The EU Payment Services Directive (PSD2) will revolutionize consumer authentication. Passwords have been dying a slow death for a while, but PSD2 is likely going to deal the final death blow. Can we all say, “hip hip hooray?”
For those who feel that this is just an issue for the European market, think again. The scope is much broader than the original Payment Services Directive (PSD), which included all transactions with ‘two legs out’ (both parties located within the EU). Now all transactions with ‘one leg out’ (at least one party located within the EU) will be in scope, meaning this will have global implications.
PSD2 and the SCA Requirements
With the advent of PSD2, all electronic financial transactions above €30, with a few exceptions, will be subject to Strong Customer Authentication (SCA) requirements.
SCA must use two or more of the following independent factors:
- Knowledge – something only the user knows (password, PIN)
- Possession – something only the user possesses (key material, token)
- Inherence – something that uniquely identifies the user (fingerprint, biometrics)
In addition, a unique authentication code will be required for remote transactions (internet, mobile) that can tie the transaction to a specific amount and payee (dynamic linking).
There’s another, more familiar term for SCA: multifactor authentication (MFA). Legacy authentication systems that rely on passwords and text-based one-time passwords have proven inherently insecure. If the numerous data breaches over the past decade have shown us anything, it’s that passwords alone are not a secure authentication channel. Additionally, the flood of breached data and credentials has led to a rise in credential stuffing attacks, account takeover, and both synthetic and true identity fraud.
Even two-factor (2FA) solutions are insufficient for a number of reasons, including lack of dynamic linking, lack of strong encryption, or the use of unsecured channels. This is a much higher bar than has been previously set and will have massive implications for anyone who processes online transactions.
Currently, businesses can choose to opt out of SCA-style checks (mostly 3D Secure) for lower-risk transactions, accepting that liability then shifts back to the merchant. And most did, because they found that 3D Secure created too much customer friction and drove up abandonment rates. This will no longer be an option once the PSD2 SCA requirements come into full effect in September of 2019, which means that e-commerce sites will have to subject many more transactions to SCA.
Transforming Consumer MFA
This change is going to fundamentally alter the market and achieve what hundreds of data breaches and billions of compromised data records failed to do: transform consumer authentication. Skeptical? Consider this.
Conversion rates are already low in e-commerce, and any added obstacles or friction correlate to an increase in cart abandonments. Consumers want an easy, low-friction experience. They’re already using their smart device daily, so it makes sense they’ll show a preference for authentication methods that use a mobile device as the primary authenticator.
The winners post PSD2 implementation are going to be the businesses that really look at how they can elegantly solve for SCA requirements and provide a low-friction, user-friendly, policy-based authentication experience that is intuitive and safe. This is an opportunity to fundamentally transform the way MFA is done. Factors to consider in deploying an MFA solution include:
- Out-of-band authentication: Does the solution evaluate authentication factors in a separate channel from that in use by the session or transaction being authenticated?
- Configurable authentication methods: Such as biometrics, geofencing, pattern codes, and device proximity pairing.
- Platform-agnostic: What online services does the solution support?
- Decentralized, anonymous architecture: Eliminate or reduce the most common attack vectors associated with password-based authentication by moving credential storage to the user’s device.
- Dynamic Linking: SCA requires that the authentication elements generate an authentication code for the payer’s payment service provider that is specific to the amount and payee agreed by the payer when initiating the transaction. Does the service meet this bar?
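As an added illustration of the dynamic-linking requirement above (example code written for this article, not iovation's or any payment service provider's implementation; the HMAC scheme, key sizes and payee strings are assumptions), the code below binds the authentication code to the exact amount and payee, so that a changed amount, a changed payee, or a replay under a fresh challenge all fail verification.

```python
"""Illustrative dynamic-linking check: the authentication code is computed over
the exact amount and payee the payer confirmed, so a change to either invalidates
it. Constructed example; key, nonce and payee values are made up."""
import hashlib
import hmac
import secrets

CODE_LEN = 16  # hex chars kept from the HMAC tag (an assumption, not a PSD2 value)


def canonical_message(amount_cents: int, currency: str, payee: str, nonce: bytes) -> bytes:
    """Fixed-order, unambiguous encoding of what the payer agreed to.
    Each field is length-prefixed so field boundaries cannot be shifted."""
    parts = [str(amount_cents).encode(), currency.encode(), payee.encode(), nonce]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def generate_auth_code(device_key: bytes, amount_cents: int, currency: str, payee: str, nonce: bytes) -> str:
    """Runs on the payer's device (the possession factor holds device_key) after
    the user has confirmed the displayed amount and payee."""
    tag = hmac.new(device_key, canonical_message(amount_cents, currency, payee, nonce), hashlib.sha256)
    return tag.hexdigest()[:CODE_LEN]


def verify_auth_code(device_key: bytes, amount_cents: int, currency: str, payee: str, nonce: bytes, code: str) -> bool:
    """Runs at the payment service provider against the transaction it is about
    to execute, not the one the merchant page displayed. Constant-time compare."""
    expected = generate_auth_code(device_key, amount_cents, currency, payee, nonce)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Genuine transaction plus three tampering/replay cases (constructed data)."""
    device_key = secrets.token_bytes(32)  # provisioned to the device at enrolment
    nonce = secrets.token_bytes(16)       # per-transaction challenge from the PSP; blocks replay
    payee = "IBAN-PAYEE-EXAMPLE"
    code = generate_auth_code(device_key, 4999, "EUR", payee, nonce)
    return {
        "genuine": verify_auth_code(device_key, 4999, "EUR", payee, nonce, code),
        "amount_changed": verify_auth_code(device_key, 49990, "EUR", payee, nonce, code),
        "payee_changed": verify_auth_code(device_key, 4999, "EUR", "IBAN-OTHER-EXAMPLE", nonce, code),
        "replayed": verify_auth_code(device_key, 4999, "EUR", payee, secrets.token_bytes(16), code),
    }


if __name__ == "__main__":
    print(demo())
```

The knowledge or inherence factor that unlocks the device key before the code is generated is out of scope here; the point is that the code itself carries the amount and payee.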
What’s been missing is the urgency and the need to bring these solutions to play in today’s consumer environment (because, after all, if it’s not broken, don’t fix it). While these new standards may cause some collective angst, they may also pave the way for modernization and new innovations. Not to mention the death of the password!
Scott Waddell, CTO at iovation