Authentication vs authorization in financial data access

Unpacking one of the two components of financial data exchange, which impacts OAuth and beyond

In Plaid’s recent whitepaper on financial data access methods, we discuss the two key elements of financial data exchange: authentication and data transmission.

For the sake of simplicity, our whitepaper treats authentication as a single concept. Authentication actually involves two steps: identity validation and authorization.

The details of each step are integral to industry discussions around consumer data sharing. The failure to share data required for either proper identity validation or authorization can undermine the ability to deliver robust authorization.

A refresher on authentication

At a high level, authentication refers to any “permissioning flow” in which a user allows an application to access his or her data that resides somewhere else. Authentication isn’t unique to financial services; in fact, social media firms such as Twitter, Facebook, and LinkedIn were early adopters of OAuth, one of the more popular authentication standards today.

In one example familiar to many consumers, Airbnb uses Facebook to validate consumers’ online identities prior to taking an action (such as renting or posting a rental listing) on its platform.


While it’s tempting to think about authentication as one fell swoop, let’s tackle each step of this process in order.

Step 1: Identity validation

The first step in authentication is validating that a person or business is, in fact, who they claim to be. In the Airbnb/Facebook example, Airbnb authenticates by linking to a Facebook account. While a Facebook account is often closely tied to an individual’s identity, requiring a Facebook login alone is not a foolproof means of validating one’s identity.

Best practices across the digital ecosystem for identity validation typically require a user to provide at least two of three pieces of information. These components are:
(i) something a user knows (such as a username and password, or answer to a secret question)
(ii) something a user possesses (such as confirmation via text message of a smartphone in their possession, or passage of a known device token by a trusted intermediary)
(iii) something a user is (such as biometric data like fingerprints).

Requiring two of the three above components is known as two-factor authentication.

For crucial functions in financial services, such as opening a new online account, identity validation is often performed at a deeper level of scrutiny. Brokerage account applicants are often required to upload additional documents to establish identity, such as a driver’s license or social security number. Applicants may also need to answer security questions for which only the true applicant should know the answer.

Step 2: Authorization

The second step within authentication is authorization. Authorization refers to the granting of permission to access specific data within a given platform. In the earlier example, a user might grant Airbnb the right to view their Facebook profile photo, current city, and friend list.

In digital financial services, companies must disclose within their privacy policies and terms of use that they are accessing data on behalf of a consumer. A best practice is to go beyond this and provide users explicit notice of the category (such as “transactions” or “account information”) of data that an app intends to use.

This disclosure-based approach balances user transparency and control against apps’ need to innovate on behalf of their users — including the flexibility to use new types of financial data in their products.
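The two steps above can be enforced in code on the data-holder side. The following is an added example, not code from Plaid or its whitepaper: it requires factors from two distinct categories before releasing anything, then returns only fields in the categories the user approved. The field names, the "identity" category, the factor names, and the `Grant` type are assumptions made for illustration.

```python
from dataclasses import dataclass

# Step 1 factor categories: something a user knows / possesses / is.
FACTOR_CATEGORY = {
    "password": "knows", "security_question": "knows",
    "sms_code": "possesses", "device_token": "possesses",
    "fingerprint": "is",
}

# Hypothetical mapping of account fields to disclosed data categories (Step 2).
FIELD_CATEGORY = {
    "transactions": "transactions",
    "account_name": "account information", "balance": "account information",
    "phone_number": "identity", "home_address": "identity", "email_address": "identity",
}


@dataclass(frozen=True)
class Grant:
    app: str
    categories: frozenset  # categories the user explicitly approved


def identity_validated(verified_factors):
    """True only if the verified factors span at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in verified_factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def release(record, grant, verified_factors):
    """Return only the fields covered by the grant; everything else is withheld."""
    if not identity_validated(verified_factors):
        raise PermissionError("identity validation requires two distinct factor types")
    return {
        field: value
        for field, value in record.items()
        # Fields with no known category are withheld rather than guessed at.
        if FIELD_CATEGORY.get(field) in grant.categories
    }


# Constructed sample data for the example.
RECORD = {"transactions": [-42.10, 1500.00], "balance": 2310.55,
          "phone_number": "+1-555-0100", "internal_risk_score": 0.12}
GRANT = Grant(app="example-budget-app", categories=frozenset({"transactions", "identity"}))


if __name__ == "__main__":
    print(release(RECORD, GRANT, ["password", "sms_code"]))
```

A password plus a security question fails the check because both are things the user knows, and the unmapped `internal_risk_score` field is never released regardless of the grant.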

Why does this all matter?

Authentication is important for managing permissions within the digital ecosystem. For financial services, strong identity validation is a crucial tool to fight against fraud. While the ramifications of undetected fraud can be serious for a platform like Airbnb, they can be even more harmful in a financial services context.

Fortunately, most financial institutions—particularly banks—have strong protections in place to confirm their customers’ true identities (remember signing up for your bank account? You likely presented your driver’s license at your local branch). By enabling user-permissioned access to data fields that can help confirm one’s identity—such as phone number, home address, or email address—banks can help to fight against fraud in the broader digital financial services ecosystem.

Without this data, however, third-party applications and trusted intermediaries have fewer tools to fight fraud. Thus, enabling user-permissioned access to a variety of identity-related data fields is a key tool that financial institutions can employ to create a more secure financial ecosystem.