PSD2 hastens the demise of SMS OTP

Lelanie de Roubaix|31 January 2019

A month into 2019, the financial services and payments industries are buzzing as the deadline for complying with Europe’s revised payments services directive (PSD2) approaches. A particular cause of concern is the implementation of the regulatory technical standard for strong customer authentication (SCA), which has been a hot topic in boardrooms and at industry events for what seems like years now. Pursuing PSD2 compliance has led to a renewed focus on (and rigorous evaluation of) customer authentication solutions – and some conventional and well-known authentication methods have come under fire as a result.

The most notable of these are one-time passwords delivered via SMS (SMS OTPs or mTANs). One-time passwords as a concept date from the 1980s; SMS delivery came later, and it has since become the default second factor at many financial institutions across the globe, mainly because it is cheap to deploy and asks nothing of the customer beyond a phone that can receive text messages. Whether it truly meets the requirements for SCA under PSD2 is the question institutions now have to face.

Many industry experts have argued that they don't, because they rely on an intrinsically weak communication channel: SMS provides no end-to-end confidentiality or sender authentication, a message can be diverted by SIM-swap fraud or by abuse of the SS7 signalling network, and malware on the receiving handset can read the code before the customer does. Industry expert Dave Birch endorsed this view on his LinkedIn a couple of days ago, when he quoted a digital security vendor saying, "the SMS channel is fundamentally insecure and there are doubts over whether it actually complies with [PSD2]". Recent research on the state of strong authentication also led advisory firm Javelin Strategy and Research to advise organizations to "sunset" the use of OTPs due to the "vulnerabilities inherent" in the technology.

Just as the technology's weaknesses become harder to ignore, questions over its usability have become more pressing as PSD2 nears. In Europe, research indicates that consumers' resistance to its poor user experience is stronger than ever. Few people have ever enjoyed using OTPs, but they now seem intolerable to more of them, whether because they transact more on their mobile phones or because they are increasingly exposed to alternative authentication methods. Surveys say they are demanding a choice.

Given that positive customer experiences have become a key focus area for most financial institutions and Gartner estimates that, by 2022, organizations with great customer experience during identity corroboration will earn 20 percent more revenue compared to those that don’t, mTANs seem set for a last, short farewell tour before permanent retirement. (Some late-movers will, after all, settle with the devil they know, at least until their customers start making eyes at the competition.)

Waving goodbye to SMS OTP, we can reckon on a leap forward in user authentication and a new era where robust security and a great user experience are part of the same innovative – and compliant – banking or payments experience. Despite understandable worries over PSD2, that’s something to look forward to!

Note: SCA under PSD2 is one of many topics covered in Facing Up to Financial Crime, a 35-page, UK-focused white paper from the Emerging Payments Association to which Entersekt contributed. Released in London today, its headline findings were shared at the World Economic Forum last week. Download it here.

About the author

Lelanie de Roubaix

Marketing communications specialist
