Privakey CX

Privakey CX is a licensable product that allows services to deploy Privakey’s core passwordless authentication and authorization technology in their existing mobile and desktop applications.

By employing simple platform libraries and a centralized Auth Service, existing end-user applications are transformed into consistent, user-friendly, omni-channel authenticators and process authorizers.

Privakey CX Components

Privakey’s architecture is comprised of Mobile and Desktop Libraries (available for Android, iOS and Windows) and an Auth Service that interacts with services’ pre-existing processes (Request Origins).
null

Request Origins

The Request Origins are the current processes and workflows of an application or service that would benefit from strong and definitive user authorizations. Any authorized, internet-connected service can behave as a Request Origin. Examples include user initiated actions like logins, rules triggered challenges like fraud detection, or 3rd party queries perhaps from IVRs.

null

App Libraries

The Mobile and Desktop Libraries are leveraged to develop apps or, more likely, extend the capabilities of existing apps to enable Privakey Authentication and Authorization. Once employed, the libraries handle device registration, cryptographic key generation and secure storage, request/challenge receipt and handling, revocation, and suspension.

null

Auth Service

The Auth Service is a simple headless web app that exposes an API. It is a RESTful service that acts as a central hub that can be called by any Request Origin to invoke user-specific challenges. It also federates those challenges to registered user devices and brokers the interaction between the Privakey enabled devices and the services that initiated requests/challenges.

Privakey CX Request Flow

A request is sent from its origin to the Privakey CX Auth Service which federates notifications to the user’s devices.
null

How Do Companies Use Privakey CX?

Companies can deploy Privakey CX in a variety use cases to eliminate passwords and interrogations from customer initiated actions, rules triggered challenges and 3rd party initiated queries. The use cases illustrated below are for a fictional “Bank of Tomorrow” that has deployed Privakey CX technology throughout its entire customer experience, thus creating a consistent and secure experience for its users, no matter what channel they’re interacting with.

null

User Initiated Actions

The Bank of Tomorrow has enabled Privakey CX in order to provide password-free logins for users, regardless of if they are on a browser or mobile app.

During a login with a Privakey CX enabled service, a user simply identifies themselves via a username or email address. The user then receives an instantaneous alert, on all of their devices with the Bank of Tomorrow app, prompting them to complete the authentication transaction.  The user then simply provides either a pre-chosen PIN or registered biometric to complete the authentication.

Other examples of user initiated actions that the Bank of Tomorrow could deploy include payment confirmations, wire transfers, document signing and more.

Rules Triggered Challenges

Privakey can be leveraged anytime a service needs a secure response to a challenge. In the case of a rules triggered challenge, Privakey will send an automated notification to the user’s registered devices with a custom message that describes what the customer needs to authorize.

In this case, the Bank of Tomorrow has enabled Privakey to send a notification to users’ devices if a fraud risk engine is triggered. The user will then assert a strong yes or no respond back to the sender without the need for phone calls, interrogations or SMS messages. If the user did in fact spend $1,500 at BadActor.com they would be asked for a second factor to authorize the transaction. If they didn’t, all they would have to do is press “deny”.

Other examples of when a rules triggered authorization would be enabled include: if a user triggers a protective threshold, such as adding a new shipping address to a retail account or if a user is attempting to access sensitive information on a shared, voice-controlled computing device (i.e. Amazon Echo or Google Home). In all cases, the same Privakey-enabled, consistent, and user-friendly process can be leveraged to verify your user’s intent and protect them from unauthorized access and transactions.

null
null

3rd Party Queries

In the same way that customers are accustomed to authenticating, Privakey can be used to strongly and securely assert one’s identity during offline transactions. For example, a user has placed a call to the Bank of Tomorrow’s customer service line. Before accessing the user’s sensitive account information, the customer service representative must ensure they are speaking to the appropriate person.

With a Privakey empowered system, the IVR can be configured to notify the user with an identity verification challenge. And just like when authenticating, the user would receive a notification on their Privakey-registered devices. In this case, there would be context-specific messaging, such as, “Please confirm you’re on an active call with the Bank of Tomorrow.” If appropriate, the user would click “Approve”, then assert a second factor, such as a fingerprint or a PIN.

Other examples of 3rd party initiated requests include in person authentication and non-automated phone system authentication with a customer service representative.