WhoToken

What is WhoToken?

WhoToken is a Multi-Factor Mutual Authentication ( MFMA ) service, we provide a means by which two or more individuals can verify the identity of each other using a unique WhoToken.

What is Multi-Factor Mutual Authentication ( MFMA )?

Multi-Factor Mutual Authentication ( MFMA ) is a combination of Mutual authentication and two-way authentication (sometimes written as 2WAY authentication) which refers to two parties authenticating each other at the same time. In technology terms, it refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both parties are assured of the others' identity. When describing online authentication processes, mutual authentication is often referred to as website-to-user authentication, or site-to-user authentication. Multi-Factor Mutual Authentication ( MFMA ) is a method in which you allow two or more individuals to share a common token that can produce multiple token cards ( enough to support ten ) and each token card contains a unique set of codes and words that when read by that individual the other participating individuals can see the same codes and words on their screen and can be confident that the person they are communicating with is authorised with the same WhoToken.

When would you need WhoToken?

Classic examples of when you would need WhoToken is when your bank or other financial institute cold calls you and demands that you provide them with your full name, date of birth and residential/postal address so that they can be sure you are who you should be so that they can discuss personal details with you... but whats wrong with this picture?... do you know who they are? are they really your bank? or are they a false prince from a foreign land pretending to be your bank so that they can collect your personal information only to then use that information to perform identity theft etc...

How does WhoToken Work?

1. Generate a unique link with WhoToken ( Click here for example WhoToken Link )
2. Share this link only with those whom you wish to perform your mutual authentication ( typically this is only one other individual or company but it can work in groups of people but still only in an individual to individual challenge )
3. Wait for a moment when either of the individuals participating in the WhoToken relationship needs to verify the identity of the other individual.
4. Both individuals open the WhoToken link they originally shared with each other and proceed to use the two parts on screen to challenge each other to confirm the details within each part.
5. Individual One reads part "One" of the WhoToken to Individual Two.
6. Individual Two confirms the information provided by Individual One matches part "One" of the WhoToken as seen on Individual Two screen.
7. Individual Two reads part "Two" of the WhoToken to Individual One.
8. Individual One confirms the information provided by Individual Two matches part "Two" of the WhoToken as seen on Individual One screen.

Both individuals now have confirmation of each others identity and a trusted communication can proceed.

Remember that both individuals should be looking at the exact same information, a slight variance in the WhoToken string will cause two completely different WhoTokens and both individuals will fail to verify each other. this would be a good thing if someone was trying to impersonate one of the individuals.

The purpose of having two parts in the WhoToken is so that once Individual One has identified them self to Individual Two, The reverse can be performed with Individual Two by sharing the other part of the WhoToken back to Individual One thus completing the mutual authentication.

The WhoToken changes every 90 seconds so you can be sure that if anyone overheard or was able to see your chat transcripts then the communicated tokens will no longer be of any use once the 90 seconds have lapsed... it is also impossible to reverse engineer the unique WhoToken link with just this information as the algorithm used to generate the WhoToken is centralised within our service and not visible to the public... so keep the WhoToken link safe and stored away from your computer, typically on your mobile phone but try to keep your mobile phone locked with a pass code else a lost phone can suddenly become a valuable tool to a hacker or identity thief!