New Challenges for Strong Customer Authentication

July 22, 2019

New Challenges for Strong Customer Authentication

While there are several viable routes to strong customer authentication, the choice of a second factor, possession, is posing problems.

Scott Taylor by Scott Taylor
Fraud Protection & Compliance

Last month I presented at the PSD2 Strong Customer Authentication Summit in London on the challenges of making sure that every customer has a compliant route to authentication. Two days later, the EBA published their latest opinion on SCA and while it seems to offer a little flexibility in terms of the timescales for implementation, in my view it also added some practical challenges in terms of how it can be implemented.

While it seems that there are several viable routes to establish possession, including the use of one-time passcode via both app and SMS, the choice of a second factor may not be easy — at least not for every customer, on every occasion.

For many customers, biometric authentication is not practical — both because of limited consumer adoption but also because availability through 3D Secure is not wide. This makes the ability to use inherence as a factor problematic.

Furthermore, as many financial institutions are opting for server-side biometrics opposed to on device, this is going to require customer enrollment, which will further delay inherence adoption and use.

It is likely that many PSPs will be forced to revert to knowledge as the second factor and that is also challenging:

  • Many organizations have made a strategic decision to move away from passwords, and haven’t collected them from customers for several years. Re-establishing the use of passwords will be a significant project.
  • The use of static card details such as PAN and CVV has been ruled out of use as both a knowledge-based factor and as a possession factor — somewhat contrary to an earlier opinion from the FCA.
  • Other forms of knowledge-based authentication have already been ruled out by an EBA opinion that determines that the knowledge-based factor must use information that is only known by the user. Asking questions based on known information about a customer — such as mother’s maiden name, date of birth or first pet’s name — will not do.

The routes to authentication will be different for every PSP and change will continue for the foreseeable future as consumers adapt to new methods and regulation evolves. As I said at the conference flexibility in deployment is key.

To learn more, see our pages on both managing SCA and on limiting the need to use SCA by using permitted exemptions that secure payments by transaction risk analysis.

related posts

popular posts
Using mobile to reach the Latin American unbanked
popular posts
5 Keys to Using AI and Machine Learning in Fraud Detection
popular posts
A Deep Dive into the Distribution of the FICO Score Across the US
popular posts
What Is Authorised Push Payment Fraud?
popular posts
Average U.S. FICO Score Ticks Up to 706

@BNSFRailway has optimized its management of assigned train crews allowing it to significantly reduce operational c… https://t.co/pzpcRRMmVd

3 hours ago

Who better to hear from during this time of #economiccrisis than two leaders who have over 40 years of combined exp… https://t.co/Fe9fGk7xHM

12 hours ago

Capabilities are now available to make affordability assessment quick, safe, forward-looking, & intelligent. Open B… https://t.co/edeENlKEvS

1 day ago