Below are the forms of electronic transaction authentication through the online banking system in Vietnam from January 1, 2025.
On October 31, 2024, the Governor of the State Bank of Vietnam issued Circular 50/2024/TT-NHNN regarding safety and security for providing online services in the banking sector.
According to Article 11 of Circular 50/2024/TT-NHNN, regulations on forms of electronic transaction authentication through Online Banking are as follows:
(1) Authentication by secret password: the customer uses a secret password, a string of characters, to confirm their right to access the system, application or service, or to confirm a transaction. Authentication by secret password must meet the following requirements:
- The secret password must be at least 08 characters long and contain at least the following character types: digits, uppercase letters and lowercase letters;
- The validity period of a secret password is at most 12 months; for a default, first-issued secret password the validity period is at most 30 days.
(2) Authentication by PIN (Personal Identification Number) is a form of authentication by secret password in which the secret password is a string of digits. Authentication by PIN (except a PIN associated with a physical card) must meet the following requirements:
- The PIN must be at least 06 characters long;
- The validity period of a PIN is at most 12 months; for a default, first-issued PIN the validity period is at most 30 days.
(3) Authentication by one-time password (One Time Password - OTP) is a form of authentication by secret password in which the secret password is valid for a single use and for a limited period. It includes the following forms:
- SMS OTP: the OTP is sent via SMS (Short Message Service) or via a message over a basic telecommunication service on the Internet. SMS OTP must meet the following requirements:
+ The OTP sent to the customer must include information that lets them recognize its purpose;
+ The OTP is valid for at most 05 minutes.
- Voice OTP: the OTP is sent via a voice call or a call over a basic telecommunication service on the Internet. Voice OTP must meet the following requirements:
+ The OTP sent to the customer must include information that lets them recognize its purpose;
+ The OTP is valid for at most 03 minutes.
- Email OTP: the OTP is sent via email. Email OTP must meet the following requirements:
+ The OTP sent to the customer must include information that lets them recognize its purpose;
+ The OTP is valid for at most 05 minutes.
- Matrix OTP: the OTP is read from a two-dimensional table (row, column), with each cell of the table corresponding to an OTP. Matrix OTP must meet the following requirements:
+ A Matrix OTP card has a maximum usage term of 01 year from the date of registration;
+ The OTP is valid for at most 02 minutes.
- Soft OTP: the OTP is generated by software installed on the customer's mobile device; the software may be standalone or integrated into the Mobile Banking application.
Soft OTP has 02 types: (i) Basic Soft OTP: the OTP is generated randomly over time and synchronized with the Online Banking system; (ii) Advanced Soft OTP: the OTP is generated in combination with an individual transaction code. When a transaction is executed, the Online Banking system generates a transaction code that is notified to the customer or transmitted to the Soft OTP software, and the software uses it to create the OTP.
Soft OTP must meet the following requirements:
+ If the Soft OTP software is independent of the Mobile Banking application, it must be registered and managed in the official application store of the mobile device's operating system provider, and the unit's website must give clear installation instructions for customers to download and install it;
+ The Soft OTP software must require activation before use. The activation code is provided to the customer by the unit and can be used to activate the software on only one mobile device. The activation code must have a set expiry period;
+ The Soft OTP software must have an access control feature. If the number of consecutive incorrect access attempts exceeds the limit defined by the unit (which may not exceed 10), the software must automatically lock to prevent the customer from using it.
The unit may unlock the Soft OTP software only at the customer's request, and must check and identify the customer before unlocking, so as to guard against fraud and impersonation.
+ If the Soft OTP software is independent of the Mobile Banking application, it must verify the individual customer before the first use and before use on a device other than the one used in the previous session. Customer verification must include at least: (i) a correct match of an SMS OTP or Voice OTP sent to the phone number registered by the customer, and (ii) a correct match of the customer's biometric information;
+ The OTP is valid for at most 02 minutes.
- Token OTP: the OTP is generated by a dedicated device. Token OTP has 02 types: (i) Basic Token OTP: the OTP is generated randomly over time and synchronized with the Online Banking system; (ii) Advanced Token OTP: the OTP is generated in combination with an individual transaction code. When a transaction is performed, the Online Banking system generates a transaction code and notifies the customer, who enters it into the Token OTP device to create the OTP. A Token OTP is valid for at most 02 minutes.
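The transaction-bound (advanced) Soft OTP and Token OTP flow described above, as an added Python example that is not part of the Circular or of any bank's implementation. The OTP construction (HMAC-SHA256 over the transaction code with RFC 4226-style truncation), the 6-digit length, the 5-attempt limit and applying the consecutive-failure lock to server-side verification are assumptions of this example; the Circular specifies only the 02-minute validity and that the unit-defined limit may not exceed 10.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this example: the Circular fixes only the 02-minute
# validity and the ceiling of 10 consecutive failures; the attempt limit is unit-defined.
OTP_VALIDITY_SECONDS = 120        # Soft/Token OTP valid for at most 02 minutes
MAX_FAILED_ATTEMPTS = 5           # unit-defined; the Circular caps it at 10
OTP_DIGITS = 6

def transaction_otp(shared_secret: bytes, transaction_code: str) -> str:
    """Soft OTP side: OTP derived from the transaction code (assumed construction:
    HMAC-SHA256 with RFC 4226-style truncation), so it cannot be reused for another transaction."""
    digest = hmac.new(shared_secret, transaction_code.encode(), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**OTP_DIGITS:0{OTP_DIGITS}d}"

class OnlineBankingVerifier:
    """Online Banking side: issues transaction codes, enforces the validity window and the failure lock."""
    def __init__(self, shared_secret: bytes):
        self.secret = shared_secret
        self.pending = {}             # transaction code -> issue time (seconds)
        self.failures = 0
        self.locked = False

    def start_transaction(self, now: int) -> str:
        """Generate the per-transaction code that is notified to the customer."""
        code = f"{secrets.randbelow(10**8):08d}"
        self.pending[code] = now
        return code

    def verify(self, transaction_code: str, otp: str, now: int) -> str:
        if self.locked:
            return "locked"
        issued_at = self.pending.get(transaction_code)
        if issued_at is None:
            return "unknown_transaction"
        if now - issued_at > OTP_VALIDITY_SECONDS:
            del self.pending[transaction_code]        # stale OTPs are never accepted
            return "expired"
        if hmac.compare_digest(transaction_otp(self.secret, transaction_code), otp):
            del self.pending[transaction_code]        # one-time use
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= MAX_FAILED_ATTEMPTS:
            self.locked = True                        # unlock only after the unit re-identifies the customer
            return "locked"
        return "invalid"
```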
(4) Two-channel authentication is a verification method in which, when the customer performs a transaction, the Online Banking system sends a transaction confirmation request to the customer's mobile device via a voice call, a call over a basic telecommunication service on the Internet, a USSD (Unstructured Supplementary Service Data) quick message code, or dedicated software, and the customer responds directly on that channel to confirm or reject the transaction. A two-channel confirmation request is valid for at most 05 minutes.
(5) Authentication by correct matching of biometric information compares the biometric information of the customer performing the transaction against the biometric information collected and stored at the unit, in accordance with the regulations of the Governor of the State Bank, to ensure that they match.
This form must meet at least the following requirements:
- Where correct matching of biometric information uses facial recognition:
+ Accuracy must be determined according to the following international standard (or an equivalent): a false rejection rate below 5% at a false acceptance rate below 0.01% under the FIDO Biometric Requirements (applicable with a test set of at least 10,000 samples);
+ It must be able to detect presentation attacks on the customer's biometric information (Presentation Attack Detection - PAD), i.e. fabricated biometric traits presented in place of a live subject, based on international standards (such as NIST Special Publication 800-63B Digital Identity Guidelines: Authentication and Lifecycle Management, ISO 30107 Biometric presentation attack detection, or the FIDO Biometric Requirements), to prevent fraud and impersonation via photographs, video and 3D masks.
- Where other forms of correct matching of biometric information are applied, they must guard against fraud and impersonation according to equivalent standards;
- The presentation attack detection (PAD) solution, whether implemented by the unit itself or supplied by a third party, must be certified by organizations or biometric laboratories recognized by the FIDO Alliance (this regulation applies from July 1, 2026);
- If the customer fails biometric confirmation more than the number of consecutive times stipulated by the unit (which may not exceed 10), the function for confirming transactions by biometric information must be locked; it may be unlocked only at the customer's request, after the unit has checked the customer, so as to guard against fraud and impersonation;
- Verification of correct biometric information must complete within at most 03 minutes.
(6) Device biometric verification compares the biometric information of the customer performing the transaction against the biometric information stored on the customer's mobile device to ensure that they match.
This form of verification must meet the following requirements:
- It may be activated for use only after the customer has consented and has completed at least one successful transaction using another verification method;
- Verification of correct biometric information must complete within at most 02 minutes.
(7) FIDO Authentication (Fast IDentity Online) is a verification method conforming to the FIDO Alliance standard for transaction authentication using asymmetric key algorithms (a secret key and a public key, where the secret key is used to create digital signatures and the public key to verify them).
This form of verification must meet the following requirements:
- The secret key is stored securely on the customer's device. The customer uses a PIN or device biometric verification to access and use the secret key when performing transactions;
- The public key must be stored securely at the unit and linked to the customer's electronic transaction account;
- Solutions implemented by the unit itself or supplied by a third party must be certified by organizations recognized by the FIDO Alliance (this regulation applies from July 1, 2026).
(8) Authentication by electronic signature according to the law on electronic signatures (excluding secure electronic signatures as defined in (9)).
(9) Authentication by secure electronic signature is a form of authentication by electronic signature in which the signature is a specialized electronic signature that ensures security, a digital signature, or a foreign electronic signature recognized in Vietnam under the law on electronic signatures.
(10) Risk-based authentication for online card payment transactions according to the EMV 3-D Secure standard (hereinafter EMV 3DS verification). EMV 3DS verification must meet the following requirement: card issuers, card payment organizations and card acceptance entities must implement the EMV 3-D Secure standard.
(11) Authentication through the customer's confirmation action on a data message when performing a transaction, such as clicking accept, approve, send or a similar action in the Online Banking application.
This form of authentication must meet the following requirements:
- Confirmation actions must be logged so that information related to them can be queried;
- The customer is an organization and has logged in to the Online Banking application using one of the authentication methods stipulated above, other than forms (1), (2), (6) and (10).
More details can be found in Circular 50/2024/TT-NHNN, effective from January 1, 2025.