Achieving PSD2’s Strong Customer Authentication with Behavioral Biometrics

July 28, 2020

The financial industry has long been a target of cybercriminals. This is to be expected: most criminal actors are financially motivated, and financial and payment systems can be monetized quickly for easy profit. Protecting these systems from data theft and fraud was a primary driver behind the European Union's Second Payment Services Directive (PSD2), which prescribes rights and obligations for both payment providers and users, including a requirement for Strong Customer Authentication (SCA) on most electronic payments.

PSD2 and the extension of Strong Customer Authentication

PSD2 has already reshaped banking in the European Union by opening the banking market to third-party actors and setting stricter security standards for transactions across currencies and regions. The intention behind PSD2 is to simplify market entry for new actors and advance digital transformation across Europe. To keep consumers safe, PSD2 mandates stronger customer protection through strict authentication rules for most digital transactions.

Due to the devastating impact of COVID-19, some regions, such as the United Kingdom, are delaying enforcement of SCA until the fall of 2021. This extension gives organizations an opportunity to get their SCA implementation right and to find compliant solutions that meet the demands of both the regulation and their customer experience teams.

The importance of Strong Customer Authentication

Strong Customer Authentication requires a combination of at least two out of three different elements: knowledge, possession, and inherence. The knowledge element is something the user knows, such as a password. Possession is something the user has, such as a hardware token or the registered phone that receives an SMS one-time password (OTP); note that the possession element is the device, and the OTP is only the evidence that the user holds it. Inherence is something that uniquely characterizes the user, for instance Behavioral Biometrics. The two elements must come from different categories: a password plus a PIN is still only knowledge. Financial institutions and payment services must use these SCA factors for online authentications to reduce the risk of fraud and other scams connected to digital transactions.

Two-factor authentication based on knowledge and possession is currently in frequent use by online payment providers to meet SCA demands. This often takes the form of a username and password (knowledge) combined with a One-Time Password (OTP) sent by text message to a phone (possession). Each of these elements has a well-known bypass: credential stuffing and phishing defeat the knowledge element, SIM swapping defeats the SMS-based possession element, and social engineering can extract either from the victim. As a result, inherence elements are quickly becoming a more prevalent way of achieving SCA. This trend can be seen in both Germany and the United Kingdom, where banks are replacing OTPs and other friction-based authentication methods with Behavioral Biometrics, an inherence element.
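The two-out-of-three rule above is easy to get wrong in practice when a second credential from the same category is counted as a second factor. The following Python is an added example, not BehavioSec code and not a reference implementation of the PSD2 RTS: it models an SCA policy check in which each presented piece of evidence is classified as knowledge, possession or inherence, only evidence the server has actually verified counts, and the authentication passes only when at least two distinct categories are present. The `Factor` type, the `satisfies_sca` function and the sample inputs are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Category(Enum):
    """The three SCA element categories named by PSD2."""
    KNOWLEDGE = "knowledge"    # something the user knows (password, PIN)
    POSSESSION = "possession"  # something the user has (token, registered phone)
    INHERENCE = "inherence"    # something the user is (biometrics, behavioral biometrics)


@dataclass(frozen=True)
class Factor:
    """One piece of authentication evidence presented during a transaction.

    `verified` records whether the server actually validated it (e.g. the OTP
    matched and was unexpired); unverified evidence must never count.
    """
    name: str
    category: Category
    verified: bool


def sca_categories(factors):
    """Return the set of distinct categories backed by verified evidence."""
    return {f.category for f in factors if f.verified}


def satisfies_sca(factors):
    """True when at least two DIFFERENT categories are verified.

    Two credentials from the same category (password + PIN) count as one
    element, which is the mistake this check is designed to catch.
    """
    return len(sca_categories(factors)) >= 2


def explain(factors):
    """Human-readable summary of which categories were satisfied."""
    cats = sorted(c.value for c in sca_categories(factors))
    verdict = "PASS" if satisfies_sca(factors) else "FAIL"
    return f"{verdict}: categories={cats}"


# Constructed sample flows (not real customer data).
PASSWORD_AND_PIN = [
    Factor("password", Category.KNOWLEDGE, verified=True),
    Factor("pin", Category.KNOWLEDGE, verified=True),
]
PASSWORD_AND_SMS_OTP = [
    Factor("password", Category.KNOWLEDGE, verified=True),
    Factor("sms_otp", Category.POSSESSION, verified=True),
]
PASSWORD_AND_BAD_OTP = [
    Factor("password", Category.KNOWLEDGE, verified=True),
    Factor("sms_otp", Category.POSSESSION, verified=False),  # wrong or expired code
]
PASSWORD_AND_BEHAVIOR = [
    Factor("password", Category.KNOWLEDGE, verified=True),
    # Assumed: a behavioral-biometrics score that cleared the provider's threshold.
    Factor("behavioral_biometrics", Category.INHERENCE, verified=True),
]

if __name__ == "__main__":
    for label, flow in [
        ("password + PIN", PASSWORD_AND_PIN),
        ("password + SMS OTP", PASSWORD_AND_SMS_OTP),
        ("password + rejected OTP", PASSWORD_AND_BAD_OTP),
        ("password + behavioral biometrics", PASSWORD_AND_BEHAVIOR),
    ]:
        print(f"{label:35} -> {explain(flow)}")
```

Note that this check only enforces the category rule; it says nothing about whether an inherence signal is strong enough to count, which is a matter for the provider's risk engine and the applicable regulatory guidance.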

Better Authentication. Better Experience

Companies competing in a crowded and demanding market can gain an edge by providing strong, effective security that does not disrupt the user experience. BehavioSec's solution can be integrated into payment providers' new or existing applications to meet the requirements of PSD2 without friction, reducing the risk of fraud while improving customers' digital experience.

At BehavioSec we believe that strong security and a seamless user experience should go hand in hand, detecting and stopping criminals without putting authentication obstacles in the way of genuine customers. Find out how BehavioSec can help you achieve Strong Customer Authentication through Behavioral Biometrics by requesting a demo today!