Open Banking: why a new approach to authentication is key to its success

The concept of open banking promises users greater control over their financial data; however, it is not without risks, and its success is tied to consumer confidence when it comes to the security and privacy of their information. Indeed, ahead of the arrival of open banking in the UK, a 2017 Accenture survey of more than 2,000 British consumers found that two-thirds were not prepared to share their personal financial data with third-party providers. As Accenture’s managing director Jeremy Light commented at the time, “Open banking has the potential to transform customers’ relationship with financial products, but it hinges on consumers’ willingness to embrace it.”

Privacy concerns regarding the practice of “screen scraping” – where a third-party payment or financial data aggregation service accesses bank accounts on the consumer’s behalf using their credentials – were surfaced by Barclays’ managing director Catherine McGrath in response to the news of banking giant HSBC’s foray into open banking with its aggregate app. The HSBC application pulled financial data from different bank accounts into one place for users. “With screen scraping, you have to give someone login details and then they can see absolutely everything; you don’t have the ability to discriminate to say just six months’ worth of transactional data,” Ms McGrath said. “Our view is the best way for customers to share their data through APIs, so they are in charge of their data.”

Regulatory implications and limitations

Around the world, regulations are emerging in line with the growing trend towards open banking. A prominent example is the second Payment Services Directive (PSD2), which came into effect in Europe at the start of 2018. PSD2 is being closely watched by other markets as open banking gains momentum, and regulated service providers navigate concerns regarding the implications for user privacy and security.

Whether or not these concerns ultimately slow Europe’s adoption of open banking largely depends on how the Strong Customer Authentication requirements defined in the PSD2 Regulatory Technical Standard are enforced. To help ensure successful adoption of open banking, the FIDO Alliance has taken an active role in helping European regulators and API design groups understand how standards-based, modern authentication can be used to deprecate today’s screen scraping practices while enabling a timely and secure migration to the open banking API model.

It is critical that open banking is implemented via modern APIs and protected by high assurance Strong Customer Authentication, as only an API-centred model is capable of protecting consumer privacy by providing granular access controls enabling the consumer to determine how much of their data is shared with any given third-party service provider. And only modern cryptographic-based authentication is fundamentally resistant to today’s most common and effective account compromise attacks, such as phishing for passwords and even one-time-passcodes (OTP).

Bolstering security, privacy, and usability with device-based authentication

New and improved methods of authentication are now available through open industry standards from the FIDO Alliance and W3C. Collectively known as FIDO Authentication, this innovative technology leverages on-device user verification such as the biometric capabilities on our mobile phones and combines this with interoperable protocols for strong cryptographic authentication. Biometrics is a compelling proposition for banks and other financial services companies, due to their ability to perform without dependency on the user remembering or sharing a password, greatly enhancing customer security while improving the user’s authentication experience.
In practice, by utilising public key cryptography techniques in combination with “one touch” biometrics and/or security keys, the proliferation of smart devices can be used to provide stronger authentication without burdening users. If the customer uses their fingerprint, face, or PIN code to unlock their device, banks can now combine that same user verification method with strong cryptographic protocols made available through on-device platform APIs, including a Javascript API for web apps. This would allow customers to securely access their accounts online in full compliance with PSD2 strong customer authentication requirements, on both apps and websites.

Complying with SCA requirements – our approach

FIDO certification provides a clear path for financial services organisations to comply with PSD2 strong customer authentication requirements.

The FIDO Alliance’s authentication standards provide a scalable way for the European financial ecosystem to meet PSD2 requirements for strong authentication of user logins and cryptographically signed transactions, while also meeting organisational and consumer demand for transaction convenience. FIDO certification programmes offer an independent validation of implementations conformance, interoperability, security, and even biometric performance when applicable. All certified devices are eligible to be listed in a public registry of device metadata that enables a financial service to evaluate the security properties of the device, ensuring the device’s ability to comply with the restricted operating environment requirements detailed in the PSD2 RTS.

PSD2 should significantly improve the way third-parties access account data. Ultimately, public trust is essential for momentum to continue to build around open banking and to ensure its enduring success. In order to build and maintain this confidence, a new approach to authentication must be taken in which there are adopted far superior modern methods that will enhance security and usability to the benefit of all concerned.

About Brett McDowell

Brett McDowell helped establish the FIDO Alliance in 2012 to remove the world’s dependency on passwords through open standards for strong authentication. Previously, he was head of ecosystem security at PayPal, where he developed strategies to improve online customer security.

About FIDO Alliance

The FIDO Alliance works to address the lack of interoperability among strong authentication technologies and to remedy the problems users face managing multiple passwords. The Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms which reduce reliance on passwords.