The impact of the EU’s Second Payment Services Directive (PSD2) continues to shake up and open up banking systems across Europe, but a major component is still to come into force — the requirement for “strong customer authentication” (more commonly known as two-factor authentication) for online card payments.
This will kick in by September 2019, and promises to reduce fraud by confirming customer approval of all significant transactions. It means some serious technical work is required of banks and payment providers to ensure their systems not only comply with the new regulation, but do so in a way which minimizes additional effort from consumers.
In many implementations, two-factor authentication relies on a mobile app or text message, making for a common point of compromise. Overreliance on the smartphone risks mistaking device authentication for user authentication.
PSD2 was signed into EU law in 2015, with member states required to adopt its requirements into their own laws by Jan. 13, 2018 — in the U.K., this was addressed by the Payment Services Regulations 2017. The requirements include more open visibility of bank account information, leading to an explosion in offerings combining multiple accounts from different providers in a single place, usually a website or app.
The “strong customer authentication” (SCA) part of the legislation defines SCA in the same way two-factor has generally been defined: a combination of at least two out of three types of authentication data. The categories are listed in the legislation as “knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is)”.
In everyday terms, the “knowledge” component is generally a username or password; things like “memorable information” or answers to pre-set personal questions (“mother’s maiden name”) would also fall into this category.
These are inherently limited in terms of security. Passwords can be leaked, shared, guessed or worked out, while the security questions used to supplement passwords are often based on personal information which may be easily discovered, especially in a world where many people openly share huge amounts of information via social networks.
The “possession” side of things is also in common use for online security. The standard implementations are smartphone apps which generate unique one-time codes, or require the user to hit a “confirm” button, before a login is approved or a payment is made. In the physical world, a card counts as a possession, so making a chip-and-PIN payment or ATM withdrawal is a two-factor process, combining possession of the card and knowledge of the PIN.
This translates into the online world through card readers (a generic reader that, together with the customer's card, produces a one-time code) and through code-generating dongles issued to an individual user. Both methods are widely used to secure online banking, although they are more common for business accounts than at the consumer level. The possession category also covers codes sent via SMS or voice call, in which case the phone (or, more precisely, the phone number) is the “possession” element.
The “inherence” category is the least widely used so far, but potentially the most secure and the simplest to operate from the user perspective. It includes all biometric approaches, from fingerprint readers and face recognition (both now commonly supported in high-end smartphones) to voice or iris identification.
More esoteric methods include identifying individuals by everything from the way they move to the patterns of their heartbeat or the smell of their breath.
So far, none of these methods have proved entirely reliable, with even high-end variants often easily defeated. Examples of this include the use of Gummi Bears to trick early fingerprint sensors, and the facial recognition in the latest iPhones being unable to tell twins apart.
Too much mobile
Under PSD2, payments and access to account information will need to be secured by SCA-compatible technologies by September next year, with a few exemptions, for example smaller transactions (up to €30 online or €50 for contactless) or payments to pre-approved recipients. The SCA component of logging in to view account details needs to be refreshed every 90 days.
With ever more payments being initiated directly from our mobile devices, their value as a secondary “possession” element is reduced — if a bad actor gets hold of your phone, either physically or by remote hijack, they can also get at your code generator or SMS messages, and successfully impersonate you to your payment processor.
SMS methods are particularly vulnerable to simple “port-out” scams, where an attacker uses weak security at phone service providers to pose as a customer and have a number redirected elsewhere — with many providers still relying on basic “private information” such as dates of birth or Social Security numbers, this can be very simple to achieve.
Using phones as both the transaction tool and the “possession” part of the authentication process also risks violating the “independence” requirements under PSD2 — the two factors used for authentication need to be separated in such a way that, should one factor be compromised, the second remains secure.
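The exemption thresholds, the two-of-three rule and the independence requirement discussed above are the kind of rules a payment provider's authentication service has to evaluate on every request. The following is an added example of such a policy check, not code from the article or from any bank or processor. It models exactly what the text states: the €30 online and €50 contactless limits, the pre-approved recipient exemption, the 90-day refresh for account access, at least two distinct factor categories, and the independence rule that a possession factor held on the very device initiating the payment is not counted (biometrics measured on that device still count, as the article notes further on). The real regulatory technical standards attach further conditions to the exemptions (cumulative limits, transaction counts) that are deliberately left out here; the `Factor`, `Request` and `Decision` types and all sample values are constructed for the example.

```python
"""SCA policy check: exemptions, two distinct factor categories, factor independence.

Added example. Thresholds are the ones stated in the article; everything else is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Iterable


class Category(Enum):
    KNOWLEDGE = "knowledge"      # something only the user knows
    POSSESSION = "possession"    # something only the user possesses
    INHERENCE = "inherence"      # something the user is


@dataclass(frozen=True)
class Factor:
    kind: str                          # e.g. "password", "totp_app", "sms_otp", "fingerprint"
    category: Category
    device_id: str | None = None       # device that holds or produces the factor, if any


@dataclass(frozen=True)
class Request:
    kind: str                              # "payment" or "account_access"
    initiating_device: str | None = None   # device the request is started from
    amount_eur: float = 0.0
    channel: str = "online"                # "online" or "contactless"
    payee_trusted: bool = False            # pre-approved recipient
    last_sca_at: datetime | None = None    # when account access last passed SCA


@dataclass(frozen=True)
class Decision:
    approved: bool
    reason: str
    categories: frozenset[Category]        # distinct categories that counted


# Limits as stated in the article; further RTS conditions are intentionally not modelled.
LOW_VALUE_LIMIT_EUR = {"online": 30.0, "contactless": 50.0}
ACCESS_REFRESH = timedelta(days=90)


def exemption(req: Request, now: datetime) -> str | None:
    """Return the exemption that applies, or None if SCA must be performed."""
    if req.kind == "account_access":
        if req.last_sca_at is not None and now - req.last_sca_at < ACCESS_REFRESH:
            return "account access re-authenticated within 90 days"
        return None
    if req.payee_trusted:
        return "payment to pre-approved recipient"
    limit = LOW_VALUE_LIMIT_EUR.get(req.channel)
    if limit is not None and req.amount_eur <= limit:
        return f"low-value {req.channel} payment (<= EUR {limit:.0f})"
    return None


def independent(factors: Iterable[Factor], req: Request) -> tuple[list[Factor], list[Factor]]:
    """Independence rule: a possession factor living on the device that initiates the
    transaction falls together with that device, so it is discounted. Knowledge typed on
    the device and biometrics measured on it are still counted."""
    kept, dropped = [], []
    for f in factors:
        same_device = f.device_id is not None and f.device_id == req.initiating_device
        (dropped if f.category is Category.POSSESSION and same_device else kept).append(f)
    return kept, dropped


def evaluate(factors: Iterable[Factor], req: Request, now: datetime) -> Decision:
    """Approve if an exemption applies or if two distinct, independent categories are present."""
    reason = exemption(req, now)
    if reason is not None:
        return Decision(True, f"exempt: {reason}", frozenset())
    kept, dropped = independent(factors, req)
    categories = frozenset(f.category for f in kept)   # the same category twice counts once
    if len(categories) >= 2:
        return Decision(True, "SCA satisfied", categories)
    note = f"; discounted as not independent: {[f.kind for f in dropped]}" if dropped else ""
    return Decision(False, f"need two distinct categories, have {len(categories)}{note}", categories)


if __name__ == "__main__":
    now = datetime(2019, 9, 14, tzinfo=timezone.utc)            # constructed
    password = Factor("password", Category.KNOWLEDGE)
    app = Factor("totp_app", Category.POSSESSION, device_id="phone-1")
    print(evaluate([password, app], Request("payment", "laptop-1", 250.0), now))
    print(evaluate([password, app], Request("payment", "phone-1", 250.0), now))   # fails independence
```

Running the two payments in the usage section shows the point of the independence rule: the same password-plus-app combination passes when the payment is started from a laptop and fails when it is started from the phone that also runs the app.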
This convergence makes biometrics an even more attractive option. Smartphones are the weapon of choice here too: they can provide fingerprint reading (for many of us, at least; two-thirds of new phones now have readers, but it will take some time before everyone has one), increasingly sophisticated cameras and microphones can provide face, iris or voice recognition, and motion sensors may soon be able to measure our unique gait or gesture patterns. Many laptops include fingerprint readers as well.
This means we can meet the “inherence” component even if the device used to measure it is the same one being used to make the transaction.
However, this rules out a large proportion of the population: those with no compatible device (or no device at all). While the number of customers making online payments using only a basic PC may be limited, banks and payment processors can’t afford to shut them out entirely.
The other potential issue with biometrics is their immutability. It’s easy to change a password, order a replacement card or buy a new phone, but we can’t change our fingerprints, face or voice (at least, without fairly significant surgery). If crooks figure out how to spoof any of these, either with physical copies or by compromising and reproducing their digital representations, it’s pretty much game over for that feature as a reliable means of identification.
Most of these approaches also rely on internet connectivity, or at least cell phone service, so may be unsuitable (or expensive) for travelers. The simplest “possession” method, using a code-generating app such as Google Authenticator, is at least viable without data roaming costs, but others all require at least some mobile data to transmit requests and confirmations.
There are doubtless other circumstances where particular methods are impossible or inappropriate — for example, fingerprints when you’ve got a hand in bandages after an injury. So some sort of fallback options will be necessary.
Ultimately, it is likely that banks and other payment providers will need to make multiple methods available to their customers, and allow them to choose whichever combination works best for each individual. They’ll also need to give users the ability to select the best options for their circumstances on the fly, while remaining secure.
This could become a major differentiator, with those companies providing the most seamless, reliable and low-effort options likely to accumulate more users, while those who offer only limited or awkward methods will undoubtedly lose business.
With little over a year before the SCA components of PSD2 come into force, we should be seeing a major upturn in the release of new authentication methods very soon indeed. There’s not much time for these new methods to be trialed, rolled out and accepted as the new reality. Just how much more security they will provide remains to be seen.