Page 7 - Implementation of Secure Authentication Technologies for Digital Financial Services

1  Executive Summary

This Report is the result of contributions and deliberations of the Financial Inclusion Global Initiative Security, Infrastructure and Trust Working Group Authentication work stream.

The Digital Financial Services (DFS) ecosystem requires standardized, interoperable, strong authentication technologies as enablers to reduce risk and protect assets. Weak authentication approaches based on web browsers and passwords are no longer sufficient to support safe DFS use. This report is focused on implementation. It describes technologies and standards that can be used to implement strong authentication systems for DFS and provides examples of implemented strong authentication systems.

Previously, the ITU Focus Group on Digital Financial Services, a multiparty consultative body for fostering the development of safe DFS ecosystems, produced recommendations on security, identification and authentication for DFS. This report addresses several of the Focus Group recommendations.

A primary goal of authentication systems is to increase confidence that a previously-enrolled user is actually that user. Access control and authorization policy can then be applied to that authenticated user.

Design decisions and technology choices for each authentication system element affect how ‘strong’ an authentication system is: how resistant to attack and compromise due to common threats. ‘Strong’ authentication systems are designed to mitigate threats that ‘weak’ authentication systems do not.

Typical authentication systems in use today were designed for the pre-mobile-device internet. They are based on a single authentication event, typically performed at application start up, and assume that the user, device and session do not change after that single authentication event. These elements have proven to introduce weaknesses into authentication systems.

In addition to ‘strong’ authentication system elements, advanced authentication systems are designed to address today’s threat models and design patterns. Compared to ‘strong’ authentication systems, there is an increased emphasis on detection and authentication of human users versus the client software used by people through environmental and behavioral analysis. New approaches are being implemented to minimize friction for mobile and multi-factor use cases: many systems are now built with ‘mobile first’ designs. Authentication now happens at many points during a user-system interaction: at identification time, at times when increased privileges are invoked (so-called ‘step-up’ authentication), and even continuously during the entire session.

This report describes several widely-adopted technical and policy standards that support strong authentication mechanisms.

The examples of strong authentication and advanced authentication systems are categorized as either enrolment or authentication for the use of DFS. These two use case categories primarily impact users of DFS.

The examples presented for the Enrolment use case describe how previously-established identity information can be used to create new service accounts and to satisfy KYC requirements. The key aspect in the examples is that the person has been enrolled previously with an authority: their identity information collected, verified and stored. This stored identity information is then available for later presentation to service providers, controlled by the person’s authorization to release that identity information.

The examples for the Entity authentication use case describe how next generation authentication mechanisms are used to authenticate an individual for authorization to consume services.

The report describes several examples of strong and advanced authentication systems for access to financial services. Further standardization work is needed to ensure that technologies are made to be fit for purpose and that different approaches can be evaluated for relative strengths and capabilities.

In conclusion, it is clear that there exist effective solutions addressing today’s enhanced threats to DFS. Through careful planning, strong direction and sustained effort, access to DFS can be safe, low-barrier and effective.