Supporting Trusted Digital Identification and Authentication

The MIDAS Alliance’s key aim is to develop and promote an international standard for digital identification and authentication of individuals and organisations to enable them to trust each other’s online identity.

UK and Europe

Why is there an imminent need for a MIDAS Alliance?

In August 2015 the EBA guidelines on the Security of Retail Payments Online (SecuRe Pay) came into force as the European Banking Authority's (EBA) early adoption of PSD2-style strong customer authentication for all future internet payments. SecuRe Pay sets out a number of minimum expectations that must be met.

‘Strong Authentication’ – Mandates multi-factor authentication, but also brings in some interesting caveats as to how those factors are handled. One or more of the factors:

  • must be mutually independent, i.e. the breach of one does not compromise the other(s);
  • should be non-reusable and non-replicable (except for inherence);
  • must be designed in such a way as to protect the confidentiality of the authentication data;
  • must not be capable of being surreptitiously stolen via the internet.

PSD2 – EBA Regulatory Technical Standards

On 23rd February the EBA published its final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication.

The EBA draft will now be considered by the European Commission and the European Parliament to confirm that the RTS is in line with the primary legal text of PSD2. This process is expected to last three months, before the start of an 18-month implementation period to enable technical compliance and the development of industry standards to meet the requirements. MIDAS will work with the European institutions during this 3-month period, and PAS499 expects to have publicly available draft documentation early in the 18-month implementation period.

What are the minimum requirements of SecuRe Pay that are most relevant for MIDAS Alliance?

(The full guidance runs to 42 pages.)

The changes to its definition of Strong Authentication are of the greatest relevance to MIDAS Alliance:

Definition of Strong Authentication – SecuRe Pay mandates multi-factor authentication, but in addition it also brings in some interesting caveats as to how these factors are handled, so that one or more of the factors:

1 Must be mutually independent, i.e. the breach of one does not compromise the other(s);
2 Should be non-reusable and non-replicable (except for inherence);
3 Must be designed in such a way as to protect the confidentiality of the authentication data;
4 Must not be capable of being surreptitiously stolen via the internet.

SecuRe Pay in addition lays out the following requirement for every issuing bank: strong authentication must be based on the use of two or more of the following elements:

1 Something only the user knows, e.g. static password, code, personal identification number;
2 Something only the user possesses, e.g. token, smart card, mobile phone;
3 Something the user is, e.g. a biometric characteristic, such as a fingerprint or face recognition.

In addition, for SecuRe Pay the elements selected must be mutually independent, i.e. the breach of one does not compromise the other(s).

“At least one of the elements should be non-reusable and non-replicable and not capable of being surreptitiously stolen via the internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.”

The purpose of the SecuRe Pay guidelines is to define common minimum requirements for the internet payment services listed below, irrespective of the access device used:

1 The execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in ‘wallet solutions’
2 The execution of credit transfers (CTs) on the internet
3 The issuance and amendment of direct debit electronic mandates
4 Transfers of electronic money between two e-money accounts via the internet.