Angst Over the EBA’s PSD2 Two-Factor Authentication Directive


The convenience and speed of online shopping and banking in Europe are said to be under threat by proposed standards from the European Banking Authority (EBA) due to be released in January of 2017. The new rules, issued in response to requirements in the Payment Services Directive, will require “strong customer authentication” for all electronic payments over €10 (around $10.50 USD).

That is a low bar when the average online retail transaction in Europe was $85.63 in 2016. In effect, “strong customer authentication” in the form of additional confirmation steps, such as entering passwords, one-time codes, or using a physical card reader, will be applied to a majority of transactions within the European Union.

Forcing users to perform these additional confirmation steps on transactions is likely to increase the online shopping cart abandonment rate, already high in the estimated 68-71% range worldwide. Further, the new rule as written would significantly impact one-click checkouts such as Amazon’s One-Click and PayPal’s One Touch in Europe. Many retailers fear that if these proposals are enacted as is, they will cause an unnecessary drag on online commerce.

As the controversy over these proposed new rules demonstrates, striking a balance between the needs for convenience and security remains a challenge.

On the one hand, all organizations want secure transactions that prevent fraud. On the other, no one wants the hassle of additional barriers—the more requests for additional information and verification demanded from users, the less likely the transaction will be followed to completion. The additional friction introduced into the process in the pursuit of security can exact the ultimate cost—revenue loss.

This, in part, is why there is much angst surrounding the EBA’s requirement for two-factor authentication (2FA), which will require at least two different attributes to confirm that the user is who they claim to be.

Defining “Strong Authentication”

According to PSD2 as currently proposed, strong authentication is defined as:

“…based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”

Based on current 2FA methods, the concern over adding more friction to the transaction might be well founded.

However, while I do agree that more stringent authentication and risk assessment techniques through 2FA are needed to prevent fraud, I don’t agree that compromising the customer experience has to be an inevitable offshoot of these heightened security controls. 

Because of their internal architecture, mobile devices contain thousands of identifying attributes, such as location, manufacturer, and operating system. There are now advanced software solutions that can collect and combine these attributes to form a unique device ID, ensuring the mobile device functions as a trusted second factor of authentication, proving “something you have.” Further, this can be done in such a way that it is permanent, “binding” the device to a legitimate account holder. When done in this manner, the permanent ID can survive an app uninstall/reinstall and operating system upgrades, and cannot be spoofed.

Using a permanent ID means that the mobile device can become the trusted vehicle for the delivery of a 2FA message, which must include elements that dynamically link the transaction to a specific amount and a specific payee in order to authenticate it. When done in this manner, the bound device is the only device in the world that can read the message, and there is no possibility of interception, replay, or forwarding, unlike current 2FA delivery methods that use SMS or email.
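As an added illustration of the dynamic-linking requirement described above (example code written for this page, not from the original post or any vendor): the bound device computes an authentication code over the exact amount and payee it displayed, and the server accepts that code only once and only for the transaction the challenge was issued for. The per-device key, the challenge flow and the IBAN-style payee field are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class Transaction:
    """The two elements dynamic linking must bind: amount and payee."""
    amount_cents: int
    currency: str
    payee_iban: str


def linked_message(tx, challenge):
    # Canonical encoding so device and server hash exactly the same bytes.
    body = {"tx": asdict(tx), "challenge": challenge.hex()}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def device_authenticate(device_key, tx, challenge):
    """Runs on the bound device after it shows the amount and payee to the user.
    The code is an HMAC over those details under the device-bound key (assumed
    here to be a per-device secret provisioned when the device was bound)."""
    return hmac.new(device_key, linked_message(tx, challenge), hashlib.sha256).digest()


class PaymentServer:
    """Issues one-time challenges and accepts a code only if it was computed
    over the exact amount and payee that the challenge was issued for."""

    def __init__(self):
        self._device_keys = {}  # account -> key provisioned at binding (assumed)
        self._pending = {}      # challenge -> Transaction awaiting a code

    def bind_device(self, account):
        key = secrets.token_bytes(32)
        self._device_keys[account] = key
        return key  # delivered to the device during enrolment (assumption)

    def start_payment(self, tx):
        challenge = secrets.token_bytes(16)
        self._pending[challenge] = tx
        return challenge

    def confirm_payment(self, account, challenge, code):
        # pop() consumes the challenge, so a captured code cannot be replayed.
        tx = self._pending.pop(challenge, None)
        key = self._device_keys.get(account)
        if tx is None or key is None:
            return False
        expected = hmac.new(key, linked_message(tx, challenge), hashlib.sha256).digest()
        return hmac.compare_digest(expected, code)
```

A code produced for a different amount or payee, a replayed challenge, or a key from an unbound device all fail verification.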

Once authenticated in this manner, the user’s device can then operate as a secure channel in all transactions with the organization. This eliminates the need for additional challenge questions, passcodes and other cumbersome methods to authenticate a user’s identity, while allowing retailers to identify devices and assess device riskiness with far greater confidence.

Once a customer is tied to a permanent device ID, organizations are able to better recognize and trust returning devices, enabling more customers to transact faster and with greater ease in just a few steps, while fraudsters can be flagged and barred.

With a strong device authentication strategy in place, organizations can then introduce innovations that drive higher conversions, including guest checkout and one-click transactions, without the fear of increased risk and exposure. The organization gets assurance that the customer is who they claim, while the customer remains unaware of what is happening under the hood—in other words, they enjoy a frictionless experience.

Security works best when it is unobtrusive, doing its work protecting people quietly in the background. It becomes a nuisance—often with costly consequences—when it is intrusive, unnecessarily barring good customers and demanding more information from them.

While the PSD2 requirements are not yet final, given the right solutions, organizations can be compliant with the EBA’s proposed PSD2 requirements on 2FA while still striking that vital balance between security and a frictionless customer experience.


External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
