The Art of Principle-Based Authentication: The Reserve Bank of India (RBI) is advocating Principle-based Authentication rather than insecure and clunky SMS OTP. But what is Principle-based Auth? Why does it hold the key to solve not only current pain points in authentication, verification and fraud prevention but the future ones too?
Principle-based Authentication offers businesses the flexibility to choose authentication methods tailored to their needs, ensuring suitability for specific contexts. For instance, the level of assurance required for tasks like device binding, logging in, or conducting payment transactions varies widely. This approach allows for innovation as technology advances and new fraud methods emerge while maintaining authentication integrity.
Historically, the Identity and Authentication industry followed ISO/IEC 29115 as a guiding principle and framework, particularly Clause 6, which defined Levels of Assurance (LoAs) into four categories. While effective since 2013, recent changes in use cases, technological progress, and emerging fraud tactics have revealed inefficiencies in ISO29115. Notably, its coupling of authentication and identity proofing assurances, which are often distinct processes and responsibilities, may no longer align with current needs.
Principle-based authentication can instead adopt an authentication framework based on Levels of Authentication Assurance (LAAs), offering both predictability and flexibility. This framework ensures confidence in authentication methods while allowing room for industry innovation, thus ensuring future adaptability.
What are the Levels of Authentication Assurance? They provide a guiding framework for selecting and implementing authentication methods appropriate to the user’s context:
LAA1: Level of Authentication Assurance 1:
- Context: Medium level of assurance required, such as logging into a payment application.
- Authentication factors: Single Factor (e.g., Possession, Inherence, Passive).
- Examples: Seamless Mobile Authentication (using SIM cryptography), Passkeys, Biometrics.
LAA2: Level of Authentication Assurance 2:
- Context: High level of assurance needed, for instance, for low to medium-value payment transactions.
- Authentication factors: Two Factor, both factors must differ.
- Examples: Similar to LAA1, plus additional methods for higher assurance needs.
LAA3: Level of Authentication Assurance 3:
- Context: Very high level of assurance, suitable for high-value payment transactions.
- Authentication factors: Two Factor with cryptographic authentication required for at least one factor.
- Examples: Expanded options including FIDO2 based biometrics for added security.
Furthermore, additional assurance can be achieved through authentication factors augmentation:
- Contextual Authentication: Leveraging contextual information for added security, such as user location or device type.
- Continuous Authentication: Providing ongoing verification based on contextual changes, like device or SIM card swaps.
- Discrete Authentication: Offering non-binary authentication options, such as confidence scores or transaction risk analysis.
By embracing principle-based authentication and the Levels of Authentication Assurance framework, businesses can ensure robust security measures while adapting to evolving technological landscapes and emerging threats.
SAFr Auth uses the principle of ‘Who I am’ or ‘Identity’ as the very high level of assurance and with up to 66 separate data signals available from the SIM, it can provide a wide range of additional assurance thus epitomising The Art of Principle-Based Authentication.
Gautam Hazari is Sekura’s Chief Technology Officer and a Mobile Identity guru. He and his team have built the Sekura API Framework (SAFr) – a unique platform that connects in real-time to mobile operators to allow enterprises to build trust in their customers, prevent fraud and create awesome logins.
