Supporting Trusted Digital Identification and Authentication

The MIDAS Alliance’s key aim is to develop and promote an international standard for digital identification and authentication of individuals and organisations to enable them to trust each other’s online identity.

PSD2

What are the minimum requirements of SecuRe Pay that are most relevant for the MIDAS Alliance?

The full 42-page guidance is available to download.

The changes to its definition of Strong Authentication are of the greatest relevance to the MIDAS Alliance:

Definition of Strong Authentication – SecuRe Pay mandates multi-factor authentication, but in addition it also brings in some interesting caveats as to how these factors are handled, so that one or both of these factors:

  • Must be mutually independent, i.e. the breach of one does not compromise the other(s);
  • Should be non-reusable and non-replicable (except for inherence);
  • Designed in such a way as to protect the confidentiality of the authentication data;
  • Not capable of being surreptitiously stolen via the internet.

SecuRe Pay in addition lays out the following requirements for every issuing bank to conform to, based on the use of two or more of the following elements:

  • Something only the user knows, e.g. static password, code, personal identification number;
  • Something only the user possesses, e.g. token, smart card, mobile phone;
  • Something the user is, e.g. a biometric characteristic, such as a fingerprint or face recognition.

In addition, SecuRe Pay requires that the elements selected be mutually independent, i.e. the breach of one does not compromise the other.

“At least one of the elements should be non-reusable and non-replicable and not capable of being surreptitiously stolen via the internet. The strong authentication procedure should be designed in such a way as to protect the confidentiality of the authentication data.”

The purpose of the SecuRe Pay guidelines is to define common minimum requirements for the internet payment services listed below, irrespective of the access device used:

  • The execution of card payments on the internet, including virtual card payments, as well as the registration of card payment data for use in ’wallet solutions’
  • The execution of credit transfers (CTs) on the internet
  • The issuance and amendment of direct debit electronic mandates
  • Transfers of electronic money between two e-money accounts via the internet.