Delivering Strong Customer Authentication to support PSD2 Compliance

The EU Payment Services Directive (PSD2) will undoubtedly facilitate innovation, competition, and efficiency among banks and other payment institutions. While giving consumers additional choice over how they manage their money and transact online, PSD2 also calls for a heightened security standard for online payments, ensuring consumer protection. With digital fraud growing faster every year, the need for enhanced security protections has never been more relevant.

Under PSD2’s Regulatory Technical Standards (RTS), account and payment service providers must comply with increased security requirements when processing payments or providing account-related services. At the heart of the RTS is the need for Strong Customer Authentication, allowing consumers to be better protected when making transactions online.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is mandatory under PSD2, and article 4.1 requires that users be authenticated using at least two separate elements out of the following three authentication factors:

Knowledge: something they know (a password or PIN code)
Ownership: something they have (a card, a mobile phone)
Inherence: something they are (biometrics, e.g. fingerprint or iris scan).

RTS standards also require various cybersecurity mechanisms be in place in order to mitigate device exposure to risk and ensure secure transactions and payment authorisations.

Payment service providers need to support purchase and login scenarios that utilize SCA while at the same time minimizing the amount of friction incurred by their users, which can result in customer frustration and abandonment. Common forms of additional authentication use one-time passcodes sent through separate, “out-of-band” communication channels like SMS (text message) or email. While SMS and email are widely-used authentication methods, both are subpar user experiences that lead to friction. Likewise, SMS and email are insecure channels and can be compromised by malware, social engineering, “man-in-the-middle” attacks, and other techniques used by fraudsters.

Best-in-class multifactor authentication methods are transparent to the end customer and allow good consumers to transact with the least amount of friction possible, while at the same time are secure communication channels.

The InAuth Solution: InAuthenticate®


Delivered as an SDK, InAuthenticate is a secure two-factor authentication solution built into an organization’s mobile app. It provides a secure means of delivering 2-way, contextual messages to a registered, trusted device through a financial institution’s branded mobile app.

In the context of PSD2, when payment services providers require strong customer authentication for a browser transaction, InAuthenticate pushes to the customer’s registered, trusted mobile device a contextual message with details about the specific transaction. The customer opens and approves or declines the transaction within their bank mobile app. The in-app message can only be received by the intended device, and there is no risk of the message being intercepted, replayed, spoofed, or altered.


InAuthenticate Technology

Trusted Path

Trusted Path is our secure channel of communication, providing an encrypted pathway between the InAuthenticate SDK and InAuth server to send sensitive messages. Trusted Path leverages banking-grade cryptographic algorithms to provide strong protection. Unlike regular HTTPS communications which are susceptible to interception, InAuth’s Trusted Path operates at the messaging layer of the communication stack in order to ensure complete, end-to-end
protection and protect against data leakage, session hijack, interception, and replay attacks. Only the intended device can receive communications sent through Trusted Path, and messages are digitally signed, preventing repudiation.

InPermID

Messages sent through the Trusted Path can only be read by devices identified with an InPermID, our permanent device identifier for mobile apps. InPermID survives app uninstall/reinstall, operating system upgrades, and application upgrades and cannot be spoofed. This allows your organization to recognize and differentiate returning devices with confidence. The mobile device can act as a trusted second factor of authentication, proving the possession or “something you have” element of authentication.

Device Integrity Screening and Risk Analysis

InAuthenticate provides many of the cybersecurity elements required by the RTS including malware detection, geolocation inconsistency cross-checks, anti-tamper verification, and cloaked root / hidden jailbreak detection.

InAuthenticate can be used by both payment services providers as well as aggregators when there is a requirement for Strong Customer Authentication.

InAuthenticate is the tool needed to help achieve Strong Customer Authentication for PSD2 while mitigating against security threats. InAuthenticate’s ability to utilize the device as a second factor of authentication and securely push contextual authentication messages to registered, trusted devices, allowing account and payment service providers to meet many of the challenges of PSD2.

Find out more

Whitepaper: PSD2 – Banking on the Customer to Make Open Banking a Success

Compliance can be a burden, no doubt about it. With ever-increasing regulation, banks need to ensure the agenda set by regulators will not be lost in a mere compliance exercise, but will concurrently enable customers to enjoy the flexibility, simplicity, and security they both need and demand. This InAuth Whitepaper elaborates on the criteria of […]

Use Case: Delivering Strong Customer Authentication to support PSD2 Compliance

InAuthenticate® is the tool needed to help achieve Strong Customer Authentication for PSD2 while mitigating against security threats. InAuthenticate’s ability to utilize the device as a second factor of authentication and securely push contextual authentication messages to registered, trusted devices allows account and payment service providers to meet many of the challenges of PSD2.