18 November 2017
visit www.avoka.com

FIDO Alliance urges European Commission to outlaw screen scraping

08 September 2017  |  4353 views  |  0 Source: FIDO Alliance

Conversations are ongoing between the European Commission (EC) and the European Banking Authority (EBA) around the Regulatory Technical Standard (RTS) for Strong Customer Authentication (SCA) under the Payment Services Directive 2 (PSD2), specifically with regards to “screen scraping”.

Screen scraping is the practice where third-party Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) access bank accounts on a client’s behalf using their username and password. The practice was prohibited in the EBA’s final draft RTS, however, following a strong push back from banks, the EC is now urging the EBA to allow companies to use screen scraping as a “fallback option”.

The FIDO Alliance* recently wrote to the EC setting out the key problems with endorsing screen scraping. It argued that any approach where consumers are asked to share their login details with another entity is fundamentally at odds with language in the PSD2 and that it ultimately places consumers at increased risk. The most secure and efficient way for consumers to authorise third parties to access bank accounts today is through the use of Application Programming Interfaces (APIs), authorised by means of unphishable strong customer authentication i.e. credentials based on public key cryptography as opposed to passwords, which are inherently vulnerable.

Brett McDowell, executive director of the FIDO Alliance*, has since made the following comments in a blog post on this topic.

“We do not see any way in which the screen scraping approach requested by the EC can be implemented to the level of enhanced security called for in PSD2. There are far more secure ways for consumers to delegate access to their bank accounts, involving APIs protected by strong customer authentication credentials. Based around proven global standards such as OAuth 2.0 and OpenID Connect (OIDC), these API-based solutions have the added benefit of providing not just better security but also better privacy - as they allow consumers to grant access to their bank accounts on a granular level, choosing to share some details but not others. When paired with FIDO standards for strong authentication, API-based solutions gain the benefits of device-based multi-factor authentication that is both safer and easy for consumers to use than typing codes into a form.”

* The Fast IDentity Online Alliance (FIDO Alliance) is a consortium of more than 250 organisations from around the world collaborating to improve the state of online authentication by developing open technical standards and advocating industry best practices

Comments: (0)

Comment on this story (membership required)

Related company news

 

Related blogs

Create a blog about this story (membership required)
visit https://www.niceactimize.comvisit www.atos.netvisit www.aciworldwide.com

Top topics

Most viewed Most shared
Ripple boss predicts central bank adoption of blockchainRipple boss predicts central bank adoption...
13144 views comments | 21 tweets | 21 linkedin
Singapore central bank open sources blockchain prototypesSingapore central bank open sources blockc...
11819 views comments | 15 tweets | 28 linkedin
Digital receipt startup Flux scores game-changing deal with BarclaysDigital receipt startup Flux scores game-c...
9931 views comments | 20 tweets | 36 linkedin
AmEx partners Ripple and Santander for blockchain-enabled cross-border paymentsAmEx partners Ripple and Santander for blo...
9448 views comments | 13 tweets | 39 linkedin
UK cryptocurrency exchange startup launches debit card for spending bitcoinUK cryptocurrency exchange startup launche...
7979 views comments | 26 tweets | 37 linkedin

Featured job

to £70K base, £105K ote, benefits
London, UK

Find your next job