Page 12 - Implementation of Secure Authentication Technologies for Digital Financial Services
5 THE REQUIREMENT FOR STRONG AUTHENTICATION – STANDARDS AND REGULATIONS

A primary goal of authentication systems is to increase confidence that a previously-enrolled user is actually that user. Access control and authorization policy can then be applied to that authenticated user. Entity authentication assurance is needed in order to comply with various stages of an identity management system. In particular, identity vetting is required as part of the credentialing process. The assurance achieved in the vetting process determines the nature of the issued credential and can eventually be used by the relying party to make access control decisions.

Initial work from NIST, ITU and ISO focused on defining four levels of entity assurance. The levels covered both identity vetting and credentialing. Experience from implementations revealed limitations in combining authentication assurance with identity vetting assurance: it constrained cases where all that is needed is to ensure that the same entity is requesting access, as opposed to establishing who the real requester is. As a result, newer versions of NIST 800-63 separated the identity vetting assurance levels from the credentialing levels and promoted the use of three levels instead of the initial four. ITU X.1254 and ISO 29115 are being updated to reflect the NIST work.

A recent report from the Financial Action Task Force (FATF) [3] provides a comprehensive overview of solutions that can be used to fulfil identity vetting requirements.

This section describes standards that cover strong authentication and authentication technologies that support strong authentication mechanisms.

5.1 ITU-T Recommendation X.1254

Recommendation ITU-T X.1254, Entity authentication assurance framework

In the entity authentication phase, the entity uses its credential to attest its identity to a Relying Party (RP). The authentication process is concerned solely with establishing confidence in the claim or assertion of identity; it has no bearing on, or relationship with, the actions the relying party may choose to take based upon that claim or assertion. ITU-T X.1254 section 10.3 describes threats to, and controls for, the authentication phase.

Figure 2 – Recommendation ITU-T X.1254

5.2 NIST Special Publication 800-63-3

NIST Special Publication 800-63B Digital Identity Guidelines Part B

The publication lists the authenticator types and the authentication protocol capabilities that are acceptable at each level of assurance.