Replace SMS OTP with device fingerprinting for secure and frictionless authentication


To improve, streamline, and protect payments in the EU (European Union) and EEA (European Economic Area), the European Banking Authority (EBA) offers guidance in the form of PSD2 (Second Payment Services Directive).

The goal of PSD2 was to enforce a common standard to help prevent purchases with nefarious intent, leading to customer financial losses, credit card chargebacks, and other consequences. Strong Customer Authentication can be accomplished in various ways as long as a company meets two of the three requirements of Knowledge, Possession, and Inherence. In short, a customer must provide SMS OTP, Face ID, or a device fingerprint in addition to a username and password.

Many vendors chose to add SMS OTP when SCA came into force on December 31, 2020. While compliant, this introduced extra challenges for the customers. While making an online purchase, they would need to find their phone and input an SMS OTP in addition to the usual credentials they would use. Many companies saw a noticeable decrease in completed transactions as a result. 

However, passive identification methods such as device fingerprinting can remove customer friction while remaining compliant with SCA.


This article will walk through PSD2, EBA, and SCA and how they relate to each other as part of secure payment processes within the EU and EEA. We'll also discuss what it means to be PSD2 compliant and how device fingerprinting can replace SMS one-time passwords as part of a comprehensive SCA strategy for businesses.

Key terms to know in this article

Before diving into the subject, let's familiarize ourselves with key terms used throughout this blog post: PSD2, EBA, and SCA.

What is the European Banking Authority, and what role does it play in payment regulation?

In the European Union, the European Banking Authority (EBA) is a regulatory body that aims to maintain financial stability in the EU's banking sector and safeguard the integrity, efficiency, and orderly functioning of the banking system. In the context of PSD2, the EBA has a pivotal role in shaping the development of payment services across the EU. It sets regulatory technical standards, issues guidelines on implementing PSD2, and ensures consistent application of the rules across all member states.

What is PSD2 (Second Payment Services Directive)?

Established in late 2020, PSD2 sets the minimum regulatory standards for payment services to be implemented by EU Member States. The UK implemented PSD2 before Brexit, so while the UK is no longer a Member State of the EU, it currently follows the same guiding principles and processes for regulating payment services as Member States subject to EU regulation.

Who needs to be PSD2 compliant?

Any organization operating within the EU and EEA that carries out payment transactions or provides payment-related services must be PSD2 compliant. Organizations that must comply include banks, credit card companies, merchants, and even fintech firms. Non-compliance can result in penalties, legal action, and damage to the business's reputation.

Why should a business be PSD2 compliant?

Being PSD2 compliant has several benefits, including, most obviously, the adherence to legal requirements to do so. In addition, these standards help businesses provide a more secure payment process and will reduce instances of fraud across the entire payment journey. 

Operating as a PSD2-compliant business

Businesses need to employ a key feature of PSD2, strong customer authentication (SCA), to be PSD2-compliant.

What is SCA?

Strong customer authentication requires a user to provide at least two authentication factors when initiating an electronic payment. This adds an extra layer of security, makes it harder for unauthorized parties to access consumers' financial data, and reduces the risk of fraud. SCA verification ensures that the person paying presents two or more of the following security features:

  1. Something You Know (Knowledge): Like a password or PIN
  2. Something You Have (Possession): Like a chip card, device fingerprint or SMS OTP (one-time password)
  3. Something You Are (Inherence): Biometrics like a physical fingerprint or Face ID

These factors must be independent of one another; that independence is what makes the result genuine two-factor authentication (2FA).

The requirement for independence as part of two-factor authentication means that the breach of one factor shouldn't compromise the other factors listed above. An example would be the use of a card (something the user possesses) and a PIN (something only the user knows) – the theft of the card should not automatically compromise the security of the PIN because the two factors are independent.

It's important for a business to set these factors up correctly; otherwise it risks more fraud or inaccurate visitor identification.

When does a customer need authentication with SCA?

Multiple places in the customer payment process need protection through strong customer authentication. 

Payment services providers need to offer 2FA during the following instances:

  1. At Login: A customer logs in to their payment account online.
  2. During Checkout or Payment: A customer starts the checkout or transaction process.
  3. Completing High-Risk Actions: A customer takes an action that may indicate a higher risk of account abuse or payment fraud.

Why does a strong SCA strategy matter for preventing fraud?

By verifying users through multiple ways, businesses can ensure that only legitimate and trusted individuals are allowed access to their systems.

Relying on a single identification method can leave companies vulnerable to attack and fraud. For example, if passwords are the only form of authentication used, attackers may be able to carry out an automated credential stuffing attack and gain access to confidential data. Similarly, using more than one type of single sign-on mechanism may provide more protection from attackers attempting to reuse credentials across multiple accounts.

Using various identification techniques such as passwords, device fingerprinting, single sign-on, or other methods provides an additional layer of security, protects sensitive information, and helps prevent unauthorized access or malicious activities from outside parties.

Businesses must implement a comprehensive mix of identification strategies, including passwords, two-factor authentication, biometrics, and machine learning algorithms. Following the framework we mentioned earlier, something you know, something you have, and something you are, can help create strong levels of protection and mitigate the threat posed by malicious actors.

Does a device fingerprint qualify as an SCA element within PSD2?

Yes! A device fingerprint, which identifies a specific device based on its unique characteristics, can be considered an element of 'possession' (something you have). 

As with other SCA authentication methods, businesses cannot rely solely on one factor, such as device fingerprinting. However, it can be combined with a factor from one of the other two categories, Knowledge or Inherence, to create a comprehensive authentication strategy.

Including device fingerprinting as part of a layered approach to SCA can serve as a valuable first line of defense, helping to identify known devices and flagging unfamiliar ones for further authentication. Integrating device identification with other authentication methods (username, password, or Face ID) can create a more comprehensive and effective SCA strategy.
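As an added example (not code from this article or from Fingerprint's SDK), the following server-side check applies the two-independent-categories rule from the SCA section above and the layered flow just described: a device fingerprint counts as the possession factor only when the device was enrolled earlier through a full SCA, and an unknown or weakly matched device is flagged for step-up. The `visitorId` and `confidence` fields, the account store, the confidence threshold, and all ids are constructed assumptions.

```javascript
// Added example: server-side SCA decision for a login or checkout.
// Not Fingerprint's SDK or the article's code; visitorId/confidence fields,
// the account store and all ids are constructed for illustration.

// PSD2 categories of the factors discussed in the article.
const FACTOR_CATEGORY = {
  password: "knowledge",
  pin: "knowledge",
  device_fingerprint: "possession",
  sms_otp: "possession",
  face_id: "inherence",
};
const MIN_CONFIDENCE = 0.9; // assumed threshold for trusting a device match

// Constructed store: devices already bound to the account through a
// full SCA (for example password + SMS OTP on the device's first use).
const accounts = {
  "alice@example.com": { enrolledDevices: new Set(["vid_known_constructed"]) },
};

// presented: [{ type, verified, visitorId?, confidence? }]
// Returns whether two independent categories were satisfied, and why not.
function evaluateSca(account, presented) {
  const categories = new Set();
  const reasons = [];
  for (const f of presented) {
    if (!f.verified || !(f.type in FACTOR_CATEGORY)) continue;
    if (f.type === "device_fingerprint") {
      // A fingerprint only proves possession if the device was enrolled
      // earlier; an unknown or weak match is not a factor and needs step-up.
      const known = account.enrolledDevices.has(f.visitorId);
      if (!known || !(f.confidence >= MIN_CONFIDENCE)) {
        reasons.push(known ? "low_confidence_device" : "unknown_device");
        continue;
      }
    }
    categories.add(FACTOR_CATEGORY[f.type]);
  }
  // Two factors from the same category (e.g. SMS OTP + fingerprint, both
  // "possession") are not independent, so the Set size is what counts.
  const compliant = categories.size >= 2;
  return { compliant, stepUp: !compliant, categories: [...categories].sort(), reasons };
}

// Bind a new device only after a full SCA succeeded on it, so that the
// fingerprint can replace SMS OTP as the possession factor next time.
function enrollDevice(account, visitorId, scaResult) {
  if (!scaResult.compliant) return false;
  account.enrolledDevices.add(visitorId);
  return true;
}
```

A first visit from a new device therefore still goes through a second factor such as SMS OTP once; after `enrollDevice` binds it, later visits satisfy SCA with password plus the recognized device.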

Interested in how this works? You can check out our demo on how to replace SMS OTPs with browser fingerprinting.

Why should businesses use device fingerprinting instead of an SMS OTP?

SMS OTP added unnecessary user friction

SMS OTP lowers overall conversion rates for customers looking to make a transaction. Added friction happens when the user waits for the text message to arrive on their device. Sometimes, there’s a carrier delay, an incorrect phone number, or several other reasons the OTP doesn’t get delivered as the customer expects. An unfortunate result of these delays with SMS OTP is an incomplete purchase. Device fingerprinting works seamlessly in the background of the user’s actions, providing a fast and reliable authentication without requiring a second action from the customer. 

SIM Swapping Fraud

The growing risk of SMS-based mobile fraud worldwide has increased the need for alternatives to one-time passwords sent through SMS. For example, SIM swapping poses a considerable security risk to SMS-based authentication methods.

SIM swapping happens when a fraudster successfully convinces a mobile carrier to transfer another user’s phone number to a new SIM card in the hands of the fraudster. This can have several snowballing effects, including gaining access to accounts with SMS 2FA implemented.

SMS Pumping Fraud

With SMS traffic pumping, fraudsters exploit premium rate numbers, two-factor authentication (2FA), and one-time password (OTP) mechanisms to generate fake SMS traffic through mobile apps and websites. Learn more about stopping SMS Pumping.

Increasing SMS OTP Costs

Each text message sent to verify a login, purchase, or suspicious activity costs the business per message, so costs rise steadily for organizations processing thousands of daily transactions and repeated logins. Device fingerprinting can be an at-scale, cost-effective alternative to costly SMS OTP.

Conclusion 

PSD2 and SCA have fundamentally transformed the EU's payment landscape, raising the bar for security and customer protection. While meeting compliance requirements can be challenging, especially regarding SCA, adopting a layered approach that includes device identification can help businesses balance security and user experience. As we move forward, it's clear that these regulations will continue to shape the future of digital payments.

Replacing SMS OTPs in an SCA process with a highly accurate device identification platform, such as Fingerprint, gives businesses identifiers that are always up to date, require no manual maintenance, add no user friction, and remove the exposure to SMS abuse by fraudsters attempting to gain unauthorized access to accounts.
