Last month I presented at the PSD2 Strong Customer Authentication Summit in London on the challenges of making sure that every customer has a compliant route to authentication. Two days later, the EBA published their latest opinion on SCA and while it seems to offer a little flexibility in terms of the timescales for implementation, in my view it also added some practical challenges in terms of how it can be implemented.
While it seems that there are several viable routes to establish possession, including the use of one-time passcode via both app and SMS, the choice of a second factor may not be easy — at least not for every customer, on every occasion.
For many customers, biometric authentication is not practical — both because of limited consumer adoption but also because availability through 3D Secure is not wide. This makes the ability to use inherence as a factor problematic.
Furthermore, as many financial institutions are opting for server-side biometrics opposed to on device, this is going to require customer enrollment, which will further delay inherence adoption and use.
It is likely that many PSPs will be forced to revert to knowledge as the second factor and that is also challenging:
- Many organizations have made a strategic decision to move away from passwords, and haven’t collected them from customers for several years. Re-establishing the use of passwords will be a significant project.
- The use of static card details such as PAN and CVV has been ruled out of use as both a knowledge-based factor and as a possession factor — somewhat contrary to an earlier opinion from the FCA.
- Other forms of knowledge-based authentication have already been ruled out by an EBA opinion that determines that the knowledge-based factor must use information that is only known by the user. Asking questions based on known information about a customer — such as mother’s maiden name, date of birth or first pet’s name — will not do.
The routes to authentication will be different for every PSP and change will continue for the foreseeable future as consumers adapt to new methods and regulation evolves. As I said at the conference flexibility in deployment is key.
To learn more, see our pages on both managing SCA and on limiting the need to use SCA by using permitted exemptions that secure payments by transaction risk analysis.