Strong Customer Authentication (SCA)
Strong customer authentication is a procedure based on the use of two or more of the following elements categorized as knowledge, ownership
The ability to assert the trustworthiness of a device is vital for addressing mobile transaction security concerns. Binding a user, through a single known password, to a previously registered device is the first element of the CVS security concept. This is achieved by combining user-specific data entered during enrollment for the CVS services. Upon registration for the CVS service, the customer is prompted to enter registration data, predefined by the bank's internal rules and in line with ECB Recommendation No. 6 and No. 8. The enrollment data may include customer name, mobile phone number, account number and a registration passcode.
After this initial step, the user defines the Passphrase or PIN and/or sets the biometric data that he wants to use to sign transactions. The PIN corresponds to element 2, something only the user knows, and the biometric data (fingerprint, face recognition) represents element 3, something the user is. This gives the bank the highest flexibility to define any combination of elements that it may require for the authorization of a financial transaction, as per its own risk assessment procedures and in consideration of ECB Recommendation No. 8. It is important to note that the access control (either Passphrase/PIN or biometric) is created offline on the mobile phone itself. This information is not stored on any host server and is known only to the user. RSA keys are used to establish a secure channel between the CVS Host and the application on the smartphone during the initial activation process and for transaction processing.
Once the registration code generated by the application has been received and verified by the host, the corresponding activation code is sent to the phone by SMS. The user enters the activation code to complete the initial activation process. Upon successful activation, the user will be able to log in to the application and carry out transactions securely, with his identity verified and protected from fraud-after-theft, malware and other cyber threats.
For full product information about strong customer authentication please
refer to our product brochure "BGS Customer Cerification System"