Response to discussion on RTS on strong customer authentication and secure communication under PSD2


2. Which examples of possession elements do you consider as appropriate to be used in the context of strong customer authentication, must these have a physical form or can they be data? If so, can you provide details on how it can be ensured that these data can only be controlled by the PSU?

Mobile devices provide several mechanisms that can be used to deliver strong customer authentication. There has been a significant effort in creating trusted execution environments and secure video playback on mobile devices. Traditional approaches to leveraging these capabilities have proven to be impractical because of the complexity of the ecosystems that control these resources. However, some applications of these technologies have been able to use these capabilities in a very scalable manner. The most notable example is the use of Digital Rights Management to protect video playback. This has been mandated by major content studios and has been widely deployed and used by content distributors such as Netflix to securely distribute high-value video content using the hardware security elements in mobile devices. It has been demonstrated that this video-based Digital Rights Management can create a strong binding between the PSU and a mobile device.
An additional method that can be used to enhance strong customer authentication is the use of dynamic data that is updated on a regular basis between the device used by the PSU and the server. These techniques can be very effective in enabling the detection of fraud attempts. This data can be further protected using protected software that executes within the device or even within the browser on the device.

3. Do you consider that in the context of “inherence” elements, behaviour-based characteristics are appropriate to be used in the context of strong customer authentication? If so, can you specify under which conditions?

We believe that it is possible to improve the level of authentication in a cost-effective manner by using behavioural elements that can be inferred from the operation of a mobile device. These can include motion and location as well as more conventional biometric techniques. They can be made more robust by applying software security techniques to the applications that read these forms of data and either make a direct inference about the PSU's identity or feed this information back to a server for analysis. In either case, software security can give greater confidence in the integrity of the decision or of the data used to make the decision.

4. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to the independence of the authentication elements used (e.g. for mobile devices)?

In the case of mobile devices it has proven extremely difficult to create the infrastructure in which multiple parties can manage the security of the device and, in particular, resources such as the trusted execution environment. Several attempts to create Trusted Service Managers have been made globally, and they have failed because of the complexity of the mobile ecosystems. We have demonstrated that the current digital rights management infrastructure can be used to provide a hardware root of trust and secure interaction with the PSU on that device.

5. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to dynamic linking?

The greatest challenge is to enable multiple parties to interoperate while maintaining security. To this end we believe that lightweight solutions are needed that work with existing web infrastructure and require the minimum of interaction between parties. This is an area in which software-based security solutions have a significant advantage. Embedding security within applications reduces platform dependency (which significantly impedes innovation and scale) and speeds the deployment of services. It also reduces the need for the parties to interact with each other, and reduces the ability of a single party or entity to use its dominant position as a platform provider to exert excessive control in the market. Software solutions also enable rapid responses to security issues.

6. In your view, which solutions for mobile devices fulfil both the objective of independence and dynamic linking already today?

The following solutions have been created by Irdeto to provide security around dynamic linking, particularly for API protection and multi-factor authentication.
For the protection of API calls we have developed software protections that protect the keys used to sign calls made to APIs. This protects the server-side APIs from attempts by attackers to abuse the API in order to compromise end users or the service provided.
For multi-factor authentication Irdeto has developed a solution that uses the widely deployed hardware Digital Rights Management solutions implemented as standard features on Android devices. This solution uses the unique identity and secret key embedded in Android devices for video path protection as one factor of authentication, and enables the end user to securely enter their PIN as a second factor. This solution has the further advantage of protecting the user's PIN from malware that may be executing on the mobile device.

12. Have you identified innovative solutions for the enrolment process that the EBA should consider which guarantee the confidentiality, integrity and secure transmission (e.g. physical or electronic delivery) of the users’ personalised security credentials?

We have two types of solution that we believe to be innovative in this regard. The first is the use of software security (Irdeto's JavaScript solution), which secures sensitive data and actions within a web application. This enables direct encryption of sensitive data within the browser, before it leaves the browser, reducing the overall attack surface. This technology also provides a degree of integrity verification of the web application as it executes within the browser.
The second solution is the use of the video Digital Rights Management within the mobile device to enable interaction between the server and the end user. This technology provides an encrypted channel from the server to the screen that is not accessible to the application processor, even if the device has been infected with malware.

13. Can you identify alternatives to certification or evaluation by third parties of technical components or devices hosting payment solutions, to ensure that communication channels and technical components hosting, providing access to or transmitting the personalised security credential are sufficiently resistant to tampering and unauthorized access?

The use of our software protection technologies within the browser, and in particular the ability to encrypt and decrypt sensitive data within the web application, reduces the number of components and devices that have access to sensitive data. In one deployment of this technology the end user enters sensitive data within the web application, which encrypts it directly. The sensitive data remains encrypted until it is processed by a backend vault that sits behind multiple application servers. Normally, with link encryption technologies such as Transport Layer Security, any server that processes the web application has full access to the sensitive data.

Name of organisation

Irdeto B.V.

Please select which category best describes you and/or your organisation.

IT services provider

Please select which category best describes you and/or your organisation.

Other

If you selected 'Other', please provide details

Security Solutions & Services