Back to Blog

Implement Multi-Party Approval with Authy OneTouch


2016-04-04_1015Authy OneTouch is the easiest 2FA solution today; users love it!

Before OneTouch, two-factor authentication was a drag, and users complained. Security officers compromised security with usability by only requiring 2FA at login every 30 days, or when a new device was detected. Other more frequent uses for 2FA would be rejected by users. In many cases, protecting your online identity and your accounts was optional… and people opted not to.

Now with Authy OneTouch, 2FA is easy.

Easy enough for decision makers to opt in to using it in a variety of scenarios, including:

  • Authorizing any transaction, or one that exceeds a limit
  • Proving the legitimate user is still in front of the logged in application
  • Providing individual user accountability when using a shared or privileged account
  • Manager approvals or overrides (no matter where the manager is located)
  • Parent approvals of a childs online or in-game purchase
  • Joint account holder transaction approval
  • Buyer and Seller approval to release escrow
  • Management chain approvals (sequential or in parallel)
  • Quorum approvals (such as at least 3 out of 5)

How does it work?

Let’s take the quorum approvals as an example. More specifically, let’s say there is an approval process in a financial system that requires at least two fund managers to allow a transfer of money when the value is over $100K. Because of the high value, the application needs more than one person to look at the details of the transaction.

In your application, a user requests a transfer of money and provides some justification text to be included in the approval. First, confirm that user via 2FA by sending the user a OneTouch approval request. When the user successfully ‘approves’ using their device, your application will retrieve the list of potential approvers (using logic and data you’ve selected), and send a OneTouch approval with detailed information on the request to each potential approver simultaneously.  

In the example above, lets imagine that at least two approvers out of the full set of five, will be required before the high-value money transfer can be completed… You control all logic; Authy provides the proof of each users response:  

  1. Approver 1, the fund manager, is speaking at a conference and has their phone turned off.  
  2. Approver 2, another fund manager on the same account, is in the audience of the conference and also is not answering their phone.
  3. Approver 3, the client account manager, receives a push notification, which brings up the details of the request.  After reviewing the details, Approver 3 presses “APPROVE,” and your application receives this response.  
  4. You might display progress to the account owner, showing 1 out of 2 required approvals, and who approved it.  
  5. Approver 4, the chief financial officer at the company, also receives this message. Her approval of the request is sent back to your application, which then proceeds to approve the transfer of money.  
  6. The other approvers subsequent approval (or lack of response) can be noted, but is not required.

a1ce6162-fefd-46b2-af1b-6669ab9018caIt’s really very simple.

Your developers Authy service interactions for everything above is accomplished with six identical API calls (one for each approval request) and a callback listener. This listener is just a web API endpoint exposed on your application for the Authy service to notify your application when responses happen from approvers. You can apply the same principles from this example to any of the scenarios above, and to others we haven’t even thought of yet. It’s all in your hands!

Please feel free to reach out with any questions or to show us examples of new scenarios that benefited from two-factor authentication! We’d love to see them.

Stay secure!

About the author Dan Killmer

Dan is the Lead Solutions Architect at Authy, and manages the Authy Sales Engineering team. Dan spends a great deal of time listening to customers, and helping them understand how our security products fit their business needs, along with helping customer technical teams succeed. Dan actively participates in identifying and specifying new features, as an outcome of customer and user comments and requirements.

We can text you a link to get started:

Close