TMI BlogSECOND PASSWORD OR TWO FACTOR AUTHENTICATION DOB, PAN, PHONE NUMBER, MOTHERS MAIDAN NAME, . ETC. ARE NOT PROPER. IT MUST BE SECRET ND SELF CREATED.X X X X Extracts X X X X X X X X Extracts X X X X ..... SECOND PASSWORD OR TWO FACTOR AUTHENTICATION DOB, PAN, PHONE NUMBER, MOTHERS MAIDAN NAME, . ETC. ARE NOT PROPER. IT MUST BE SECRET ND SELF CREATED. - By: - CA DEV KUMAR KOTHARI - Corporate Laws / IBC / SEBI - Dated:- 16-3-2015 - - For many banking and security transactions now we are required to use second factor authentication. This is intended to make transaction more secure and more privy to the person doing transaction. For example, in case of online transactions in securities for log in to the account on website of broking concern one need to enter the login id, password, and also second password or authentication factor. Alternate 2 nd factor password: By many broking companies (e.g. icicidirect.com, india infoline and ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... Angels Broking) generally two alternate second password are prescribed. Most popular are: Permanent Account no. (PAN) , date of birth (DOB) mobile phone number or other phone number. These alternate password cannot be called proper for intended purposes of increasing safety, security and privacy of account holder or client. All these information are available to the broker and its employees. Besides these are also in nature of information easily available to public. Therefore, it can be said that the so called second time password asked by online brokers, as mandated by SEBI, are not at all useful for the purpose of such password. Secret password is desirable: It is suggested that instead of information which are ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... available and can be easily known to any one the account holder or client must create his own secret second password. There should also be flexibility in creation of such password about minimum and maximum length, composition (letters, numbers, special character etc. and their positioning.) From website of Kotak securities it appears that they have provided for a secret number like ATM PIN or card no and also security key and access number. He use of ATM PIN or ATM card no are also not proper. Use of access code provided by broker or bank is also not proper. Secret access code must be created by account holder without knowledge to anyone else. The secret code should also not be as small as four digits. It must be of at least six a ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... lphanumeric code. When account holder himself create a code, it can be safer than any other coding method. 1. What is a two factor authentication? A. It is a security feature where an customer will need to satisfy 2 authentication criteria in order to login to a system. To access a system, the user should satisfy 2 out the given 3 criteria: Something the user knows (Eg. ATM pin) Something the user has (Eg. ATM card) Something the user is (Fingerprint) Kotak Securities has opted for a b where something the user knows is your password and something the user has is your security key or access code. ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... 2. Why do I need two factor authentication for online trading? A. In compliance with the new SEBI circular on increasing the security for your Stock trading account, we have introduced the 2-factor authentication process. This will give another security layer to your trading account. 3. For whom this two factor authentication is applicable? A. This feature is applicable to all the online customers of Kotak Securities. 4. What will be the 2 factors authentication that Kotak Securities will use? ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... A. Kotak Securities will ask you for a security key or an access code when you try to login to your trading account. Access code will be applicable to only those customers who do not have a security key. 5. What is an Access code? A. An Access code is a four digit number which you will required along with your user id and password at the time of login. 6. if I have a security key, do I need Access code? A. No, Security key itself works as a second authentication to the online trading customers. 7. ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... I have a security key but I have not activated it. Can I use access code to login? A. No, if you have a security key that you haven t activated, then you need to activate it to login. You cannot use access code if you have a security key. 8. How can I use the security key? A. Perform the below steps to use your security key : Login to www.kotaksecurities.com and go to the login page Click on Activate Security Key and enter you User-ID and Password Follow the steps to activate your security key After activating the security key, log in to KEAT Pro X / ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... Mobile Stock Trader / Website with your User ID, Password and Security Key Press the button on your Security Key to get the digital Security Key access code Enter this number in the Security Key field 9. Can I trade without an Access Code or Security Key? A. No, for every login you need to have a password and a security key or an access code. 10. How can I use the access code? A. Login to www.kotaksecurities.com / KeatProX / MST Enter your User ID and Password Click on Generate an Access code . The 6 digit access code ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... will be sent to your registered mobile number and E-mail address Enter the access code and click Submit This access code will be valid till 23:59:59 PM on that day. You can use the same access code to log in till that time 11. How can I update my contact details? A. Go to www.kotaksecurities.com Login with your User ID and password Click on My Account Click Update My Profile Update your mobile number and E-mail Id and click CONFIRM 12. Are NRIs also required to have access code? A. No, the NR ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... I online trading customers will have to use the security key to login to their accounts. 13. How can I get security key as an NRI customer? A. The security key will be send to you via post on your registered address with us. TWO FACTOR AUTHENTICATION Copyright The information contained herein may not be copied, retransmitted, disseminated, distributed, sold, resold, leased, rented, licensed, sublicensed, altered, modified, adapted, or stored for subsequent use for any such purpose, in whole or in part, in any form or manner or by any means whatsoever, to or for any person or entity ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... , including the purchaser, without DotEx International Ltd. express prior written consent. Introduction SEBI has mandated 2 Factor Authentication from the next financial year with reference to SEBI circular no CIR/MRD/DP/ 8 /2011 dated June 30, 2011 To comply with this mandate NOW has implemented 2 Factor Authentication in the form of image and question answer. Login Procedure Steps for setting 2FA (a)Enter Member ID User ID Top 4 misconceptions about Two Factor Authentication By: Rakesh Thatha, Co-Founder and CTO at ArrayShield RBI and SEBI guidelines over last few years have mandated the use of two factor authentications fo ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... r online banking and trading transactions. SEBI guideline last year for broking community says the following Two-factor authentication for login session may be implemented for all orders emanating using Internet Protocol [Circular number: CIR/MRD/DP/ 8 /2011] RBI guideline last year for Urban co-operative banks says the following In view of the proliferation of cyber attacks and their potential consequences, UCBs should implement two-factor authentication for fund transfers through internet banking [UBD.BPD.(SCB)Cir No. 1/09.18.300/2011-12] In the above RBI Circular there are some interesting points to be noted regarding Two Factor Authentication: Properly designed and implemented multifactor authentication metho ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... ds are more reliable and stronger fraud deterrents and are more difficult to compromise. The principal objectives of two-factor authentication are to protect the confidentiality of customer account data and transaction details as well as enhance confidence in internet banking by combating various cyber attack mechanisms like phishing, key logging, spyware/malware and other internet based frauds targeted at banks and their customers. By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category at different points in the process may be part of a layered security or other compensating control approach, but it would not cons ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... titute a true multifactor authentication. [The standard categories of factors include following: 1. - Something the user knows (e.g., password, PIN, pattern); 2. Something the user has (e.g., ATM card, smart card, grid card); and 3. Something the user is (e.g., biometric characteristic, such as a fingerprint). But in reality there are some common misconceptions that consumers, enterprises typically get into while using, implementing and evaluating two factor authentication technologies. Let us look at top four of those misconceptions: 1. Using two passwords considered as two-factor authentication? No. As noted in the above RBI circular and also commonly accepted by security experts world-wide, two passwords co ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... me under the same category of factors i.e. something the user knows. Hence using two passwords will not be considered two-factor authentication and is still prone to multiple attacks that can compromise a single password based authentication solution. 2. Using password along with user s date of birth/PAN number etc. considered as two-factor authentication? No. Even information like user s date-of-birth, PAN number comes under the same category of factor i.e. something the user knows. In fact it is easier for hacker to crack the user s date of birth/PAN number unlike password which is known only to the user. Hence this approach cannot be considered as two-factor authentication and prone to multiple attacks. ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... 3. Using password along with a Question and Answer based authentication approach considered as two-factor authentication? No. Even Question and Answer based authentication approach which involves the end user answering questions like Which floor does he live? etc come under the same category of factor i.e. something the user knows. Hence this approach cannot be considered as two-factor authentication though provides better security than using two passwords based authentication approach. 4. Using virtual key-board considered as two-factor authentication? No. Virtual key-board is just a different key inputting mechanism for entering the password. Though it protects against key loggers, it can be compromis ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... ed using advanced version of key loggers that have screen logging capability. As virtual keyboard doesn t have any second factor of authentication it is also not considered two factor authentications. RBI ready to relax 2-factor authentication norms conditionally Read more at: http://economictimes.indiatimes.com/articleshow/46558247.cms?utm_source=contentofinterest utm_medium=text utm_campaign=cppst By PTI | 14 Mar, 2015, 01.29AM IST MUMBAI: With the increasing demand for making electronic payments easier, the Reserve Bank today said it is willing to relax the norms only for 'card present' transactions where near-field communication (NFC) technology is used. It said the ATM transactions where t ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... he card is not present will continue to require the additional factor of authentication, a PIN or one-time password. It has been decided to relax the extant instructions relating to the need for additional factor of .. authentication, a PIN or one-time password. It has been decided to relax the extant instructions relating to the need for additional factor of authentication requirements for small value card present transactions only using contact-less card payments using NFC, it said in the draft circular late this evening. The regulator has set a limit of ₹ 2,000 per transaction even for contact-less cards. The RBI said it has arrived at this conclusion after examining the trade .. - - Scholarly articles for kn ..... X X X X Extracts X X X X X X X X Extracts X X X X ..... owledge sharing authors experts professionals Tax Management India - taxmanagementindia - taxmanagement - taxmanagementindia.com - TMI - TaxTMI - TMITax ..... X X X X Extracts X X X X X X X X Extracts X X X X
|
