Strong authentication without user identity validation will render PSD2* a failure. Why? It’s simple. Passwords never equal identity!
One may say that the big debate, and misconception, around the “strong authentication” concept — what it is, to whom it applies, how to implement it in modern enterprise architectures etc. — started with the PSD2 regulation pushed forward by the European Union. We would argue that it is actually a natural concern, in line with the advancements of the web and the tidal wave demanding easier yet more secure access to data and information. But strong authentication without a proper validation of the user’s identity will not bring the extra level of security that is needed and desired as part of this big regulatory effort.
We will elaborate on some key aspects related to the strong authentication topic, explaining and detailing them, in an attempt to bring deeper insights to other practitioners across the world struggling with the same concern. Our team has worked with digital identity for many years; we are experts in API security, and we’re happy to share our knowledge.
So what is strong authentication? The European Central Bank defines it as the following:
“‘strong customer authentication’ means a procedure for the validation of the identification of a natural or legal person based on the use of two or more elements categorised as knowledge, possession and inherence that are independent, in that the breach of one does not compromise the reliability of the others and is designed in such a way as to protect the confidentiality of the authentication data.”**
In this definition a) knowledge means something only the user knows, b) possession is something only the user possesses, and c) inherence is something the user is. Knowledge, in its most widely spread understanding, is a password or a code: a string of characters known by the user and provided when attempting to access protected websites/accounts/information. Possession usually refers to a device, typically a mobile device, on which the user can receive a second set of credentials (a code, a push notification, etc.) to be used in the authentication process. Inherence factors are the ones associated directly with the user, i.e., fingerprints, facial scans, iris scans, and so on.
An important note here is that all these factors, taken together, are used in order to validate and strongly authenticate a user’s identity! And only when you — with a high degree of confidence — know who the user is will he or she be granted access to confidential data.
Strong Authentication and Identity
The demand for strong authentication in regulations such as PSD2 stems from the need to ensure easier access to confidential data in a much more secure manner, and also in a way in which the identity of the user is cross-validated in multiple ways. This is why a user’s identity should be understood as being a lot more than the 2FA enabled on the mobile device via an app or an SMS code. In particular, adding one more authentication factor does not automatically equal stronger authentication and increased security.
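As an added illustration (not code from the article, from BankID or from any product), here is a small policy check in Python that encodes the three conditions the definition and the paragraph above lead to: two or more distinct factor categories, independence between the factors, and identity validation at enrollment. The channel-based independence test and all sample sessions are assumptions constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    channel: str  # hypothetical: the device/channel this factor is entered on or delivered to


@dataclass
class Session:
    factors: list
    identity_verified_at_enrollment: bool  # "Time Zero": an ID document was checked when the account was opened


def evaluate_sca(session):
    """Return (ok, reasons): ok only if the session meets all three conditions."""
    reasons = []
    if len({f.category for f in session.factors}) < 2:
        reasons.append("fewer than two distinct factor categories")
    # Independence (simplified): two factors bound to the same channel fall together,
    # e.g. a password typed on a phone plus an SMS code read on that same phone.
    channels = [f.channel for f in session.factors]
    if len(channels) != len(set(channels)):
        reasons.append("factors share a channel, so one breach compromises both")
    if not session.identity_verified_at_enrollment:
        reasons.append("identity was never validated at enrollment")
    return (not reasons, reasons)


# Constructed sample sessions (not from the article).
PASSWORD = Factor("password", Category.KNOWLEDGE, "browser")
PIN = Factor("pin", Category.KNOWLEDGE, "browser")
SMS_ON_PHONE = Factor("sms-otp", Category.POSSESSION, "phone")
PASSWORD_ON_PHONE = Factor("password", Category.KNOWLEDGE, "phone")
BANKID_APP = Factor("mobile-bankid", Category.POSSESSION, "phone")

two_knowledge = Session([PASSWORD, PIN], True)                  # more factors, same category
same_device = Session([PASSWORD_ON_PHONE, SMS_ON_PHONE], True)  # two categories, one channel
unverified = Session([PASSWORD, BANKID_APP], False)             # no identity validation at Time Zero
bankid_style = Session([PASSWORD, BANKID_APP], True)            # passes all three checks

if __name__ == "__main__":
    for label, s in [("two_knowledge", two_knowledge), ("same_device", same_device),
                     ("unverified", unverified), ("bankid_style", bankid_style)]:
        print(label, evaluate_sca(s))
```

Only the last session passes; the first three each fail for exactly one of the reasons the article warns about.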
An example of strong authentication achieved by bootstrapping a user’s identity via separate channels could be the Swedish & Norwegian BankID. It works like this:
· The user opens a bank account, using a real-life, valid identification document (national ID, passport, etc.).
· Once the bank opens the account, the user also obtains the possibility to have an internet banking type of service/contract — which comes with the BankID service as well.
· With the BankID service activated, the mobile BankID app (for mobile devices such as phones or tablets) also becomes available.
· Providers of digital services, either public or private, enable BankID as an authentication method.
· Upon request for strong authentication on certain web locations/data, the users enter a string of characters (password, personal number, etc.) and open the mobile BankID app — for completing login and obtaining secure access.
Usage of various BankIDs (mobile, smartcards, desktop) in Sweden, Jan 2015 — Nov 2017 [out of Sweden’s 10M total population](***)
BankID authentication can, in turn, be coupled with other authentication methods depending on the level of security desired by the provider of the digital services.
As the internet landscape keeps changing, it will be interesting to see what turn online behaviour will take. Right now, enterprises are faced with pressing issues, such as smooth and efficient user on-boarding, robust and scalable architectures, etc. However, the strong focus on identity cross-validation, as part of strong authentication, should not be discounted.
Key Takeaways on Strong Authentication
Strong authentication has to be secure from Time Zero until login, and it has to correlate with the strong validation of the user’s identity! Disregarding these concerns will lead to a brittle and porous authentication subject to frequent compromises and security leaks.
Modern enterprise architectures must be designed using a flexibility-first approach, where registration and authentication flows can be customised down to the pixel level. It must be possible to use multiple authentication methods depending on the needs of each organization/provider, the specific applications and the type of data being accessed by the end users.
(*) PSD2, acronym for Payment Services Directive 2