The risk of a data breach is one that no business wants to take. When it comes to consumer data, it’s critical to have enterprise-ready safeguards to protect this information. One way to provide this level of security for consumers, employers, payroll providers, and financial institutions is OAuth, or Open Authorization.

What is OAuth?

OAuth is an open protocol that allows secure authorization in a simple and standard way from web, mobile and desktop applications. It’s commonly used as a way for internet users to grant websites or applications access to their information on other websites without giving them their credentials.

For example, a user clicks on the Facebook login option when logging into another website such as ESPN.com, Facebook authenticates them, and ESPN logs them in using a permission token obtained from Facebook. This minimizes risk significantly: in the event ESPN suffers a breach, the user’s Facebook credentials remain safe.

Its use cases have never been more important as an ever-increasing number of our online accounts are integrated, like when you link payment apps to your bank account or post photos from your phone on Instagram. Traditionally, the architecture of payroll API providers was such that a user’s device transmits credentials to a third-party system that may or may not have implemented open standards for access delegation. Now, OAuth connections are becoming more common in banking aggregation as a way to access information without consumers sharing their credentials. However, what does this look like in the payroll aggregation space?

To use OAuth, the application must provide this functionality by building a specific API, and very few payroll providers currently have OAuth APIs to access income and employment data.

If the Payroll Provider Doesn’t Have OAuth Functionality, Why Do Other Payroll Aggregators Claim That They Use OAuth?

There are some vendors in the space that claim that they have OAuth connections to payroll providers. In reality, they leverage WebView functionality on mobile platforms (iOS and Android) to gain access to the third-party payroll provider website and intercept cookies after the login process is complete. There are several problems with this approach:

  1. It uses a non-secure way to intercept browser cookies from the third-party payroll provider, leveraging XSS, which is one of the top 10 web security vulnerabilities.
  2. Cookies are equivalent — from a security standpoint — to gaining access to the username and password of the user.
  3. When a user changes their password, the cookies might still be valid, which prevents the user from revoking access to their data within the payroll system.
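
The contrast in points 2 and 3, as an added example that is not code from Truv or any payroll provider: a constructed in-memory model of a provider that issues both login session cookies and OAuth access tokens. The class, its methods, the client name and the scope names are all assumptions made for illustration.

```python
import secrets

class PayrollProvider:
    """Constructed in-memory model of a provider; every name here is hypothetical."""
    def __init__(self):
        self.passwords = {}  # user -> password (plaintext only because this is a model)
        self.sessions = {}   # session cookie -> user, carries the user's full authority
        self.grants = {}     # access token -> (user, client, granted scopes)

    def login(self, user, password):
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = user
        return cookie

    def change_password(self, user, new_password):
        # Models the case in point 3: existing sessions are not invalidated.
        self.passwords[user] = new_password

    def authorize(self, cookie, client, scopes):
        # OAuth consent: the logged-in user grants one named client limited scopes.
        token = secrets.token_urlsafe(16)
        self.grants[token] = (self.sessions[cookie], client, frozenset(scopes))
        return token

    def revoke_client(self, user, client):
        # The user withdraws one client's access without changing their password.
        self.grants = {t: g for t, g in self.grants.items() if g[:2] != (user, client)}

    def allowed(self, credential, action):
        # A session cookie permits every action; a token only its granted scopes.
        if credential in self.sessions:
            return True
        grant = self.grants.get(credential)
        return grant is not None and action in grant[2]

def demo():
    p = PayrollProvider()
    p.passwords["alice"] = "pw1"
    cookie = p.login("alice", "pw1")  # what a cookie-holding third party would have
    token = p.authorize(cookie, "aggregator", {"income:read"})  # what an OAuth client has
    reach = (p.allowed(cookie, "deposit:write"), p.allowed(token, "deposit:write"))
    p.change_password("alice", "pw2")
    cookie_survives = p.allowed(cookie, "income:read")
    p.revoke_client("alice", "aggregator")
    return reach, cookie_survives, p.allowed(token, "income:read")

if __name__ == "__main__":
    print(demo())
```

In this model the cookie can perform an action the token cannot, keeps working after the password change, and only the token stops working when the user revokes the client.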

Truv is Preparing for OAuth in the Payroll API Space

Truv is currently working with several major payroll providers to establish OAuth functionality and make our processes more secure for consumers and clients. Truv is committed to protecting our consumers’ information, which leads to the highest standards in data security and privacy. That’s why we are both SOC II and FCRA compliant.