Voice of the Industry

PSD2 SCA authentication requirements will bring about better user experience

Friday 27 November 2020 10:51 CET | Editor: Mirela Ciobanu | Voice of the industry

'The latest regulations for better authentication for the European financial services sector are about to take effect, and they will help motivate improvements in the customer user experience as well as security' Phil Dunkelberger, CEO of Nok Nok Labs

Are you tired of making trade-offs between better authentication and better customer experience? Until the last few years that was mostly a rhetorical question, but there is now a serious answer: the latest Fast Identity Online (FIDO) protocols and products, combined with the improvements in smartphone biometric sensors. As the EU moves closer to enforcing the PSD2 Strong Customer Authentication (SCA) requirements in 2021, there is even more reason to consider this approach. These requirements were designed to make digital payments in Europe more secure, largely to combat the rise in online fraud.

SCA is one part of PSD2, whose broader Open Banking goal is to let customers share account access with third-party providers and choose their financial services without being locked into proprietary systems. To meet the SCA requirements without driving customers away, banks have to improve security and user experience at the same time, authenticating customers in the fastest and least intrusive ways possible.

SCA requires multi-factor authentication for most of these payment transactions, with a few exemptions (such as remote payments below EUR 30, subject to cumulative limits, and the subsequent payments in a recurring series of the same amount to the same payee). The requirements will be enforced by most EU member states by January 1, 2021, in France by April 1, 2021, and in the UK and Switzerland by September 15, 2021. Needless to say, this staggered schedule has caused a lot of confusion, and some banks are already declining all non-SCA payments. This puts more pressure on everyone to get their SCA implementations rolled out as soon as possible. And even though SCA applies only where both the card issuer and the acquirer are based in the European Economic Area, many banks are looking to apply these rules across the board, whatever the underlying geography.

The FIDO standards have been around for many years and are now multi-platform, running on Windows, macOS, iOS and Android, with support in the major web browsers across these platforms. They have been deployed at some of the largest banks and multinational companies and are used widely, including in NTT Docomo's payments network in Japan and as part of Mastercard's Identity Check Express offering in India. FIDO authentication is explicitly cited as one way of satisfying the SCA requirements.

Before FIDO, businesses that wanted better authentication had to accept this security/usability trade-off, either with adaptive (risk-based) authentication or with smartphone authenticator apps. The former had the advantage of applying more stringent authentication only when the risk warranted it, but required major modifications to an organisation's application stack. The latter was merely a less intrusive way of delivering one-time passwords during login; it still pulled the user out of the flow to read and type a code.

Both of these methods meant that users could abandon their online shopping carts out of frustration. (An Aite Group survey found lower sales for half of the user population.) 'The industry considers SCA a significant risk to online commerce sales in the first year after its introduction', says Ron van Wezel, senior analyst at Aite Group. What we have found at Nok Nok Labs is that by moving to more biometric-based authentication mechanisms, there is an 80% reduction in cart abandonment. The trick is to apply these mechanisms in a way that adds no additional usability burden for the end user.

With FIDO, users authenticate a transaction with their fingerprint or face on the device in their hand. There is no need to leave the context of the shopping experience to look up and then enter a one-time passcode. If this seems familiar, many of us already use our fingers or faces to approve payments from our smartphones with services such as Apple Pay and Google Pay. FIDO extends this: through an open industry standard, merchants and banks can delegate authentication to the authenticator already built into the customer's device, increasing shopping cart completions and sparing end users from entering passwords and one-time passcodes. The key is making sure your SCA implementation is done properly and follows best practices.
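That delegation has a concrete shape on the relying party's side. The Go program below is an added example written for this page; it is not code from the article, from Nok Nok Labs or from the FIDO specifications. It shows the checks a bank or merchant server performs on a FIDO2/WebAuthn assertion before accepting a payment: the browser-stamped origin (the phishing resistance), the rpIdHash, the user-verified flag that proves a fingerprint, face or PIN was checked on the device (the second SCA element next to possession of the key), and a challenge that binds amount and payee into the signed data, which is one way to meet SCA's dynamic-linking rule. That challenge convention, the names bank.example and Shop Ltd, and the fixed nonce are this example's own assumptions; the authenticator is simulated in-process with a freshly generated P-256 key. A real deployment also verifies attestation at registration and tracks the signature counter, both left out here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Fields of WebAuthn clientDataJSON that the relying party (bank or merchant) checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, unpadded
	Origin    string `json:"origin"`
}

const flagUP, flagUV byte = 0x01, 0x04 // user present (a touch); user verified (fingerprint, face or PIN on the device)

// transactionChallenge binds amount and payee into the server-issued challenge (dynamic linking; assumed convention).
func transactionChallenge(nonce []byte, amountCents uint64, payee string) []byte {
	h := sha256.New()
	h.Write(nonce)
	fmt.Fprintf(h, "%d\x00%s", amountCents, payee)
	return h.Sum(nil)
}

// verifyAssertion runs the relying-party checks on one assertion for a credential enrolled earlier.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge, authData, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin { // the browser records the real origin: look-alike sites fail here
		return errors.New("wrong ceremony type or origin")
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(got, challenge) {
		return errors.New("challenge mismatch: assertion is for a different transaction")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || !bytes.Equal(authData[:32], rpHash[:]) {
		return errors.New("authenticator data malformed or for another relying party")
	}
	if flags := authData[32]; flags&flagUP == 0 || flags&flagUV == 0 {
		return errors.New("user verification not performed") // SCA needs key possession plus a verified user, not a touch alone
	}
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("bad signature")
	}
	return nil
}

// signAssertion stands in for the phone's authenticator (constructed for this example): it signs
// authenticatorData || SHA-256(clientDataJSON) with the credential's private key.
func signAssertion(priv *ecdsa.PrivateKey, rpID string, flags byte, clientDataJSON []byte) ([]byte, []byte, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flags, 0, 0, 0, 0) // rpIdHash || flags || 4-byte signature counter (zero here)
	cdHash := sha256.Sum256(clientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return authData, sig, err
}

// demo verifies one genuine payment and three tampered variants, all built from constructed inputs.
func demo() (genuineOK, amountRejected, noBiometricRejected, wrongOriginRejected bool) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // key pair enrolled at registration
	pub := &priv.PublicKey
	const rpID, origin = "bank.example", "https://bank.example" // assumed names
	nonce := []byte("constructed-nonce")                        // a real server draws this at random per transaction
	chal := transactionChallenge(nonce, 4999, "Shop Ltd")      // EUR 49.99 to Shop Ltd
	mkCD := func(origin string, chal []byte) []byte {
		b, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: base64.RawURLEncoding.EncodeToString(chal), Origin: origin})
		return b
	}
	cd := mkCD(origin, chal)
	ad, sig, _ := signAssertion(priv, rpID, flagUP|flagUV, cd)
	genuineOK = verifyAssertion(pub, rpID, origin, chal, ad, cd, sig) == nil
	// Same assertion replayed for a 100x larger amount: dynamic linking fails.
	amountRejected = verifyAssertion(pub, rpID, origin, transactionChallenge(nonce, 499900, "Shop Ltd"), ad, cd, sig) != nil
	// Authenticator reports a touch but no fingerprint or face check: one factor is not SCA.
	ad2, sig2, _ := signAssertion(priv, rpID, flagUP, cd)
	noBiometricRejected = verifyAssertion(pub, rpID, origin, chal, ad2, cd, sig2) != nil
	// Look-alike site: the browser stamps its own origin into clientData, so a valid signature is still refused.
	cd3 := mkCD("https://bank-example.evil", chal)
	ad3, sig3, _ := signAssertion(priv, rpID, flagUP|flagUV, cd3)
	wrongOriginRejected = verifyAssertion(pub, rpID, origin, chal, ad3, cd3, sig3) != nil
	return
}

func main() {
	fmt.Println(demo()) // true true true true
}
```

Run it with go run: the genuine assertion passes, while the altered amount, the assertion without user verification and the one produced under a look-alike origin are all refused, even though each carries a valid signature from the enrolled key.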

When PSD2 was first proposed, the goal was to have it implemented across Europe by now, but the deadlines keep getting pushed further into the future, thanks to a combination of COVID-19 and other institutional factors. But we now have a unique opportunity: financial services companies can take advantage of the latest security technology and deliver a solid authentication experience without having to make any usability trade-offs.

About Phillip M. Dunkelberger

Phillip Dunkelberger has broad experience resulting from more than 30 years in technology. Prior to leading Nok Nok Labs, Mr. Dunkelberger served for 8 years as co-founder and CEO of PGP Corporation, until its acquisition by Symantec in 2010. He has significant experience in SaaS infrastructure and enterprise software, having served as Entrepreneur-in-Residence at Doll Capital Management (DCM), President and CEO of Embark, and COO of Vantive Corporation. He has also held senior management positions with Symantec, Apple Computer and Xerox Corporation.

About Nok Nok

Nok Nok provides secure, scalable, and frictionless experiences for passwordless authentication, preventing fraud and security risks. By reducing the reliance on weak, phishable passwords, Nok Nok empowers organisations to improve the authentication experience, while meeting the most advanced security and regulatory requirements. Customers include cloud, mobile, and IoT businesses. For more information, visit www.noknok.com.



Keywords: Nok Nok, passwordless authentication, Phillip Dunkelberger, PSD2, SCA, COVID-19, adaptive authentication, FIDO, multi-factor authentication, payments, customer experience
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World