Intra-ASEAN Secure Transactions Framework Title Project Sub TitleProgress Report Chaichana Mitrpant [email protected] Title Project Information Sub TitleAIM 2015 under • Support • Strategic Thrust 2 :People Engagement and Empowerment • Initiatives 2.4 : Building Trust • Action : Promote Secure transaction with in ASEAN • Description : Promote the use of twofactor authentication Intra-ASEAN Secure Transactions Title Framework Project Scope work Subof Title o Status update on : Laws, Policies, Regulations related to e-signature , certification o Propose e-authentication recommendation for Intra-ASEAN secure electronic transactions Methodology o Desk Research : Review from the data available to public o Questionnaire Survey : Distributed to 10 ASEAN member countries Period : 1 year Budget : 10,000 USD Title Sub Title Executive Summary Three main components of e-authentication have been identified as follows: Assurance Levels and Risk Assessments – Levels of assurance are defined so that different levels of importance of getting e-authentication right can be distinguished. Identity Proofing and Verification – For each level of assurance, an objective of authentication and a set of controls are defined. Then details about identity proofing and verification methods are provided for the registration process. Authentication Mechanism – Different token technologies are listed and mapped to the levels of assurance. Moreover, how identity should be managed is recommended. Executive Summary Standards and Best Practices Title Sub Title Assurance Levels • ISO/IEC 29115:2013 and Risk • OMB M-04-04 Assessments • NeAF Identity Proofing and Verification • ISO/IEC 29115:2013 Authentication Mechanism • NIST Special Publication 800-63 Executive Summary Assurance Levels and Risk Assessment Title Sub Title Assurance Level Description 1 – Low Little or no confidence in the asserted identity’s validity 2 – Medium Some confidence in the asserted identity’s validity 3 – High High confidence in the asserted identity’s validity 4 – Very High Very high confidence in the asserted identity’s validity Executive Summary Identity Title Proofing and Verification Approach Sub Title Assurance Level Objectives Control Method of processing 1 – Low Identity is unique within a context Self-claimed or self-asserted Local or remote 2 – Moderate Identity is unique within context and the entity to which the identity pertains exists objectively Proof of identity through use of identity information from an authoritative source Local or remote 3 – High Identity is unique within context, entity to which the identity pertains exists objectively, identity is verified, and identity is used in other contexts Proof of identity through 1. use of identity information from an authoritative source 2. identity information verification Local or remote 4 – Very High Identity is unique within context, entity to which the identity pertains exists objectively, identity is verified, and identity is used in other context Proof of identity through 1. use of identity information from multiple authoritative sources 2. identity information verification 3. entity witnessed in-person Local Executive Summary Examples Title of Token Types for Different LoAs Sub Title Token Type Assurance Level Level 1 Level 2 Memorized Secret Token ✓* ✓* Pre-registered Knowledge Token ✓* ✓* Look-up Secret Token ✓ Out of Band Token ✓ Single-factor (SF) One-Time Password (OTP) Device ✓ Single-factor (SF) Cryptographic Device ✓ Multi-factor (MF) Software Cryptographic Token Level 3 Level 4 ✓ Multi-factor (MF) One-Time Password (OTP) Device ✓ Multi-factor (MF) Cryptographic Device ✓ Needs for ASEAN Legal Infrastructure Title The cooperation among Member States is necessary in creation of the legal framework for Information Technology Legal Infrastructure development to be in equivalence and Sub Title conform to international principle especially in the following matters: – Legal Infrastructure for Cross Boarder Electronic transactions – Principle on organization or unit for supporting and controlling the reliance on Electronic Transactions – Clear policy relating to Authentication technology in Electronic Transaction – Clear and appropriate principle on Identification and Authentication in Electronic Transaction, for example, the principle that allows a Certification Authorities (Foreign CA) to issue foreign digital certificate – Relevant measurements regarding data confirmation, such as, Electronic Signature and the responsibility of data owner for the accuracy of data. – The principle on Personal Data Protection, including the principle on a request of data in Authentication system in Cross Boarder Transaction by authority or relating person, or data sharing between Government Sector and Private Sector.