Regulation, integration and push authentication: factors to consider in the run-up to PSD2

Simon Rodway|29 November 2017

We are all familiar with the sound of our mobile devices pinging or vibrating to let us know that something has arrived that we might be interested in. There are now numerous methods employed by mobile operating system vendors and app developers to draw our attention to the fact that new content is available: everything from badges to banners, alerts and various other types of messages.

A more recent use of this notification channel is to push messages that ask the recipient to act. In authentication specifically, an attempt to sign in or to make a payment triggers an alert on the user's enrolled mobile device, where they confirm or decline the request. Push authentication is convenient and, when the approval is bound to the device and to the request it answers, secure, so its use is growing quickly – not least because it offers a way to meet the strong customer authentication (SCA) requirement of the EU's revised Payment Services Directive (PSD2), whose technical detail is set out in Regulatory Technical Standards drafted by the European Banking Authority (EBA).

PSD2 requires payment service providers, including the third-party providers (TPPs) that access accounts on a customer's behalf, to apply SCA, and the EBA's current draft Regulatory Technical Standards (RTS) on SCA set out how. The directive itself (Article 4(30)) defines SCA as authentication based on two or more independent elements from the categories knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is), where independence means that the compromise of one element does not compromise the others. A push challenge answered on a mobile device registered to the customer is a possession element; it is usually paired with a PIN or biometric on that device to supply the second.

Securing from the inside out

As solution providers promote their implementations of push authentication, financial institutions need to consider what it will take to integrate the technology into their existing ecosystem. Mobile-first, push-based solutions typically integrate with a bank's existing channels through web APIs, whether deployed on premises or in the cloud, so the integration itself can be done quickly. Yet integration is only the first step in implementing SCA. Financial institutions will need to demonstrate compliance with the SCA requirements and satisfy their own internal governance processes. Solution providers are working out how to answer the compliance question for their own products, but a bank's security department remains responsible for the level of protection afforded to the organization itself as well as to its customers. Internal governance includes disaster recovery planning and security validation steps such as penetration testing and scalability testing; since every login and payment will pass through the push service, its availability and its behaviour when the push channel is unreachable deserve particular attention in that plan.

Good push authentication solutions rely on more than a notification. The authentication runs over a channel isolated from the one in which the login or payment was initiated, typically a mutually authenticated TLS connection in which the app presents a per-device X.509 client certificate, with NIST-approved algorithms such as AES and ECDSA protecting the messages. Done properly, this gives three things: the bank knows it is talking to the enrolled device (the possession element), the customer knows the request came from the bank and not from a look-alike, and the customer's approval, signed with a key that never leaves the device, cannot later be repudiated. For remote electronic payments the RTS also require dynamic linking: the authentication code must be tied to the specific amount and payee, so the push message should display those details and the signed approval must cover them, otherwise a transaction altered in the browser channel would be approved unnoticed. Such solutions take time for internal governance teams to validate and verify – work the RTS require in order to demonstrate compliance.
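To make the non-repudiation and dynamic-linking points concrete, here is an added example in Go of the core of a push approval. It is not Entersekt's code and does not describe any vendor's protocol: the bank issues a single-use challenge carrying the amount and payee, the enrolled device signs exactly what it displayed with a key generated at enrolment, and the bank verifies the signature, the binding to the issued details, single use and expiry. The message layout, field names and digest encoding are this example's own assumptions, and the transport (mutually authenticated TLS with a per-device X.509 client certificate) is assumed to be in place and is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Challenge is what the bank pushes to the enrolled device over the out-of-band channel. Amount and Payee
// bind the approval to this payment (the RTS "dynamic linking" requirement); ID is a single-use nonce.
type Challenge struct {
	ID, Amount, Payee string
	Expires           int64 // Unix seconds after which an approval is no longer accepted
}

type Approval struct {
	Challenge Challenge // exactly as displayed to the user
	Accepted  bool
	Sig       []byte // ASN.1 DER ECDSA P-256 signature over digest(Challenge, Accepted), device-bound key
}

// digest canonically encodes the signed fields; length prefixes keep field boundaries unambiguous.
func digest(c Challenge, accepted bool) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s|%d:%s|%d:%s|%d|%t",
		len(c.ID), c.ID, len(c.Amount), c.Amount, len(c.Payee), c.Payee, c.Expires, accepted)
	return h.Sum(nil)
}

var (
	ErrUnknownDevice = errors.New("device not enrolled")
	ErrNoChallenge   = errors.New("no outstanding challenge with this ID (never issued or already used)")
	ErrBadSignature  = errors.New("signature does not verify under the enrolled device key")
	ErrTampered      = errors.New("approved details differ from the issued challenge")
	ErrExpired       = errors.New("challenge expired")
)

// NewDeviceKey creates the device-bound signing key at enrolment (a real app keeps it in the hardware keystore and exports only the public half).
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Respond is the device side: it signs what the user actually saw, together with their decision.
func Respond(key *ecdsa.PrivateKey, c Challenge, accept bool) (Approval, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(c, accept))
	if err != nil {
		return Approval{}, err
	}
	return Approval{Challenge: c, Accepted: accept, Sig: sig}, nil
}

// Server stands in for the bank's authentication back end.
type Server struct {
	devices map[string]*ecdsa.PublicKey // device ID -> public key enrolled through the bank's own process
	pending map[string]Challenge        // challenge ID -> challenge awaiting a reply
}

func NewServer() *Server {
	return &Server{devices: map[string]*ecdsa.PublicKey{}, pending: map[string]Challenge{}}
}

func (s *Server) Enrol(deviceID string, pub *ecdsa.PublicKey) { s.devices[deviceID] = pub }

// Issue creates the challenge the bank pushes for a pending payment.
func (s *Server) Issue(amount, payee string, ttl time.Duration) (Challenge, error) {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	c := Challenge{ID: hex.EncodeToString(nonce), Amount: amount, Payee: payee, Expires: time.Now().Add(ttl).Unix()}
	s.pending[c.ID] = c
	return c, nil
}

// Verify returns the user's decision only if the approval answers a challenge the bank issued, unused,
// in time, signed by the enrolled device, and covering exactly the details the bank asked about.
func (s *Server) Verify(deviceID string, a Approval) (accepted bool, err error) {
	pub, ok := s.devices[deviceID]
	if !ok {
		return false, ErrUnknownDevice
	}
	issued, ok := s.pending[a.Challenge.ID]
	if !ok {
		return false, ErrNoChallenge
	}
	delete(s.pending, a.Challenge.ID) // consume first: a failed attempt must not leave a live challenge behind
	if !ecdsa.VerifyASN1(pub, digest(a.Challenge, a.Accepted), a.Sig) {
		return false, ErrBadSignature
	}
	if issued != a.Challenge { // the user approved something other than what the bank issued
		return false, ErrTampered
	}
	if time.Now().Unix() > issued.Expires {
		return false, ErrExpired
	}
	return a.Accepted, nil // a signed decline is still an authenticated message worth logging
}
```

The order of checks is the point. The challenge is consumed before any verification, so a replayed or tampered approval cannot leave a live challenge behind for a second attempt; the signature is checked over what the user saw; only then is that compared with what the bank recorded when it issued the challenge, which is the dynamic-linking check that catches an amount or payee altered before it reached the screen. A genuine decline verifies successfully and is worth logging, since it is the customer refusing a transaction somebody else initiated.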

A financial institution's push authentication solution needs to provide a smooth customer experience, ideally using the phone the customer already carries rather than a separate hardware token they must first find. However the solution works, it is essential that the bank informs its customers of the pending change, and that too takes planning: simply sending an e-mail about a change to security processes will produce a surge of contact center calls. Solutions that add friction to authentication lead to abandoned transactions and, ultimately, to frustration and dissatisfaction with the bank.

Push authentication is Entersekt’s specialty, and we make it our business to keep our technology up to date with international regulations. Entersekt pioneered its push technology back in 2008, receiving the US patent for it in 2014 and the European patent this year, which means that we have a proven track record of harnessing its potential for online and mobile authentication. We can provide your organization with a PSD2-compliant authentication solution that delivers a winning user experience and establishes a trusted platform on which you can innovate for decades to come. Banks across the globe can attest to the successes they have experienced after implementing our solutions – imagine what we could do for you.

About the author

Simon Rodway


Pre-sales solution consultant, UK

Entersekt is an international software development company based just outside of Cape Town, South Africa.

We are leaders in authentication, app security, and payments enablement technology, offering a highly scalable solution set with a track record of success across multiple continents.