PSD2: Strong Customer Authentication Done Right
The Revised Payment Services Directive (PSD2), an upcoming EC regulation, will have a massive impact on the financial industry. While the changes to the business are primarily driven by the newly introduced TPPs (Third Party Providers), which can initiate payments and request access to account information, the rules for strong customer authentication (SCA) are also tightened. The goal is better protection for customers of online financial services.
Aside from a couple of exemptions, such as small transactions below 30 € and the use of unattended payment machines, e.g. in parking lots, the basic rule is that 2FA (Two-Factor Authentication) becomes mandatory. Under certain circumstances, 1FA combined with RBA (Risk-Based Authentication) will continue to be allowed. I have explained various terms in an earlier post.
For the scenarios where 2FA is required, the obvious question is how best to do that. When looking at how banks and other services implemented 2FA (and 1FA) up until now, there is plenty of room for improvement. While many services, such as PayPal, still only mandate 1FA, there generally is little choice in which 2FA approach to use. Most banks mandate the use of one specific form of 2FA, e.g. relying on out-of-band SMS or a certain type of token.
However, PSD2 will change the game for financial institutions. It will open the fight for the customer: Who will provide the interface to the customer, who will directly interact with the customer? To win that fight between traditional and new players, customer convenience is a key success factor. And customer convenience starts with registration as a one-time action and continues with authentication, which customers must go through every time they access the service.
Until now, strong (and not so strong) authentication to financial services seems to have been driven by an inside-out way of thinking. The institutions think about what works best for them: what fits into their infrastructure; what is the cheapest yet compliant approach? For customers, this means that they must use what their service provider offers to them.
But the world is changing. Many users have their devices of choice, many of them with some form of built-in strong authentication. They have their preferred ways of interacting with services. They also want a convenient method for authentication. And in the upcoming world, where TPPs can form the new interface, there will be competition.
Thus, it is about time to think about SCA outside-in, from the customer perspective. The obvious solution is to move to Adaptive Authentication, which allows the use of all (PSD2-compliant) forms of 2FA and leaves the choice of method to the customer. There must be flexibility for the customer. The technology is available: platforms that support many different types of authenticators and their combinations for 2FA, but also standards such as the FIDO Alliance standards, which provide interoperability with the ever-growing and ever-changing range of consumer devices in use.
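To make the adaptive policy concrete, here is an added example (not code from the original post) of a small SCA decision function: it applies the exemptions named above (transactions below 30 €, unattended terminals), accepts any two of the customer's registered authenticators from different factor categories as 2FA, and falls back to 1FA plus a risk score where an exemption applies. The authenticator catalogue, the risk cut-off and the function names are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Constructed catalogue (assumption): authenticator type -> SCA factor category
AUTHENTICATOR_CATEGORY = {
    "password": KNOWLEDGE, "pin": KNOWLEDGE,
    "sms_otp": POSSESSION, "hardware_token": POSSESSION, "fido_authenticator": POSSESSION,
    "fingerprint": INHERENCE,
}
LOW_VALUE_LIMIT_EUR = 30.0  # exemption threshold named in the post
RBA_MAX_RISK = 0.3          # assumed cut-off: above this, 1FA + RBA is not enough


@dataclass
class Transaction:
    amount_eur: float
    unattended_terminal: bool = False  # e.g. a parking machine
    risk_score: float = 0.0            # 0.0 (low) .. 1.0 (high), from an RBA engine


def sca_required(tx: Transaction) -> bool:
    """2FA is mandatory unless one of the exemptions from the post applies."""
    return not (tx.amount_eur < LOW_VALUE_LIMIT_EUR or tx.unattended_terminal)


def options(registered: list[str]) -> list[tuple[str, str]]:
    """Every valid 2FA pair the customer may pick: two different factor categories."""
    return [(a, b) for i, a in enumerate(registered) for b in registered[i + 1:]
            if AUTHENTICATOR_CATEGORY[a] != AUTHENTICATOR_CATEGORY[b]]


def decide(tx: Transaction, registered: list[str], used: tuple[str, ...]) -> str:
    """Return 'allow', 'step_up' (ask for another factor) or 'deny' for the factors presented."""
    if not used or any(a not in registered for a in used):
        return "deny"                      # unknown or unregistered authenticator
    categories = {AUTHENTICATOR_CATEGORY[a] for a in used}
    if len(categories) >= 2:               # genuine 2FA always satisfies SCA
        return "allow"
    if sca_required(tx):
        # only one factor presented: request a second one if the customer has any valid pair
        return "step_up" if options(registered) else "deny"
    # exempt transaction: 1FA + RBA is acceptable while the risk score stays low
    return "allow" if tx.risk_score <= RBA_MAX_RISK else "step_up"
```

The `options()` list is what an adaptive front end would present to the customer, so the choice of second factor is theirs rather than the institution's.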
There is room for being both compliant with the SCA requirements of PSD2 and convenient for the customer. But that requires a move to outside-in thinking, starting with what customers want – and customers do not want one single prescribed option, they want a real choice. Adaptive Authentication is thus a key success factor for doing SCA right in the days of PSD2.