Strong Customer Authentication and Transaction Signing
Strong Customer Authentication is a new mandatory requirement for authenticating online payments that will be introduced in Europe on September 14, 2019. It will require payments to be authenticated using at least two of the following three elements:
something you know, such as a password or knowledge-based questions
something you have, such as a mobile device or a physical token
something you are, meaning biometrics, such as face recognition or voice recognition
Most regulations, not just the European SCA, require that for specific sensitive operations, such as money transfers or change of contact details, customers must authenticate with two different authenticators from two different categories. This means that, at any given time, customers must be registered to at least two authentication techniques from two different categories. This requirement leads to a few challenges:
When to register users to additional authenticators
Which authenticators to use
De-registering and re-registering upon request
Authentication levels and when to authenticate users
Transmit provides a full set of authentication services to manage primary login, multi-factor, and step-up authentication across various applications and channels. The platform includes a large set of built-in authenticators such as OTPs, soft tokens, biometric authenticators, and knowledge-based authenticators. In addition, the platform can be used to manage any third-party authenticator or authentication service connected to the Identity Services Hub. Transmit’s authentication services manage the enrollment process for each authenticator and also tasks such as de-enrollment, re-enrollment, and expiry periods. The platform provides flexible ways of defining authentication levels and attaching them to different authenticators and journeys. The platform allows building rules for authentication failures across different authenticators and devices and taking various actions when thresholds are reached. Transmit is FIDO certified and can be used to manage any FIDO authenticator alongside non-FIDO authenticators.
Transaction Signing is often required by various regulations, and overall it is a good practice for non-repudiation and security. Transmit has built-in transaction signing capabilities for multiple use cases such as in-app transaction signing, cross-channel transaction signing, and offline transaction signing. In in-app transaction signing, the sensitive operation is highlighted to the user, who needs to approve it and authenticate using multiple factors. Cryptographic keys attached to the relevant authenticators are then used to sign the content of the transaction or operation, and the signature is stored on the server as future proof.
In cross-channel transaction signing, the user starts in one channel, such as a web application or the call center, and then gets a push notification on the mobile device. The transaction or operation is presented on the mobile device, and the user needs to approve and authenticate it. The content is then cryptographically signed using the keys associated with the relevant authenticators.
In offline transaction signing, the user uses the mobile device to sign content without the need for network connectivity on the mobile device. This is done using various techniques such as scanning a QR code and returning a code that is derived from the signed content.
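The offline flow described above, sketched as an added example (it is not from the original page and is not Transmit's code). It assumes a symmetric key provisioned to the device at enrollment and an HOTP-style truncated HMAC as the derivation; all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets


def canonical(tx: dict) -> bytes:
    """Serialize deterministically so device and server MAC identical bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def make_challenge(payee: str, amount: str, currency: str) -> dict:
    """Server side: the content that would be encoded into the QR code."""
    return {"payee": payee, "amount": amount, "currency": currency,
            "nonce": secrets.token_hex(16)}  # fresh nonce binds the code to one request


def response_code(device_key: bytes, tx: dict, digits: int = 8) -> str:
    """Device side: derive a short decimal code from the content shown to the user."""
    mac = hmac.new(device_key, canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation as in HOTP (RFC 4226)
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(device_key: bytes, tx: dict, code: str, used_nonces: set) -> bool:
    """Server side: recompute over the transaction it will execute; single use."""
    if tx["nonce"] in used_nonces:
        return False  # a code that was already accepted cannot be replayed
    expected = response_code(device_key, tx).encode()
    ok = hmac.compare_digest(expected, code.encode())  # constant-time compare
    if ok:
        used_nonces.add(tx["nonce"])
    return ok


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key, stands in for the enrolled one
    tx = make_challenge("Example Payee", "250.00", "EUR")  # constructed values
    code = response_code(key, tx)  # what the user types back into the web channel
    seen = set()
    print("altered amount:", verify(key, dict(tx, amount="9500.00"), code, seen))
    print("genuine:", verify(key, tx, code, seen))
    print("replay:", verify(key, tx, code, seen))
```

Because the code is only eight digits, a server using this pattern also needs a limit on failed attempts per challenge.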
Identity Services Hub
Identity is a highly fragmented space with many tools and capabilities from different vendors: biometric authenticators, traditional authenticators, KYC tools, risk and fraud engines, behavioral tools, directories, device security, and more. Integrating each of these services into your systems and applications requires significant ongoing work. This work involves processing input and output from each of these services, building the various user journeys around these services, and dealing with exceptions, failures, and edge cases. With Transmit, this can be avoided. The Transmit Identity Services Hub includes built-in, secure connectors to dozens of third-party identity services, dozens of built-in services, and a flexible, secure plug-in architecture that allows you to add anything and everything. It’s a complete, secure abstraction layer between your applications and the entire identity ecosystem. It’s the only platform capable of securing client-side identity services such as authenticators and KYC tools and also the only platform that doesn’t require writing third-party specific code in your applications.