a user-friendly Strong Customer Authentication solution that exploits Blockchain technology

A user-friendly Strong Customer Authentication solution that exploits Blockchain technology

StrongAuth is a mobile authorisation system that connects a traditional application of Public Key Infrastructure (PKI) with immutability and security of the Blockchain.

It has been developed by PwC Italy for a leading Italian Banking Group and it is based on Two-Factors Authentication (2FA): possession of the device and knowledge of 4-digits PIN.

The core functionality works like traditional Authentication solutions based on PKI: creating a dynamic Challenge Text for every Authentication Requests and securing the validation by checking the signature, with the exception that the trust authority is distributed and the signature is timestamped.

In this way, StrongAuth is more cost-effective, secure and user-friendly than other solutions based on SMS or Virtual One Time Password as dynamic elements.

The solution started as a Proof of Concept and the Banking Group is going to put in production to manage the access to critical servers by System Administrators evidencing key benefits such as time and costs reduction, security and an improved user experience.

The engagement started on April 2016 and it is still ongoing. It scaled up from a PoC to Minimum Viable Product and now is rolling out in production. It involved 5 internal colleagues that designed and developed the solution in cooperation with external startups.


The PKI infrastructure is supported by a distributed trust authority

StrongAuth, to secure the interaction between the parties, uses the PKI infrastructure that needs a vault mechanism to protect some security data: the link between the user Identity and its cryptographic quantities. In legacy systems, this trust function is performed by central Certification Authorities. StrongAuth exploits an immutable distributed ledger that guarantees that stored data cannot be tampered by malicious third party or by the CA itself. It works better on public Blockchain like Bitcoin, but it has been designed to work on private Blockchain anchored to a public one to demonstrate the immutability.



Every authorisation is timestamped and available for SelfService check

The second important feature that StrongAuth exploits from a Blockchain is the Timestamping: every signature from users is timestamped on the immutable ledger, thus providing what we use to call enhanced Advance Electronic Signature (eAES) that adds the trustless time evidence to the well known and defined AES used also for the electronic Identification Authentication and Signature (eIDAS) framework.

Timestamping is performed by StrongAuth using the public Opentimestamp protocol: the Timestamp server aggregates all the responses created during the interval of time and it assembles them into a single hash that will be stored into the blockchain. This information is needed to prove that provided response signed by particular user existed at the specific time it was performed.

With this mechanism StrongAuth notarises efficiently and immutably great amount of data using a single transaction and allow external actors to verify responses in a SelfService mode, thus reducing auditing effort and costs.



StrongAuth has a wide range of applications: a single system that is able to improve Authorisation Workflow and authentication mechanism introducing 2FA (it has been integrated with Microsoft ADFS, Oracle OAM and CA Sitemider), Timestamping server, digital identities (according to the eIDAS regulation) and even more.

According to the new Payment Services Directive (PSD2) from 13 January 2018, banks, electronic money issuers and Payment Service Processors (PSPs) will be required to apply, for particular type of payments, a “Strong Customer Authentication”. It must use of two or more elements categorized as knowledge, possession or inherence and must provide a feature called Dynamic Linking: a single authorisation must be performed using a digital token that is validated against the time, the amount and the counterparty of the payment.

Dynamic Linking is not feasible using traditional hardware token (OTP) widely used by banks because they are only time based. StrongAuth can be used as SCA and is compliant with PSD2 requirements, thus a single system can have multiple applications with many benefits.

"StrongAuth enhances the User Experience of mobile Authorisation with the aim to increase adoption of Online and Mobile services"

Contact us

Roberto Lorini

Roberto Lorini

Senior Advisor | Technology FS, PwC Italy

Follow us