API obsession means banks may miss PSD2’s SCA deadline

Banks have been too focused on open APIs and account access to prepare for strong customer authentication (SCA), according to Gemalto vice president of strategic partnerships, Alain Martin.

“In 2018 the main priority for banks was compliance focused on access to accounts, in particular the creation of open APIs. They’re under the obligation to prove that their APIs work well, are fast and have the functionality that fintechs need for connection,” says Martin.

“As a vendor, we have not seen many RFPs for new authentication methods, which has surprised us, as we thought we’d see plenty. Yet the focus has so far been on access to the account. That’s why it’s now too late to change for September [when SCA comes into force], and banks will end up using what they have today, except for a few who started thinking about it earlier.” Martin believes that by 2020 the industry will experience a “wave” of implementations focused around security.

There are “limitations” to one-time passwords (OTP), a system which many banks currently use to authenticate their users. “The SMS channel is fundamentally insecure and there are doubts over whether it actually complies with the second Payments Services Directive (PSD2),” says Martin.

While SMS provides a separate execution environment, it doesn’t address a number of needs under PSD2, including malware detection, dynamic linking (binding the authentication code to the specific amount and payee) and software authenticity. “You can be sure that in September banks will still be using OTPs. They aren’t going to switch overnight. It’s a long journey they have embarked on.”
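To make the dynamic-linking point concrete, here is an added illustration that is not part of the original article and not code from Gemalto, FIDO or any bank. It contrasts a plain counter-based OTP (RFC 4226 style, which ignores the payment entirely) with an authentication code computed as an HMAC over the canonicalised amount, payee and a one-time nonce, so the same code cannot be replayed against a different transaction. The shared secret, nonce and payee identifier are constructed placeholder values, and the HMAC-SHA256 construction is a generic example of the requirement, not any standard’s or vendor’s specific scheme.

```python
import hashlib
import hmac
import struct
from decimal import Decimal

# Constructed placeholder secret standing in for a key a bank would provision
# on the customer's device. Hypothetical value, not from any real deployment.
SHARED_SECRET = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 31 bits from the MAC, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def hotp_style_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """Plain HOTP-style OTP over a moving counter only.

    Nothing about the payment is mixed into the MAC, so whoever obtains the
    code (for example by reading an SMS) can use it for any transaction
    submitted while it is valid. This is the 'not dynamically linked' case."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def canonical_transaction(amount: str, payee: str, nonce: bytes) -> bytes:
    """Canonical byte encoding of the details the code must be linked to.

    The amount is normalised to two decimal places so that '100', '100.0' and
    '100.00' bind to the same code, while '100.01' binds to a different one.
    Fields are separated by a NUL byte so they cannot be re-split ambiguously."""
    amt = Decimal(amount).quantize(Decimal("0.01"))
    return b"\x00".join([str(amt).encode("ascii"), payee.encode("utf-8"), nonce])


def dynamically_linked_code(secret: bytes, amount: str, payee: str,
                            nonce: bytes, digits: int = 8) -> str:
    """Authentication code bound to amount, payee and a per-transaction nonce.

    Changing any of the three inputs changes the code, which is the property
    PSD2's dynamic-linking requirement asks for."""
    msg = canonical_transaction(amount, payee, nonce)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_linked_code(secret: bytes, amount: str, payee: str,
                       nonce: bytes, presented: str) -> bool:
    """Server-side check: recompute for the transaction actually being
    executed and compare in constant time. A code issued for another amount
    or payee fails here, so the nonce should also be marked used on success."""
    expected = dynamically_linked_code(secret, amount, payee, nonce)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    nonce = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    otp = hotp_style_code(SHARED_SECRET, 7)
    print("plain OTP, valid for any transaction:", otp)
    code = dynamically_linked_code(SHARED_SECRET, "100.00", "PAYEE-A", nonce)
    print("linked code for 100.00 to PAYEE-A:     ", code)
    print("accepted for the same transaction:     ",
          verify_linked_code(SHARED_SECRET, "100.00", "PAYEE-A", nonce, code))
    print("accepted if the amount is altered:     ",
          verify_linked_code(SHARED_SECRET, "1000.00", "PAYEE-A", nonce, code))
    print("accepted if the payee is altered:      ",
          verify_linked_code(SHARED_SECRET, "100.00", "PAYEE-B", nonce, code))
```

The contrast is the whole point: `hotp_style_code` yields the same six digits whatever the customer is paying for, whereas `verify_linked_code` rejects the code as soon as the amount or payee in the executed transaction differs from the one the customer approved. Note that dynamic linking is only one of the gaps mentioned above; this code does nothing about malware on the device or proving the authenticity of the banking software itself.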

A recent report from Javelin Strategy & Research records that the number of enterprise organisations using strong authentication has tripled since 2017 (5% to 16%). 52% of respondents indicated that they were still using traditional multifactor authentication, while a third still used single-factor. The study also found that ease of integration (32%) and cost (26%) were the most significant factors in the selection of new authentication solutions.

Andrew Shikiar, chief marketing officer at standards body FIDO, says that there are “several large banks” in the US “ramping things up for stronger authentication”. “We’ve actually seen adoption trends vary from region to region. Asia-Pacific is embracing a mobile-first approach, especially in Japan, Korea and China. In the US there is a fair amount of enterprise adoption and a lot of two-factor authentication adoption among the service providers. Yet there is a natural imperative in Europe, due to PSD2, which is driving change.”

Banks have traditionally been highly sensitive around security matters, says Martin. “But it’s true that they haven’t put into place – at the pace that you would expect – strong authentication measures. Regulation is pushing banks to go a little bit faster,” he says.

Another major concern is reach. Things have to work “for everybody, not just the selected few who have the right phone.” PSD2 requires the scaling of solutions to 100% of the userbase, and Martin believes banks will find that a problem to comply with. “This is why a lot of banks started to deploy OTPs sent by SMS – it’s scalable.”

European banks are especially reluctant to make sweeping changes, as they invested in new security solutions “four or five years ago”, says Martin. “For example, in Scandinavia a lot of banks deploy hardware devices, while in France a majority have adopted OTP via SMS.”

A 2018 survey conducted by LastPass found that 59% of respondents used the same password across multiple sites, despite 91% of them knowing it’s bad security practice. “Password and OTP is better than just a single password, but still leaves a user susceptible to being targeted by phishing,” says Shikiar.

“User education is crucial. Best practice building is something [FIDO is] focused on doing. Leading service providers in FIDO such as Amazon, Facebook or any of our banking members, see the importance for there to be a common vernacular for talking to users about authentication – and are actively discussing this within the FIDO Alliance.”