Two-factor authentication (2FA) is an essential security measure designed to enhance the protection of online accounts by requiring two distinct forms of verification. It is a subset of multi-factor authentication (MFA), which uses multiple layers of security to ensure that only authorised users can access their accounts.
The Securities and Exchange Board of India (SEBI) emphasised the importance of robust cybersecurity measures for stockbrokers and depository participants in a circular released on December 3rd, 2018. This directive aimed to protect the integrity of data and prevent privacy breaches. As of September 30th, 2022, brokers across the industry implemented various forms of 2FA to comply with these regulations.
2FA requires at least two of the following distinct factors to authenticate a user:

1. What a Person Knows:
   - Information known only to the user, such as a Personal Identification Number (PIN) or Date of Birth (DOB).
2. What a Person Doesn't Know and is Random:
   - Randomly generated codes, such as a One-Time Password (OTP) or Time-based One-Time Password (TOTP).
3. What a Person Has in Their Possession:
   - Physical devices the user possesses, such as a smartphone, smartcard, or hardware token.
4. What a Person Is:
   - Biometric verification, such as fingerprint, facial recognition, or voice recognition.

Valid 2FA Combinations:
   - An OTP sent to the user's phone (something they have) together with a PIN (something they know).
   - A biometric scan (something they are) together with a hardware token (something they have).

Invalid 2FA Combination:
   - A Date of Birth (DOB) together with a PIN is not valid 2FA. Both pieces of information fall under the "what a person knows" category and therefore do not meet the requirement of two distinct types of factors.