Location: Central Bank of Bahrain Rulebook, Volume 5 (Specialised Licensees), Specific Modules (By Type of Licensee), Type 7: Ancillary Service Providers, Part A, Business Standards, OB Open Banking Module, OB-2 Operating Rules, OB-2.2 Standards for Authentication and Communication, Independence of elements of strong authentication, OB-2.2.5
  • Independence of elements of strong authentication

    • OB-2.2.4

      AISPs and PISPs must establish adequate security features for customer authentication, including the use of the following three elements:

      (a) an element categorised as knowledge (something only the user knows), such as length or complexity of the PIN or password;
      (b) an element categorised as possession (something only the user possesses), such as algorithm specifications, key length and information entropy; and
      (c) for the devices and software that read them, elements categorised as inherence (something the user is), i.e. algorithm specifications, biometric sensor and template protection features.

      Added: December 2018

    • OB-2.2.5

      AISPs and PISPs must ensure that the elements referred to in Paragraph OB-2.2.4 are independent, so that the breach of one does not compromise the reliability of the others, in particular when any of these elements are used through a multi-purpose device, i.e. a device such as a tablet or a mobile phone which can be used both for giving the instruction to make the payment and in the authentication process. The CBB will consider exemptions from 3-factor authentication on a case-by-case basis for small-value payments, provided there are adequate security features.

      Added: December 2018

    • OB-2.2.6

      Where any of the elements of authentication or the authentication code is used through a multi-purpose device including mobile phones and tablets, the AISP and PISP must adopt security measures to mitigate the risk resulting from the multi-purpose device being compromised. The mitigating measures must include each of the following:

      (a) the use of separated secure execution environments through the software installed inside the multi-purpose device; and
      (b) mechanisms to ensure that the software or device has not been altered by the payer or by a third party, or mechanisms to mitigate the consequences of such alteration where this has taken place.

      Added: December 2018