Vlog: How the Reserve Bank of India Guidelines Align with 1Kosmos

Watch our latest vlog for an insightful conversation between Michael Cichon, Chief Marketing Officer at 1Kosmos, and Siddharth Gandhi, Chief Operating Officer of the Asia Pacific region. In this video, they explore the latest Reserve Bank of India guidelines on digital payment transactions and their implications for the banking and financial sector. Join them as they delve into the challenges of current authentication methods, the need for stronger security measures, and the innovative solutions offered by 1Kosmos. Get ready to gain valuable insights into the evolving landscape of digital authentication and its impact on user experience, privacy, and transaction security.

Michael Cichon:
Well, hello everybody. This is Michael Cichon, the Chief Marketing Officer here at 1Kosmos. I’m here today with Sid Gandhi, the Chief Operating Officer of our Asia Pacific region. Sid, welcome to the vlog. I invited you here today to talk about the Reserve Bank of India guidelines, the new guideline. There are some pretty interesting implications for online payments. You’re familiar with those. Can you talk about them a bit?

Siddharth Gandhi:
Sure, absolutely, Michael. Pleasure to be here. Thank you so much for inviting me for the vlog. So yes, interesting times for us at 1Kosmos. The Reserve Bank of India recently announced a guideline which talks about a principle-based framework for authentication of digital payment transactions. And very interestingly, I believe that the RBI or the Federal Bank of India has done a fantastic job over the years, not just to manage the monetary policies well, but they also do look at technology and security aspects and provide guidelines for the BFSI sector.

The recent one is interesting for a few reasons. Number one is RBI has always spoken about having a second factor as an authentication for internet banking. So while SMS-based OTP has been very commonly used today across the globe and in India, interestingly, RBI has also mentioned there are three forms of authentication, right? Something that the user knows, which is a user ID, password and a PIN. Something that the user has, which is their credit card, their ATM card, their phone. Or something that the user is, which we all are aware is their biometric characteristics like their fingerprint, their facial features, or perhaps even their iris.

Now very interestingly, I was going through some of the content that RBI has published over time. It does call out that a true multifactor authentication requires at least two or more factors. However, what the industry has largely done is that they have gone with something that the user knows, which is the user ID and password, and gone with the second factor of something that the user has, which is the SMS-based OTP, and that has been around probably as long as I can remember, for a few decades. This is the first time RBI has now said that you need to start looking beyond SMS-based OTP, thanks to all the technological advances or the innovations that are emerging in recent years. And we are here today ready to offer that to the industry as alternate factors.

Michael Cichon:
Okay. All right, so let’s take a step back here. As consumers, we’re all familiar with step-up authentication now. We might not know that it’s called that, but whenever I try to buy something online, I get the code: will you please key in this code to prove that this is legitimate? So it’s that built-in lack of trust in the password that got me to the shopping cart or the payment transaction, and then I’m prompted for the code. So what’s wrong with the code? Why change?

Siddharth Gandhi:
Why change? For, I think, more than one reason, Michael. Today SMS-based codes are considered a weak form of second factor. Why? Because of man-in-the-middle attacks or SMS interception. You have a dependency on having a SIM card. You have a dependency on having the network with you to receive those codes. And you also have challenges around expiration or delivery delays. Especially in the recent few years we’ve seen SIM swapping also take place, which is again a big concern, and an increasing number of breaches happening even with a second factor like SMS-based OTP available. And for that reason is why I believe RBI is also indicating and telling the banks that you must start looking beyond.

Michael Cichon:
Okay. All right, so these are the kind of what I would call proxies for identity, right? You are you because you knew the password, you are you because you’re able to key in this code that I just sent you on your phone. You are you because your SIM card matches what we thought it would be. So all these are kind of guesses or approximations. They get us closer to identity, but it is almost, what, silly human tricks: can you go through these calisthenics to prove you are who you are. So not only are they not specific, they’re not exact, they’re guesses still. They’re clumsy, right? You want to buy something, you’re going to pay for something, and now you’ve got to go to your inbox or go to your message folder, look at the code, remember the code, key the code in, hopefully key it in right. If you don’t, you’ve got to go back, look at it again, key it in again. So a lot of implications here, but there’s more to this principle-based framework than just convenience. There’s a privacy angle, right?

Siddharth Gandhi:
Correct, yes. There’s a privacy angle and there’s a security angle. You spoke about how you prove who you are, and absolutely, with credentials and SMS-based OTP, it’s really hard to prove. I could share my credentials with you. I could give you my OTP and you could still transact on my behalf as a friend, but what if you are not my friend? You get hold of my credentials on the dark web. You could very well go ahead and take the money away from me, and that’s being reported every single day.

What we are able to do at 1Kosmos is prove who the user is based on our platform capabilities of identity verification and proofing, which is based on global standards. And along with that, we have multiple other capabilities of bringing in advanced biometrics. We have our IP, something called Live ID, where we actually ask the user to showcase features by blinking, smiling and asking them to prove they are a real person. And also the platform capabilities have a private and permissioned blockchain, which makes it even more secure. The idea is not just providing a second factor to the user, but how you deliver it to the user and how the authentication happens throughout that journey till conclusion of the transaction also plays a very, very critical goal.

Michael Cichon:
Right. Well, so this is interesting to me because it seems like what the Reserve Bank of India has done, it’s the latest iteration or the latest generation of guidelines that have surfaced around essentially the 1Kosmos business model or architecture, if you will. Dating back to whatever, 2016, 2017, we saw in the United States the NIST guidelines come out, the 800-63. We saw FIDO2: if you want to do biometric authentication, there’s a FIDO2 spec for that. We have the specification in the United Kingdom. And now here is the Reserve Bank of India coming up with the latest guidelines on what sounds like how you need to deploy this technology so we get to a higher level of both integrity, trust, and security in the transaction, but also privacy and security of the user’s information as well.

Siddharth Gandhi:
Exactly, Michael. You’re absolutely right. And not to forget, at the end of the day, user convenience as well. So we are not only just providing security and privacy by default, but the experience of the user is very seamless. It’s very elegant: when you provide a passwordless experience to the user, they would enjoy transacting on the platform instead of trying to figure out or recall their eight, 12, 16 character passwords, waiting on the second factor, which may or may not arrive. So you’re absolutely right. I think we’ve been talking about it for the last few years and some of the BFSI customers do use our platform today, and we are very happy and very excited with the recent announcement from RBI.

Michael Cichon:
Well, sure, because the guideline points to specific capabilities that we’ve been supporting for a while now. So when you step away from what you know to the who you are, there’s a range of possibilities there, right?

Siddharth Gandhi:
Correct. You are absolutely right. So we are able to bring in various factors that we’ve already discussed, and these are based on global standards. I think that’s very important that the industry understands this. We spoke about FIDO certification. From a privacy standpoint, we are able to meet global privacy standards like GDPR. India now has the DPDPA. And the interesting thing about our architecture is that we don’t store specifically any user information, which makes us very unique compared to some of the other players in the market, and which is what customers like banks would want, where they are safeguarding their customer data.

Michael Cichon:
So specifically in terms of the biometrics that are used for this, what I would call step-up authentication, they range from device biometrics, for example, what we’re all familiar with, a thumb or a face ID on your device, all the way up to a live biometric, correct?

Siddharth Gandhi:
That is correct, yes. So I would probably turn it a little bit in terms of how to think of it. So yes, we definitely want to bring in something that the user is by bringing in the biometrics. At the base level, you probably may want to use the device biometrics, which include the fingerprint or the face ID.

RBI in general also talks about risk-based authentication where, for example, for a higher transaction amount, you want to ensure that you are able to step up. In our case, the way we look at step-up is that we bring in a Live ID where we are going to ask the person to blink, smile, turn left, right on a random basis to prove that the person is real. Alternately, yes, this does bring in a little bit of dependency on the phone, but we also, as part of our platform capability, can offer an additional alternate form of authentication, which is app-less. So if a customer is sitting on the laptop, he could use his camera to still provide those facial features, or what we call passive liveness, to authenticate as well. Worst case scenario, you have time-based OTP, which is still more secure, I would say, than SMS or an email-based OTP.

Michael Cichon:
Well, so this is interesting. So not only do the guidelines specify or indicate that there’s a range of biometrics that might be appropriate based on the risk of the transaction: for a low-value transaction, maybe a thumb or a face ID on the phone. If it’s thousands of dollars, it might require that you blink and smile and turn your head.

Siddharth Gandhi:
Correct. Yes. That’s what we are offering, Michael. I don’t think the guidelines would specifically talk about what the bank should be doing based on risk-based or step-up. Guidelines are broad norms that they’re asking the banks to adhere to. The interpretations are left to the bank in terms of what and how they want to adopt it.

Michael Cichon:
Right. Well, that’s important too. I mean, there are new developments, there are the new shiny objects, but no one organization magically uses the magic wand and all of a sudden everything is the latest and greatest. So being able to support this mix of authentication or step-up authentication use cases is super important, and we’ve done that for a while with our platform.

Well, Sid, I know that we’re working extensively with some large financial institutions in Asia Pacific. Is it fair to talk a little bit about what we’ve done that aligns with these guidelines for those organizations?

Siddharth Gandhi:
Absolutely. I think so. Unfortunately, because of the NDA, I am not going to be able to name the customers, but we can definitely talk about what we’ve done for them. So we are working with a few banking and financial institutions in India and in the Southeast Asian markets.

One of the private sector banks has been our customer for the last or three years. It’s a known fact that RBI does audit the banks and the financial institutions on a yearly basis, so we have undergone the audit without any major challenges. The bank uses us for their internal workforce to protect their internal enterprise applications and data, but also the customers are using it, and we are having some very interesting conversations with some of the other banks that are there.

For one of the digital-only banks in the Southeast Asian market, we are providing our liveness capability as part of our platform, where the users are actually authenticating for transactions with the liveness factor, which kind of prevents any fraud that may potentially happen and ensures that the customer data, the transactions, and the payment transactions are happening in a secure manner.

Michael Cichon:
Well, that’s awesome. Well, Sid, I appreciate you spending time with us today. It’s, from my perspective, really gratifying to see these principle-based guidelines emerge in step with where 1Kosmos has been for the last couple of years. So it’s good to get some validation that we’ve been on the right track and remain on the right track.

Siddharth Gandhi:
Yes, absolutely, Michael. We’ve been talking about it for the last few years, so it’s very heartening to see the RBI coming out and asking the industry to start looking at the alternate factors of authentication. And we at 1Kosmos are surely ready to assist anyone who needs assistance with the guidelines.

Michael Cichon:
Indeed, we are. All right, thank you very much, Sid.

Siddharth Gandhi:
Thank you so much, Michael.

Meet the Author

Michael Cichon

CMO of 1Kosmos

Michael is a Silicon Valley veteran with over two decades of experience marketing B2B SaaS solutions for startups and publicly traded companies. Prior to joining 1Kosmos, Michael held VP of Digital and Content Marketing roles at both Agari and ThreatMetrix.