Commissioned by ForgeRock
1 Executive Summary
In the European Union, the Revised Payment Services Directive (PSD2) will radically alter the financial services landscape. It has already begun to create a more competitive environment, with new business entities arising to offer additional financial services, such as acquiring account information and presenting it to consumers, and initiating payments directly from accounts at traditional financial institutions to merchants and other electronic service providers.
From a technical perspective, PSD2 necessitates improvements in two major functional areas:
- Strong Customer Authentication (SCA), transactional risk analysis, and malware mitigation in transaction processing
- Opening new financial service APIs, and properly securing them
Concerning SCA, in most cases authorization and access control are predicated upon authentication, i.e., determining whether the subject is who or what it claims to be. Regulations often stipulate the level of authentication assurance required before certain types of actions may be performed on systems and data. PSD2, at a high level, requires “strong authentication”. The directive relies upon the standard definition, which requires two of these three factors: something you know, something you have, and something you are.
The problems with username/password authentication are well known. Both usernames and passwords are easily and often forgotten. Password resets are expensive, in terms of both help desk costs and lost productivity. Passwords are easily guessed by attackers. Password databases can be cracked via brute-force attacks. There is no such thing as a strong password. Telling users to choose complex passwords and to use a different password for every site is futile. Most cyber-attacks and data breaches that have made the news in recent years have involved the perpetrator(s) gaining access to systems and data by compromising usernames and passwords.
Higher assurance authentication is fundamental to reducing risk of fraud and data loss. Stronger authentication techniques also enable greater compliance with regulations such as PSD2, as we will see below.
Fortunately, better alternatives to passwords exist. Many enterprises have deployed smart cards, USB tokens, or other types of strong authentication tokens for the highest levels of assurance. Biometric solutions, which use something about oneself as an authenticator, such as fingerprints or iris scans, are gaining traction due to their popularity among users. Out-of-band and step-up authentication and authorization options via mobile devices are becoming more common and more widely accepted by users.
PSD2 will spur the adoption of these new authenticators in the quest to achieve SCA. Authenticators with a higher degree of usability, such as mobile push and mobile biometrics apps, are likely to be preferred and to become dominant. Authenticator form factors such as smart cards and USB tokens will probably not be deployed by banks or FinTechs because they are less user-friendly.
With regard to APIs, please see KuppingerCole’s Leadership Brief.
PSD2 will radically change the financial sector in the EU.
This paper will dive deeper into the technical requirements that banks and financial service providers face in preparing for EU PSD2 with regard to strong customer authentication. We will also discuss the ramifications for banks and other financial services organizations. Lastly, we will consider how the ForgeRock Identity Platform can help banks and TPPs prepare for PSD2.