We all dutifully endure the user ID and password on the hope that it will preserve our privacy, money and identity. As we need more and more user IDs and passwords we begin to reuse them and write them down, making them easier for friends, hackers or fellow train passengers to find. Also, snooping software such as key loggers can read them as we type them in or as they are transmitted.
Thus the need for stronger ways of identifying and proving who we are, something us techies call authentication. The fact that we are using software on our own phone, laptop or other device is a proven way to make it more difficult for others to use our user ID and password, so apps store information on the phone that it can read later to prove that you are using the same device . An even more powerful (and complementary) technique is the single-use password, where a password is generated that only works once, rendering it useless to anyone finding, guessing or snooping it.
Strong (customer) authentication is defined by the European Central Bank (ECB) as:
“a procedure based on the use of two or more of the following elements– categorized as knowledge, ownership and inherence:
(i) something only the user knows, e.g. static password, code, personal identification number;
(ii) something only the user possesses, e.g.token, smart card, mobile phone;
(iii) something the user is, e.g. biometric characteristic, such as a fingerprint.
In addition, the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s). At least one of the elements should be non-reusable and non-replicable (except for inherence), and not capable of being surreptitiously stolen via the Internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.”
“Strong authentication” is generally accepted to mean a type of multifactor authentication (MFA). MFA is required or strongly recommended by:
- European Central Bank (ECB) as specified above
- Federal Financial Institutions Examination Council (FFIEC) in the US
- Regulations in MEA such as those issued by Banking Regulation and
Supervision Agency (BDDK) in Turkey and others in UAE and Qatar - Monetary Authority in Singapore (MAS) in its Technology Risk
Management Guidelines.
Most mobile apps have a user ID and password. The user ID is used for identification and sometimes may be stored so that the user doesn’t need to enter it. The password (or a shorter pass-code) is the first factor of authentication and represents something that the user knows. Both are things that the user knows.
To meet the above ECB requirement a mobile app could also validate the mobile device (something the user has) and use the device as a token to produce a one-time password (OTP).
For example, Monitise/Pozitron SoftKEY uses a value stored on the device to generate a OTP to provide strong authentication that complies with the ECB definition.