You can now meet PSD2 authentication requirements while improving user experience

Yes, really!

When the European Banking Authority (EBA) published the final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) under the revised Payment Services Directive (PSD2) in February, two critical messages emerged for the European payments ecosystem:

1. You will need to require multi-factor authentication for customers in certain scenarios based on transaction amount and fraud level

2. You can accomplish the first item and still maintain a great user experience that helps to improve sales and conversion rates

This second piece is good news to an industry that had been bracing for “old school” multi-factor authentication requirements that would have introduced unwanted friction into the online payment process. But thankfully the final language in the regulation reflects a modern understanding of multi-factor authentication, thanks in large part to the outreach by FIDO Alliance and several of its members. Here’s what is new and different in the final language and why payment service providers have reason to celebrate the outcome of the extended public review process. While the final draft RTS requires two secure and distinct factors of authentication, it also recognizes that these factors can be housed in a single “multi-purpose” device – such a mobile phone, tablet or PC – as long as “separate secure execution environments” (such as trusted execution environments (TEE), secure elements (SE) and trusted platform modules (TPM)) are used.

Most consumer-grade devices, such as laptops and mobile phones, are shipping with these security capabilities already built in, as well as on-device biometric authenticators. Organisations can leverage these devices and capabilities to meet PSD2 SCA requirements simply by implementing support for FIDO authentication standards in their payment applications, such as card-on-file wallet services and merchant applications.

FIDO standards and certifications are offered by the FIDO Alliance, the not-for-profit, multi-stakeholder, global industry consortium of more than 250 organisations – many of whom are regulated payment service providers (PSPs) and/or financial institutions. FIDO standards, available to any organisation to freely implement, are in wide use today with hundreds of millions of supported devices in the market, and several companies using these devices to protect financial transactions. In fact, it is hard to buy a device that cannot support FIDO authentication today. The FIDO architecture offers a truly “best of both worlds” solution to the problems that drove the creation of multi-factor authentication requirements:

? With biometric solutions being used for “user verification” (a “what you are” authentication factor), FIDO is addressing increased market demand for greater user convenience than anything used for online payments before.
? FIDO privacy requirements ensure biometric data is never shared, addressing requirements by data protection authorities and consumer concerns about sharing biometric information online.
? With asymmetric cryptography at the heart of the security model, FIDO addresses the security requirement designed to mitigate theft of payment service credentials by all known attacks that successfully harvest “shared secret” credentials like passwords, effectively mitigating the techniques that are behind 95% of all web app attacks that lead to data breaches.

The result is a single-gesture, multi-factor authentication event (“what you are” – the on-device biometric user verification step plus “what you have” – the cryptographic proof-of-possession of the private key) packaged for consumers in a very simple user experience they are already familiar with, since they likely use this same user experience to unlock their device several times per day.

If organisations want to roll out strong authentication with a lower total cost of ownership while meeting organisational and user demand for transaction convenience and PSD2 SCA requirements, they should consider solutions that leverage FIDO standards.

About Brett McDowell

Brett McDowell is the Executive Director of the FIDO Alliance, the organization he helped establish in 2012 to remove the world’s dependency on passwords through open standards for strong authentication. Previously, he was Head of Ecosystem Security at PayPal, where he developed strategies and lead programs to make the Internet safer for PayPal and their customers. Mr. McDowell has extensive experience leading multi-stakeholder cybersecurity initiatives, having held various leadership roles in NSTIC IDESG, DMARC.org, M3AAWG, National Cyber Security Alliance, StopBadWare.org, Kantara Initiative, and Liberty Alliance Project. Mr. McDowell is a Fellow at the National Center for Digital Government at the University of Massachusetts.

About FIDO Alliance

The 250+ member, cross-industry FIDO Alliance provides specifications and certifications to enable an interoperable ecosystem of on-device authenticators that can be used for simpler, stronger authentication to many compliant mobile apps and websites. Support for FIDO authentication has been built into flagship devices from top handset manufacturers, while some of the most trusted brands including Google, Facebook, NTT DOCOMO and PayPal have made FIDO authentication available to protect more than 3 billion end-user accounts.