Date post: 11-Sep-2020
Page 1

AUTHENTICATION & AUTHORIZATION IN

DIGITAL FINANCIAL TRANSACTIONS

Seamless Consumer Experience from Security and Privacy Standpoint

Page 2

Supply chain of Transaction Processing and FinTech

With more players joining the digital payments landscape and bringing specialized capabilities, the supply chain of transaction processing is becoming increasingly enriched. Technologies such as RPA, AI, DLT, NLP, AR/VR and cloud computing are enabling innovation. Fintech players are thus now in a position to offer niche capabilities such as digital ID provisioning, device integration, open interfaces, context provisioning, account aggregation, document management, process optimization and automation, and customer experience management, to name a few. Regulators have recognized the role of Fintech providers in initiating, enriching and processing digital transactions.

Study Objectives

· Capture the disruptions shaping the Digital Payment landscape

· Map transaction flows prevalent in India

· Assess trends, innovations and capabilities impacting payment processing

· Examine the current authentication and authorization paradigm

· Future modelling of authentication and authorization

Digitization of Transaction Processing: Fintech

[Diagram; labels recovered from the figure:]

Enabling Technologies: RPA, ML/AI, Big Data, Mobility, DLT, Cloud Computing, AR/VR, Chat Bot | NLP, Biometrics, Presence & Geospatial

FinTech Capabilities (stages: Initiation, Enrichment, Data Management & Aggregation, Processing): Digital ID Provisioning, Customer Onboarding, Transactions, Device Integration, Process Optimization & Automation, Account Aggregation, Context Provisioning, Experience Management, Sales & Service Interactions, Regulation & Compliance Management, Segmentation & Targeting, Advisory & Assistance, Document Management, Interfaces & APIs

Entities involved in Transaction Processing (grouped in the figure as Regulated Entities and Technology & Business Services):

· Financial Institutions: Banks, NBFCs, Insurance, Exchanges, Mutual Funds, etc.

· Payment Processors: Credit Card Providers, ATM Switches, Wallet, PPIs, Gateways, etc.

· Devices & Platforms: Device Manufacturers, Internet & SM Platforms, Utility Apps, etc.

Background

Across the globe and in India, efforts are on to promote rapid digitization of payment transactions. The increase in volume and complexity of transactions is bringing tectonic shifts in the digital payments landscape. Buoyed by the ability to process large amounts of complex data, the whole supply chain of financial transaction processing has become more intricate.

This study endeavours to capture the innovations that are taking place in the area of authentication and authorization, the two key pillars of secured digital payments and transactions.

Page 3

Authentication: Future Modelling

Authentication

Traditional passwords, single or limited knowledge factors and centralization of authentication authority have failed to meet the security, scalability and innovation expectations of digitized transaction processing. Present authentication mechanisms rely mostly on explicit inputs from users, such as one-time passwords (OTP) or email verifications, knowledge questions and public key tokens. These are proving insufficient to protect against identity theft in an ever-evolving and sophisticated threat landscape.

Future authentication mechanisms will essentially be secure-device led, biometric enabled, data-driven and context-aware, risk-based, multi-factor authentication with low friction and high flexibility. Along with explicit factors, they will also treat implicit factors, such as device characteristics, user behaviour and risk, as key authentication factors.
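The risk-based, context-aware step-up described above, as an added example that is not part of the study: implicit signals (device identity, location, behaviour, transaction amount, fraud feed) are scored, and the score decides which explicit factors the user must present. The weights, thresholds and factor names are illustrative assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example: implicit signals from the device, location, behaviour and
# transaction are scored, and the score decides which explicit factors the user
# must present. Weights and thresholds are illustrative assumptions.

@dataclass(frozen=True)
class Context:
    device_known: bool         # device identity already bound to this account
    location_usual: bool       # geolocation consistent with the user's history
    behaviour_anomalous: bool  # behavioural biometrics deviate from the baseline
    amount: float              # transaction amount (constructed, INR)
    fraud_signal: bool         # external attack/fraud feed flagged this session

HIGH_VALUE = 50_000.0  # assumed threshold above which the amount adds risk

def risk_score(ctx: Context) -> int:
    """Additive risk score from implicit factors; higher means riskier."""
    score = 0
    if not ctx.device_known:
        score += 30
    if not ctx.location_usual:
        score += 20
    if ctx.behaviour_anomalous:
        score += 25
    if ctx.amount > HIGH_VALUE:
        score += 20
    if ctx.fraud_signal:
        score += 50
    return score

def required_factors(ctx: Context) -> list[str]:
    """Map the score to the explicit factors demanded; an empty list means block."""
    score = risk_score(ctx)
    if score >= 80:
        return []                                   # block: too risky for any step-up
    if score >= 45:
        return ["device_key", "biometric", "otp"]   # high risk: full multi-factor
    if score >= 20:
        return ["device_key", "biometric"]          # medium risk: one step-up
    return ["device_key"]                           # low risk: device-bound key only

def authenticate(ctx: Context, presented: set[str]) -> str:
    """Return 'allow', 'step_up' or 'block' for the factors the client has presented."""
    needed = required_factors(ctx)
    if not needed:
        return "block"
    return "allow" if set(needed) <= presented else "step_up"
```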

[Diagram: Authentication, present to future; labels recovered from the figure:]

Regulatory: Common Devices to Easily Authenticate Online Services; Client to Authenticator Protocol (CTAP); 3-D Secure protocol for online payment; Auth Flows for Web, App, Mobile & Devices; Strong Customer Authentication (SCA); Payment Service Directive (PSD2); Digital ID Management

Paths, Devices, Access Paths, Services: Credentials; Curated; 3rd Party Authentication; Knowledge; Mobile Push; Message Exchange; Software Applications; Hardware; Mobile; Email; Token; SMS; Voice

Data: Contextual Data (User Attributes, Device Identity, Feeds, etc.); Enrichment Data (Location, Behaviour, Social, Transactional); Risk/Attack/Fraud Signals (Risk Levels & Signals, Attack Signals & Fraud Modus Operandi)

Requirements: Frictionless; User Experience; Accountable; Non-repudiation; Trusted; Privacy; Fast; Flexible; Security; Scalable

Technology: Security Element in Mobile; Modern Cryptography; API-based: SSO, OAuth & OpenID Connect; Machine Learning & AI; NFC & Bluetooth Interfaces; Biometrics: Multi-Model, Fast & Accurate; Trusted Platform Module [TPM]; Cloud Architecture

Technical Standards & Specifications: W3C Web Authentication Specification; OAuth 2.0; EMVCo Version 2.0; NIST SP 800-63B; FIDO Alliance: Native Auth (UAF), Universal 2nd Factor (U2F)

PRESENT: Centralized; PIN/Password; Single Factor; Out-of-Band; Knowledge-based; Public Key Tokens; Biometrics; Explicit OTP; Closed Network

FUTURE: Multi Factor; Risk Based Auth & Life Cycle; External Auth; Device Token; Privacy Preserving; Trust Score; Decentralized; Self-Sovereign Id; Auth-aware Apps; Attack/Fraud Signals; Multiple Factor; Phone-as-Auth-Token; Biometrics: Multi-model; AI/ML; Cloud; Hardware Capabilities; BYOI; Risk-based; Implicit; Behavioural

Page 4

Authorization

The marketplace of transaction processing is also changing significantly, with an ever-increasing number of payment methods and a rising volume of transactions. Instruments that facilitate and execute transactions and exchange messages and information need timely authorization. While user authorization is key in transaction processing, application and machine authorizations are critical for keeping pace with transaction processing. The current authorization mechanisms pose some severe challenges. Future models of authorization must address the challenges of complexity, role and access variations, granularity and dynamicity. Authorization processes need to be fine-grained, context-driven, run-time, independent of third parties, and must ensure privacy and security.
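The fine-grained, context-driven, run-time authorization the paragraph calls for, as an added example that is not the study's own code: each rule combines subject, resource and context attributes (delegated token scopes, account ownership, consented and daily limits), which a role-only check cannot express, and any request no rule matches is denied. Roles, scope names and limits are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed example (not the study's own code): a run-time, attribute-based
# authorization decision for a payment request. Roles alone cannot express
# "own account only", "within consented limit" or "within daily limit", so each
# rule combines subject, resource and context attributes; anything unmatched is denied.

@dataclass(frozen=True)
class Request:
    subject: str               # acting user or client application id
    role: str                  # coarse role: "customer", "support" or "tpp" (third-party provider)
    scopes: frozenset[str]     # scopes carried in the access token from the identity provider
    action: str                # "read" or "debit"
    account_owner: str         # owner of the target account
    amount: float = 0.0        # debit amount (constructed, INR)
    consented_limit: float = 0.0  # per-transaction limit the owner consented to for a TPP
    remaining_daily: float = 0.0  # owner's remaining daily debit limit at evaluation time

# Each rule is (name, predicate); the first rule that matches permits the request.
RULES = [
    ("owner_read", lambda r: r.action == "read"
        and r.subject == r.account_owner and "accounts:read" in r.scopes),
    ("owner_debit", lambda r: r.action == "debit"
        and r.subject == r.account_owner and "payments:write" in r.scopes
        and 0 < r.amount <= r.remaining_daily),
    ("support_read", lambda r: r.action == "read" and r.role == "support"),
    ("tpp_delegated_debit", lambda r: r.action == "debit" and r.role == "tpp"
        and "payments:initiate" in r.scopes
        and 0 < r.amount <= min(r.consented_limit, r.remaining_daily)),
]

def authorize(req: Request) -> tuple[bool, str]:
    """Evaluate the rules at run time; return (permitted, name of the deciding rule)."""
    for name, rule in RULES:
        if rule(req):
            return True, name
    return False, "default_deny"   # deny by default: no rule matched
```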

Authorization: Future Modelling

[Diagram: Authorization, present to future; labels recovered from the figure:]

Regulatory: Authorization Certificate; Framework for Authentication & Authorization; SAML 2.0 Assertion Protocol; SSO for Enterprise; Europe [GDPR]; California (CCPA); FedRAMP; Au; India [PDPB - Draft]; Consent & Preference Mgmt; WS-Policy Specification: Advertise Policy & Policy Requirements

Instruments, Paths, Resources, Services: Credentials; Policies; Controls; Objects; Profile; Role; Transaction; Identity Provider; Software Applications; Gateways; Devices

Data: Contextual Data (User Attributes, Device Identity, Feeds, etc.); Enrichment Data (Location, Behaviour, Social, Transactional, Payment Conversation); Risk/Attack/Fraud Signals (Risk Levels & Signals, Attack Signals & Fraud Modus Operandi)

Requirements: Frictionless; Optimized; Accountable; Non-repudiation; Trusted; Privacy; Fast; Flexible; Security; Secure Delegated Access Tokens by ID provider; Scalable

Technology: Orchestration: Process & Policy; Automation: Workflow & RPA; API Gateway Technologies; Service Mesh Technologies; Machine Learning & AI; Webservices Federation; OAuth 2.0; XML Data Formats

Technical Standards & Specifications: Service Contract, Abstraction, Reusability, Statelessness, Discoverability, Composability & Interoperability; Policy Driven: CICS, RACF, WAM; Consent & Preference Management; Relying Party; Onboarding/Registration; Attributes; Permissions; SOA; X.509; APIs; Interfaces; Services; Micro-services

PRESENT: Tedious Administration; Policy Inconsistency; Siloed; Configuration/Rule Driven; Inadequate Policy Attributes

FUTURE: Simplified; Fine-grained Policies; Adaptive Decisions; Process Orchestration; Contextual Decisions; Automation; Run-time Authorization; Cloud Architected & Hosted; Identity Governance; Dynamic Switching/Routing; Privacy Preserving

DATA SECURITY COUNCIL OF INDIA, NASSCOM CAMPUS, 3rd Floor, Plot. No. 7-10, Sector 126, Noida, UP - 201303

P: +91-120-4990253 | E: [email protected] | W: www.dsci.in

TAKEAWAYS

· The market offers opportunity for a broader set of players to participate in financial transaction processing.

· Establishing accountability and ensuring non-repudiation will be key requirements of regulated transaction processing.

· Technological evolution and the emergence of niche capabilities have altered the authentication paradigm.

· The future modelling of authentication and authorization systems shown above (diagram) is meant to help enterprises build a robust authentication and authorization strategy.

· Data availability is critical for leveraging a risk-based approach to authentication and authorization.

