
Re: 4sleddogs post# 170793

Friday, 06/23/2017 10:33:03 AM

Post# of 235013
By the MITRE Corporation - MFA FOR E-COMMERCE

Good to see the Sleddog Back on the Trail!




__________Is that a biometric device in your pocket? | ZDNet 2003



available at: https://nccoe.nist.gov/projects/use_cases/multifactor-authentication-ecommerce.

4. RELEVANT STANDARDS AND GUIDANCE

ISO/IEC 27001, Information Technology – Security Techniques – Information Security Management Systems http://www.iso.org/iso/home/search.htm?qt=27001&sort=rel&type=simple&published=on

ISO/IEC 29115, Information Technology – Security Techniques – Entity authentication assurance framework http://www.iso.org/iso/catalogue_detail.htm?csnumber=45138

ISO/IEC 29146, Information Technology – Security techniques – A framework for access management, https://www.iso.org/obp/ui/#iso:std:iso-iec:29146:ed-1:v1:en

NIST Cybersecurity Framework - Standards, guidelines, and best practices to promote the protection of critical infrastructure http://www.nist.gov/itl/cyberframework.cfm

NIST SP 800-53, Recommended Security Controls for Federal Information Systems http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf

NIST SP 800-63-2, Electronic Authentication Guide http://csrc.nist.gov/publications/nistpubs/800-63-1/SP-800-63-1.pdf


NIST SP 800-73-4, Interfaces for Personal Identity Verification (3 Parts)
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf

Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2, April 2016, PCI Security Standards Council, https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2.pdf


___________________________________

NCCoE has identified that implementing multifactor authentication (MFA) for e-commerce transactions, tied to existing web analytics and contextual risk calculation (by the retailer and/or by a federated identity provider), can increase assurance in purchaser or user identity and thus help reduce the risk of false online identification and authentication fraud. The NCCoE understands that retail is a volume-reliant business and that consumers and retailers will adopt multifactor authentication mechanisms as long as they do not unnecessarily encumber the purchasing process or disrupt the user experience.


___________________________________


To achieve this purpose, the National Cybersecurity Center of Excellence (NCCoE) will develop an example multifactor authentication solution composed of standards-based commercial and open-source products currently available in the marketplace. The project process includes identifying stakeholders and systems participating in the CNP transactions, defining the interactions between the stakeholders and retailer systems, identifying mitigating security technologies, and ultimately providing an example implementation.

Multifactor authentication will also be central to a new National Cybersecurity Awareness Campaign launched by the National Cyber Security Alliance designed to arm consumers with simple and actionable information to protect themselves in an increasingly digital world. The National Cyber Security Alliance will partner with leading technology firms like Google, Facebook, Dropbox, and Microsoft to make it easier for millions of users to secure their online accounts, and financial services companies such as MasterCard, Visa, PayPal, and Venmo that are making transactions more secure.[2] Considering the anticipated rise of fraudulent activity due to stronger security mechanisms for card-present transactions, retailers should invest in understanding and implementing stronger authentication mechanisms for CNP purchases, while being sensitive to the user experience.

___________________________________

Assumptions
This example solution of multifactor authentication for e-commerce transactions provides numerous security benefits including increased confidence in user identity and reduced risk. The NCCoE understands that a retail business would weigh the cost of investment in a multifactor authentication solution with its potential benefits, which include protection of reputation and trust from the consumer, as well as reduced fraud losses.
The security of existing systems and networks is out of scope for this project. A key assumption is that all potential adopters of this project or any of its components already have in place some degree of system and network security, as well as many, layered e-commerce fraud reduction measures. Therefore, we intend to focus on the effort of complementing existing system and network security and e-commerce fraud reduction strategies with risk calculation, web analytics, and multifactor authentication.


Background
The NCCoE, working with retail organizations and other e-commerce payment stakeholders, including information sharing and analysis centers (ISACs) and the Retail Cyber Intelligence Sharing Center (R-CISC), has identified the potential need and benefits of a multifactor authentication for e-commerce solution. The need arises from the recognition that malicious actors are likely increasingly motivated to exploit security vulnerabilities in CNP retail transactions in response to the adoption of EMV chip credit cards in the U.S.
The NCCoE also held a workshop to identify key issues that affect multifactor authentication for e-commerce. The conversations held and insight derived from that workshop have informed the direction of this project and this project description.