In April 2016, the new PCI DSS 3.2 version was adopted. Some of the changes introduced in this version become effective on February 1st, 2018. These are changes to employee authentication for access to bank information systems. In particular, starting from February 1st, 2018, multi-factor authentication becomes mandatory for a number of access scenarios.
The PCI DSS defines the following factors or methods of user authentication:
- Something that you know;
- Something that you have;
- Something that you possess (something that you are).
Here are some examples of these factors, the ones most frequently used in multi-factor authentication practice.
Something that you know
- USB key or smart card PIN code. The PIN is stored only in the device memory and is used to unlock the protected data area of the smart card or USB key so that it can perform various cryptographic operations, including authentication.
- Answer to a security question. As a rule, this method is used as a fallback for access recovery. For security reasons, it is recommended to require correct answers to several questions.
- Classic constant (static) password.
Something that you have
- USB key or smart card. Such devices store a private key for asymmetric cryptography operations, along with other key material.
- OTP key, a one-time password (OTP) generator: a hardware device for OTP generation. The most commonly used standards for one-time password generation are the OATH TOTP and HOTP algorithms. There are also proprietary OTP generation algorithms (RSA, for example).
- User smartphone. A user smartphone can be used as: (a) a mobile application for OTP generation; (b) a device to receive OTP via SMS; (c) a mobile application for out-of-band authentication using push notifications.
- Proximity card (RFID). Such cards can be used both for logical access to information systems and for physical access to company premises.
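The OATH HOTP and TOTP algorithms mentioned for OTP keys and smartphone apps are short enough to show in full. The following is an added example, not code from the original article or from any vendor: it implements HOTP (RFC 4226) and TOTP (RFC 6238) as an OTP token would compute them, and the server-side verification that a bank would pair with the constant password. The secret and timestamps are the published RFC test vectors, not a real key; the look-ahead and drift windows are illustrative values chosen here.

```python
"""Added example: OATH HOTP (RFC 4226) and TOTP (RFC 6238) generation and
server-side verification. Not part of the original article."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits (RFC 4226, section 5.3)."""
    msg = struct.pack(">Q", counter)            # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                     # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter replaced by floor(unix_time / step) (RFC 6238)."""
    return hotp(secret, timestamp // step, digits, algo)


def verify_totp(secret: bytes, candidate: str, timestamp: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side TOTP check. Accepts the code for the current time step or
    +/- `window` adjacent steps to tolerate clock drift between token and
    server. The comparison is constant-time so a timing side channel does not
    reveal how many leading digits of a guess were right."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    counter = timestamp // step
    for delta in range(-window, window + 1):
        expected = hotp(secret, counter + delta, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def verify_hotp(secret: bytes, candidate: str, server_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """Server-side HOTP check with the resynchronisation window from RFC 4226
    section 7.4. Returns the new server counter (one past the matched value)
    when the code matches one of the next `look_ahead` counters, else None.
    Moving the stored counter forward is what stops an already-used code from
    being replayed."""
    if len(candidate) != digits or not candidate.isdigit():
        return None
    for i in range(look_ahead):
        if hmac.compare_digest(hotp(secret, server_counter + i, digits), candidate):
            return server_counter + i + 1
    return None


# Shared-secret test key published in RFC 4226 / RFC 6238 (constructed test
# value, never a production secret).
RFC_SECRET = b"12345678901234567890"


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter={c}: {hotp(RFC_SECRET, c)}")
    now = int(time.time())
    code = totp(RFC_SECRET, now)
    print(f"TOTP now: {code}, verifies: {verify_totp(RFC_SECRET, code, now)}")
```

The two verifier functions show the part that distinguishes a "something you have" factor from a password: the server never stores the displayed code, only the shared secret and (for HOTP) a counter it advances on every success, so a captured code is worthless a moment later.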
Something that you possess (something that you are)
This category holds all the technologies based on the biometric data.
- Currently, the most widespread biometric authentication method is fingerprint verification. Today, this technology has one of the best quality-to-price ratios among biometric technologies.
- Vein pattern. This technology uses the hand or finger vein pattern to create a biometric template. The advantages of the technology are high recognition accuracy and hygiene, as vein pattern recognition is performed at a distance, with no direct contact between the palm or finger and the scanner.
- Photo (2D face image). This technology is one of the cheapest biometric authentication methods, as it does not require special devices. A disadvantage of the technology is that recognition accuracy depends on the room lighting.
- 2D and 3D face image. For authentication with 2D and 3D face images, Intel RealSense™ technology is used. This allows a highly accurate face image (including in the IR band) to be obtained, and thus higher authentication accuracy.
- Voice biometrics. As with face photo images, voice biometrics is also one of the cheapest authentication methods. The advantage of the technology is that phone calls can be used for authentication. The drawbacks are relatively low recognition accuracy and a limited number of usage scenarios.
It should be noted that the standard requires the combined use of at least two different authentication factors. In other words, using two passwords or two fingerprints is not multi-factor authentication. The most frequent practical combinations of authentication factors are listed below:
- Smart card (with private key and certificate) + PIN code
- Constant password + one-time password
- Proximity card + constant password
- Proximity card + fingerprint verification
- Fingerprint verification + constant password
- Smartphone application (push notification) + constant password
- Smartphone application (push notification) + fingerprint verification