2 April 2019
How can a financial service provider choose the right authentication method?
The increasing number of online services is leading us to spend more and more time on the internet. Smartphone use is growing rapidly, and online payments have become very common. These trends mean we must protect our data better, especially now that criminals are finding new ways to commit digital fraud, such as scams via WhatsApp.
Digitisation of services and the changing regulations
In the fight against fraud, reliable authentication solutions play a key role. This is especially true when it comes to online payments, explains Claire Deprez-Pipon, Product Manager at equensWorldline. "The recently implemented legal procedures, such as the GDPR, NIS, PSD2 and eIDAS demonstrate that the security of electronic transactions is a top priority. The regulations are mainly focused on protecting personal data and strengthening authentication solutions."
The digitisation of services and changing regulations have consequences for banks. "In the field of transaction security," Deprez-Pipon continues, "financial service providers cannot fall behind. They must keep up with new developments." Under PSD2, banks are required to open their APIs to third parties. This means a bank has to validate the customer's permission when a third party wants access to that customer's account, and strong customer authentication (SCA) is required for this. "The Privacy Law GDPR and the eIDAS regulation also influence the way we organise authentication solutions."
This is why it’s important for a financial service provider to choose the right authentication method, one in which ease of use and security go hand in hand.
One aspect to pay attention to is two-step verification, as there are three factors with which you can identify yourself: something that you know (such as a password), something that you possess (such as an ID card) and something unique about yourself (such as fingerprints). The PSD2 RTS decrees Strong Customer Authentication (SCA), stating that you must verify yourself with at least two of the three factors before you can make a payment. Some factors are safer than others. Deprez-Pipon notes that "two-factor SMS authentication is still popular, but it’s been proven that sending an SMS with a code is not a completely safe method. Installing an app on a smartphone is a better way to do it because biometric features can also play a role."
Convenient use and implementation
"The last thing a seller wants is for customers to abandon the payment process because authentication is too complicated," Deprez-Pipon warns. "Therefore, the solution must be easy to understand and implement. A frictionless authentication process can prevent a lot of irritation." This also applies to the financial service provider’s own implementation of the authentication method: the method must be easy to roll out. A software development kit (SDK, a set of development tools) or a white-label app (a generic app that can be customised according to the house style of each company) can serve as an important tool for implementation. Deprez-Pipon adds, "A solution must not only be compliant with all regulations but must also be flexible. This means that new services can easily be replaced or expanded."
Deprez-Pipon also recommends that companies use the same authentication solution for all channels (whether on a computer, tablet or mobile phone). "It's easier for a bank to have the minimum number of authentication solutions, so users don't get confused. Choose a solution that always works: when the customer calls a call centre to protest against a credit card block; when the customer buys a new laptop via the internet; or when the customer wants to initiate a credit transfer via a bank app. A verification app on the mobile or tablet that can always be used, regardless of the channel, is a good example to aim for."