FIDO Authentication and the European Banking Authority’s Payment Services Directive (PSD2) Requirements
FIDO standards provide
secure, user-friendly way for European payments industry to meet PSD2 strong authentication requirements
The FIDO Alliance’s authentication standards provide a scalable way for the European financial ecosystem to meet PSD2 requirements for strong authentication of user logins and cryptographically signed transactions — while also meeting organizational and consumer demand for transaction convenience.
FIDO Authentication is based on open standards that are supported by an interoperable ecosystem of 350+ FIDO Certified solutions. Banks and payment services providers (PSPs) can select from many leading vendors of modern authentication solutions and/or they can develop and test their own FIDO-based PSD2 solutions. Once deployed, banks and PSPs may accept a variety of certified, interoperable FIDO-compliant authenticators in the market, including those in mobile devices and PCs, and hardware-backed security keys. The end result is a low-friction approach for user authentication that exceeds the European Banking Authority’s (EBA) PSD2 requirements.
The FIDO architecture offers a truly “best of both worlds” solution to the problems that drove the creation of multi-factor authentication requirements as defined in the EBA’s final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA).
- With asymmetric cryptography at the heart of the security model, FIDO addresses the RTS security requirement designed to mitigate theft of payment service credentials by all known attacks that successfully harvest “shared secret” credentials like passwords, effectively mitigating the techniques that are behind 95% of all web app attacks that lead to data breaches
- With easy-to-use biometrics and security keys being used for the “what you are” and “what you have” authentication factors, respectively, FIDO is addressing increased market demand for greater user convenience than anything used for online payments before.
- FIDO privacy requirements ensure biometric data, when used, is never shared, addressing requirements by data protection authorities and consumer concerns about sharing biometric information online.
Financial services organizations and policy makers who want to learn more about how FIDO Authentication meets the PSD2 requirements for strong online authentication can review the additional resources below, or request a briefing from the FIDO Alliance by filling out the form here.
FIDO & PSD2 Resources
How FIDO Standards Meet PSD2’s Regulatory Technical Standards Requirements On Strong Customer Authentication
This document provides a detailed review of the security requirements listed in the Regulatory Technical Standards For Strong Customer Authentication and Common and Secure Open Standards Of Communication under PSD2 (the RTS) and describes how the FIDO standards meet such requirements.
FIDO & PSD2: Meeting the Needs for Strong Customer Authentication
This white paper outlines how the FIDO standards can facilitate the implementation of the new disruptive PSD2 regulation with user-friendly secure solutions.
FIDO & PSD2: Providing for a Satisfactory Customer Journey
This white paper examines the different authentication models that could apply within the interactions of a Third Party Provider and an Account Servicing Payment Service Provider. It proposes the FIDO standards as a solution to simplify the user experience, for any of these models, in a way that meets the Strong Customer Authentication requirements of PSD2.
Response to the European Banking Authority Discussion Paper on Future Draft Regulatory Technical Standards on Strong Customer Authentication and Secure Communication Under the Revised Payment Services Directive (PSD2)
In this response to the EBA, the FIDO Alliance details how FIDO-compliant implementations that follow security best practices are ideal examples of what the EBA regulations for “strong customer authentication” under PSD2 are striving to foster: simpler, stronger authentication capabilities that merchants and consumers will adopt at scale.
Response to the European Banking Authority Consultation on PSD2 and Exemptions
This is FIDO’s response to the EBA’s Consultation paper, which details proposed conditions that banks will have to meet to be exempted from developing alternative options to an API when implementing PSD2 compliant solutions. FIDO’s responses are largely focused on the portions of the draft that impact on how Strong Customer Authentication (SCA) will be implemented.
FIDO ALLIANCE Addresses PSD2 Screen Scraping Debate in Letter to European Commission and European Parliament
In this blog and associated open letter to the European Parliament, the FIDO Alliance explains why it does not see any way in which the screen scraping approach can be implemented to the level of enhanced security called for in PSD2. The Alliance also says that, to the extent that the EC believes a “fallback option” such as screen scraping needs to be supported while banks come up to speed with PSD2, that this may be better addressed through a policy exemption to the RTS, rather than in the RTS itself.
FIDO Privacy: FIDO Alliance White Paper
This white paper describes how privacy has been taken into account in the design of the FIDO protocols, and how they can help meet privacy requirements from certain regulatory authorities.
FIDO Solutions for Financial Services and Payments
This web page explains FIDO Authentication use cases and benefits for users and deploying organizations for financial services and payments applications.