Based on comments received by the New Jersey Division of Gaming Enforcement (NJDGE) on the proposed Internet gambling regulations, the Division formulated changes that aim to enhance player protection on remote gaming sites.
Aside from the basic username and password required by a system before a player can access his or her online gaming account, the NJDGE will require the following additional security measures:
- Customers creating an account must be given the option to add “strong authentication” features that enhance security during account log-ins. Instructions for activating these features should be available on a player protection page at all times.
- The online gaming system must also give the customer the option to receive an automated email notification every time a session is activated on the player’s account.
- Entering the wrong password three consecutive times will automatically disable the customer’s account. Re-enabling the account will require restoring or resetting the account owner’s password, and the site operator has to verify and confirm the identity of the account owner by using “strong authentication” measures.
In line with the mandatory “strong authentication” requirement, the NJDGE recommends multi-factor authentication methods that use at least two of the following three factors:
1. Information that only the customer knows such as password, tablet pattern or answer to a difficult question.
2. Information that is unique only to the account owner, which he or she may carry in an ID card, a physical token or an electronic token.
3. The account owner’s biometric data such as fingerprints, facial features or voice pattern, which shall be used in a control system intended for identity recognition.
Moreover, the effectiveness of the “strong authentication” measures that the site will adopt must first be demonstrated satisfactorily to the NJDGE.
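The lockout and recovery rules listed above can be modelled as a small state machine. The sketch below is an added example, not code from the NJDGE or from any operator; the class, method and category names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

MAX_CONSECUTIVE_FAILURES = 3  # threshold stated in the article
FACTOR_CATEGORIES = {"knowledge", "possession", "biometric"}  # assumed labels for the three factors


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored credentials are not reversible at rest.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:  # hypothetical model of one customer account
    def __init__(self, password: str, notify_on_login: bool = False):
        self.salt = os.urandom(16)
        self.pw_hash = _hash(password, self.salt)
        self.notify_on_login = notify_on_login  # customer opt-in
        self.failures = 0
        self.disabled = False
        self.outbox = []  # stand-in for the operator's mail queue

    def login(self, password: str) -> str:
        # A disabled account rejects every attempt before the password is
        # checked, so the lockout cannot be used to test guesses.
        if self.disabled:
            return "disabled"
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            self.failures += 1
            if self.failures >= MAX_CONSECUTIVE_FAILURES:
                self.disabled = True
                return "disabled"
            return "denied"
        self.failures = 0  # "consecutive": a success clears the counter
        if self.notify_on_login:
            self.outbox.append("session started")
        return "ok"

    def reset_and_enable(self, new_password: str, verified_factors) -> bool:
        # verified_factors: categories the operator has already verified.
        # Two proofs from the same category count once.
        if len(set(verified_factors) & FACTOR_CATEGORIES) < 2:
            return False
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_password, self.salt)
        self.failures, self.disabled = 0, False
        return True
```

The model treats the counter as per-account and resets it on any successful login, which is one reading of "three consecutive times"; it also rejects a correct password while the account is disabled, so re-enabling is only possible through the reset path.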