Skip to main content

PSD2 SCA delay: an ideal time to re-evaluate authentication methods

(Image credit: Shutterstock)

Before the Covid-19 pandemic struck, the European Banking Authority had established that PSD2 Strong Customer Authentication (SCA) requirements should be fully enforced by 31st December 2020. With the global economy and many organizations now in a state of flux, the UK regulator has extended this deadline until 14th September 2021.

The last few months have caused unprecedented disruption, and any kind of delay to a regulation like PSD2 SCA can seem like a hindrance. However, the coronavirus crisis has actually given banks and financial services organizations a chance to take a step back and think about whether their authentication methods are up to scratch, leading many to consider fresh approaches as a result. This is especially pertinent as the pandemic has seen an increase in cyberattacks.

Effectively, now is an ideal time to re-evaluate authentication and make sure it is robust enough for a post-pandemic future.

PSD2 SCA: 21st century security  

When PSD2 came into effect in September 2019, it brought with it wide-reaching implications for companies across Europe that deal with payments, ranging from the regulation of third-party providers, to implementing adequate consumer payment protection.

The aim of PSD2 is to simply ensure that a bank or payment service provider can authenticate that the account holder is making a transaction, and not an outside party. To achieve this, SCA, a key element of PSD2, will require merchants to introduce two-factor authentication for transactions with a value of over €30. This forces customers to take extra steps to verify their identity, potentially relying on biometric methods or SMS one-time passcodes generated by the payment provider.

Calls for an extension have been requested by a number of leading organizations over the last few months, and for good reason. The Covid-19 crisis has seen a surge in online traffic, which has placed considerable pressure on banks and financial service organizations. More people have begun buying items that they would never have purchased on the internet, which makes it more challenging to distinguish between normal and fraudulent activity. With this in mind, organizations need a bit more time to get their houses in order from an authentication perspective.

Current ways of achieving SCA standard

As technology becomes more advanced, new and more innovative ways of fighting cybercrime are certain to emerge. SMS one-time passcodes (OTP), static passwords and security questions are just a few of the more traditional ways of achieving the SCA standard. In particular, financial service organizations have put great emphasis on the achievement of OTPs when authenticating customers.

OTPs enable a user to authenticate themselves in a matter of seconds, and unlike static passwords, they can only be used once before being made redundant. Security passwords are a method that we are all familiar with: when opening an account, a user will pick a security question and input a unique answer that only they should know.

Approaches such as these have generally been effective up to now and have reduced our reliance on outdated processes such as static passwords. However, as technology grows in sophistication, so do the skills of cybercriminals.

A growing threat

Despite the ubiquity of methods such as SMS OTP, these security features are vulnerable to compromise through techniques such as SIM swap. This type of fraud involves a perpetrator registering an existing phone number onto a new SIM card, which allows the criminal to intercept a range of sensitive information, including OTPs. Similarly, security passwords can also be easily bypassed in this way.

In addition, accounts that are only protected by old-fashioned static passwords can also be compromised through the use of malicious applications like keyloggers, which record a user’s keystrokes. Essentially, there are gaps here to be plugged in terms of security.

Finally, the user experience typically associated with OTP usage and other forms of authentication can also be described as ‘clunky’ at best. We’ve all experienced having to type in our passwords multiple times due to typing errors. As a result, there’s a real opportunity now to establish what comes next for customer authentication, both from a security and convenience perspective.

A new era for authentication

So what are the alternatives? One place to look is the mobile phone itself. Our relationship with our mobile provides a unique window of opportunity to leverage the longest-standing digital relationship we have, especially when you consider we get a mobile phone before we even start our banking journey. By leveraging a combination of mobile signal intelligence and transparent verification processes, organizations can enhance security without compromising the user experience.

Making better use of mobile intelligence to get an accurate picture of customer behavior enables banks and financial services organizations to circumvent many of the routes through which fraudsters are often successful. If a cybercriminal, for example, attempts to pose as a customer, a mobile intelligence-based approach will be able to flag these unusual patterns of behavior and help stop a fraudulent transaction from taking place. These verification processes can all be done behind the scenes, which helps increase security while maintaining a seamless customer experience.

This need for convenience and a lack of friction is more important than ever for today’s consumer. For example, in a study of 1.5 million site visitors, only 49 percent of visitors added details to an online subscription form after viewing it. Of those 49 percent that started filling out the form, only 16.5 percent completed it. To overcome this, techniques like auto form pre-fill are able to leverage the information tied to someone’s phone number to automatically fill in all the necessary information, so the user doesn’t have to. This works through in-depth analysis of phone data conducted by mobile intelligence software.

Innovation is key to recovery

The next few months will be a time of reflection and rebirth for many organizations. Lots of processes will be evaluated and changes will be made, and the way we approach authentication should be no different. Meanwhile, the battle against cybercrime is ongoing, so organizations should be looking to up their game wherever they can. Drawing intelligence from mobile data and using this to authenticate customers is an area worthy of consideration as banks and other companies make their plans for the future.

Keiron Dalton, VP, Payfone

Keiron Dalton, VP at Payfone.