The financial services industry is experiencing an unprecedented evolution, in large part due to the acceleration of digital payments.
According to Juniper Research, the total value of digital payments reached $3.66 trillion in 2016, up 20% over 2015. With mobile devices the predominant vehicle on which those digital transactions will be carried out, stronger authentication models must be put in place now to enable faster payments in real time, eliminate the processing lag and ensure the trustworthiness of any device transacting with an organization. The solution may be found in the device itself, and in its embedded messaging technology.
A revised Payment Services Directive (PSD2) was issued by the EU, with Article 97 requiring banks to implement two-factor authentication (2FA) on all online transactions involving financial institutions and retailers. This form of authentication confirms a user's claimed identity through a combination of two different authentication factors: something the user knows, such as a PIN or one-time code; something they possess, such as a mobile device; or something inseparable from the user's identity, such as a fingerprint.
Understandably, PSD2 Article 97 is not yet being readily embraced by financial institutions. Why? For many of the expected reasons. First, banks are not required to implement these mandates until 2018, so many financial institutions are taking a “wait-and-see” stance.
Second, financial services organizations tend to be risk averse and are therefore not early adopters of new technology. Third, they want to understand what implementing the regulations will cost their organization. They are also concerned about the impact of heightened security on the user experience.
Historically, tightening security has negatively impacted the user experience, manifesting into longer wait times, more authentication steps, more friction. Today’s always-on customers won’t put up with such barriers; they just want their transaction processed. More friction means costly abandoned transactions.
Most organizations accept that a multi-factor approach to digital security is industry best practice, but they also recognize the serious shortfalls of legacy two-factor authentication techniques such as SMS, which are widely regarded as insecure and cumbersome for the customer. In the banking industry alone, according to a BioCatch study, "Reducing SMS Authentication by a Factor of 5," it is estimated that authentication processes using one-time passcodes are either failed or abandoned between 15% and 20% of the time, with some financial institutions reporting an even higher figure.
Such challenges can place a burden on the organization, dramatically increasing call center activity, driving up personnel and operating costs, and reducing efficiency and profitability. Other methods, such as using hardware tokens for 2FA, are costly and require the customer to purchase and have such a token on hand.
There is, however, a two-part authentication solution that meets the requirements of PSD2 Article 97 while still delivering a secure yet frictionless user experience. In this model, the payment services organization uses the mobile device itself as an authentication factor and delivers a secure message to a mobile app on a trusted, registered device, where the customer simply taps to confirm or deny the transaction.
There are hundreds of individual characteristics on a mobile device, including the operating system, location, application data and other attributes. Enhanced device intelligence technology exists today that allows those attributes to be used in combination to form a unique and persistent identifier. This identifier acts as a secure token that the customer has in their possession.
Taking that a step further, instead of cumbersome and insecure legacy solutions such as an SMS-based one-time code, a contextual message can be pushed to the customer to confirm their activity from within the business's mobile app. The message can be encrypted end-to-end, digitally signed, and directed only to the registered, trusted device associated with the customer, ensuring that it cannot be intercepted by a man-in-the-middle or delivered to the wrong party.
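The confirmation exchange described above, written out as an added example (this is not code from the article or from any vendor it describes). It uses Ed25519 signatures from the Go standard library for the "digitally signed" property and omits the end-to-end encryption layer, which in practice sits on the transport between bank and app. The point it makes that the text leaves implicit is how the approval stays tied to the transaction: the bank signs the payee, amount, device identifier, expiry and a single-use nonce; the device only signs a decision over the exact bytes it displayed; and the bank accepts an approval only if those bytes match what it issued, the nonce has not been consumed, and the prompt has not expired. The device identifiers, payee and amounts are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Prompt is the transaction summary pushed to the enrolled device; every field the customer reads is inside the signed bytes.
type Prompt struct {
	TxID, DeviceID, Payee, Currency string
	AmountCents, ExpiresUnix        int64
	Nonce                           []byte // single-use; JSON encodes it as base64
}

type Approval struct {
	Prompt  []byte // the exact prompt bytes the app displayed
	Approve bool
}

// Bank keeps its prompt-signing key, enrolled device keys and unanswered prompts (nonce -> issued bytes).
type Bank struct {
	priv    ed25519.PrivateKey
	devices map[string]ed25519.PublicKey
	pending map[string][]byte
}

type Device struct {
	ID      string
	priv    ed25519.PrivateKey
	bankPub ed25519.PublicKey
}

func NewBank() *Bank {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Bank{priv: priv, devices: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Enrol models registration: the app generates a key pair and the bank stores the public half by device id.
func (b *Bank) Enrol(id string) *Device {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	b.devices[id] = pub
	return &Device{ID: id, priv: priv, bankPub: b.priv.Public().(ed25519.PublicKey)}
}

// Challenge builds and signs a single-use prompt that expires 60 s after issue.
func (b *Bank) Challenge(deviceID, txID, payee string, amountCents int64, currency string, now time.Time) (msg, sig []byte, err error) {
	p := Prompt{TxID: txID, DeviceID: deviceID, Payee: payee, Currency: currency,
		AmountCents: amountCents, ExpiresUnix: now.Add(60 * time.Second).Unix(), Nonce: make([]byte, 16)}
	if _, err = rand.Read(p.Nonce); err != nil {
		return nil, nil, err
	}
	msg, _ = json.Marshal(p)
	b.pending[string(p.Nonce)] = msg
	return msg, ed25519.Sign(b.priv, msg), nil
}

// Respond is the app side: accept only a bank-signed, unexpired prompt addressed to this device, then sign the decision over the bytes shown.
func (d *Device) Respond(msg, sig []byte, approve bool, now time.Time) (resp, rsig []byte, err error) {
	var p Prompt
	if !ed25519.Verify(d.bankPub, msg, sig) || json.Unmarshal(msg, &p) != nil {
		return nil, nil, errors.New("prompt signature invalid or malformed")
	}
	if p.DeviceID != d.ID || now.Unix() > p.ExpiresUnix {
		return nil, nil, errors.New("prompt not for this device or expired")
	}
	resp, _ = json.Marshal(Approval{Prompt: msg, Approve: approve})
	return resp, ed25519.Sign(d.priv, resp), nil
}

// Verify checks the device signature, matches the answered prompt byte for byte against the issued one, consumes the nonce and reports the decision.
func (b *Bank) Verify(deviceID string, resp, rsig []byte, now time.Time) (bool, error) {
	pub, ok := b.devices[deviceID]
	if !ok || !ed25519.Verify(pub, resp, rsig) {
		return false, errors.New("approval signature invalid")
	}
	a, p := Approval{}, Prompt{}
	if json.Unmarshal(resp, &a) != nil || json.Unmarshal(a.Prompt, &p) != nil {
		return false, errors.New("malformed approval")
	}
	issued, ok := b.pending[string(p.Nonce)]
	delete(b.pending, string(p.Nonce)) // single use, whatever the decision
	if !ok || !bytes.Equal(issued, a.Prompt) || p.DeviceID != deviceID || now.Unix() > p.ExpiresUnix {
		return false, errors.New("prompt unknown, already answered, altered, or expired")
	}
	return a.Approve, nil
}

func main() {
	bank := NewBank()
	dev := bank.Enrol("device-A1") // constructed device identifier
	msg, sig, _ := bank.Challenge(dev.ID, "tx-1001", "ACME Utilities", 4250, "EUR", time.Now())
	resp, rsig, _ := dev.Respond(msg, sig, true, time.Now())
	ok, err := bank.Verify(dev.ID, resp, rsig, time.Now())
	fmt.Println("approved:", ok, "error:", err)
}
```

Because the device signs the prompt bytes rather than just a yes/no, a tampered amount fails the bank-signature check on the device, an approval cannot be re-submitted once its nonce is consumed, and a prompt issued for one registered device is refused by any other.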
Using this combination of authentication factors creates an innovative method to resolve the common business conflict between security and the need to deliver a satisfactory customer experience.
Institutions that can merge the best customer experience possible with the necessary level of security to meet increasingly stringent regulatory requirements will gain a competitive advantage in the new payments ecosystem by driving innovation and facilitating seamless, frictionless digital transactions.