Two-factor authentication is by now a familiar means of securing online systems, especially in financial services. Apart from static credentials (username and password), the user is also asked to authorize a transaction, or even a login, through a second, independent method. This second factor corroborates their identity.
There is an array of mechanisms available for this: SMS one-time passwords (OTPs, also known as mTANs), hardware-generated OTPs, or PKI solutions that rely on a digital certificate. Fraud syndicates are, however, becoming better organized and their attacks more sophisticated. As a result, many of these approaches to two-factor authentication are being circumvented, exposing consumers and organizations to serious fraud.
The concept of strong two-factor authentication has recently gained interest in Europe. The German Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht or BaFin) has been particularly active in issuing guidance in this area. BaFin’s guidelines on strong authentication were recently laid out in the May 2015 circular, Minimum Requirements for the Security of Internet Payments (Mindestanforderungen an die Sicherheit von Internetzahlungen or MaSI).
MaSI stipulates that a procedure can be considered to comply with the requirements on strong authentication when at least two of the following elements are implemented:
- Knowledge – something only the user knows (e.g. password, PIN, or identification number)
- Possession (ownership) – something only the user has (e.g. token, smart card, mobile phone)
- Inherence – something the user is (e.g. a computer-readable biometric characteristic)
The selected elements must be mutually independent, so that compromise of one does not compromise the others. In addition, at least one of the elements must be non-reusable and non-replicable (inherence excepted, of course) and not capable of being stolen via the Internet.
How Entersekt’s Transakt technology meets BaFin’s requirements
Entersekt’s multi-factor, out-of-band authentication solutions are engineered specifically to meet all major digital banking security mandates, including the requirements set out by the European Central Bank and BaFin. Not only do they meet and often exceed these requirements, they also offer an unsurpassed user experience.
Entersekt’s patented security system harnesses the power of public key infrastructure (PKI) and deploys it to the mobile phone or tablet. Digital certificates are arguably the strongest form of electronic verification available today. Entersekt’s technology uses them to:
- Uniquely identify any registered mobile device and, by extension, the user
- Encrypt all communication between the financial institution and the device from end to end
To the end user, this deployment of authentication technology is entirely transparent. They are presented with a pop-up on their mobile device showing the details of the Internet- or mobile-initiated transaction that requires authentication, together with a simple Accept/Reject choice. With one touch, the user digitally signs the transaction verification, and the signed response is returned to the bank over the out-of-band channel.
The knowledge factor (the user’s password or PIN) is never stored on the device, so a breach of the device does not compromise that factor of the authentication process.
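The approve-by-signature flow described above, shown as an added illustration that is not Entersekt's code: the bank pushes the transaction details together with a fresh nonce to the enrolled device, the user's Accept/Reject decision is signed with those exact details under the device's private key, and the bank accepts the response only if it matches a challenge it issued, verifies under the key enrolled for that device, and has not been answered before. Ed25519 key pairs stand in for the certificates the page describes; the device identifier, transaction reference, payee and amount are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Challenge is what the bank pushes out of band; the user sees these fields before choosing Accept or Reject.
type Challenge struct {
	Device      string // hypothetical device identifier assigned at registration
	TxID        string // bank-side transaction reference
	Nonce       string // fresh per challenge, so one signed response cannot be reused
	Payee       string
	AmountCents int64
}

// Response binds the user's decision to one exact challenge under the device's private key.
type Response struct {
	Challenge Challenge
	Decision  string // "accept" or "reject"
	Signature []byte
}

// signedBytes canonicalises the signed message (json.Marshal emits struct fields in declaration order, so both sides agree).
func signedBytes(c Challenge, decision string) []byte {
	b, _ := json.Marshal(c)
	return append(b, []byte("|"+decision)...)
}

// Device stands in for the phone: it holds only the possession factor (the private key); the PIN or password is never stored here.
type Device struct{ priv ed25519.PrivateKey }

// Respond is the one-touch step: the displayed details and the decision are signed together.
func (d Device) Respond(c Challenge, decision string) Response {
	return Response{c, decision, ed25519.Sign(d.priv, signedBytes(c, decision))}
}

// Bank holds the key enrolled per device (a raw Ed25519 key stands in for the page's certificate) and the unanswered challenges.
type Bank struct {
	registered  map[string]ed25519.PublicKey // device ID -> enrolled public key
	outstanding map[string]Challenge         // nonce -> challenge not yet answered
}

// Issue creates a challenge with a fresh random nonce and remembers it until it is answered.
func (b *Bank) Issue(device, txID, payee string, cents int64) Challenge {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err) // OS RNG failure is not something this demo can recover from
	}
	c := Challenge{device, txID, hex.EncodeToString(n), payee, cents}
	b.outstanding[c.Nonce] = c
	return c
}

// Verify accepts a response only if it answers an issued challenge exactly, is signed by the enrolled device key, and is not a replay.
func (b *Bank) Verify(r Response) error {
	issued, ok := b.outstanding[r.Challenge.Nonce]
	if !ok {
		return errors.New("nonce unknown or already answered (replay?)")
	}
	if issued != r.Challenge { // struct comparison covers device, reference, payee and amount
		return errors.New("transaction details differ from those the bank issued")
	}
	pub, ok := b.registered[issued.Device]
	if !ok || !ed25519.Verify(pub, signedBytes(r.Challenge, r.Decision), r.Signature) {
		return errors.New("no enrolled key for this device, or signature does not verify under it")
	}
	delete(b.outstanding, r.Challenge.Nonce) // each challenge is answered at most once
	if r.Decision != "accept" {
		return errors.New("user rejected the transaction")
	}
	return nil
}

// RunScenario enrols one device and submits a tampered copy of the user's response, the genuine response, then a replay of it.
func RunScenario() (tampered, genuine, replay error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // device key pair created at enrolment
	if err != nil {
		panic(err)
	}
	dev := Device{priv}
	bank := &Bank{map[string]ed25519.PublicKey{"device-01": pub}, map[string]Challenge{}} // constructed enrolment
	c := bank.Issue("device-01", "tx-1001", "Example Payee GmbH", 12500)                  // constructed payment of 125.00 EUR
	r := dev.Respond(c, "accept")
	forged := r // an attacker on the online channel raises the amount but cannot re-sign
	forged.Challenge.AmountCents = 1250000
	tampered = bank.Verify(forged)
	genuine = bank.Verify(r)
	replay = bank.Verify(r)
	return
}

func main() {
	tampered, genuine, replay := RunScenario()
	fmt.Printf("tampered: %v\ngenuine:  %v\nreplay:   %v\n", tampered, genuine, replay)
}
```

Running it shows the three properties the text relies on: the forged copy fails because the signed details no longer match the issued challenge, the genuine response verifies, and resubmitting it fails because the nonce has been consumed, which is what makes the approval non-reusable. Note that the device does hold the private key, so a compromised device is a compromised possession factor; what this flow keeps off the device is the knowledge factor, which stays on the other channel.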
Financial institutions and payment service providers can become MaSI compliant by using Transakt as their primary authentication mechanism. If you are interested in learning more about Transakt and Entersekt, don’t hesitate to get in touch.