine in location).

Image by Håkan Dahlström

I lead the Chrome Developer Relations team at Google.
