Snippet: SMS OTP's technology’s extreme vulnerability is increasingly hard to ignore, and questions over its usability have become more pressing as PSD2 nears. Research indicates that consumers' resistance to its poor user experience is stronger than ever.

A month into 2019, the financial services and payments industries are buzzing as the deadline for complying with Europe’s revised payments services directive (PSD2) approaches. A particular cause of concern is the implementation of the regulatory technical standard for strong customer authentication (SCA), which has been a hot topic in boardrooms and at industry events for what seems like years now. Pursuing PSD2 compliance has led to a renewed focus on (and rigorous evaluation of) customer authentication solutions – and some conventional and well-known authentication methods have come under fire as a result.

Read: Dos and Don'ts for the successful implementation of PSD2

The most notable of these are one-time passwords delivered via SMS – SMS OTPs or mTANs. First introduced in the early 80s, these have become the standard solution for user authentication, widely deployed by many financial institutions across the globe for their relative cost-effectiveness. But whether they truly meet the requirements for SCA under PSD2 is the question institutions now have to face.

Many industry experts have argued that they don’t, because they rely on an intrinsically weak communication channel. Industry expert Dave Birch endorsed this view on his LinkedIn a couple of days ago, when he quoted a digital security vendor saying, “the SMS channel is fundamentally insecure and there are doubts over whether it actually complies with [PSD2]”. Recent research on the state of strong authentication also caused advisory firm Javelin Strategy and Research to advise organizations to “sunset” the use of OTPs due to the “vulnerabilities inherent” in the technology.

For more on the decline of one-time passwords read our white paper, OTP: Security past its expiration date.

Just as the technology’s extreme vulnerability is increasingly hard to ignore, questions over its usability have become more pressing as PSD2 nears. In Europe, research indicates that consumers resistance to its poor user experience is stronger than ever. No-one has ever enjoyed using OTPs, but they really do seem intolerable to more people now, whether because they are using their mobile phones more to transact or because they’re increasingly exposed to alternative authentication methods. They’re demanding a choice, surveys say.

Given that positive customer experiences have become a key focus area for most financial institutions and Gartner estimates that, by 2022, organizations with great customer experience during identity corroboration will earn 20 percent more revenue compared to those that don’t, mTANs seem set for a last, short farewell tour before permanent retirement. (Some late-movers will, after all, settle with the devil they know, at least until their customers start making eyes at the competition.)

Waving goodbye to SMS OTP, we can reckon on a leap forward in user authentication and a new era where robust security and a great user experience are part of the same innovative – and compliant – banking or payments experience. Despite understandable worries over PSD2, that’s something to look forward to!

Note: SCA under PSD2 is one of many topics covered in Facing Up to Financial Crime, a 35-page, UK-focused white paper from the Emerging Payments Association to which Entersekt contributed. Released in London , its headline findings were shared at the World Economic Forum. Download it here.

Subscribe to our blog.

Lelanie de Roubaix


Research and communications are not only two of Lelanie’s areas of expertise, but passions as well. She heads up Entersekt’s marketing communications team and is the company’s go-to person for industry and market research. A perpetual learner, Lelanie’s thirst for knowledge and sense of curiosity matches her perfectly to the dynamic fintech industry.

Entersekt Logo

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.