
Angst Over the EBA’s PSD2 Two-Factor Authentication Directive

The convenience and speed of online shopping and banking in Europe are said to be under threat by proposed standards from the European Banking Authority (EBA) due to be released in January of 2017. The new rules, issued in response to requirements in the Payment Services Directive, will require “strong customer authentication” for all electronic payments over €10 (around $10.50 USD).

That is a low bar when the average online retail transaction in Europe was $85.63 in 2016. In effect, “strong customer authentication” in the form of additional confirmation steps, such as entering passwords, one-time codes, or using a physical card reader, will be applied to a majority of transactions within the European Union.

Forcing users to perform these additional confirmation steps on transactions is likely to increase the online shopping cart abandonment rate, already high in the estimated 68-71% range worldwide. Further, the new rule as written would significantly impact one-click checkouts such as Amazon’s One-Click and PayPal’s One Touch in Europe. Many retailers fear that if these proposals are enacted as is, they will cause an unnecessary drag on online commerce.

As the controversy over these proposed rules demonstrates, striking a balance between convenience and security remains a challenge.

On the one hand, all organizations want secure transactions that prevent fraud.  On the other, no one wants the hassle of additional barriers—the more requests for additional information and verification demanded from users, the less likely the transaction will be followed to completion. The additional friction expected to be introduced into the process in the pursuit of security can enact the ultimate cost—revenue loss.

This, in part, is why there is so much angst surrounding the EBA’s requirement for two-factor authentication (2FA), which requires at least two different attributes to confirm that the user is who they claim to be.

Defining “Strong Authentication”

According to PSD2 as currently proposed, strong authentication is defined as:

“…based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.”

Based on current 2FA methods, the concern over adding more friction to the transaction might be well founded.

However, while I do agree that more stringent authentication and risk assessment techniques through 2FA are needed to prevent fraud, I don’t agree that compromising the customer experience has to be an inevitable offshoot of these heightened security controls. 

Because of their internal architecture, mobile devices contain thousands of identifying attributes, such as location, manufacturer and operating system. Advanced software can now collect and combine these attributes into a unique device ID, so that the mobile device functions as a trusted second factor of authentication, proving “something you have.” Further, this can be done in a way that is permanent, “binding” the device to a legitimate account holder. When done in this manner, the permanent ID survives an app uninstall/reinstall and operating system upgrades, and cannot be spoofed.

Using a permanent ID means the mobile device can become the trusted vehicle for delivering a 2FA message, which must include elements that dynamically link the transaction to a specific amount and a specific payee in order to authenticate it. When done in this manner, the bound device is the only device in the world that can read the message, and there is no possibility of interception, replay or forwarding, unlike current 2FA delivery methods that use SMS or email.
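As an added illustration of the dynamic-linking requirement described above (this is not code from the original article or from any vendor it alludes to): a hypothetical issuer-side `AuthServer` binds a device to an account at enrolment, issues a per-transaction challenge carrying the amount and payee, and accepts a confirmation only if it was computed by the bound device over exactly those details and has not been seen before. HMAC-SHA256 from the Python standard library stands in for the asymmetric, hardware-held key a production deployment would use; the account, device, amount and payee values are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


def canonical_message(nonce: str, amount_cents: int, currency: str, payee: str) -> bytes:
    """Deterministic encoding of the fields the confirmation is linked to."""
    return json.dumps(
        {"nonce": nonce, "amount_cents": amount_cents, "currency": currency, "payee": payee},
        sort_keys=True,
        separators=(",", ":"),
    ).encode("utf-8")


def confirmation_code(key: bytes, nonce: str, amount_cents: int, currency: str, payee: str) -> str:
    """HMAC-SHA256 over the canonical message; stands in for a device-held signing key."""
    return hmac.new(key, canonical_message(nonce, amount_cents, currency, payee), hashlib.sha256).hexdigest()


@dataclass
class Challenge:
    account: str
    device_id: str
    amount_cents: int
    currency: str
    payee: str
    used: bool = False


class AuthServer:
    """Hypothetical issuer-side service: binds devices and verifies linked confirmations."""

    def __init__(self) -> None:
        self._device_keys = {}   # (account, device_id) -> binding key (constructed store)
        self._challenges = {}    # nonce -> Challenge

    def bind_device(self, account: str, device_id: str) -> bytes:
        # Enrolment: create the binding key once; the device keeps it, the server records it.
        key = secrets.token_bytes(32)
        self._device_keys[(account, device_id)] = key
        return key

    def issue_challenge(self, account: str, device_id: str, amount_cents: int, currency: str, payee: str) -> dict:
        if (account, device_id) not in self._device_keys:
            raise KeyError("device is not bound to this account")
        nonce = secrets.token_hex(16)  # fresh per transaction, so a code cannot be reused
        self._challenges[nonce] = Challenge(account, device_id, amount_cents, currency, payee)
        return {"nonce": nonce, "amount_cents": amount_cents, "currency": currency, "payee": payee}

    def verify(self, account: str, device_id: str, nonce: str, amount_cents: int,
               currency: str, payee: str, code: str) -> bool:
        rec = self._challenges.get(nonce)
        if rec is None or rec.used:
            return False  # unknown nonce, or a replay of an already-consumed confirmation
        if (rec.account, rec.device_id) != (account, device_id):
            return False  # confirmation presented for a different account or device
        if (rec.amount_cents, rec.currency, rec.payee) != (amount_cents, currency, payee):
            return False  # amount or payee changed after the user saw the challenge
        expected = confirmation_code(self._device_keys[(account, device_id)], nonce, amount_cents, currency, payee)
        if not hmac.compare_digest(expected, code):
            return False  # wrong key: not the bound device
        rec.used = True
        return True


class BoundDevice:
    """Hypothetical app side: holds the binding key and confirms challenges the user approves."""

    def __init__(self, device_id: str, key: bytes) -> None:
        self.device_id = device_id
        self._key = key

    def confirm(self, challenge: dict) -> str:
        # In a real app the amount and payee are shown to the user before this step.
        return confirmation_code(self._key, challenge["nonce"], challenge["amount_cents"],
                                 challenge["currency"], challenge["payee"])


def run_scenarios() -> dict:
    """Constructed scenarios: one legitimate confirmation and three that must be rejected."""
    server = AuthServer()
    account, device_id = "acct-1001", "dev-A"
    device = BoundDevice(device_id, server.bind_device(account, device_id))
    impostor = BoundDevice(device_id, secrets.token_bytes(32))  # claims dev-A but lacks its key

    ch = server.issue_challenge(account, device_id, 4999, "EUR", "Example Shop")
    code = device.confirm(ch)
    results = {}
    results["legitimate"] = server.verify(account, device_id, ch["nonce"], 4999, "EUR", "Example Shop", code)
    results["replay"] = server.verify(account, device_id, ch["nonce"], 4999, "EUR", "Example Shop", code)

    ch2 = server.issue_challenge(account, device_id, 4999, "EUR", "Example Shop")
    code2 = device.confirm(ch2)
    results["tampered_amount"] = server.verify(account, device_id, ch2["nonce"], 499900, "EUR", "Example Shop", code2)

    ch3 = server.issue_challenge(account, device_id, 4999, "EUR", "Example Shop")
    results["wrong_device"] = server.verify(account, device_id, ch3["nonce"], 4999, "EUR", "Example Shop",
                                            impostor.confirm(ch3))
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The three rejected cases are the ones the paragraph above is concerned with: a replayed code (nonce already consumed), a confirmation whose amount no longer matches what the user approved, and a code produced by a device that was never bound. Swapping the HMAC for a signature from a key pair generated in the device's secure hardware keeps the same checks while leaving the server holding only public keys.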

Once authenticated in this manner, the user’s device can then operate as a secure channel in all transactions with the organization. This eliminates the need for additional challenge questions, passcodes and other cumbersome methods to authenticate a user’s identity, while allowing retailers to identify devices and assess device riskiness with far greater confidence.

Once a customer is tied to a permanent device ID, organizations are able to better recognize and trust returning devices, enabling more customers to transact faster and with greater ease in just a few steps, while fraudsters can be flagged and barred.

With a strong device authentication strategy in place, organizations can then introduce innovations that drive higher conversions, including guest checkout and one-click transactions, without the fear of increased risk and exposure.  The organization gets assurance that the customer is who they claim, while the customer remains unaware of what is happening under the hood—in other words, they enjoy a frictionless experience.

Security works best when it is unobtrusive, doing its work protecting people quietly in the background. It becomes a nuisance—often with costly consequences—when it is intrusive, unnecessarily barring good customers and demanding more information from them.

While the PSD2 requirements are not yet final, given the right solutions, organizations can be compliant with the proposed EBA’s PSD2 requirements on 2FA while still striking that vital balance between security and a frictionless customer experience.



Comments: (4)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 06 February 2017, 17:10

Going by the experience with 2FA in India, the angst is justified. Sad to see EBA regressing.

Arjeh Van Oijen - Icon Solutions - Amsterdam, 07 February 2017, 13:21

Hi Sunil,

Fully agree with your PoV. If the burden is too high for the end user (and everything that takes more than one click will be) it will impact e/m-commerce conversion rates and/or fall back to less secure (but easier to use) payment instruments.

I also believe that HCE/SE in combination with TEE can play a role in this. This makes it possible to have an authorisation message digitally signed with keys securely stored in the cloud/SE (as happens with an NFC-driven card transaction). TEE is used to make sure that only trusted apps can access the relevant APIs. This mechanism can not only be applied to securing payments, but also to secure sign-on and signing of documents.

Ganesh Guruvayur - Intellect Design Arena - New Jersey, 07 February 2017, 23:17

Hi Sunil, great post. I would further extend the thought to propose creation of a wider correlation matrix that covers ownership of physical assets such as refrigerators, cars and washing machines that are becoming digital assets in the rapid realization of the IoT scenario, capable of originating owner-not-present purchases. Imagine each of these transactions requiring the owner to provide 2FA through the day, forcing her to forgo a few precious moments of attention from office work to understand the context of the transaction.

A Finextra member, 13 February 2017, 17:48

Hi. You mention Statista's huge 68-71% abandonment rate. But interesting to check those "6 main reasons for e-commerce cart abandonment" by WMO where "Payment Security concerns" rank #4 at 13% and "Confusing checkout" #5 at 12%, well after "unexpected shipment costs" (#1 28%), "create user account" (#2 23%) while #3 16% of clients were "just conducting research".

So 1) it seems like e-merchants have a lot on their side to improve conversion rate and 2) PSD2 and SCA could indeed help them in that move