Enabling the PSD2 Strong Customer Authentication While Keeping A Seamless User Experience
- Stefan Kostic, CEO at IPification
- 14.02.2022 10:30 am #Authentication
Stefan has more than 12 years of experience in the fintech and telecom industries and spearheaded business development across the Asia Pacific region for over 8 years before joining IPification. As the Chief Executive Officer of Benefit Vantage Limited & IPification, he is focused on growing the company's mobile authentication technology globally to secure mobile/digital life. IPification has already been recognized and awarded by some of the leading global organizations and enterprises.
In 2015, the Payment Services Directive (PSD2) was passed by the EU aiming to provide consumers and businesses with an easier and safer way to manage their online payments.
To do this, PSD2 set out to break down banks' monopolies on user data by introducing new services as intermediaries between users and the banks, and it demanded strong customer authentication (SCA), which has caused a lot of frustration among businesses.
Many believe you cannot have both strong customer authentication AND a great user experience, and that belief drives the biggest concerns, with good reason: if 53% of mobile visits are abandoned when a page takes more than three seconds to load, what can a business expect after adding extra friction to the checkout process?
Well, it may seem that way, but that isn’t exactly the case, so sit down with your coffee and get ready for a myth-busting session.
And let’s get this out of the way - strong customer authentication is a good thing, it’s there to protect you and your business. In fact, with the right combination of authentication solutions, it’s possible to preserve or even improve your current user experience.
Let’s start from the beginning.
What is Strong Customer Authentication?
The Strong Customer Authentication requirement obliges companies to use at least two of the following three authentication factors, and the two must be independent, so that the compromise of one does not compromise the other:
1) something the user knows - a password, a PIN, or the answer to a security question; note that payment card numbers, the CVV, and expiration dates are not accepted as knowledge factors.
2) something the user is - biometric authentication via fingerprint, Face ID, voice ID, etc.
3) something the user has - a smartphone, a hardware token, a smart card, a wearable device, or another piece of hardware that the user possesses.
And when should strong customer authentication be used? Every time, apart from a few exemptions.
Under the directive's technical standards, a remote payment of €30 or less may go through without SCA (the low-value exemption). That €30 figure is fixed; what depends on a payment provider's fraud rate is the separate transaction risk analysis exemption, whose ceiling rises from €100 to €250 and then €500 as the provider's reference fraud rate falls, a little like how credit scores work. The low-value exemption also carries its own counters: once the payer has made more than five consecutive exempted payments, or the exempted payments since the last SCA add up to more than €100, the next payment must be authenticated.
While these exemptions exist, it's clear that they won't cover most of your checkout flow. So instead, let's focus on choosing the best combination of authentication factors, applied in a way that doesn't deteriorate your user experience or your conversion rates.
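To make the exemption rules concrete, here is an added worked example (not IPification's code, and not taken from the original article) that models the issuer-side decision for the low-value exemption and the transaction risk analysis thresholds. The limits follow the SCA technical standards (Delegated Regulation (EU) 2018/389, Articles 16 and 18); the choice to enforce both the cumulative-amount and the consecutive-count limits at once is this example's conservative reading, since the regulation lets the issuer track either one. The fraud-rate bands are those for remote card payments, amounts are in euros, and the payment sequences at the bottom are constructed sample data.

```python
"""Decision logic for the PSD2 low-value exemption and TRA thresholds (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Fixed limits from RTS Article 16 (low-value remote payments).
LOW_VALUE_LIMIT = 30.00     # single remote payment must be <= EUR 30
CUMULATIVE_LIMIT = 100.00   # previous payments since last SCA must total <= EUR 100
CONSECUTIVE_LIMIT = 5       # previous consecutive payments since last SCA must be <= 5

# RTS Article 18: transaction risk analysis ceilings for remote card payments,
# as (reference fraud-rate ceiling, maximum exempt amount). Ordered best-first.
TRA_BANDS = [
    (0.0001, 500.00),   # fraud rate <= 0.01 % -> up to EUR 500 without SCA
    (0.0006, 250.00),   # fraud rate <= 0.06 % -> up to EUR 250
    (0.0013, 100.00),   # fraud rate <= 0.13 % -> up to EUR 100
]


@dataclass
class PayerCounters:
    """What the issuer tracks per payer since SCA was last applied."""
    cumulative_since_sca: float = 0.0
    count_since_sca: int = 0


def low_value_exempt(amount: float, counters: PayerCounters) -> bool:
    """True if the low-value exemption may be applied to this payment.

    Conservative model (this example's choice): both the cumulative-amount and
    the consecutive-count limits on *previous* payments must still hold.
    """
    return (
        amount <= LOW_VALUE_LIMIT
        and counters.cumulative_since_sca <= CUMULATIVE_LIMIT
        and counters.count_since_sca <= CONSECUTIVE_LIMIT
    )


def tra_threshold(fraud_rate: float) -> float:
    """Largest amount the TRA exemption allows for a PSP with this fraud rate.

    Returns 0.0 when the fraud rate exceeds every band, i.e. no TRA exemption.
    """
    for ceiling, amount in TRA_BANDS:
        if fraud_rate <= ceiling:
            return amount
    return 0.0


def sca_required(amount: float, counters: PayerCounters,
                 fraud_rate: Optional[float] = None) -> bool:
    """Decide whether SCA must be applied to this payment and update the counters.

    Exempted payments (low-value or TRA) accumulate towards the Article 16
    counters; applying SCA resets them, because both counters are defined
    relative to the last application of SCA.
    """
    exempt = low_value_exempt(amount, counters)
    if not exempt and fraud_rate is not None:
        exempt = amount <= tra_threshold(fraud_rate)
    if exempt:
        counters.cumulative_since_sca += amount
        counters.count_since_sca += 1
        return False
    counters.cumulative_since_sca = 0.0
    counters.count_since_sca = 0
    return True


def simulate(amounts: List[float], fraud_rate: Optional[float] = None) -> List[bool]:
    """Run a sequence of payments for one payer; returns True where SCA was needed."""
    counters = PayerCounters()
    return [sca_required(a, counters, fraud_rate) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: seven EUR 20 coffees in a row, then a EUR 80 purchase
    # from a merchant whose acquirer has a 0.05 % reference fraud rate.
    print("EUR 20 x 7:", simulate([20.0] * 7))
    print("EUR 80 with TRA (0.05 %):", simulate([80.0], fraud_rate=0.0005))
    print("EUR 80 without TRA:", simulate([80.0]))
```

The sequence of seven €20 payments shows the counter reset: the seventh payment needs SCA because the previous six already total €120, and the counters start again from zero once that authentication has happened.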
Myth: Strong Customer Authentication Ruins Your User Experience
Currently, most companies worldwide rely on some combination of username/password and SMS OTP user authentication. But while technically in accordance with the directive, these solutions simply aren’t safe enough nor do they boast great user experiences.
Passwords are notoriously easy to guess, phish, or breach, and when 65% of users reuse their passwords across multiple websites, they simply aren't worth the risk.
And remember last year when the Colonial Pipeline was taken down by a single breached password? And this isn’t a lone case. Just one visit to HaveIBeenPwned should be enough to showcase that passwords simply aren’t up to standard anymore.
On the other hand, SMS OTP used for two-factor authentication inherits the design flaws of the SS7 signalling protocol, which let attackers reroute or intercept the OTPs you receive over SMS. And then there's SIM swapping, with a reported success rate of around 80%.
Security-aside, SMS OTP also has quite a low delivery and conversion rate, and it quite frankly just adds friction to the authentication process. You’ve been there, in a hurry and then the 2FA prompt pops up: you type in the number, wait for around ten seconds for the code to arrive - if it arrives - and then type it back in.
A more secure alternative to SMS OTP is authenticator app-based 2FA, where the code is generated in a third-party app on your phone such as Google Authenticator, but the user experience deteriorates even further.
On the other hand, biometrics and mobile IP-address-based authentication bring a far better user experience.
Biometrics such as fingerprint or Face ID are readily available on most smartphones today, albeit with some privacy concerns about the consequences of biometric data being stolen. On modern phones the biometric template stays inside the device's secure hardware and only a yes/no result leaves it, which limits that exposure. And that is precisely the point of strong customer authentication: in the right combination, authentication solutions cover for each other's weaknesses.
Then there is mobile IP-address-based authentication such as IPification. These solutions leverage the mobile network operator's infrastructure to verify users within milliseconds against the unique mobile ID key that the operator holds, giving you a network-verified possession factor with a seamless user experience. Because the check is performed by the mobile network, the device has to be reachable over the operator's mobile data connection at the moment of verification, so plan a fallback for devices on Wi-Fi or on an unsupported operator.
Now, precisely which solutions you choose will depend on your specific case, but it's important to pick complementary ones. And if your primary method of authentication is a password, make sure the second factor is both secure and convenient; otherwise, you risk losing business.