The Financial Conduct Authority (FCA) in the UK has extended the deadline for implementation of strong customer authentication rules by six months. The deadline is now 14 September 2021.
Other regulators across Europe are expected to make similar moves.
From 14 September 2021, financial institutions must ensure that customers are completing strong customer authentication (SCA) before they carry out online processes, as set out in the EU Revised Directive on Payment Services (PSD2).
These processes include:
- Accessing a bank account online
- Making an online payment
- Carrying out any activity online that might come with a fraud risk
Strong customer authentication requires a customer to complete a multi-factor process to verify their identity. Multi-factor authentication requires two or more of the following elements:
- Knowledge: something only the user knows, e.g. a password or PIN
- Possession: something only the user possesses, e.g. a mobile handset or token
- Inherence: something the user is, e.g. a biometric
The two factors also need to be independent of each other. For example, if a customer authenticates via voice on their mobile phone as the first factor, and the bank then sends a one-time password (OTP) to that same device as the second factor, this presents a risk. Both factors use the same channel or band, so if that channel (here, the mobile phone) has been compromised, the instruction and the security verification are both being delivered to whoever now controls the compromised device. The recommendations require that this be avoided.
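The category and channel-independence rules above can be checked mechanically before a transaction is approved. The following Python is an added illustration, not code from iProov or from the PSD2 standards: it models each presented factor with a category and a hypothetical `channel` label (the device or band it is presented on or delivered through) and accepts a combination only when some pair of factors differs in both category and channel. The scenario data is constructed for the example; the "voice on phone plus OTP to the same phone" case is the one the text describes.

```python
from dataclasses import dataclass
from enum import Enum
from itertools import combinations


class Category(Enum):
    KNOWLEDGE = "knowledge"    # something only the user knows
    POSSESSION = "possession"  # something only the user possesses
    INHERENCE = "inherence"    # something the user is


@dataclass(frozen=True)
class Factor:
    name: str
    category: Category
    # Hypothetical label for the device/band the factor is presented on or
    # delivered through, e.g. "mobile-handset" or "laptop-browser" (assumption).
    channel: str


def evaluate_sca(factors):
    """Check presented factors against the two SCA rules from the text.

    Returns (ok, reasons). ok is True only when some pair of factors belongs to
    two different categories AND uses two different channels. On failure every
    rejected pair is listed so an operator can see why the combination failed.
    """
    if len(factors) < 2:
        return False, ["fewer than two factors presented"]
    reasons = []
    for a, b in combinations(factors, 2):
        if a.category == b.category:
            reasons.append(
                f"{a.name} and {b.name} are both {a.category.value}: not multi-factor")
        elif a.channel == b.channel:
            reasons.append(
                f"{a.name} and {b.name} share channel '{a.channel}': not independent")
        else:
            return True, []   # one independent cross-category pair is enough
    return False, reasons


# Constructed sample factors (not real customer data).
VOICE_ON_PHONE = Factor("voice biometric via phone", Category.INHERENCE, "mobile-handset")
OTP_TO_PHONE = Factor("SMS OTP to phone", Category.POSSESSION, "mobile-handset")
PASSWORD_ON_LAPTOP = Factor("password typed in browser", Category.KNOWLEDGE, "laptop-browser")
PIN_ON_LAPTOP = Factor("PIN typed in browser", Category.KNOWLEDGE, "laptop-browser")

SCENARIOS = {
    "voice on phone + OTP to same phone": [VOICE_ON_PHONE, OTP_TO_PHONE],
    "password in browser + OTP to phone": [PASSWORD_ON_LAPTOP, OTP_TO_PHONE],
    "password + PIN in browser": [PASSWORD_ON_LAPTOP, PIN_ON_LAPTOP],
    "password only": [PASSWORD_ON_LAPTOP],
}

if __name__ == "__main__":
    for label, presented in SCENARIOS.items():
        ok, reasons = evaluate_sca(presented)
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'}")
        for r in reasons:
            print("  -", r)
```

Only the browser password plus phone OTP combination is accepted; the same-device pair is rejected as not independent, the two knowledge factors as not multi-factor. In a real deployment the channel label would come from the session and delivery records rather than being hard-coded.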
Usability vs Security: half of consumers have abandoned online transactions
The challenge for banks is striking the right balance between security and ease of use. Security is critical, but if systems are hard to access, banks face higher drop-off rates, greater loss of customers to competitors, and the brand impact of being seen as difficult to use.
Drop-off rates and loss of customers are very real concerns. A recent iProov study found that almost half of consumers in the US and UK have abandoned an online purchase because the security process took too long - and those aged 18-44 are more likely to have done so.
With iProov, strong customer authentication is simple and secure. The iProov facial biometric authentication can replace passwords, or it can be used as the second factor as detailed in the two examples below:
How to enable strong customer authentication/SCA on mobile devices with iProov:
- A customer would begin the sign-in process to their bank account.
- They provide a password for the first factor authentication (something they know).
- They then effortlessly iProov themselves for a strong second factor (something they are). The customer simply holds their device in front of their face and a coloured illumination provides Genuine Presence Assurance - that is, confirming they are the right person, a real person, and authenticating right now. The illumination ceremony also acts as reassurance to the customer that their security is being protected.
How to simplify strong customer authentication/SCA on web browsers with iProov:
iProov Web offers the significant advantage of allowing strong customer authentication to be completed on a desktop or laptop without the need for a mobile device.
- A customer would begin the sign-in process to their bank account on a desktop, laptop or other device using a web browser.
- They provide a password for the first factor authentication (something they know).
- They then effortlessly iProov themselves for the second factor (something they are) using the camera on their laptop. A coloured illumination provides Genuine Presence Assurance - that is, they are the right person, a real person, and authenticating right now.