Publication Details
E-Banking Authentication - Dynamic Password Generators and Hardware Tokens
Malinka Kamil, Mgr., Ph.D. (DITS)
Hanáček Petr, doc. Dr. Ing. (DITS)
Online banking, PSD2, Multi-factor authentication, Cybersecurity, Secure hardware, FIDO2, WebAuthn, CTAP2
In our recent work we presented an overview of current authentication methods,
their properties with respect to international standards, and their resistance
against attacks from a defined attack taxonomy (compatible with the NIST Digital
Identity Guidelines). With the Payment Services Directive (PSD2) for the European
Union coming into force, we believe it is necessary to revise the compliance of
currently available schemes.
The concepts PSD2 enforces in the area of client authentication are two-factor
authentication (with required factor independence), strong customer
authentication (SCA), dynamic linking of the authentication code to the
transaction's beneficiary and amount, and cloning protection. The most common
means of achieving compliance is the use of Dynamic Password Generators
(DPG) or dedicated Hardware Tokens. A DPG is usually a mobile application
generating one-time passwords (OTP) and often implementing a challenge-response
protocol. We discuss the features of possible DPG implementations, both when
integrated into the e-banking application and as a stand-alone application, and
look into the use of special cryptographic chips in mobile phones (secure enclaves).
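The dynamic-linking requirement above means the authentication code must be a function of the specific transaction, not just of the secret and a counter. The following added example (not code from the paper or from any bank's DPG) shows one way to build such a challenge-response code: an assumed shared device secret and a server-issued challenge nonce are MACed together with the beneficiary and amount, then truncated to a decimal code; changing either transaction field invalidates the code. The HMAC-SHA256 construction, field encoding and 8-digit length are assumptions for illustration.

```python
import hmac
import hashlib
import struct

# Constructed sample values (not real secrets or accounts).
SECRET = b"constructed-device-secret-for-illustration-only"
NONCE = bytes.fromhex("00112233445566778899aabbccddeeff")  # server challenge
BENEFICIARY = "CZ00-PLACEHOLDER-IBAN"


def canonical_transaction(nonce: bytes, beneficiary: str,
                          amount_cents: int, currency: str) -> bytes:
    """Unambiguous encoding of the data the code is linked to.

    Each field is length-prefixed so that shifting characters between
    fields (e.g. beneficiary vs. amount) cannot produce the same input.
    """
    fields = [nonce, beneficiary.encode("utf-8"),
              struct.pack(">Q", amount_cents), currency.encode("ascii")]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def authentication_code(secret: bytes, nonce: bytes, beneficiary: str,
                        amount_cents: int, currency: str, digits: int = 8) -> str:
    """Transaction-bound code computed on the DPG side."""
    msg = canonical_transaction(nonce, beneficiary, amount_cents, currency)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226 section 5.3) to decimal digits.
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify(secret: bytes, nonce: bytes, beneficiary: str,
           amount_cents: int, currency: str, code: str) -> bool:
    """Server side: recompute from the transaction it is about to execute.

    Because the server uses the beneficiary and amount from the order it
    holds, a code issued for a different order cannot be replayed here.
    """
    expected = authentication_code(secret, nonce, beneficiary, amount_cents, currency)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    code = authentication_code(SECRET, NONCE, BENEFICIARY, 125000, "CZK")
    print("code for 1250.00 CZK:", code)
    print("valid for same order:", verify(SECRET, NONCE, BENEFICIARY, 125000, "CZK", code))
    print("valid for altered amount:", verify(SECRET, NONCE, BENEFICIARY, 125001, "CZK", code))
```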
Hardware Tokens are less frequent in e-banking nowadays, but are gaining
traction, especially in web services that require two-factor authentication.
The FIDO2 protocol, consisting of the W3C (World Wide Web Consortium) open web
standard WebAuthn and CTAP2, is becoming the de facto standard for using secure
hardware and biometrics for authentication in a web environment, as it is
implemented in all major browsers. We present the key features of the FIDO2
protocol and how it can be utilized in e-banking or other web services, and
illustrate with examples of banking institutions using the FIDO standards for
e-banking authentication.
@inproceedings{BUT179366,
author="Ondřej {Hujňák} and Kamil {Malinka} and Petr {Hanáček}",
title="E-Banking Authentication - Dynamic Password Generators and Hardware Tokens",
booktitle="Sborník příspevků z 54. konference EurOpen.CZ, 28.5.-1.6.2022",
year="2022",
pages="211--221",
publisher="Czech Open Systems User's Group",
address="Radešín",
isbn="978-80-86583-34-1",
url="https://europen.cz/Anot/54-1/sbornik-54.pdf"
}