
2019 - the year we may finally get to grips with Digital Identification & Authentication

On Thursday evening I was delighted to be speaking in Parliament on behalf of the MIDAS Alliance at the launch of Tech UK’s Digital IDs report, hosted by the All Party Parliamentary Group in Digital Identity. This very well attended event heard of the opportunities afforded by getting digital identification & authentication right, ranging from accessing banking services online and proving your age to securing access to sensitive Government-held data, such as your tax or medical records.

The launch was particularly timely given the breaking news last week of the attack against the two-factor authentication technique being adopted by a number of banks, notably Metro, utilising one-time passwords (OTPs) sent over SMS. Unfortunately, as was widely reported, cyber criminals had developed a ‘new cyber attack’ to intercept these OTPs, gaining access to customers’ accounts. However, this ‘new’ attack exploited a well-known and long-standing vulnerability, which is highlighted in the forthcoming Strong Customer Authentication requirements going live under PSD2 in September this year.

Fortunately, the Tech UK report (along with the Emerging Payments Association Financial Crime report the week before, etcetera) highlights the British Standard in Digital Identification & Authentication (PAS499) as giving the necessary guidance to help steer organisations through such pitfalls to the satisfaction of these forthcoming banking security standards.

On Thursday I highlighted the importance of adopting these banking standards as best practice, rather than merely relying on common or good practice. After all, if your bank has to provide an additional layer of authentication security for a 30 euro e-commerce payment, wouldn’t you want, and indeed expect, your medical or tax records to have at least the same degree of protection?

Equally, it’s all very interesting knowing that there is definitely an Andrew Churchill in existence, but this is of little use if you can’t be sure that it is actually Andrew Churchill, and the right Andrew Churchill, that you are dealing with.

Thanks to Mvine for the photo





Comments: (1)

A Finextra member, 12 February, 2019, 08:26

A timely article, like you said. This "new" attack has been happening for years, and it's very worth noting that OTPs are not 2FA but 2SV (two step verification), the next worst thing after just passwords.

You make a great point that banking, and indeed anything requiring high assurance identity authentication, should not just go with the "common" solution, like SMS based OTPs, but should look at industry leading security. Cryptographic solutions need to be considered in this space.

Andrew Churchill

ID & Authentication Standards author

MIDAS Alliance

This post is from a series of posts in the group:

Banking Strategy, Digital and Transformation
