Establishing strong authentication for PSD2

SDO Marketing Staff | January 31, 2019

September 14, 2019 will mark a milestone date for the online payment industry. That’s when the Strong Customer Authentication (SCA) regulation will come into effect. As part of the Revised Payment Service Directive (PSD2), SCA imposes stricter security rules on payment service providers to protect customers and merchants against the mounting threat of online fraud.

Whether you’re running a business that processes online payments or a customer using online payment portals to pay for goods and services, it’s important that you know how PSD2 SCA will affect you, and how you can use its security benefits to protect your payments against online fraud.


What is PSD2?

PSD2 is a broad set of online payment rules that came into effect in early 2018 and applies across the European Economic Area (EEA). Many describe it as an end to the monopoly of banks over customer account information. Under PSD2, bank customers, both retail and business, can allow third-party services to access their account information through application programming interfaces (APIs) provided by their banks.

What this means is that you may use an online service such as Facebook or Google to pay your bills, make P2P transfers and analyze your spending, while still keeping your money in your current bank account. PSD2, which is the evolution of a previous directive published in 2007, is meant to adapt the regulation of online payments to innovation, technological advances and the many payment services that are now available.

But is PSD2 secure? After all, if you expand third-party access to your financial and banking data, aren’t you increasing the chances of fraud and financial crime? How does PSD2 ensure the security of sensitive banking data?

The directive also sets technical rules for all payment processors to ensure the security of user identities and data. Part of these rules is the establishment of Strong Customer Authentication (SCA) standards.


What is Strong Customer Authentication (SCA)?

SCA requires all businesses to use multi-factor authentication (MFA) and verify at least two independent authentication factors from different categories (knowledge, such as a password or PIN; possession, such as a registered device; and inherence, such as a fingerprint) when processing online payments. For instance, users will have to enter a PIN or password plus complete a biometric challenge to complete a payment transaction.

European regulators provided an 18-month window between the publication of the SCA technical standards and their application date to give payment processors enough time to update their systems to comply with SCA requirements. SCA is mandatory, and starting September 14, banks may decline transactions that don’t meet its authentication requirements.

What’s significant about this regulation is that it is the responsibility of the payment service provider (PSP) to ensure its technology and transactions are compliant with SCA rules. In case of a loss on a transaction that was not properly authenticated, it is the PSP and not the bank that will bear the brunt. Where banks themselves act as payment processors, they are subject to SCA rules as well.

Now, given all of these developments, how can you make sure that your payment service is SCA compliant and will protect you and your customers against fraud?


A few notes on secure 2FA and SCA

While SCA clearly states that payment processors must use MFA to secure transactions, not all implementations of MFA are equally secure, reliable and easy to use.

Hardware tokens, while very secure, become a point of failure and compromise if lost or stolen by a malicious actor. They are onerous for users, who need to carry them around and keep them safe, and they are expensive to purchase, deploy and administer.

Second-factor technologies that rely on software for generating one-time passwords (OTPs) – verification codes that expire after they’re used or after a time interval passes – come in different flavors, each with its own set of challenges. For example, one-time codes sent over SMS are no longer considered secure and are no longer recommended by security standards bodies (NIST SP 800-63B restricts their use), because an attacker can intercept them, for instance through SIM swapping or telecom network interception, without the user noticing. OTPs generated by applications running on a user’s mobile device are vulnerable to social engineering: a phishing page can relay a freshly entered code to the real service in real time. They are also cumbersome to use, since the user has to copy a code from one screen to another.

Finally, the ‘Regulatory Technical Standards (RTS) on strong customer authentication and common and secure communication’, published by the European Banking Authority (EBA) to turn the requirements laid out by PSD2 into concrete technical rules, require that authentication codes generated for a payment be dynamically linked to the details of the transaction itself: the payer must be shown the amount and the payee, the code must be specific to that amount and payee, and any change to either must invalidate the code. This requires SCA solutions that go beyond simply authenticating a user – they need to provide transaction verification capabilities as well.
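The following is an added worked example, not code from the original article or from Secret Double Octopus, of what dynamic linking means in practice. It models a PSP that registers a per-device key, a device that computes an HMAC over the exact amount and payee the user was shown, and a PSP check that rejects the code if the amount or payee submitted for execution differ, or if the code is replayed. The class and function names, the transaction fields and the sample IBANs are assumptions made for this illustration.

```python
"""Dynamic linking worked example: an authentication code bound to amount and payee.

Added illustration (hypothetical names); not the vendor's implementation.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str    # unique per transaction, so a code cannot be replayed
    amount: str    # decimal string such as "125.00"; never a float
    currency: str
    payee: str     # IBAN or merchant identifier shown to the payer


def canonical(txn: Transaction) -> bytes:
    """Serialize the fields in a fixed, unambiguous form before signing.

    Both sides must compute exactly the same bytes, so keys are sorted and
    no whitespace is emitted.
    """
    fields = {"txn_id": txn.txn_id, "amount": txn.amount,
              "currency": txn.currency, "payee": txn.payee}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def authenticator_sign(device_key: bytes, txn_shown_to_user: Transaction) -> str:
    """Runs on the user's device after they review amount and payee and confirm.

    The code is an HMAC over the details the user actually saw, so it is only
    valid for that amount and that payee.
    """
    return hmac.new(device_key, canonical(txn_shown_to_user), hashlib.sha256).hexdigest()


class PaymentServiceProvider:
    """Server side: issues transactions and verifies dynamically linked codes."""

    def __init__(self) -> None:
        self._device_keys: dict[str, bytes] = {}   # user_id -> registered device key
        self._pending: dict[str, str] = {}         # txn_id -> user_id awaiting approval

    def register_device(self, user_id: str) -> bytes:
        """Enrolment: a fresh per-device key shared with the authenticator app."""
        key = secrets.token_bytes(32)
        self._device_keys[user_id] = key
        return key

    def initiate(self, user_id: str, amount: str, currency: str, payee: str) -> Transaction:
        """Create the transaction that will be pushed to the user's device for review."""
        txn = Transaction(secrets.token_hex(16), amount, currency, payee)
        self._pending[txn.txn_id] = user_id
        return txn

    def verify_and_execute(self, submitted: Transaction, code: str) -> bool:
        """Execute `submitted` only if `code` was produced over exactly these details."""
        user_id = self._pending.get(submitted.txn_id)
        if user_id is None:
            return False            # unknown txn, or already executed (replay)
        expected = hmac.new(self._device_keys[user_id], canonical(submitted),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, code):
            return False            # amount or payee differ from what the user approved
        del self._pending[submitted.txn_id]   # single use: a replayed code is rejected
        return True


if __name__ == "__main__":
    # Constructed sample data for the demo; IBANs are placeholders.
    psp = PaymentServiceProvider()
    key = psp.register_device("alice")
    shown = psp.initiate("alice", "125.00", "EUR", "DE00000000000000000000")
    code = authenticator_sign(key, shown)          # user saw 125.00 EUR to that payee
    inflated = Transaction(shown.txn_id, "1250.00", "EUR", shown.payee)
    print("tampered amount accepted:", psp.verify_and_execute(inflated, code))
    print("original accepted:", psp.verify_and_execute(shown, code))
    print("replay accepted:", psp.verify_and_execute(shown, code))
```

The property the RTS asks for falls out of the construction: the PSP never trusts the amount or payee in the approval message on its own, it recomputes the HMAC over the details it is about to execute, so a man-in-the-browser that rewrites either field after the user approves produces a code that no longer verifies.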


The Secret Double Octopus solution to PSD2 SCA requirements

Secret Double Octopus has been developing its authentication solution with the changing and growing needs of the financial services industry in mind. As the industry looks to implement strong customer authentication to comply with PSD2, Secret Double Octopus delivers an authentication solution that meets the PSD2 requirements while ensuring an exceptional user experience.

The Octopus Authenticator implements a layered security approach to mitigate risk. Authentication secrets are stored and used inside a separate secure execution environment provided by the mobile device. The integrity of the authenticator is measured at load time and at runtime to ensure it has not been altered.

In addition, Secret Double Octopus uses Shamir Secret Sharing (SSS), an information-theoretically secure threshold scheme, to provide additional protection for authentication secrets by splitting them into shares, so that fewer than the threshold number of shares reveal nothing about the secret. As a result, if one of the other security controls fails – for example, a vulnerability is found in the secure enclave used to protect its secrets – SSS provides an additional layer of security for the integrity of the authenticator and its secrets.
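To make the threshold property concrete, here is an added example of Shamir Secret Sharing over a prime field. It is illustrative code written for this article, not the vendor's implementation, and the prime, the function names and the sample secret are assumptions. Besides splitting and recovering, it shows why fewer than the threshold number of shares reveal nothing: with two of three shares in hand, any guessed secret can be made consistent by a suitable third share, so the two shares do not narrow the secret down at all.

```python
"""Shamir Secret Sharing over GF(p): split, recover, and show the threshold property.

Added illustration; hypothetical names, not the vendor's code.
"""
import secrets

# Assumption for the example: a Mersenne prime large enough for 127-bit secrets.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Horner evaluation of a polynomial (lowest-degree coefficient first) mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Split `secret` into `shares` points of which any `threshold` recover it.

    The secret is the constant term of a random polynomial of degree
    threshold - 1; share i is the point (i, f(i)).
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def interpolate(points: list[tuple[int, int]], x: int) -> int:
    """Lagrange interpolation mod PRIME: value at x of the unique polynomial
    of degree len(points) - 1 through the given points."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share indices")
    result = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse: den^(p-2) is den^-1 mod p
        result = (result + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return result


def recover_secret(points: list[tuple[int, int]]) -> int:
    """Recover the constant term from exactly `threshold` distinct shares."""
    return interpolate(points, 0)


def share_consistent_with_guess(partial: list[tuple[int, int]], guess: int, x_missing: int) -> int:
    """Given threshold - 1 shares and any guessed secret, compute the share value at
    x_missing that would make that guess the true secret.

    Because such a share always exists, the partial shares are consistent with
    every possible secret: they leak nothing.
    """
    return interpolate(partial + [(0, guess)], x_missing)


if __name__ == "__main__":
    secret = 123456789                       # constructed sample secret
    shares = split_secret(secret, threshold=3, shares=5)
    print("recovered from shares 1,3,5:", recover_secret([shares[0], shares[2], shares[4]]))
    two = shares[:2]
    for guess in (42, 7):
        forged = share_consistent_with_guess(two, guess, 3)
        print(f"two shares plus a fitted third share recover {recover_secret(two + [(3, forged)])}")
```

A practitioner using this in an authenticator would also need to handle where each share lives (device enclave, server, a second channel) and how shares are refreshed; the arithmetic above is only the core of the scheme.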

Secret Double Octopus uses multiple channels to perform user authentication and validation of sensitive operations such as payments. Every authentication token is generated piecemeal through several out-of-band components, each of which is secured using a different robust mechanism. An attacker who controls any single channel therefore cannot obtain a complete token, which makes man-in-the-middle attacks aimed at stealing sensitive information or tampering with payment data substantially harder to stage.


On the user experience side, Secret Double Octopus has achieved the best of both worlds, providing a solution that is both easy to use and highly secure. The Octopus Authenticator app, the end-user component of the Secret Double Octopus solution, enables payment service providers to give their customers a multi-factor, password-less authentication experience. Octopus Authenticator can be used as a standalone password-less authentication solution or as a 2FA addition to whatever identity verification mechanism an application already uses.


Octopus Authenticator shows a push notification to the user whenever there is a login attempt on their account or a sensitive operation is about to be executed, such as making an online payment. Users can either refuse the request or accept it by providing a PIN or biometric signature. Moreover, Secret Double Octopus enables service providers to dynamically link additional data, such as the payment amount and payee, to each request, so that the user sees exactly what they are about to approve and can stop a transaction before it takes place.

To the user, Octopus Authenticator is a simple swipe-and-accept operation. Under the hood, however, a multi-layered process makes sure that user authentication and transaction approval are secure and compliant with PSD2 strong customer authentication (SCA).