Reserve Bank of India (RBI) Governor Shaktikanta Das, during the Monetary Policy Committee (MPC) meeting on February 8, 2023, suggested the adoption of a principle-based framework for Additional Factor of Authentication (AFA) in digital transactions. The aim is to enhance security and replace the widely used SMS-based OTP mechanism. This proposed framework will provide a more robust and secure authentication process for digital payments.
Timelines - The exact timeline for implementing these changes has not been explicitly mentioned in the available information. But the formal guidelines can be expected within six months.
Importance - Not only RBI but with the rising cyber frauds regulators around the globe are rethinking enhancing the authentication frameworks. In this blog we will explore the key development in the area by some of the regulators and present a view on the various authentication techniques and discuss what regulated entities can do to become ready.
Why NO-OTP?
SMS One-Time Passwords (OTPs), while widely used for authentication, suffer from serious security flaws. Let’s explore why they are unsafe:
Flawed Design:
The protocol behind SMS OTPs has inherent vulnerabilities. Hackers can exploit these flaws to intercept calls and SMS messages, including OTPs [1].
SS7 Protocol Vulnerabilities:
The Signalling System 7 (SS7) protocol is used by mobile carriers to route texts and calls. Exploiting SS7: Hackers can intercept OTPs by exploiting security vulnerabilities in the SS7 protocol. Once intercepted, they gain unauthorized access to user accounts [2].
SIM Swap Attacks:
Cybercriminals perform SIM swaps by convincing mobile carriers to transfer a victim’s phone number to a new SIM card. With control over the victim’s number, they intercept OTPs sent via SMS.
Social Engineering Risks:
Attackers use social engineering tactics to trick users into revealing OTPs. Phishing calls or messages impersonate legitimate services, asking users to share their OTPs.
Cost and User Experience:
Sending OTPs via SMS can be expensive for businesses. Users find the process cumbersome, especially when traveling or in areas with poor network coverage.
In summary, SMS OTPs are no longer the most secure option. Businesses should explore alternatives to enhance security and protect user accounts.
Regulators Views
MAS (Monetary Authority of Singapore) (link) - Mr Tharman Shanmugaratnam, Senior Minister & Minister in charge of MAS in a Written reply to Parliamentary Question on SMS OTP diversions and unauthorised transactions on 5-Jul-2023 has said -
“Given the inherent vulnerability of the SMS channel, MAS has required banks to phase out SMS OTP as a sole factor to authenticate high-risk transactions. Banks in Singapore have already moved away from sole reliance on SMS OTP for high-risk online banking activities, like adding of payees and changing of fund transfer limits. MAS expects the same for high-risk card transactions, such as authorising online card payments. The transition has commenced, and MAS will set a deadline for all retail banks to complete this”
RBI – In the press release dated 08-Feb-2024 [4] RBI has proposed to adopt “Principle-based Framework for Authentication of Digital Payment Transactions” It further states -
“Over the years, the Reserve Bank has prioritised security of digital payments, in particular the requirement of Additional Factor of Authentication (AFA). Though RBI has not prescribed any AFA, the payments ecosystem has largely adopted SMS-based One Time Password (OTP). With innovations in technology, alternative authentication mechanisms have emerged in recent years. To facilitate the use of such mechanisms for digital security, it is proposed to adopt a principle-based “Framework for authentication of digital payment transactions”. Instructions in this regard will be issued separately.”
In summary, based on the increase in cyber frauds, vulnerability of current SMS OTPs and significant improvements in the authentication systems both the regulators and industry are looking out for safer, cheaper, and more convenient and reliable options of authentication.
What is Principal Based Authentication & why does it matter?
What?
Definition: Principle-based authentication focuses on principles rather than rigid rules.
Flexibility: It allows for various approaches based on context and risk.
Context-Driven: Authentication adapts to the specific context of the transaction.
Risk-Adaptive: The level of authentication adjusts based on risk factors.
Balancing Security and Usability: Principle-based approaches strike a balance between security and user experience.
Why?
Security – Rather than a one-size-fits-all approach, the risk-based approach enhances security.
Convenience and user experience – It balances the user experience with the security needed at different levels or contexts.
Proposed Approach
Like the approach taken earlier for KYC where various identity assurance levels are needed for onboarding the customer based on the context, the principles can be applied to authentication. We recommend implementing various levels of authentication assurance levels.
Level I
Where - Low value or non-financial transactions
What – First Factor of authentication (e.g. PIN/ Password/ On-Device biometric, password-less, etc)
Why – The risk in such transactions is low and hence the first factor can suffice.
Level II
Where - Low to medium-value transactions
What – Two Factor authentication (e.g. Push-notification, Offline tokens, hardware tokens, QR Codes, etc.)
Why – The possibility of small financial loss and the second factor of authentication in the context will alleviate the risk.
Level III
Where – High-Value Transactions
What – Stronger mechanisms for 2nd factor of authentication which considers the context (e.g. Cryptographic authentication techniques, FIDO, real-time biometric with liveliness check, Hardware tokens with PKI, etc.)
Why – For high-value transactions the risk of sophisticated attacks like MITM are greater and hence needs a stronger authentication mechanism. Even the customer does not mind performing additional checks and balances. It will only help in improving the customer experience.
By embracing principle-based authentication, exploring additional factors, and adhering to assurance levels, banks can fortify their security posture. As MAS and RBI lead the way, the financial industry must adapt to a dynamic digital landscape while safeguarding customer trust.
Difference between the Principle and Principal based authentication framework approach?
We discussed the principle based approach above, which can be confused with principal based approach
What is Principal-based approach?
Definition - the process of proving the identity (Humans & Applications) to the security-enforcing components of the system.
How – This can be effected using a mutual authentication mechanism where both the parties users and application prove their identities to each other before initiating any transaction.
Is Mutual Authentication Part of the guideline?
Mutual authentication is prominently mentioned in both the guidelines.
MAS - GUIDELINES ON RISK MANAGEMENT PRACTICES INTERNET BANKING &TECHNOLOGY RISK MANAGEMENT GUIDELINES VERSION 3.0 Page 15, point 4.4.6
RBI - Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds Page 53, Point 6
Fortytwo Lab's π-CONTROL Platform enables both types of authentication along-with mutual authentication. The platform is built on Military grade quantum-safe cryptography and is already used in several banks and defense establishments.