Page 33 - ITU-T Focus Group Digital Financial Services – Recommendations







Title of recommendation: Mobile Devices
Working Group: Technology, Innovation and Competition
Workstream: Security
Audience for recommendation: Mobile Device Manufacturers, MNOs





The use of mobile devices that support strong authentication mechanisms to demonstrate ownership of the device is recommended.


DFS Providers should recommend the use of mobile devices that support such strong authentication mechanisms. Because the key space of PINs allows them to be brute-forced, consider the use of longer PINs or alphanumeric PINs, such as easily remembered passphrases, as arbitrarily long random sequences can lead to password information being written down. However, caution should be exercised before mandating complex PINs, and any such adoption should go hand-in-hand with user education, as overly complex PINs are likely to be written down or entered by others, thus degrading their security.

Also consider how biometrics may aid with authentication and provide a second factor if they are stored securely within the device. Additionally, back-end analytics systems providing services such as IP velocity, geolocation, and time-of-day access expectations can act as authentication factors for the mobile device user.

Device manufacturers and MNOs should ensure that regular security updates are pushed to devices. Security updates are critical to ensuring that the mobile operating systems running on mobile devices function properly and are secure against exploits that could otherwise render DFS applications vulnerable, so there should be mechanisms in place to ensure that security patches are made easily accessible to user devices.

Device manufacturers and MNOs should ensure that the handset operating system is configured in a way that reduces the size of the trusted computing base (TCB) and the attack surface. Hardware and software mechanisms within mobile devices, such as secure elements and trusted execution environments, can aid in the reduction of the TCB and help to ensure device integrity. Mobile devices that are so equipped should be promoted for use in DFS.


































