In order to improve security of access to the services of the KDPW Group, taking into consideration the results of the risk analysis conducted in accordance with the Guidelines of the Polish Financial Supervision Authority (KNF) concerning management of information technology and information and communication environment security of market infrastructure operators, we are planning to introduce a requirement for authentication of services made available using applications within the service portal https://online.kdpw.pl. As a result, after the implementation of the solution, any access to services in the portal will require authentication with two factors (MFA model: multifactor authentication).
Requiring an additional authentication factor will provide additional security to ensure that the person attempting to access the KDPW Group’s application is who they say they are and has all the necessary attributes to confirm it. By default (at the moment), authentication is done by entering the access account password, which is a credential of what the user knows. To improve credibility, a second authentication factor will be added based on a credential of what the user has. As a result, during authentication, the user will be required to prove that they have access to a trusted and assigned device.
The trusted device will be:
- A mobile application (KDPW Group Authenticator) installed on an Android or iOS mobile device. The application can be downloaded for free from authorised stores: Google Play (Android), App Store (iOS - Apple). Its use will only be permitted on phones with unchanged security features of the operating systems of the indicated manufacturers. In order to act as a second authentication factor, the mobile application should also be linked to an appropriate access account (user’s digital identity), which can be done after installation by the user.
- A trusted web browser, used on a computer on a specific network and IP address, which the user designates as trusted when logging in (after confirmation using the mobile app). The use of a trusted browser for login (after it has been designated as trusted) will be verified automatically during the login process as an additional factor of authentication to the designated user account. The list of devices assigned to a given access account and designated as trusted can be managed in the account management options using a dedicated application: https://identity.kdpw.pl. The application allows users to remove devices from the trusted list as well as to verify all authentication operations carried out with a given device. It should be noted that access to the application will also require multi-factor authentication.
User’s manual: access account for KDPW Group online applications