Recommendations / algorithm / approach for implementing a temporary transaction password for a banking / financial site

What are the best methods to use the Temporary Transaction Password feature for a website?

For example, in banking / finance scenarios:

  • When transferring funds from one account to another, a transaction password is required.
  • When making a transaction, a transaction password is required.
  • etc.

The password should be temporary and time-based, i.e. this password should not work after x minutes have passed.

Which algorithm would you recommend? Would you suggest keeping track of the passwords used, i.e. storing the used passwords in a store?

Some websites use a OneTimePassword device. Beyond that, please consider any other strategy you think might be appropriate.

Any other ideas / suggestions / algorithm would be appreciated.

Edit: based on the question from 'lassevk'

  • The password will be sent by email / phone / SMS.
  • No third site is involved.

I require this for an extra layer of security at critical points in the application. This can also be called "AuthenticationCode".



Edit after updated question:

Well, one way would be to just store it in a session variable which would force it to leave when the service restarts.

Also, you will need to have a timer on it. Basically, you store the expiration time together with the password somewhere, and whenever you check the password, if the expiration time has passed, you treat it as having no password and just clear it.

If you encapsulate this in some basic code that does more than just check whether the password is correct, it should be able to answer yes, no, or "no password saved", so you can give the appropriate user message.
A few questions:

  • How would you tell the user the temporary password? SMS?
  • Is the password for the same site, or is it generated for a different, linked site? (i.e. your main bank site generates or receives a password and you use it to log in or authorize a transaction on another linked site?)

If the answers are:

  • Through the website
  • No, the same site

Then what is the point? What do you hope to learn from this? What are the specific criteria or purpose for this function?

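One way to implement the store described in this answer (expiry time kept next to the password, a check that answers yes / no / "no password saved", and the entry cleared once expired) as an added Python example that is not part of the original answer. The class name `TransactionCodeStore`, the 6-digit code format, the 5-minute default lifetime and the attempt budget are assumptions; the code is hashed at rest and consumed on first successful use so a captured SMS cannot be replayed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed result states, mirroring the answer's "yes, no, or no password saved".
OK, WRONG, NO_CODE = "ok", "wrong", "no_code"


@dataclass
class _Pending:
    digest: bytes       # SHA-256 of the code; the plaintext is never stored server-side
    expires_at: float   # absolute time after which the code is treated as absent
    attempts_left: int  # wrong guesses tolerated before the code is discarded


class TransactionCodeStore:
    """Server-side store of one pending transaction code per key, e.g. (user_id, txn_id).
    Codes are short-lived, single-use and hashed at rest (assumed design, see lead-in)."""

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock          # injectable for testing expiry deterministically
        self._pending = {}

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, key):
        """Generate a fresh 6-digit code for `key`, record its hash and expiry, and return
        the plaintext so the caller can send it out of band (SMS/email). Replaces any older code."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[key] = _Pending(self._digest(code), self.clock() + self.ttl, self.max_attempts)
        return code

    def verify(self, key, submitted):
        """Return OK, WRONG or NO_CODE. OK and NO_CODE both clear the entry;
        WRONG spends one attempt and clears the entry when the budget is exhausted."""
        entry = self._pending.get(key)
        if entry is None or self.clock() >= entry.expires_at:
            self._pending.pop(key, None)      # expired code == no code saved
            return NO_CODE
        if hmac.compare_digest(entry.digest, self._digest(submitted)):
            del self._pending[key]            # single-use: consume on success
            return OK
        entry.attempts_left -= 1
        if entry.attempts_left <= 0:
            del self._pending[key]            # too many wrong guesses: force a re-issue
        return WRONG
```

The three return values map directly onto the user messages the answer suggests: proceed, "wrong code, try again", or "no active code, request a new one".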


Well, it really differs from institution to institution.

Generating a session-based financial PIN would be a more secure strategy rather than generating an FPIN that works over a period of time.



If you have the resources for an SMS FPIN, then the best practice would be to create an FPIN before each transaction and SMS the FPIN to the user, which will be something like 2FA.

Regards, Azim.
