Response to discussion on RTS on strong customer authentication and secure communication under PSD2
Go back
1.) in-APP authentication elements without Out-of-Band functionality
2.) Authentication elements with OOB capabilities.
In-APP authentication elements without Out-of-Band functionality
There is no full independence of authentication elements based on Mobile device installed authentication elements, such as passwords, biometrics etc, as there is only one single mobile device (one channel). The breach of one authentication element potentially compromises the reliability of the other authentication element. As mentioned under article 4.1.32, if the mobile device contains the credential a compromise of the mobile device itself compromises the reliability. Under the segment “in-APP authentication elements without Out-of-Band functionality” credentials are always contained or created by the mobile device only. A potential non-compliant proposition considering the SCA requirements and a less secure authentication proposition in general.
Authentication elements using OOB
The receipt or retrieval of the credential through the telecom infrastructure provides an authentication element via an additional channel (infrastructure). The telecom infrastructure delivers the credential with the following characteristics :
• A secure end-to-end delivery pipeline through a VPN
• Regulated environment
• No open infrastructure, access for regulated parties only
• The credential is a message from and originated by the payment provider
The telecom infrastructure channel can identify a security breach for the mobile device as it can provide extra context checks, such as divert detection, location-based GEO checks, and SIM Swap detect.
It is imperative to identify and separate authentication elements which do not offer Out-of-Band functionality and do not operate in a regulated environment, and credentials are contained and/or created by the mobile device. Authentication elements retrieving/receiving credentials from an additional channel are offering compliancy, as the breach of one authentication element does not compromise the other. The latter should there for be regarded as more secure and compliant with the SCA requirements. In addition, the telecom infrastructure is capable of providing security to determine possible security risks concerning possession of the authentication element.
The inclusion of authentication elements using OOB is there for required to be compliant with the definition for a SCA as described by PSD2.
1. With respect to Article 97(1) (c), are there any additional examples of transactions or actions implying a risk of payment fraud or other abuses that would need to be considered for the RTS? If so, please give details and explain the risks involved.
NA2. Which examples of possession elements do you consider as appropriate to be used in the context of strong customer authentication, must these have a physical form or can they be data? If so, can you provide details on how it can be ensured that these data can only be controlled by the PSU?
NA3. Do you consider that in the context of “inherence” elements, behaviour-based characteristics are appropriate to be used in the context of strong customer authentication? If so, can you specify under which conditions?
NA4. Which challenges do you identify for fulfilling the objectives of strong customer authentication with respect to the independence of the authentication elements used (e.g. for mobile devices)?
The addressed complication of compliance under article 4.1.32 related to the independence of the authentication elements is justified but needs an in-depth view. A clear distinction is necessary between:1.) in-APP authentication elements without Out-of-Band functionality
2.) Authentication elements with OOB capabilities.
In-APP authentication elements without Out-of-Band functionality
There is no full independence of authentication elements based on Mobile device installed authentication elements, such as passwords, biometrics etc, as there is only one single mobile device (one channel). The breach of one authentication element potentially compromises the reliability of the other authentication element. As mentioned under article 4.1.32, if the mobile device contains the credential a compromise of the mobile device itself compromises the reliability. Under the segment “in-APP authentication elements without Out-of-Band functionality” credentials are always contained or created by the mobile device only. A potential non-compliant proposition considering the SCA requirements and a less secure authentication proposition in general.
Authentication elements using OOB
The receipt or retrieval of the credential through the telecom infrastructure provides an authentication element via an additional channel (infrastructure). The telecom infrastructure delivers the credential with the following characteristics :
• A secure end-to-end delivery pipeline through a VPN
• Regulated environment
• No open infrastructure, access for regulated parties only
• The credential is a message from and originated by the payment provider
The telecom infrastructure channel can identify a security breach for the mobile device as it can provide extra context checks, such as divert detection, location-based GEO checks, and SIM Swap detect.
It is imperative to identify and separate authentication elements which do not offer Out-of-Band functionality and do not operate in a regulated environment, and credentials are contained and/or created by the mobile device. Authentication elements retrieving/receiving credentials from an additional channel are offering compliancy, as the breach of one authentication element does not compromise the other. The latter should there for be regarded as more secure and compliant with the SCA requirements. In addition, the telecom infrastructure is capable of providing security to determine possible security risks concerning possession of the authentication element.
The inclusion of authentication elements using OOB is there for required to be compliant with the definition for a SCA as described by PSD2.