The final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) under the revised Payment Services Directive (PSD2) mandate that financial institutions require multi-factor authentication for certain scenarios based on transaction amount and fraud level.
For an industry that had been bracing for “old school” multi-factor authentication requirements that would have introduced unwanted friction into the online payment process, there is good news: with FIDO standards, you have an easy-to-deploy way to meet PSD2 SCA requirements, while meeting organizational and user demand for transaction convenience. In a paper released today, we detail exactly why and how. Read the paper, “FIDO & PSD2: Meeting the Needs for Strong Consumer Authentication,” here.
The final language in the regulation reflects a modern understanding of multi-factor authentication, thanks in large part to the outreach by FIDO Alliance and several of its members. Here’s what is new and different in the final language and why payment service providers should be happy. While the final draft RTS requires two secure and distinct factors of authentication, it also recognizes that these factors can be housed in a single “multi-purpose” device – such as a mobile phone, tablet or PC – as long as “separate secure execution environments” are used (such as trusted execution environments (TEE), secure elements (SE) and trusted platform modules (TPM)).
Most consumer-grade devices, such as laptops and mobile phones, are shipping with these security capabilities already built in, as well as on-device biometric authenticators. Organizations can leverage these devices and capabilities to meet PSD2 SCA requirements simply by implementing support for FIDO authentication standards in their payment applications, such as card-on-file wallet services and merchant applications.
FIDO Authentication is available to any organization to implement freely, and once it is deployed, banks and PSPs may accept a variety of FIDO-compliant authenticators in the market. FIDO certified products are tested for interoperability regardless of operating system, whether based on a mobile phone, a PC-based browser or an external hardware device such as a FIDO security key, which reduces costs and simplifies deployment.
The FIDO architecture offers a truly “best of both worlds” solution to the problems that drove the creation of multi-factor authentication requirements:
- With asymmetric cryptography at the heart of the security model, FIDO addresses the security requirement designed to mitigate theft of payment service credentials by all known attacks that successfully harvest “shared secret” credentials like passwords. This effectively mitigates the techniques that are behind 95 percent of all web app attacks that lead to data breaches.
- With biometrics and security keys being used as convenient “something you are” and “something you have” authentication factors, respectively, FIDO is addressing increased market demand for greater usability than anything previously applied to online payments.
- FIDO privacy requirements ensure biometric data, when used, is never shared, addressing requirements by data protection authorities and consumer concerns about sharing biometric information online.
The result is a single-gesture, multi-factor authentication event packaged for consumers in a very simple user experience.
To learn more about how FIDO Authentication meets the PSD2 requirements for strong online authentication, visit our new landing page dedicated to the topic, read the new white paper, and/or request a briefing from the FIDO Alliance by filling out the form here.