Executive Overview
Driven by the need to enhance the security of digital transactions and to help protect customers’ interests, the Reserve Bank of India (RBI) has issued a framework for alternative authentication mechanisms.
The framework introduces Additional Factors of Authentication (AFA), which, according to 1Kosmos, bring stronger, more secure authentication into play, such as biometric verification and multi-factor authentication (MFA). The broader objectives are aimed squarely at improving the customer experience, promoting digital banking, ensuring regulatory compliance, and balancing innovation with risk.
1Kosmos provides a ready, state-of-the-art capability to meet the RBI mandate with a privacy-by-design platform to strengthen authentication with verified identity, empower individuals to manage their own personal identifiable information, and provide them convenient, passwordless access to digital services.
1Kosmos functions as a universal authenticator for legacy apps and provides multi-factor authentication by default millions of times each day for workers, customers, and citizens at some of the largest organizations in the world.
Alternate Authentication Framework Requirements
Interestingly, RBI categorically mentions the need to move away from SMS-based one-time passwords (OTP) as a factor. Although the central regulator never specifically mandated it, SMS-based OTP became the de facto primary and most widely adopted second factor for digital payments.
SMS-based authentication is not secure, and the National Institute of Standards and Technology (NIST) has deprecated it since 2016 because it is recognized as vulnerable to attacks. To address these challenges, and in light of advances in technology, RBI produced recommendations to safeguard digital payments.
The RBI draft framework on alternative authentication mechanisms for digital payment transactions introduces several key requirements:
- Additional Factor of Authentication (AFA): The use of an additional factor of authentication for most digital transactions. This AFA should be robust and dynamically generated for each transaction, ensuring it cannot be reused. This applies to all digital payments except for certain low-value transactions like small contactless card payments up to 5,000 Indian Rupees and specific recurring transactions. Categories for factors of authentication consist of the following:
  - A) Something you know (password/PIN)
  - B) Something you have (possession of a hardware or soft token)
  - C) Something you are (biometrics)
- Diverse Authentication Methods: The availability of multiple authentication options, allowing users to choose methods that suit their needs. This flexibility is intended to increase the adoption of digital payments by improving user convenience while maintaining security.
- Risk-Based Authentication: Issuers (e.g., banks and payment providers) are encouraged to adopt a risk-based approach when determining the appropriate AFA for a transaction. Factors such as the customer’s risk profile, transaction value, and the payment channel used should be considered.
- Customer Consent and Deregistration: Customers must explicitly consent before any new authentication method is implemented. Additionally, customers should have the option to deregister from any authentication method if they choose.
- No Exclusivity with Providers: The framework prohibits issuers from entering exclusive arrangements with any payment service provider or technology service provider, ensuring a competitive and non-restrictive environment for deploying alternative authentication solutions.
- Real-Time Transaction Alerts: Issuers are required to alert customers in near real-time for all eligible digital payment transactions to further enhance security.
- Compliance and Standardization: Technology Service Providers (TSPs) must ensure that their solutions comply with the RBI’s regulatory standards. This includes adherence to the requirements for robustness, security, and interoperability of the authentication mechanisms they provide. The RBI mandates that these solutions should work across different platforms and devices, ensuring a consistent and secure user experience. TSPs assume liability for the robustness and integrity of the authentication platform.
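The AFA requirement above asks for a factor that is generated per transaction and cannot be reused. The following added example (not code from the RBI framework or the 1Kosmos platform) models one way to meet that with a "something you have" soft token: the token and the issuer share a per-device seed (a placeholder here), the token computes a code over the exact transaction details plus a server-issued nonce, and the issuer accepts each nonce once, rejecting replay, expiry and any change to the amount or payee after the code was produced. All names, the canonical field list and the TTL are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example: the issuer and a provisioned soft token share a per-device seed.
SEED = bytes.fromhex("00" * 32)  # placeholder seed for the example, never use a fixed seed in practice


def canonical_tx(tx: dict) -> bytes:
    """Canonical encoding of the fields the factor is bound to (the transaction the user approved)."""
    return f"{tx['account']}|{tx['payee']}|{tx['amount_inr']}|{tx['channel']}".encode()


def token_code(seed: bytes, tx: dict, nonce: str) -> str:
    """What the customer's soft token computes for this transaction and this nonce only."""
    mac = hmac.new(seed, canonical_tx(tx) + b"|" + nonce.encode(), hashlib.sha256)
    return mac.hexdigest()[:8]  # truncated for display; the nonce keeps it single-use


class AfaVerifier:
    """Issuer side: hands out one nonce per transaction and accepts each nonce at most once."""

    def __init__(self, seed: bytes, ttl_seconds: int = 120):
        self._seed, self._ttl = seed, ttl_seconds
        self._pending = {}      # nonce -> (canonical tx bytes, expiry time)
        self._consumed = set()  # nonces already used, kept so a replayed code is refused

    def issue_nonce(self, tx: dict, now: float) -> str:
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (canonical_tx(tx), now + self._ttl)
        return nonce

    def verify(self, tx: dict, nonce: str, code: str, now: float) -> str:
        if nonce in self._consumed:
            return "REJECT_REPLAY"
        entry = self._pending.get(nonce)
        if entry is None:
            return "REJECT_UNKNOWN_NONCE"
        bound_tx, expiry = entry
        if now > expiry:
            del self._pending[nonce]
            return "REJECT_EXPIRED"
        if bound_tx != canonical_tx(tx):
            return "REJECT_TX_MISMATCH"  # amount or payee changed after the code was produced
        if not hmac.compare_digest(token_code(self._seed, tx, nonce), code):
            return "REJECT_BAD_CODE"
        self._consumed.add(nonce)
        del self._pending[nonce]
        return "ACCEPT"
```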
The 1Kosmos Platform
The 1Kosmos platform is well-positioned to address the Reserve Bank of India’s (RBI) draft framework on alternative authentication mechanisms for digital payment transactions. Below is a detailed summary.
- Additional Factor of Authentication (AFA)
The RBI framework mandates the use of AFA for most digital transactions, which should be robust and dynamically generated for each transaction. The 1Kosmos platform excels in this area by offering a multi-factor authentication (MFA) solution that goes beyond traditional SMS-based OTPs. Categories for factors of authentication:
- Something you know (Password/PIN): While 1Kosmos supports traditional knowledge-based factors, it emphasizes more secure methods.
- Something you have (Possession of hardware/soft token): The platform supports hardware tokens and soft tokens, ensuring that the possession factor is dynamically generated and cannot be reused.
- Something you are (Biometrics): 1Kosmos leverages biometric authentication, such as fingerprint, facial recognition, and iris scan, which are captured at enrollment and tied to a verified identity. This ensures that each access attempt physically verifies the user’s identity, making it highly secure and resistant to fraud.
- Diverse Authentication Methods
The RBI framework encourages the availability of multiple authentication options to improve user convenience and adoption. The 1Kosmos platform offers a variety of authentication methods, including:
- New-generation passwordless authentication using biometrics.
- Traditional 2FA and MFA methods such as SMS, push notifications, and email, which 1Kosmos can provide to ensure continuity while customers gradually transition to passwordless authentication.
- Hardware and software tokens.
This flexibility allows service providers and their users to choose the authentication method that best suits their needs, thereby increasing the adoption of digital payments while maintaining high security standards with minimal friction to the user experience. The platform is attested for Authentication Assurance Level 1, 2, and 3 as per NIST 800-63 standards.
This allows 1Kosmos to enforce multiple factors of authentication via various authentication methods in a single platform.
It also leverages adaptive authentication to adjust the required factors based on risk signals, ensures secure transmission and storage of authentication data, and provides convenient user management and recovery options. This approach helps to protect against unauthorized access while maintaining a user-friendly experience.
1Kosmos customers leverage this in multiple ways; one example is a global banking customer.
- Risk-Based Authentication
The RBI framework recommends a risk-based approach to determine the appropriate AFA for a transaction. The 1Kosmos platform continuously assesses the risk level associated with each transaction or login attempt based on several factors such as user behavior, device, location, and time. This dynamic assessment allows the system to adjust authentication requirements in real time. The system collects and analyzes risk signals, which might include unusual login locations, changes in user behavior, high-value transactions, or access attempts from unfamiliar devices. Issuers can configure authentication policies based on various risk factors, such as:
- Customer’s risk profile
- Transaction value
- Payment channel used
Based on the risk assessment, 1Kosmos adapts the authentication process. For elevated-risk or high-value activities, it might require additional verification steps, such as biometric authentication, multi-factor authentication (MFA), or additional identity proofs. For low-risk activities, it may streamline the process with fewer steps. As an example, a 1Kosmos banking customer uses liveness detection, having users blink their eyes and smile to authenticate digital payments, proving they are a real person.
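The risk-based selection of AFA described above, as an added example that is not the RBI's or 1Kosmos' own policy logic: a small policy function scores the signals the text names (customer risk profile, transaction value, payment channel, device and location familiarity) and maps the score to the factor categories to demand, honouring the 5,000 INR small contactless-card exemption quoted earlier. The weights, thresholds, channel names and the treatment of recurring mandates are assumptions.

```python
from dataclasses import dataclass

# Constructed example. The only value taken from the text is the 5,000 INR contactless limit;
# every weight and threshold below is an assumed, illustrative policy choice.
CONTACTLESS_EXEMPT_LIMIT_INR = 5000


@dataclass
class TxContext:
    amount_inr: int
    channel: str              # "contactless_card", "upi", "netbanking", "card_online"
    customer_risk: str        # issuer's profile of the customer: "low", "medium", "high"
    known_device: bool        # device previously enrolled by this customer
    usual_location: bool      # location consistent with the customer's history
    recurring_mandate: bool   # pre-authorised recurring debit


def risk_score(tx: TxContext) -> int:
    """Additive score over the signals the framework names; weights are assumed."""
    score = {"low": 0, "medium": 2, "high": 4}[tx.customer_risk]
    if tx.amount_inr >= 100_000:
        score += 4
    elif tx.amount_inr >= 25_000:
        score += 2
    if not tx.known_device:
        score += 3
    if not tx.usual_location:
        score += 2
    if tx.channel == "card_online":
        score += 1  # card-not-present is treated as a riskier channel
    return score


def required_factors(tx: TxContext) -> list[str]:
    """Factor categories the issuer demands on top of the primary credential."""
    # Exemptions the framework allows: small contactless card payments and recurring debits
    if tx.recurring_mandate:
        return []
    small_contactless = (tx.channel == "contactless_card"
                         and tx.amount_inr <= CONTACTLESS_EXEMPT_LIMIT_INR)
    if small_contactless and tx.customer_risk != "high":  # assumed: no exemption for high-risk profiles
        return []
    score = risk_score(tx)
    if score <= 2:
        return ["have"]                                   # e.g. push approval on an enrolled device
    if score <= 5:
        return ["have", "are"]                            # possession plus biometric
    return ["have", "are:liveness", "identity_proof"]     # step-up: live biometric plus identity re-proofing
```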
- Customer Consent and Deregistration
The RBI framework requires explicit customer consent before implementing any new authentication method and provides the option for customers to deregister from any method. The 1Kosmos platform ensures compliance with this requirement by:
- Ensuring that users provide explicit consent before any identity-related data is collected or used. This is typically managed through user interfaces where consent is obtained through affirmative actions, such as checking a box or clicking a consent button.
- Giving users control over the specific information they are sharing and with whom. The system allows for detailed permission settings, giving users the ability to grant or revoke access to their personal data as needed.
- Offering its privacy-by-design architecture, one of the most distinctive differentiators 1Kosmos provides to its customers. It uses a private, permissioned ledger (a private blockchain) to create immutable audit trails of all consent actions. Once consent is given or revoked, the record of that action is permanently stored and cannot be altered, providing a clear and verifiable history of user permissions.
- No Exclusivity with Providers
The RBI framework prohibits exclusive arrangements with any payment or technology service provider. The 1Kosmos platform is designed to be interoperable and non-restrictive, ensuring that it can integrate seamlessly with various payment service providers and technology solutions. This open approach fosters a competitive environment and allows issuers to choose the best solutions for their needs without being locked into exclusive agreements.
- Real-Time Transaction Alerts
The RBI framework mandates near real-time alerts for all eligible digital payment transactions. The 1Kosmos platform supports this requirement by:
- Providing real-time notifications for all transactions, ensuring that customers are immediately aware of any activity on their accounts.
- Offering customizable alert settings, allowing users to choose how they receive notifications (e.g., SMS, email, push notifications).
- Compliance and Standardization
The RBI framework requires technology service providers to ensure their solutions comply with regulatory standards, including robustness, security, and interoperability. The 1Kosmos platform meets these requirements by:
- Adhering to industry standards and certifications, such as NIST 800-63-3, UK DIATF IDSP & ASP, FIDO, and iBeta ISO/IEC 30107-3.
- Implementing a distributed identity architecture that provides an immutable audit trail, ensuring the integrity and robustness of the authentication platform.
- Ensuring interoperability across different platforms and devices, providing a consistent and secure user experience.
1Kosmos Platform Helps Meet Privacy Standards
India has recently enacted the Digital Personal Data Protection (DPDP) Act, which emphasizes the protection of personal data, ensuring data privacy, security, and minimizing data breaches. The 1Kosmos solution can significantly aid in compliance with this act by offering more secure and user-friendly ways to verify identity without traditional passwords, which are a common point of vulnerability. Specifically, the following benefits accrue on its implementation:
- Enhanced Security: Passwords are susceptible to breaches, phishing, and other attacks. The diverse and flexible methods (e.g., biometrics, device-based authentication, and one-time codes) offered by 1Kosmos reduce the risk of unauthorized access, aligning with DPDP requirements for strong data protection.
- Data Minimization: The DPDP Act encourages minimizing data collected, used, and retained. Passwordless systems often reduce or eliminate the need to store password data, which reduces the volume of sensitive information the organization must protect.
- Privacy by Design: The state-of-the-art approach of the 1Kosmos solution aligns with the DPDP’s requirement for “privacy by design.” Built into the authentication mechanism from the start, this approach inherently reduces the data footprint and enhances user security.
- Improved User Control and Transparency: Reliable authentication mechanisms, particularly those that use biometrics or device-based factors, help comply with the DPDP’s emphasis on user rights by giving individuals more control over their data (e.g., biometric data stored locally on their device rather than on a central server).
- Reduced Risk of Data Breaches: With fewer stored passwords, the organization’s risk of exposure from data breaches decreases, which helps in meeting the DPDP Act’s data security and breach reporting standards.
Conclusion
The 1Kosmos platform is well-equipped to address the RBI’s draft framework on alternative authentication mechanisms for digital payment transactions. By offering robust, dynamic, and diverse authentication methods, 1Kosmos enhances security while maintaining user convenience. The platform’s risk-based approach, customer consent mechanisms, and real-time transaction alerts further align with the RBI’s requirements. Additionally, 1Kosmos’ commitment to compliance and standardization ensures that its solutions are secure, interoperable, and reliable, making it an ideal choice for issuers looking to meet the RBI’s guidelines.