Strong authentication


Strong authentication is a notion with several unofficial definitions. However, since January 2013, it has been defined by regulation and incoming legislation within the European Union and the SEPA payment zone for remote payment transactions. Strong authentication and strong customer authentication are used interchangeably in banking and financial services, particularly where access to an account must be linked to an actual person, corporation or trust.

Strong authentication is often confused with two-factor authentication or more generally multi-factor authentication. However, strong authentication is not necessarily multi-factor authentication. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves 'something you have' or 'something you are', it would not be considered multi-factor authentication. The FFIEC issued supplemental guidance on this subject in August 2006, in which they clarified, "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication."

Another common class of definitions ties strong authentication to a cryptographic process, more precisely to authentication based on a challenge-response protocol; this is the definition used in the Handbook of Applied Cryptography. It does not necessarily imply two-factor authentication, since the secret key used in a challenge-response scheme can be derived from nothing more than a password (a single factor).

A third class of definitions says that strong authentication is any form of authentication in which verification is accomplished without transmitting a password. This is the case, for example, with the definition found in the Fermilab documentation.
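The two preceding definitions describe the same mechanism from different angles: a challenge-response exchange in which the password itself never crosses the wire, but whose only secret is still derived from that password. The following added example (not part of the article) makes both points concrete with an HMAC challenge-response between a claimant and a verifier. The password, salt and user name are constructed sample values, and the key derivation via PBKDF2 is a choice made here for illustration, not something the article specifies.

```python
import hashlib
import hmac
import os
from typing import List, Tuple

# Constructed sample credential shared at enrolment (example values, not from the article).
PASSWORD = "correct horse battery staple"
SALT = b"example-salt-not-secret"
USER = "alice"


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive the challenge-response key from the password.

    Everything the scheme proves rests on this one value, so knowing the
    password is sufficient: this is single-factor ('something you know').
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Verifier:
    """Server side: holds the derived key and one outstanding nonce per user."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = {}

    def issue_challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)          # fresh, unpredictable challenge
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)
        if nonce is None:
            return False                # no live challenge: replayed or unsolicited response
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Claimant:
    """Client side: derives the same key locally and answers the challenge."""

    def __init__(self, password: str, salt: bytes):
        self._key = derive_key(password, salt)

    def respond(self, nonce: bytes) -> bytes:
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


def run_exchange(password_used: str) -> Tuple[bool, List[str]]:
    """Run one authentication; return (accepted, transcript of what crossed the wire)."""
    verifier = Verifier(derive_key(PASSWORD, SALT))
    claimant = Claimant(password_used, SALT)
    wire = []
    nonce = verifier.issue_challenge(USER)
    wire.append(f"S->C challenge: {nonce.hex()}")
    response = claimant.respond(nonce)
    wire.append(f"C->S response:  {response.hex()}")
    return verifier.verify(USER, response), wire


def password_crossed_wire(transcript: List[str]) -> bool:
    """True if the cleartext password appears anywhere in the captured exchange."""
    return any(PASSWORD in line for line in transcript)


def replay_rejected() -> bool:
    """A captured response cannot be reused: the nonce is consumed on first use."""
    verifier = Verifier(derive_key(PASSWORD, SALT))
    claimant = Claimant(PASSWORD, SALT)
    nonce = verifier.issue_challenge(USER)
    response = claimant.respond(nonce)
    first = verifier.verify(USER, response)
    second = verifier.verify(USER, response)   # same bytes replayed
    return first and not second


if __name__ == "__main__":
    accepted, transcript = run_exchange(PASSWORD)
    print("\n".join(transcript))
    print("accepted:", accepted, "| password on wire:", password_crossed_wire(transcript))
    print("wrong password accepted:", run_exchange("wrong password")[0])
    print("replay rejected:", replay_rejected())
```

The transcript shows only a random nonce and an HMAC, satisfying the "no password transmitted" definition, yet a verifier that stores the derived key is still protected by exactly one factor, which is why this class of definition does not coincide with multi-factor authentication.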

The fourth class, which has legal standing within the EU28 and SEPA zone countries, is the one defined by the European Central Bank for remote (online or mobile) authentication. On 31 January 2013, the European Central Bank (ECB) issued mandatory guidelines that require all payment gateways, issuing, joint issuing/acquiring, and acquiring institutions, who jointly form the group defined as payment service providers (PSPs), to adopt 'strong (customer) authentication' by 1 February 2015. These requirements apply to remote (online, mobile and internet) credit card transactions and extend to e-mandates, eWallets, stored value cards, and credit transfers.
