Reverse Authentication
Reverse Authentication is an extra safety step that allows a Client to verify the identity of an XSTRA staff member (on the phone or in person) using the Client’s own XACCESS token. This helps eliminate imposters and social-engineering attempts.
How it Works
- The Client opens their XACCESS authenticator app on their phone and views their current XACCESS token.
- The Client asks the XSTRA staff member to provide the last 3 digits of the Client’s XACCESS code.
- The staff member states the last 3 digits.
- The Client checks that those 3 digits match the last 3 digits of the code showing in their app.
- If the digits match, continue the conversation. If they do not match, stop immediately and contact XSTRA through an official channel.
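The check above, together with the code-change case under Tips & Edge Cases, as an added example that is not XSTRA's code. It assumes XACCESS codes are standard 6-digit, 30-second TOTP values (RFC 6238) derived from a seed that both the Client's app and XSTRA's systems hold, which this page does not specify; the function names are hypothetical and the seed is the RFC test key.

```python
import hashlib
import hmac
import struct

STEP = 30    # assumed code lifetime in seconds (RFC 6238 default)
DIGITS = 6   # assumed code length

def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def staff_response(seed: bytes, unix_time: int) -> str:
    """Staff side: disclose only the last 3 digits, never the full code."""
    return totp(seed, unix_time)[-3:]

def client_check(code_on_screen: str, spoken: str) -> bool:
    """Client side: accept only exactly 3 digits matching the app's code."""
    if not (len(spoken) == 3 and spoken.isascii() and spoken.isdigit()):
        return False          # e.g. a full code was read out: treat as failed
    return hmac.compare_digest(code_on_screen[-3:], spoken)

def seconds_until_change(unix_time: int) -> int:
    """How long the code currently on screen remains valid."""
    return STEP - unix_time % STEP

if __name__ == "__main__":
    seed = b"12345678901234567890"   # constructed: RFC 6238 test key, not a real seed
    # Normal case: both sides are in the same 30-second window.
    print(client_check(totp(seed, 40), staff_response(seed, 40)))
    # Edge case: staff reads digits at t=59, the Client's app rolls over at t=60.
    print(seconds_until_change(59), client_check(totp(seed, 60), staff_response(seed, 59)))
    # Repeating the check inside the new window succeeds.
    print(client_check(totp(seed, 60), staff_response(seed, 60)))
```

A mismatch caused by a code change looks the same to the Client as a wrong answer, which is why the check is repeated on the next code rather than accepted as a near miss.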
Scenarios
Phone
- Before discussing account details, the Client asks for the last 3 digits.
- If verified, proceed. If not, hang up and call the published XSTRA number.
In Person
- Before granting access or discussing sensitive items, the Client requests the last 3 digits.
- Only proceed if the digits match the Client’s token.
Security Principles
- Client-controlled check: Verification is based on the Client’s token, not information about the staff member.
- Minimal disclosure: Only three digits are spoken; never reveal full codes or passwords.
- No one-way trust: The Client challenges XSTRA — not the other way around.
What XSTRA Staff Will Never Ask For
- Your full XACCESS code or QR seed
- Your passwords or recovery codes
- Remote access or software installs before identity is verified
If the Check Fails
- End the call or conversation.
- Report the incident to XSTRA via the official contact number or your XCARE portal.
Tips & Edge Cases
- If your XACCESS code is about to change, wait for the next code to appear and repeat the check.
- Perform the check before sharing any sensitive information or granting access.
- If you cannot access your authenticator app, use a known XSTRA contact method to reschedule the discussion.
Privacy
Reverse Authentication uses only the last 3 digits of your current XACCESS code and does not expose your full token or any secret material.
Related: XACCESS – Overview
© 2021–2025 XSTRA Group Pty Ltd (Australia). All rights reserved.