5 Solution Design.......................................................................................................................................

5.1 Solution Architecture................................................................................................................

5.2 Deployment Architecture..........................................................................................................
5.2.1 Performance............................................................................................................
5.2.2 Fault Tolerance.........................................................................................................
5.2.3 Database Sizing.......................................................................................................
5.2.4 Audit and Reporting.................................................................................................
5.3 ActivID Appliance Configurations............................................................................................
5.4.1 Hardware / Software Properties..............................................................................
5.4.2 Username / Password Authentication Types.........................................................
5.4.3 Device Authentication Types.................................................................................
5.4.4 Function Sets.........................................................................................................
6 Solution Scenarios...............................................................................................................................
6.1 Token Data Import..................................................................................................................
6.1.1 Pre-conditions................................................................. ........................... ...........
6.1.2 Process Steps.........................................................................................................
6.2 User Creation.........................................................................................................................
6.2.1 Pre-conditions.........................................................................................................
6.2.2 Process Steps.........................................................................................................
6.2.3 Outcomes................................................................................................................
6.3 Initial Customer Login and Token Assignment......................................................................
6.3.1 Pre-conditions................................... .....................................................................
6.3.2 Process Steps.........................................................................................................
6.3.3 Outcomes...............................................................................................................
6.4 Subsequent Customer Login.................................................................................................
6.4.1 Pre-conditions.........................................................................................................
6.4.2 Process Steps.........................................................................................................
6.4.3 Outcomes................................................................................................................
6.5 Transaction Approval.............................................................................................................
6.5.1 Pre-conditions.........................................................................................................
6.5.2 Process Steps.........................................................................................................
6.5.3 Outcomes................................................................................................................
6.6 Beneficiary Creation................................................................................................................
6.6.1 Pre-conditions.........................................................................................................
6.6.2 Process Steps.........................................................................................................
64.6.3 Outcomes..............................................................................................................
6.7 Authentication Record Unlock.................................................................................................
6.7.1 Pre-conditions.........................................................................................................
6.7.2 Process Steps.........................................................................................................
6.7.3 Outcomes................................................................................................................
6.8 Token Synchronisation..........................................................................................................
6.8.1 Pre-conditions.........................................................................................................
6.8.2 Process Steps.........................................................................................................
6.8.3 Outcomes................................................................................................................

5 Internet Banking Solution Design

5.1 Solution Architecture
The following diagram shows the architecture of the ActivID solution for the ActivID Appliance
Implementation project. Any integration between third party components and external systems are
described in this section.

Figure 2: Solution Architecture

Integration from Temenos ARC-IB and Temenos T24 to the ActivID Public API utilizes Java RMI.

5.2 Deployment Architecture

The following diagram shows the architecture of the ActivID Appliance deployment in the
production environment. Please note that this is not a specification for the physical deployment.

Figure 3: Production Deployment

5.2.1 Performance
NIB International Bank are planning and sizing the solution initially for approximately 50 users (internal
staff) and expect this to grow towards 1,000.
Assuming the following:
A customer base of 1,000;

20% of this customer base authenticates daily into the ActivID Appliance;
and a peak authentication window in which 80% of the daily authentications are performed within
1 hour;

There will be 200 authentications per day on average with a peak load of 160 in a single hour.
This calculates to an average peak rate of 0.05 authentications per second. A single ActivID Appliance
has been benchmarked to perform approximately 50 authentications per second when factoring the use
of device-generated One Time Passwords.
5.2.2 Fault Tolerance
The internet banking solution is being deployed at the production data center in Addis Ababa. Two ActivID
Appliances will be deployed in a dual-node configuration, with automatic data synchronization between

the Primary Appliance located in the production data center and the Secondary Appliance located in the
Disaster Recovery (DR) data Centre, approximately 3 kilometers away.
The database synchronization mechanism leveraged by the ActivID Appliances is based on Oracle
Golden Gate and a separate private network is configured between the two nodes to enable an activeactive deployment configuration.
The Temenos T24 and ARC-IB applications will be configured to always send requests to a given ActivID
Appliance. If no response is received, the request will be submitted to the other node.

5.3 ActivID Appliance Configurations

This section specifies the high level data configuration of the ActivID Appliance solution. Detailed ActivID
Appliance configuration is documented in the PS21 deployment documentation.
5.3.1 Hardware / Software Properties

Table 5: ActivID Appliance Hardware / Software Properties

5.3.2 Username / Password Authentication Types

The Username / Password authentication types requires for the ActivID Appliance and Temenos
integration are available under the Online Banking for Temenos ARC-IB dataset, which will be loaded for
each security domain. The configuration of the below authentication types have been verified against the
NIB International Bank password policy.

Table 6: Username / Password Authentication Types

5.3.3 Device Authentication Types

NIB International Bank has elected to use the HID Mini Tokens for generation of one time passwords. The
Customer One Time Password authentication type will be configured according to the table below to
enable OTP authentication in line with the NIB International Bank password policy.

Table 7: Device Authentication Types

5.3.4 Function Sets

In order to support the T24 and ARC-IB workflows, the following function sets are defined as part of the
Online Banking for Temenos ARC-IB dataset:

Table 8: Function Sets

6 Internet Banking Solution Scenarios

This section of the document provides a specification for interactions between actors and solution
components to meet the project requirements.
The following roles have been defined for the workflows in this section:
Customer / User This is the customer who uses the Internet Banking portal
Middle Office Middle Office staff at NIB International Bank, responsible for management and
support of customers
Temenos ARC-IB Temenos Internet Banking front end
Temenos T24 T24 core banking platform
ActivID Appliance ActivID Appliance API and Management Console
HID Global HID Global Manufacturing

6.1 Token Data Import

In this process, HID Global ships HID Mini Tokens to NIB International Bank and the NIB International
Bank Middle Office staff import the token data into the ActivID Appliance

Figure 4: Token Data Import

6.1.1 Pre-conditions

An SDS token import file is available

The Middle Office staff has been provided sufficient access to the ActivID Management Console

6.1.2 Process Steps

1. HID Global supplies NIB International Bank with the hardware tokens and an SDS file containing
token import data
2. Middle Office staff at NIB International Bank logs on to the ActivID Management Console and
imports the tokens into the ActivID Appliance
3. The ActivID Appliance holds the token data for each imported batch, ready for binding tokens to
end users via the ARC-IB registration process
6.1.3 Outcomes

The devices imported are available for assignment to end users

6.2 User Creation

This process describes initial creation of user accounts in the new internet banking solution.

Figure 5: User Creation

6.2.1 Pre-conditions
The user account does not exist in the ActivID Appliance
6.2.2 Process Steps
1. Customer creation is initiated in T24
2. An External User ID is created
3. T24 calls the ActivID Appliance to create a user account in the ActivID database
4. T24 generates a random Memorable Word
5. The Memorable Word credential is created for the user object in the ActivID Appliance
6. The Memorable Word and User ID are read from T24
7. Middle Office collects an unassigned token from stock
8. The user credentials and token are sent provided to the customer
6.2.3 Outcomes
An External User ID account is created in T24
A T24 customer user account is created in ActivID
A random Memorable Word is created and assigned to the user in ActivID
User ID, Memorable Word and the hardware token are owned by the end user

6.3 Initial Customer Login and Token Assignment

This scenario describes the process of first time login and device assignment for customers.

Figure 6: Initial Customer Login and Token Assignment

6.3.1 Pre-conditions

The User accounts have been created in T24 and the ActivID Appliance
The token seed data has been imported into the ActivID Appliance
The customer has received their initial Memorable Word, User ID and token

6.3.2 Process Steps

1. The customer connects to the Internet Banking portal and proceeds to login
2. ARC-IB prompts the user to enter their User ID and Memorable Word
3. The customer proceeds to enter their User ID and Memorable Word
4. ARC-IB forwards the authentication data to the ActivID Appliance for validation
5. ActivID Appliance validates the authentication data received
6. On successful authentication, ARC-IB prompts the customer to enter and confirm a new 4 digit
numeric PIN and provide their token serial number
7. The customer enters and confirms a PIN and their token serial number
8. ARC-IB makes a call to the ActivID Appliance to assign the device to the customer and create a
Customer One Time Password authentication record as well as a Customer PIN authentication
record
9. The ActivID Appliance assigns the token to the user account and creates the authentication
records in the user wallet
6.3.3 Outcomes

The customer has a Customer Static PIN authentication record in the ActivID Appliance
The customer has a Customer One-Time Password authentication record in the ActivID Appliance

The token is assigned to the customer

6.4 Subsequent Customer Login

This scenario describes the standard customer login experience

Figure 7: Subsequent Customer Login

6.4.1 Pre-conditions

The customer has a Customer Static PIN authentication record

The customer has a Customer One-Time Password authentication record
The customer has their HID Mini Token available

6.4.2 Process Steps

1. The customer connects to the Internet Banking portal and proceeds to login
2. ARC-IB prompts the customer to enter their credentials:

User ID

PIN

One-Time Password

3. The customer provides the requested authentication data

4. ARC-IB forwards the authentication data to the ActivID Appliance for validation
5. On successful authentication, ARC-IB logs the customer in to the Internet Banking application
6.4.3 Outcomes

The customer is logged in to Internet Banking

6.5 Transaction Approval

This use case describes the procedure of approving transactions made from within the Internet Banking
application.

Table 9: Transaction Approval

6.5.1 Pre-conditions

The customer has their HID Mini Token available

The customer is logged in to the Internet Banking application

6.5.2 Process Steps

1. The customer performs a transaction in the Internet Banking application
2. ARC-IB prompts the customer to enter a new One-Time Password
3. The customer provides a newly generated OTP
4. ARC-IB forwards the authentication data to the ActivID Appliance for validation
5. On successful authentication, ARC-IB approves the transaction
6.5.3 Outcomes

The transaction is approved

6.6 Beneficiary Creation

Figure 8: Beneficiary Creation

6.6.1 Pre-conditions

The customer has their HID Mini Token available

The customer is logged in to the Internet Banking application

6.6.2 Process Steps

1. The customer elects to create a new beneficiary in the Internet Banking application
2. ARC-IB prompts the customer to enter a new One-Time Password
3. The customer provides a newly generated OTP
4. ARC-IB forwards the authentication data to the ActivID Appliance for validation
5. On successful authentication, ARC-IB creates the new beneficiary
6.6.3 Outcomes

The new beneficiary is created

6.7 Authentication Record Unlock

This workflow details the scenario where an authentication record has reached the lockout threshold due
to too many consecutive unsuccessful login attempts and must be unlocked. This applies to both
Customer Static PIN and Customer One Time Password.

Figure 9: Token Unlock

6.7.1 Pre-conditions

The customer has reached the lockout threshold for an authentication record
The authentication record cannot be used for login

6.7.2 Process Steps

1. The customer contacts the NIB International Bank Middle Office to request their authentication
record to be unlocked
2. The Middle Office agent connects to the ActivID Management Console
3. The Middle Office agent requests that the customer provide their User ID and verifies the user
identity according to NIB International Banks procedures for customer identity verification
4. The customer provides their User ID and replies to any identification questions
5. The Middle Office agent queries the Management Console for the user and requests that the
lockout threshold for the given authentication record is reset
6. ActivID resets the lockout threshold and re-enables the authentication record
7. The Middle Office agent notifies the customer that their authentication record has been unlocked
6.7.3 Outcomes

The customers lockout threshold is reset

The customers authentication record(s) is re-enabled

6.8 Token Synchronisation

This workflow describes the process of re-synchronising a token that has become out of sync with the
ActivID Appliance

Figure 10: Token Synchronisation

6.8.1 Pre-conditions

The customers token has become out of sync with the ActivID Appliance
The token cannot be used for authentication

6.8.2 Process Steps

1. The customer contacts the NIB International Bank Middle Office to request their token to be resynchronised
2. The Middle Office agent connects to the ActivID Management Console
3. The Middle Office agent requests that the customer provide their User ID and verifies the user
identity according to NIB International Banks procedures for customer identity verification
4. The customer provides their User ID and replies to any identification questions
5. The Middle Office agent queries the Management Console for the user and selects the
Synchronise function for the token
6. The ActivID Appliance prompts the Middle Office agent to enter an OTP from the token
7. The Middle Office agent requests that the customer generate and provide an OTP from their
token
8. The customer generates an OTP and provides it to the Middle Office agent
9. The Middle Office agent enters the OTP into the ActivID Appliance
10. The ActivID Appliance increments its counter and clock values and re-synchronises the token
6.8.3 Outcomes

The token is synchronised

The token can be used for authentication