Transaction authorisation

Creating a safe cyber-space and ensuring proper cyber security is a joint responsibility, and our team here at UNLOQ is working hard to create the optimal multi-factor authentication product.

Companies can send push notifications on a user's mobile phone for approval before an action is performed. This can be used to protect sensitive actions on applications such as financial transactions or access to a different part of the application.

Authorisation actions

An authorization action defines how an authorization request will look and how the user will interact with it. You can create as many authorization actions as you wish for an application, by selecting the Authorizations tab under your application and clicking on the New authorization button

When creating an authorisation action, you can customize the following fields:

• Action code - an alpha-numeric string that is the your authorisation's identifier. This code will be used when performing the API call to send the approval request.
• Action title - you can use this field to summarize what are you requesting approval for.
• Message - use this field to describe the approval request. You can also include variables such as $name or $myVar (see below)
• Approval button text - a short text that will be used instead of the default Approve text, essentially allowing you to rename the approve action
• Deny button text - a short text that will be used instead of the default Deny text, essentially allowing you to rename the deny action

A preview on how the authorization request will look in the user's device is shown on the right side of the create form. You can also view all authorization actions of an application and what variables it may contain.

Both the title and the message of an authorisation action can contain variables that can be used in tandem with the authorisation endpoint. As an example, we have defined an action represented in the image below. Whenever we want to initiate an authorisation request using this action, we will also provide the name, user and date variables inside the POST data, to replace the variable name with its value.

Note: since authorisation requests should be unique both on your end and on our end, whenever you initiate one, we will ask for a reference code, resembling a foreign key and tying the authorisation's result with it.

The authorisation process

The first thing you must do is to establish which actions your user performs that need to be protected against unwanted malicious intrusions and define the corresponding authorisation actions in UNLOQ's admin panel. You can personalise the notification message, security options and implement the API calls after reading our documentation.

Once you've established your application's sensitive actions, you can use them while calling the authorisation API endpoint. When you do so, a push notification will be sent to the user's device, describing the authorisation action and asking them to either approve or deny it.

If the user approves the authorisation request, an authorisation id will be generated and returned in the API's response. You can now safely execute your sensitive actions, knowing that the user has approved them.

A short node.js authorisation request based on the example action above can be viewed below:

const request = require('request');
request.post({
   // URL contains the remove-log action code
   url: 'https://api-authenticator.iwelcome.com/v1/authorize/remove-log',
   // Our application's credentials
   headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
   },
   form: {
      email: 'john@doe.com',     // Specify to whom we send the request. Either this or an unloq_id
      reference: 'abc123',       // The reference number of our own application
      name: 'Monday logs',       // The log entry name to display in the notification's message
      user: 'Tim C',             // The user that added the log entry
      date: 'May the 1st'           // When the log entry was added
   }
}, (err, res, body) => {
   var result = JSON.parse(body);
   console.log(result); // if result.error , an error occurred or the user denied the request
});
// The displayed notification message would be:
// Are you sure you want to remove log entry Monday Logs added by Tim C on May the 1st ?
      

Have a question? You can always send us an email at support@unloq.io, or contact us on chat.

For security related concerns, please visit our Security page.