Multi-factor authentication and the PSD2Over the past ten years we have seen identity theft and fraudulent account access become the primary motivators behind data theft and cyber-crime. If you haven’t been the direct victim of a fraudster yet, the chances are you know someone that has. You will certainly have been affected indirectly. Ever wondered why your insurance premiums keep going up, despite another year without a claim? It’s not because of a nationwide increase in accidents, but the costs associated with fraud prevention and detection. It won’t have escaped anyone’s notice that we’re being asked to prove “we are who we say we are” more frequently than ever. Some form of identification is required every time we go online, log in to an app or call a customer service centre.
The evolution of authenticationThere was a time when all you needed was an address, a date of birth and an account number to access services online. However, the vulnerabilities of using information that is easily accessed by “bad actors” required a greater degree of security; hence the introduction of usernames and passwords. For applications with a greater degree of risk (i.e., access to financial records or sensitive personal data) additional security steps were put in place. Most often, this would take the form of several pre-agreed security questions and answers. These are examples of what’s called knowledge factor authentication (i.e., something you know). Other examples include passphrases, passcodes, PINs and patterns. If you own a smartphone, you’ll be familiar with these techniques. Thus, a two-step knowledge factor example would be to state specific letters from your password, followed by the answers to one or more security questions.
Multi-step versus multi-factorIn the constant battle between cyber-criminals and cyber-security professionals the criminals are often a step ahead. Social engineering is frequently used to uncover security credentials, rendering a two-step process insufficient. With the advent of the latest update to the Payment Services Directive (PSD2), at least here in Europe, businesses involved in financial transactions will be obliged, from September 2019, to employ multi-factor authentication. Multi-factor authentication differs significantly from multi-step authentication. There are three universally recognised factors; knowledge (as we’ve seen previously) ownership and inherence. The new PSD2 regulations call for the use of any two of these three for any given transaction.
Examples of multi-factor authenticationSo, what do we mean when we talk about knowledge, ownership and inherence? Put simply, it’s something you know, something you own and something you are.Here are some examples:
- Knowledge - passwords, PINs and security questions
- Ownership - hardware keys, ID cards and one-time tokens
- Inherence - biometrics and behaviours