MAC Token Authentication

While standard PowerAuth authentication codes are suitable for requests where a high degree of authenticity and integrity is required, for high-volume common access requests, the strong sequentiality caused by the use of a counter might be too restricting. Signed requests must be sent one by one, and a request needs to wait for the previous one to complete. This causes both data processing to be slow and the programming task related to request synchronization to be unnecessarily difficult.

This is why PowerAuth also supports simplified MAC Token-Based Authentication. As the name suggests, the authentication is achieved by computing a MAC (also called a “digest”) using a pre-shared token.

Security Considerations

There are a couple of very important things to keep in mind while using MAC Token-Based Authentication in your APIs:

  • Data Integrity - The resulting digest does not cover any request data (path, parameters or body), so it does not detect or prevent modification of the request.
  • Single Factor - The token records which factors were used when it was created, which is useful for distinguishing grades of information (for example, more sensitive data may require a token created using 2FA), but the authentication itself uses only a single factor: possession of the token. It does not involve a PIN/password or biometric information at all.

As a result, MAC Token-Based Authentication is intended for read-only operations. Typical use cases include, e.g.:

  • MAC Token-Based Authentication: Accessing simple information about the account, such as account name, balance of the account, and last three transactions, from Apple Watch.
  • PowerAuth 1FA Authentication Codes: Creating a quick, low-value payment from an iPhone app.

More information about MAC Token creation and usage can be found in the documentation.
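The following is an added, self-contained illustration of the scheme described above; it is not PowerAuth's own code and does not reproduce the PowerAuth wire format. The field names (`token_id`, `nonce`, `timestamp`, `token_digest`), the HMAC input layout (`nonce&timestamp`), the token store layout and the credential values are all constructed assumptions. It shows a client computing the digest from a pre-shared token secret and a server-side verifier that checks the digest in constant time, enforces a freshness window, rejects replayed nonces and lets an endpoint require a token created with stronger factors. Note that `compute_token_digest` never sees the request body, which is exactly the data-integrity caveat from the security considerations.

```python
import base64
import hashlib
import hmac
import os
import time

# Constructed sample credentials for this example only (not real tokens).
TOKEN_ID = "example-token-id"
TOKEN_SECRET = bytes(range(16))

# Hypothetical server-side token store: token id -> secret plus the factors
# that were used when the token was created.
TOKEN_STORE = {
    TOKEN_ID: {"secret": TOKEN_SECRET, "factors": {"possession", "knowledge"}},
}


def compute_token_digest(token_secret: bytes, nonce_b64: str, timestamp_ms: int) -> str:
    """HMAC-SHA256 over nonce and timestamp only (assumed input layout).

    Nothing about the request (method, path, body) enters the MAC, so the
    digest authenticates the caller but gives no request integrity.
    """
    data = f"{nonce_b64}&{timestamp_ms}".encode("ascii")
    mac = hmac.new(token_secret, data, hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def build_token_header(token_id, token_secret, nonce=None, timestamp_ms=None):
    """Client side: produce the authentication fields (hypothetical names)."""
    raw_nonce = nonce if nonce is not None else os.urandom(16)
    nonce_b64 = base64.b64encode(raw_nonce).decode("ascii")
    ts = timestamp_ms if timestamp_ms is not None else int(time.time() * 1000)
    return {
        "token_id": token_id,
        "nonce": nonce_b64,
        "timestamp": ts,
        "token_digest": compute_token_digest(token_secret, nonce_b64, ts),
    }


class TokenVerifier:
    """Server side: digest check, freshness window, replay cache, factor grade."""

    def __init__(self, store, max_skew_ms=300_000):
        self.store = store
        self.max_skew_ms = max_skew_ms
        self.seen_nonces = set()  # (token_id, nonce); use a TTL cache in production

    def verify(self, header, now_ms, required_factors=frozenset({"possession"})):
        record = self.store.get(header.get("token_id"))
        if record is None:
            return False
        # Endpoints serving more sensitive data can demand a token created with 2FA.
        if not required_factors <= record["factors"]:
            return False
        ts = int(header["timestamp"])
        # The freshness window bounds how long a captured header stays usable.
        if abs(now_ms - ts) > self.max_skew_ms:
            return False
        expected = compute_token_digest(record["secret"], header["nonce"], ts)
        if not hmac.compare_digest(expected, header["token_digest"]):
            return False
        # Replay protection: each nonce is accepted once per token inside the window.
        key = (header["token_id"], header["nonce"])
        if key in self.seen_nonces:
            return False
        self.seen_nonces.add(key)
        return True


def demo():
    """Run the verifier against a fresh, replayed, stale, tampered and under-graded request."""
    ts = 1_700_000_000_000                      # constructed fixed timestamp (ms)
    header = build_token_header(TOKEN_ID, TOKEN_SECRET, nonce=bytes(16), timestamp_ms=ts)
    results = {}
    verifier = TokenVerifier(TOKEN_STORE)
    results["fresh"] = verifier.verify(header, now_ms=ts + 1_000)
    results["replay"] = verifier.verify(header, now_ms=ts + 2_000)
    results["stale"] = TokenVerifier(TOKEN_STORE).verify(header, now_ms=ts + 600_000)
    tampered = dict(header, token_digest=header["token_digest"][:-4] + "AAAA")
    results["tampered"] = TokenVerifier(TOKEN_STORE).verify(tampered, now_ms=ts + 1_000)
    one_fa_store = {TOKEN_ID: {"secret": TOKEN_SECRET, "factors": {"possession"}}}
    results["2fa_required_1fa_token"] = TokenVerifier(one_fa_store).verify(
        header, now_ms=ts + 1_000, required_factors=frozenset({"possession", "knowledge"}))
    return results


if __name__ == "__main__":
    print(demo())
```

Because the digest is independent of the request, the server cannot use it to tell a legitimate request from one whose body was altered in transit; transport security (TLS) and restricting the token to read-only endpoints are what limit the impact, which is why the page confines this scheme to read-only operations.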
