The second Payment Services Directive (PSD2) rolled out a set of legal requirements for Strong Customer Authentication (SCA) targeting online banking providers. The ultimate goal was to protect customers against fraud and introduce an extra layer of security for online transactions.
In reality, it means that SCA will have to be present whenever a client signs in its account, commence an online payment transaction or undertakes any other activity that might be the subject of fraud or any other type of discrepancy.
When does SCA come into force?
Initially, the deadline to implement Strong Customer Authentication in the European Economic Area (EEA) was September 2019. Nevertheless, right before the deadline, the UK`s regulator Financial Conduct Authority (FCA) announced that the enforcement of SCA is delayed and will follow a phased 18-month implementation ending in March 2021. Then again, an additional period of six months was given because of the unprecedented Covid-19 circumstances. The new SCA deadline for businesses across the UK is 14 September 2021. Anyway, it means that the FCA will not take any measure after the final date in case the company provides evidence that it has done everything to comply with the SCA plan and requirements.
Similarly, the Strong Customer Authentication deadline across Europe was extended and should come into force by 31 December 2020. However, the European Banking Authority (EBA) hasn’t revisited the timeframe yet, and businesses expect another extension after the Covid-19 outbreak.
Types of mobile authentication apps for SCA
1. Standalone banking app
In digital banking, an all-in-one mobile application is one the most common solution for client authentication and authorisation. Usually, authorisation codes are used, but in some cases, the authorisation code can be replaced with biometrics, such as fingerprints or a face.
Such solution is set up locally and doesn’t require server-based features. The solution provider connects an authorised user to the particular devices (aka device binding) to avoid cloning or reusing cryptographic keys. Sometimes, according to the business logic, the device must have a registered mobile phone number and be able to receive an SMS. However, we need to take into account that SMS isn’t the most secure way of authentication because fraudsters can intercept SMS or forge SIM card.
The device registration means that digital banks not only enhance security but also meet the requirement on using multiple SCA factors. For example, push notifications are handy to inform the client of an authorisation or authentication request. When it comes to protection, there are distinct software protection techniques. Also, a trusted execution environment (TEE) can be used to implement high-security measures.
One app combining SCA and online banking
Digital banking apps integrate identity and security solutions through software development kits (SDKs) delivered by third-party vendors. The SDK mode means that the app has full control over the functionality of SDK supported authentication methods, customer journey and visual identity.
Key features:
· Simple and intuitive application for everyday financial operations
· Widely used and well-liked
· Support a wide range of security technologies (e.g., one-time password, biometrics, and smartcards, etc.)
· Limited accessibility – available on smartphones only
Standalone authentication app
Many digital banks use white label applications as a separate application for authentication. The functionality of the banking application includes an overview of the bank account, transaction management and a communications tool between the client and the bank. The app is protected from intruders by password or fingerprints. In the meantime, the authentication app verifies data like a transaction’s amount and beneficiary for dynamic linking and generates an authentication number for every transaction.
Key features:
· Two easy-to-use and straightforward applications for authentication and verification
· Widely adopted across digital banking
· Secure solution with two separate authentication channels
· Support different security technologies (e.g., one-time password, biometry, smartcards)
· Limited accessibility – available on smartphones only
For example, Advapay`s OTP/MAC Generator – an application that generates one-time passwords. Unlike common hardware tokens such as digipass, the generated password for the payment signature takes into account the payment data, thus providing additional monitoring of payment integrity. It does not depend on a mobile operator, does not need a SIM card and cellular coverage, does not need access to Wi-Fi-network.
2. Banking app deployed in TEE
A Trusted Execution Environment (TEE) is necessary for the central processors of a device to secure an operating system that is used to run an application and protect sensitive data. The secure operating system and the regular operating system operate simultaneously. Many activities on the app are done through the primary operating system. The app used the TEE to ensure that sensitive information is stored and processed in a secure and physically isolated setting.
Key features:
· Easy-to-use app for end-users
· Unprecedented level of security – the TEE sets apart the hardware environment from the rest of the device.
· Security credentials handled in the TEE and secured using hardware.
· Dependency on technologies – not all devices support the TEE
3. Mobile Identity solution
Mobile Connect, a global open standard supported by GSMA, provides generic login functionality for online banking worldwide. Currently, 24 businesses have agreed to become Mobile Connect vendors and comply with Mobile Connect requirements. In practical terms, Mobile Connect provides an industry-standard API that relies on Open ID Connect. The workflow defines that the client must have a smartphone (possession), a PIN code (knowledge) or biometrics such as face or fingerprints (inherence).
Mobile Connect is being adopted around the world with key markets embracing the opportunity in different ways and establishing new levels of cooperation between operators. The map displaying Mobile Connect global deployment locations you can find here.
Mobile Identity as a second-factor authentication
Mobile Identity can act as a means of authentication for the second factor. Digital banks usually provide the primary factor (e.g., user ID, password or app), but the Mobile Identity solution provides the second factor. In such a case, a secure execution environment (SEE) relies on the security of the SIM card or device-smartphone. There is a separate channel for mobile operator authentication and primary bank authentication. Mobile Identity is developed in a way that it can use different types of authenticators, including a SIM with an application (SIM applet), a smartphone application (standalone or all-in-one app), or mobile network authentication.
Key features:
· Compatible with different types of smartphones
· Fast and simple online authentication using an ID password
· Partnership with mobile operators required
· Mobile network authentication counts on the mobile network to exchange signatures. No encrypted messages, credentials or other details like PIN code and OTP are exchanged over the air.
· Segregated responsibility and security between the bank and the mobile operator
· Possibility to disable Mobile Identity feature and block the second factor in case the device is lost or stolen
Mobile Identity as two-factor authentication
In case of a SIM applet. The SIM serves as a holder of the authenticator. The mobile operator delivers an invisible SMS to the user, and the same user enters the Mobile Connect PIN. In the next step, the comparison of the PIN is carried out locally.
In case of Smartphone app authenticator. Smartphone app authenticator is linked to the mobile network, which means that the mobile network operator can validate the integrity of the associated SIM, device and user. The Mobile Connect SDK won’t start functioning unless the integrity is confirmed.
Key features:
· Compatible with different types of smartphones
· Multipurpose banking app with integrated SDK – no additional app is necessary
· Banking services and authentication split between two different channels
· Uncompromised security with SIM applets – a hardware protected environment for Mobile Connect PIN stored on the SIM
· Partnership with mobile operators required
· Possibility to disable the feature in case the device is lost or stolen.
· No credential is exchanged over the air.
Conclusion
Technologies are developing fast, and new ways of Strong Customer Authentication (e.g., biometrics) have been introduced to improve both customer experience and security of authentication and payment transactions. There are many next-generation applications on the market that are more hands-on with security than the previous versions. Therefore, whenever you think of using new application for SCA, you need to assess several factors that include security, integration and customer experience and expectations.
Be ready for SCA
We, at Advapay, are here to help digital banks and fintechs get ready and adopt Strong Customer Authentication. In addition to the Digital Core Banking platform, Advapay offers OTP/MAC Generator, a secure application for digital banks and fintechs to comply with SCA requirements. This solution is created to ensure that authentication and payment signing is up and running with unmatched security without taking away the ownership of the customer journey.
Advapay is a technology company providing the Digital Core Banking platform to empower fintech clients or digital banks to start their businesses and accelerate digital transformation. The platform delivers all essential functionalities, a front-to-back system and a set of tools to customise and bring new integrations. With Advapay, potential and existing customers can connect either to the cloud-based SaaS or on-premise software. Besides the technical infrastructure, the company provides business advisory and fintech licensing services. Interested to learn more, please drop us a message.
