2 Factor Auth for physical transactions with Service Worker and Push Notifications

Paul Kinlan

I will always have a soft spot for Fraud Detection; it was my first “big corp” software engineering role, and I learnt a lot about building scalable systems and “intelligent” systems.

One of the areas that I researched at the time was connecting a person’s online location to their application; in this case it was simply making sure mortgage applications were tied to the UK (simple IP address checks worked pretty well). When I moved to a telecoms service company, we were researching out-of-band auth and geo-location for credit card transactions. The idea was simple: send the user an SMS when a purchase happens and get them to click on a link to validate 1) that they agreed to the transaction, and 2) roughly locate the user via their IP address, or, if we were lucky, use the geolocation APIs (we also tried to do cell tower lookups, but they were astonishingly expensive).

That’s why I was interested when I saw Visa’s Mobile Location Confirmation service.

I am not yet sure if this is all done in the background (i.e., no user prompt); however, if it requires a user gesture, this system is entirely possible to build on the web, especially with Service Worker and Push messaging.

The way that I imagine it working:

  1. The user is on their banking site, which registers a Service Worker, requests permission to send push notifications, and requests access to their geolocation.
  2. The bank registers the user on the back end with the Visa system.
  3. When a transaction occurs on the card, a push notification is sent to the phone.
  4. The Service Worker sends a fetch to the server; the server picks up the request's IP address and geolocates it.
  5. The Service Worker posts a notification on the phone to alert the user.
  6. The user clicks on it, which opens a page (for the bank) where they confirm the transaction; their geolocation is picked up and sent through to Visa to corroborate the IP address look-up and the physical location of the point of transaction.
  7. The transaction is either accepted, declined, or put into a queue for further checks.
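
The corroboration in steps 6 and 7, as an added example that is not code from the original post or from Visa's service: the user's answer, the phone's geolocation fix and the IP-derived location are each compared with the terminal's position, and the outcome is accept, decline or the manual-review queue. The radii, the accuracy discount and the sample coordinates are assumptions constructed for the example.

```javascript
// Added example (not from the original post). Server-side corroboration for
// steps 6 and 7 above. Distance radii are assumptions for illustration.
const EARTH_RADIUS_KM = 6371;
const DEVICE_RADIUS_KM = 2;   // a GPS fix should be close to the point of sale
const IP_RADIUS_KM = 50;      // IP geolocation is city-accurate at best

// Great-circle distance between two {lat, lon} points in kilometres (haversine).
function haversineKm(a, b) {
  const rad = (d) => (d * Math.PI) / 180;
  const dLat = rad(b.lat - a.lat);
  const dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Distance after discounting the fix's reported accuracy (metres), so an
// imprecise but overlapping fix is not counted as a location mismatch.
function effectiveDistanceKm(terminal, fix) {
  const slack = (fix.accuracyM || 0) / 1000;
  return Math.max(0, haversineKm(terminal, fix) - slack);
}

// Returns 'accept', 'decline' or 'review' (the queue for further checks).
function decideTransaction({ userConfirmed, terminal, deviceFix, ipFix }) {
  if (userConfirmed === false) return 'decline';   // user rejected the purchase
  if (userConfirmed !== true) return 'review';     // no answer within the window
  if (deviceFix) {
    // A confirmation from a phone that is nowhere near the terminal is
    // suspicious (lost phone, or a prompt tapped through without reading).
    return effectiveDistanceKm(terminal, deviceFix) <= DEVICE_RADIUS_KM ? 'accept' : 'review';
  }
  if (ipFix) {
    // No GPS fix (permission denied): fall back to the coarser IP location.
    return effectiveDistanceKm(terminal, ipFix) <= IP_RADIUS_KM ? 'accept' : 'review';
  }
  return 'review';  // confirmed, but nothing to corroborate the location with
}

// Constructed sample: a terminal in central London, the phone about 300 m away
// reporting a 500 m accuracy radius, and an IP geolocated to the same city.
const sample = {
  userConfirmed: true,
  terminal: { lat: 51.5074, lon: -0.1278 },
  deviceFix: { lat: 51.5101, lon: -0.1278, accuracyM: 500 },
  ipFix: { lat: 51.5, lon: -0.12 },
};
console.log(decideTransaction(sample));  // accept
```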

I think this process is pretty cool: the user gets two-factor authentication (or maybe three-factor when you combine in location).

Image by Håkan Dahlström
