Page 13 - Implementation of Secure Authentication Technologies for Digital Financial Services

Table 1 – NIST SP 800-63-3 Authenticator Assurance Levels

Authenticator Assurance Level – Description

AAL1 – AAL1 provides some assurance that the claimant controls an authenticator bound to the subscriber’s account. AAL1 requires either single-factor or multi-factor authentication using a wide range of available authentication technologies. Successful authentication requires that the claimant prove possession and control of the authenticator through a secure authentication protocol.

AAL2 – AAL2 provides high confidence that the claimant controls authenticator(s) bound to the subscriber’s account. Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s). Approved cryptographic techniques are required at AAL2 and above.

AAL3 – AAL3 provides very high confidence that the claimant controls authenticator(s) bound to the subscriber’s account. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication SHALL use a hardware-based authenticator and an authenticator that provides verifier impersonation resistance; the same device MAY fulfill both these requirements. In order to authenticate at AAL3, claimants SHALL prove possession and control of two distinct authentication factors through secure authentication protocol(s). Approved cryptographic techniques are required.

5.3 eIDAS Regulation

The Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions (eIDAS Regulation) provides a regulatory environment to European Union members to enable secure electronic interactions between businesses, citizens and public authorities. An important aspect of the eIDAS Regulation is that it describes electronic identification assurance levels. Assurance levels in eIDAS fulfil the same function as those in Recommendation X.1254 and NIST SP 800-63-3.

5.4 Payment Services Directive

The Payment Services Directive (PSD2) is in force in Europe, and Strong Customer Authentication (SCA) will be required to access bank accounts for information aggregation or payment initiation. The “Regulatory Technical Standards on strong customer authentication and common and secure communication” (RTS), published by the European Banking Authority, describe the principles and requirements of multi-factor authentication and authentication code generation.

The RTS include the following requirements:

• Users must be authenticated using a minimum of two-factor authentication
• The authentication of a user should result in the generation of an authentication code, a cryptographic signature of the transaction. The authentication code must, in the case of remote payments, be linked to the amount and payee approved by the user
• The user’s cryptographic material must be protected from unauthorized disclosure

5.5 The ID2020 Alliance

The ID2020 Alliance [7] is a public-private partnership committed to improving lives through digital identity. The Alliance brings together multinational institutions, non-profits, philanthropy, business, and governments to set technical standards for a safe, secure, and interoperable digital identity that is owned and controlled by the user. It funds high-impact pilot projects that bring digital identity to vulnerable populations, and uses the data generated to find scalable solutions and inform public policy. The overall objective of the ID2020 Alliance is to empower individuals, enable economic opportunity and advance global development by increasing access to digital identity.

By 2030, the Alliance aims to have facilitated the scaling of a safe, verifiable, persistent digital identity system, consistent with UN Sustainable Development Goal 16.9: “By 2030, provide legal identity for all, including birth registration”. From 2017 to 2020, the Alliance’s work will focus on two areas: developing and testing the best technological solutions for digital identity; and, working with governments and existing, established agencies to implement these solutions.

The ID2020 Certification Mark [8] is an initiative by the ID2020 Alliance to create a Trustmark for digital identities that meet our technical requirements. The Certification Mark is based on the ID2020 Technical Requirements document which is regularly updated
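The RTS requirement in section 5.4, that the authentication code be a cryptographic signature of the transaction linked to the amount and payee the user approved, as an added example (not code from the report or from the European Banking Authority): it binds the code to the transaction with HMAC-SHA256 under a shared per-device key, standing in for whatever signature scheme a provider actually uses, and the key, payee, amount and nonce values are constructed sample data.

```python
import hashlib
import hmac
import json


def canonical_transaction(payee: str, amount_cents: int, currency: str, nonce: str) -> bytes:
    """Encode the fields the user approved in one deterministic byte string.
    Sorted keys and no whitespace give a canonical form; the verifier-issued nonce
    keeps a code for one payment from being replayed for an identical later one."""
    fields = {"payee": payee, "amount_cents": amount_cents, "currency": currency, "nonce": nonce}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def generate_auth_code(device_key: bytes, payee: str, amount_cents: int, currency: str, nonce: str) -> str:
    """Authenticator side: the code is an HMAC-SHA256 over the approved transaction,
    so it is bound to amount and payee by construction (the RTS 'dynamic linking')."""
    msg = canonical_transaction(payee, amount_cents, currency, nonce)
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify_auth_code(device_key: bytes, payee: str, amount_cents: int, currency: str, nonce: str, code: str) -> bool:
    """Verifier (bank) side: recompute over the transaction it is about to execute and
    compare in constant time. Any change to amount or payee after approval, or a
    reused nonce, yields a mismatch and the payment is refused."""
    expected = generate_auth_code(device_key, payee, amount_cents, currency, nonce)
    return hmac.compare_digest(expected, code)


# Constructed sample data: a placeholder per-device key and one approved payment.
DEVICE_KEY = bytes(range(32))   # placeholder; a real key is a per-device random secret
NONCE = "txn-000123"            # in practice a fresh value issued by the bank per transaction


def demo() -> tuple:
    """Return (genuine code verifies, altered amount verifies, altered payee verifies)."""
    # The user sees and approves: pay 125.00 EUR to merchant-A.
    code = generate_auth_code(DEVICE_KEY, "merchant-A", 12500, "EUR", NONCE)
    genuine_ok = verify_auth_code(DEVICE_KEY, "merchant-A", 12500, "EUR", NONCE, code)
    # If the amount is altered after approval, the code no longer matches.
    amount_ok = verify_auth_code(DEVICE_KEY, "merchant-A", 912500, "EUR", NONCE, code)
    # If the payee is altered after approval, the code is likewise rejected.
    payee_ok = verify_auth_code(DEVICE_KEY, "merchant-B", 12500, "EUR", NONCE, code)
    return genuine_ok, amount_ok, payee_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```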