Building a Secure Consumer Fintech Service from Scratch
From IIW
Wednesday 3H
Convener: Tiffany Jung
Notes-taker(s): Garrett Schlesinger
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if
appropriate to this discussion: action items, next steps:
Old prototype:
- Unguessable URLs to Bookmark
- SCoopFS: Simple Co-operative File Sharing (https://alanhkarp.com/scoopfs/index.html)
- Today: bake OAuth Token into the URL
- Declare to the blockchain that you are X. Uses an encrypted, always-incrementing nonce.
- Can set up many accounts against the same identifier for this.
- register once per device: handshake period for identification.
- Another
- get claim on an email address (email verification) or other channel
- other identifying steps (e.g. KBAs)
- once this is done, register with PKI (register them with a certificate authority)
- this can be a tricky UX
- Also are in the process of refining FIDO web-auth spec. It's currently per user-agent. Want to make that distributed.
- Regardless, FIDO is important here since it standardizes the protocol.
- Important consideration in this: means of delegation and revocation.
- Also important: make it so that transactions are authorized by the user, not an impersonating agent.
- At the very least, responsibility tracing.
- Web key generation. Public/private key generated in browser.
- Can also do some smarter device linking/cloud solutions.
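
An added example (not from the session or from any project discussed in it) tying together the per-device registration, in-browser key generation, always-incrementing nonce and revocation points above. The notes mention an encrypted nonce; this example instead signs the nonce with an ECDSA P-256 device key through WebCrypto, and the message format, function names and in-memory server store are assumptions.

```javascript
// Added example; algorithm, message format and all names are assumptions.
async function getSubtle() {
  // WebCrypto is global in browsers and recent Node; older Node exposes it via node:crypto.
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto.subtle;
  return (await import('node:crypto')).webcrypto.subtle;
}
const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };
const encode = (id, nonce, tx) => new TextEncoder().encode(JSON.stringify([id, nonce, tx]));
// Device: key pair generated in the user agent; the private key is non-extractable.
async function registerDevice(server, deviceId) {
  const subtle = await getSubtle();
  const keys = await subtle.generateKey(ALG, false, ['sign', 'verify']);
  const jwk = await subtle.exportKey('jwk', keys.publicKey); // only the public half leaves
  const publicKey = await subtle.importKey('jwk', jwk, ALG, true, ['verify']);
  server.devices.set(deviceId, { publicKey, lastNonce: 0, revoked: false });
  return { deviceId, privateKey: keys.privateKey, nonce: 0 };
}

// Device: bind the transaction to this device and a strictly increasing nonce.
async function signTx(device, tx) {
  const nonce = ++device.nonce;
  const data = encode(device.deviceId, nonce, tx);
  const sig = await (await getSubtle()).sign(SIG, device.privateKey, data);
  return { deviceId: device.deviceId, nonce, tx, sig };
}

// Server: check revocation, then the signature, then that the nonce moved forward.
async function acceptTx(server, msg) {
  const dev = server.devices.get(msg.deviceId);
  if (!dev || dev.revoked) return 'rejected: unknown or revoked device';
  const data = encode(msg.deviceId, msg.nonce, msg.tx);
  const ok = await (await getSubtle()).verify(SIG, dev.publicKey, msg.sig, data);
  if (!ok) return 'rejected: bad signature';
  if (!Number.isInteger(msg.nonce) || msg.nonce <= dev.lastNonce) return 'rejected: stale nonce';
  dev.lastNonce = msg.nonce;
  return 'accepted';
}

async function demo() {
  const server = { devices: new Map() };
  const phone = await registerDevice(server, 'phone-1'); // constructed sample device
  const m1 = await signTx(phone, { pay: 'alice', cents: 500 }); // constructed transaction
  const out = [await acceptTx(server, m1), await acceptTx(server, m1)]; // second is a replay
  out.push(await acceptTx(server, { ...m1, nonce: 2 })); // nonce bumped without re-signing
  server.devices.get('phone-1').revoked = true; // revocation cuts the device off
  out.push(await acceptTx(server, await signTx(phone, { pay: 'bob', cents: 1 })));
  return out;
}
demo().then((results) => console.log(results));
```

The server advances its stored nonce only after the signature verifies, so an unauthenticated message cannot burn nonces or lock out the real device.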