Building a Secure Consumer Fintech Service from Scratch

From IIW
Jump to: navigation, search

Building a Secure Consumer Fintech

Wednesday 3H

Convener: Tiffany Jung

Notes-taker(s): Garrett Schlesinger

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if

appropriate to this discussion: action items, next steps:

Old prototype:

  • Unguessable URLs to Bookmark
  • Today: bake OAuth Token into the URL
  • Declare to block chain that you are X. Uses an encypted, always incrementing nonce.
  • Can set up many accounts against the same identifier for this.
    • register once per device: handshake period for identification.
  • Another
    1. get claim on an email address (email verification) or other channel
    2. other identifying steps (e.g. KBAs)
    3. once this is done, register with PKI (register them with a certificate authority)
      • this can be a tricky UX
      • Also are in the process of refining FIDO web-auth spec. It's currently per user-agent. Want to make that distributed.
    • Regardless, FIDO is important here since it standardizes the protocol.
  • Important consideration in this: means of delegation and revocation.
  • Also important: make it so that transactions are authorized by the user, not an impersonating agent.
    • At the very least, responsibility tracing.
  • Web key generation. Public/private key generated in browser.
  • Can also do some smarter device linking/cloud solutions.