• Independence of elements of strong authentication

    • GR-6.3.14

      Islamic retail bank licensees must establish adequate security features for customer authentication including the use of the following three elements:

      (a) an element categorised as knowledge (something only the user knows), such as the length or complexity of the PIN or password;
      (b) an element categorised as possession (something only the user possesses), such as algorithm specifications, key length and information entropy; and
      (c) an element categorised as inherence (something the user is), i.e. algorithm specifications, biometric sensor and template protection features, for the devices and software that read it.
      Amended: July 2021
      Added: April 2019

    • GR-6.3.15

      Islamic retail bank licensees must ensure that the elements referred to in Paragraph GR-6.3.14 are independent, so that the breach of one does not compromise the reliability of the others. This applies in particular when any of these elements are used through a multi-purpose device, i.e. a device such as a tablet or a mobile phone that can be used both for giving the instruction to make the payment and in the authentication process. The CBB will consider granting an exemption from three-factor authentication on a case-by-case basis, provided that the licensee is able to demonstrate to the CBB that it has established robust controls to mitigate the relevant key risks.

      Amended: July 2021
      Added: April 2019