Strong authentication is a notion with several unofficial definitions. However, since January 2013, it has been defined by regulation and incoming legislation within the European Union and the SEPA payment zone for remote payment transactions. Strong authentication and strong customer authentication are used interchangeably in banking and financial services, particularly where access to an account must be linked to an actual person, corporation or trust. It is typically considered to require at least two forms of verification, selected from secrets a user knows, devices or tokens a user owns, and biometric information connected to what/who a user is.
Strong (customer) authentication definitions
Strong authentication is often confused with two-factor authentication or more generally multi-factor authentication. However, strong authentication is not necessarily multi-factor authentication. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves 'something you have' or 'something you are', it would not be considered multi-factor authentication. The FFIEC issued supplemental guidance on this subject in August 2006, in which they clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication."
Another commonly found class of definitions relates to a cryptographic process, or more precisely to authentication based on a challenge-response protocol. This type of definition is found in the Handbook of Applied Cryptography. It does not necessarily imply two-factor authentication, since the secret key used in a challenge-response scheme can be derived simply from a password (one factor).
A third class of definitions says that strong authentication is any form of authentication in which the verification is accomplished without the transmission of a password. This is the case for example with the definition found in the Fermilab documentation.
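As an added illustration (not from the article), the following Python sketch models the FFIEC category test from the first definition and a challenge-response login in which the shared key is derived only from a password: the password never crosses the wire (the third class of definition), yet the scheme remains single-factor (the second class). The salt, names and sample passwords are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Factor categories as used by the FFIEC and the ECB.
KNOWLEDGE, OWNERSHIP, INHERENCE = "knowledge", "ownership", "inherence"

def is_true_multifactor(elements):
    """FFIEC test: elements must come from two or more distinct categories.
    Several elements from one category (password + challenge questions)
    may count as 'strong' under some definitions but are not multi-factor."""
    return len({category for _name, category in elements}) >= 2

def derive_key(password, salt):
    # Key material comes purely from the password, so this is one factor.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Verifier:
    """Server side of a challenge-response exchange (constructed example)."""
    def __init__(self, password, salt):
        self.key = derive_key(password, salt)
        self.used_nonces = set()   # each challenge is accepted only once

    def challenge(self):
        return secrets.token_bytes(16)

    def verify(self, nonce, response):
        if nonce in self.used_nonces:
            return False           # non-reusable: a replayed response fails
        self.used_nonces.add(nonce)
        expected = hmac.new(self.key, nonce, "sha256").digest()
        return hmac.compare_digest(expected, response)

def client_respond(password, salt, nonce):
    # Only the HMAC of the nonce is sent; the password itself is never transmitted.
    return hmac.new(derive_key(password, salt), nonce, "sha256").digest()

def run_exchange(password_on_server, password_from_user):
    salt = b"constructed-salt"     # constructed; use a random per-user salt in practice
    verifier = Verifier(password_on_server, salt)
    nonce = verifier.challenge()
    response = client_respond(password_from_user, salt, nonce)
    first = verifier.verify(nonce, response)
    replay = verifier.verify(nonce, response)   # same nonce and response again
    return first, replay
```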
The fourth class, which has legal standing within the EU28 and SEPA zone countries, is that defined by the European Central Bank for remote (online or mobile) authentication. On 31 January 2013, the European Central Bank (ECB) issued mandatory guidelines that require all payment gateways, issuing, joint issuing/acquiring, and acquiring institutions, who jointly form the group defined as payment service providers (PSPs), to adopt 'strong (customer) authentication' by 1 February 2015. These requirements apply to remote (online, mobile and internet) credit card transactions and extend to e-mandates, eWallets, stored value cards, and credit transfers.
The ECB mandatory guidelines are applicable within the Single Euro Payment Area (SEPA), which includes the EU28 member states, plus Switzerland, Norway, Liechtenstein, Iceland and Monaco. Of particular note is that PSPs that do not implement strong authentication will be liable for credit card and other fraud on their networks, with the e-merchant released from liability.
The European Commission released a draft version of the Second Payment Services Directive (PSD2), which requires all online transactions to use strong authentication in accordance with the ECB guidelines. Articles 85-87 of the draft legislation mandate the requirement for strong authentication, with Articles 65 & 66 providing the liability shift mechanism. This is a major change to the operation of online transactions within the SEPA zone, and a global first, as EU legislation will replace what was once the domain of the card schemes. PSD2 is making passage through the European Parliament at present.
The ECB definition of strong customer authentication is:
"a procedure based on the use of two or more of the following elements, categorised as knowledge, ownership and inherence:
(i) something only the user knows, e.g. static password, code, personal identification number;
In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the Internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data."
Where the ECB differs in its application of strong customer authentication from the two-factor authentication recently deployed by Twitter, Apple and Google is that the ECB's strong authentication is always traceable back to an individual (or company) that has been identified in accordance with the anti-money laundering / counter-terrorism financing (AML/CTF) laws applicable to opening an account with a financial services provider. Thus, whilst it is possible to open an account under a pseudonym with Twitter, Apple, Google etc., and add layers of different factors such as a mobile phone, biometrics, other email addresses or knowledge-based authentication, it is not possible to open a bank account or credit card account without first having been identified in accordance with AML/CTF legislative requirements. Subsequent factors are added to the account after it has been opened and the person identified.
The ECB's requirements are technologically neutral, in order to foster innovation and competition. The public submission process to the ECB has identified three solutions, two of which are based on reliance authentication, and the other being the new variant of 3-D Secure which incorporates one-time passwords.
The ECB requirements apply to the following card schemes in operation in the EU/SEPA: 4B, American Express, Bancomat, Bancontact/Mister Cash, Banque Accord, BNP Paribas Personal Finance, Carrefour Banque, Cashlink, China UnionPay, Cofidis, Cofinoga, Cogebanque, Pagobancomat, Crédit Agricole Consumer Finance, Debit cards, Diners Club International, Red interbancaria Euro 6000, Servired and Telebanco 4B, Franfinance, girocard, JCB International, Korean BC, LaserCard, MasterCard Europe, PIN, Quikcash, SIBS' Multibanco, and Visa Europe.
Thus, the term strong authentication can be used as long as the notion strong is defined in the context of use.
- Board of Governors of the Federal Reserve System. "Frequently Asked Questions on FFIEC Guidance on Authentication in an Internet Banking Environment, August 15, 2006" (PDF). Retrieved 2012-05-22.
- "Handbook of Applied Cryptography". Cacr.math.uwaterloo.ca. Retrieved 2014-07-17.
- "ECB: ECB releases final Recommendations for the security of internet payments and starts public consultation on payment account access services". Ecb.eu. Retrieved 2014-07-17.
- "2013/0264(COD) - 24/07/2013 Legislative proposal". Europarl.europa.eu. 2013-07-24. Retrieved 2014-07-17.
- "fatf-gafi.org". fatf-gafi.org. Retrieved 2014-07-17.
- "ECB: Public consultation". Ecb.europa.eu. 2013-01-31. Retrieved 2014-07-17.
- "FIDO Alliance Passes 150 Post-Password Certified Products". InfoSecurity Magazine. 2016-04-05. Retrieved 2016-06-13.