For many banking and securities transactions we are now required to use a second authentication factor. The intention is to make the transaction more secure and to tie it more closely to the person actually performing it.
For example, to log in to an online securities trading account on a broker's website one has to enter the login ID, the password, and also a second password or authentication factor.
Alternate second-factor passwords:
Many broking companies (e.g. icicidirect.com, India Infoline and Angels Broking) generally prescribe one of a few alternative second passwords. The most popular are:
- Permanent Account Number (PAN),
- date of birth (DOB),
- mobile phone number or another phone number.
These alternative passwords cannot be called suitable for the intended purpose of increasing the safety, security and privacy of the account holder or client. All of this information is available to the broker and its employees, and it is also the kind of information that is easily available to the public.
Therefore the so-called second password asked for by online brokers, as mandated by SEBI, is not at all useful for the purpose such a password is meant to serve.
A secret password is desirable:
It is suggested that, instead of information which is available to and can easily be learned by anyone, the account holder or client must create his own secret second password. There should also be flexibility in the creation of such a password as to minimum and maximum length and composition (letters, numbers, special characters etc. and their positioning).
From the website of Kotak Securities it appears that they have provided for a secret number like an ATM PIN or card number, and also for a security key and an access code.
The use of an ATM PIN or ATM card number is also not proper. Use of an access code provided by the broker or bank is also not proper.
The secret access code must be created by the account holder without anyone else's knowledge. The secret code should also not be as short as four digits; it must be at least six alphanumeric characters. A code the account holder creates himself can be safer than any other coding method.
1. What is two-factor authentication?
A. It is a security feature where a customer needs to satisfy two authentication criteria in order to log in to a system. To access a system, the user should satisfy two of the following three criteria:
- Something the user knows (e.g. ATM PIN)
- Something the user has (e.g. ATM card)
- Something the user is (e.g. fingerprint)
Kotak Securities has opted for the first two, where 'something the user knows' is your password and 'something the user has' is your security key or access code.
2. Why do I need two-factor authentication for online trading?
A. In compliance with the new SEBI circular on increasing the security of your stock trading account, we have introduced the 2-factor authentication process. This adds another security layer to your trading account.
3. For whom is this two-factor authentication applicable?
A. This feature is applicable to all online customers of Kotak Securities.
4. What are the two authentication factors that Kotak Securities will use?
A. Kotak Securities will ask you for a security key or an access code when you try to log in to your trading account. The access code applies only to those customers who do not have a security key.
5. What is an Access code?
A. An Access code is a four-digit number which you will require along with your user ID and password at the time of login.
6. If I have a security key, do I need an Access code?
A. No, the security key itself works as the second authentication factor for online trading customers.
7. I have a security key but I have not activated it. Can I use an access code to log in?
A. No, if you have a security key that you haven't activated, then you need to activate it to log in. You cannot use an access code if you have a security key.
8. How can I use the security key?
A.
Perform the steps below to use your security key:
- Log in to www.kotaksecurities.com and go to the login page
- Click on 'Activate Security Key' and enter your User ID and Password
- Follow the steps to activate your security key
- After activating the security key, log in to KEAT Pro X / Mobile Stock Trader / Website with your User ID, Password and Security Key
- Press the button on your Security Key to get the one-time access code shown on its display
- Enter this number in the Security Key field
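The FAQ does not say which algorithm the Kotak security key uses. The example below is added here and is not Kotak's code; it assumes the common design for a push-button token, event-based HOTP (RFC 4226), and shows the server side of "press the button, type the number": the token advances a counter on every press, so the server checks a small look-ahead window and, on success, moves past the matched counter so the same number cannot be replayed. The secret is the RFC 4226 test-vector secret, constructed for the example; `TokenRecord`, `verify_token_code` and the window size of 10 are assumptions, not anything from the page.

```python
import hashlib
import hmac
import struct

# Secret shared between the token and the server. This is the RFC 4226 test
# vector secret, used here only so the example has known-good outputs; a real
# token ships with a per-device random secret (assumption for this example).
EXAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class TokenRecord:
    """Server-side state for one security key: its secret and the next
    counter value the server is willing to accept (hypothetical store)."""

    def __init__(self, secret: bytes, next_counter: int = 0):
        self.secret = secret
        self.next_counter = next_counter


def verify_token_code(record: TokenRecord, submitted: str, look_ahead: int = 10) -> bool:
    """Check a code typed from the token's display.

    The token advances its counter on every button press, whether or not the
    code is used, so the server searches a small window ahead of the last
    accepted counter. On success the window is moved past the matched
    counter, which is what makes the code one-time: re-submitting it fails.
    """
    if not (submitted.isdigit() and len(submitted) == 6):
        return False
    for counter in range(record.next_counter, record.next_counter + look_ahead):
        expected = hotp(record.secret, counter)
        # Constant-time comparison; both strings are ASCII digits.
        if hmac.compare_digest(expected, submitted):
            record.next_counter = counter + 1
            return True
    return False


if __name__ == "__main__":
    token = TokenRecord(EXAMPLE_SECRET)
    print(hotp(EXAMPLE_SECRET, 0))              # 755224 (RFC 4226 test vector)
    print(verify_token_code(token, "755224"))   # True
    print(verify_token_code(token, "755224"))   # False: replay of a used code
    print(verify_token_code(token, "969429"))   # True: counter 3, two presses skipped
```

The look-ahead window is the usual trade-off: large enough to survive a few idle button presses, small enough that a guessed six-digit number has only `look_ahead` chances in a million per attempt, which is why an attempt limit still belongs in front of this check.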
9. Can I trade without an Access Code or Security Key?
A. No, for every login you need a password and either a security key or an access code.
10. How can I use the access code?
A.
- Log in to www.kotaksecurities.com / KEAT Pro X / MST and enter your User ID and Password
- Click on 'Generate an Access code'. The 6-digit access code will be sent to your registered mobile number and e-mail address
- Enter the access code and click 'Submit'
- This access code will be valid till 23:59:59 on that day. You can use the same access code to log in till that time
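As an added example, not Kotak's code, here is a server-side implementation of the access-code lifecycle described above: a random 6-digit code is issued, only a salted hash of it is stored, and it verifies until 23:59:59 of the issue day. The `AccessCodeStore` class, the attempt limit of 5 and the use of naive local-time datetimes are assumptions for the example; the FAQ specifies none of them.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, time

CODE_DIGITS = 6
MAX_ATTEMPTS = 5   # assumed failure limit; the FAQ states none


def _digest(salt: bytes, code: str) -> bytes:
    # Hashing a 6-digit code only keeps the plaintext out of the table;
    # with a million-code space, the attempt limit is the real protection.
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class AccessCodeStore:
    """Hypothetical server-side store of issued access codes, keyed by user ID."""

    def __init__(self):
        self._records = {}

    def issue(self, user_id: str, now: datetime) -> str:
        """Create a fresh code valid until 23:59:59 of the issue day.
        Returns the plaintext once so the caller can send it by SMS/e-mail;
        only a salted hash is retained. Re-issuing replaces the old code."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._records[user_id] = {
            "salt": salt,
            "digest": _digest(salt, code),
            "expires_at": datetime.combine(now.date(), time(23, 59, 59)),
            "failures": 0,
        }
        return code

    def verify(self, user_id: str, submitted: str, now: datetime) -> bool:
        """True if the submitted code is the live one for this user."""
        rec = self._records.get(user_id)
        if rec is None:
            return False
        if now > rec["expires_at"]:
            del self._records[user_id]      # day is over; a new code must be generated
            return False
        if rec["failures"] >= MAX_ATTEMPTS:
            return False                    # locked until a new code is issued
        if submitted.isdigit() and len(submitted) == CODE_DIGITS:
            if hmac.compare_digest(_digest(rec["salt"], submitted), rec["digest"]):
                return True
        rec["failures"] += 1
        return False


if __name__ == "__main__":
    store = AccessCodeStore()
    issued_at = datetime(2015, 3, 14, 10, 0, 0)   # constructed timestamp
    code = store.issue("user1", issued_at)        # would be sent by SMS/e-mail
    print(store.verify("user1", code, issued_at))                         # True
    print(store.verify("user1", code, datetime(2015, 3, 14, 23, 59, 59)))  # True
    print(store.verify("user1", code, datetime(2015, 3, 15, 0, 0, 0)))     # False
```

Two things a practitioner would note against the FAQ's design: a code that stays valid for the rest of the day and may be reused gives an intercepted SMS or e-mail the same lifetime, so a short-lived single-use code is the stronger choice; and because the code is delivered to the registered mobile number and e-mail address, the profile update that changes those details (next question) is itself a security-sensitive operation.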
11. How can I update my contact details?
A.
- Go to www.kotaksecurities.com
- Log in with your User ID and password
- Click on 'My Account'
- Click 'Update My Profile'
- Update your mobile number and e-mail ID and click 'CONFIRM'
12. Are NRIs also required to have an access code?
A. No, NRI online trading customers will have to use the security key to log in to their accounts.
13. How can I get a security key as an NRI customer?
A. The security key will be sent to you by post at your registered address with us.
TWO FACTOR AUTHENTICATION
Copyright
The information contained herein may not be copied, retransmitted, disseminated, distributed, sold, resold, leased, rented, licensed, sublicensed, altered, modified, adapted, or stored for subsequent use for any such purpose, in whole or in part, in any form or manner or by any means whatsoever, to or for any person or entity, including the purchaser, without DotEx International Ltd. express prior written consent.
Introduction
SEBI has mandated 2 Factor Authentication from the next financial year with reference to SEBI circular no. CIR/MRD/DP/ 8 /2011 dated June 30, 2011. To comply with this mandate, NOW has implemented 2 Factor Authentication in the form of an image and question & answer.
Login Procedure
Steps for setting 2FA
(a) Enter Member ID & User ID
Top 4 misconceptions about Two Factor Authentication
By: Rakesh Thatha, Co-Founder and CTO at ArrayShield
RBI and SEBI guidelines over the last few years have mandated the use of two-factor authentication for online banking and trading transactions.
The SEBI guideline issued last year for the broking community says the following: “Two-factor authentication for login session may be implemented for all orders emanating using Internet Protocol” [Circular number: CIR/MRD/DP/ 8 /2011]
The RBI guideline issued last year for urban co-operative banks says the following: “In view of the proliferation of cyber attacks and their potential consequences, UCBs should implement two-factor authentication for fund transfers through internet banking” [UBD.BPD.(SCB)Cir No. 1/09.18.300/2011-12]
In the above RBI circular there are some interesting points to be noted regarding two-factor authentication:
- Properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents and are more difficult to compromise. The principal objectives of two-factor authentication are to protect the confidentiality of customer account data and transaction details as well as enhance confidence in internet banking by combating various cyber attack mechanisms like phishing, key logging, spyware/malware and other internet based frauds targeted at banks and their customers.
- By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not constitute a true multifactor authentication. [The standard categories of factors include the following: 1. Something the user knows (e.g., password, PIN, pattern); 2. Something the user has (e.g., ATM card, smart card, grid card); and 3. Something the user is (e.g., biometric characteristic, such as a fingerprint).]
But in reality there are some common misconceptions that consumers and enterprises typically fall into while using, implementing and evaluating two-factor authentication technologies. Let us look at the top four of those misconceptions:
1. Is using two passwords considered two-factor authentication?
- No. As noted in the above RBI circular, and as commonly accepted by security experts worldwide, two passwords fall under the same category of factor, i.e. something the user knows. Hence using two passwords is not considered two-factor authentication, and the scheme is still prone to the same attacks that compromise a single-password authentication solution.
2. Is using a password along with the user's date of birth, PAN number etc. considered two-factor authentication?
- No. Even information like the user's date of birth or PAN number falls under the same category of factor, i.e. something the user knows. In fact it is easier for an attacker to find out the user's date of birth or PAN number than a password which is known only to the user. Hence this approach cannot be considered two-factor authentication and is prone to multiple attacks.
3. Is using a password along with a question-and-answer based authentication approach considered two-factor authentication?
- No. Even a question-and-answer based approach, which involves the end user answering questions like “Which floor do you live on?”, falls under the same category of factor, i.e. something the user knows. Hence this approach cannot be considered two-factor authentication, though it provides better security than an approach based on two passwords.
4. Is using a virtual keyboard considered two-factor authentication?
- No. A virtual keyboard is just a different input mechanism for entering the password. Though it protects against simple key loggers, it can be compromised by more advanced key loggers that have screen-logging capability. As a virtual keyboard does not add any second factor of authentication, it is not considered two-factor authentication either.
RBI ready to relax 2-factor authentication norms conditionally
Read more at:
http://economictimes.indiatimes.com/articleshow/46558247.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst
By PTI | 14 Mar, 2015, 01.29AM IST
MUMBAI: With the increasing demand for making electronic payments easier, the Reserve Bank today said it is willing to relax the norms only for 'card present' transactions where near-field communication (NFC) technology is used.
It said the ATM transactions where the card is not present will continue to require the additional factor of authentication, a PIN or one-time password.
"It has been decided to relax the extant instructions relating to the need for additional factor of authentication requirements for small value card present transactions only using contact-less card payments using NFC," it said in the draft circular late this evening.
The regulator has set a limit of ₹ 2,000 per transaction even for contact-less cards.
The RBI said it has arrived at this conclusion after examining the trade ..