We are all familiar with the sound of our mobile devices pinging or vibrating to let us know that something has arrived that we might be interested in. There are now numerous methods employed by mobile operating system vendors and app developers to draw our attention to the fact that new content is available: everything from badges to banners, alerts and various other types of messages.

A recent enhancement of this notification process is the ability to “push” messages that require certain actions. Specifically, in the area of authentication and the ability to sign onto or into something, notification mechanisms are used to push alerts to our mobile devices, where we can confirm or decline requests. Due to its convenience and security, the use of push authentication is on the rise and expected to grow exponentially – not least because it presents a way of meeting the requirement of strong customer authentication (SCA) mandated by the European Banking Authority’s Revised Payment Services Directive (PSD2).

According to PSD2’s current draft Regulatory Technical Standards (RTS) on SCA, financial institutions and third-party providers (TPPs) will need to ensure that their platforms provide SCA. It is most likely that the final RTS will define SCA to entail multi-factor authentication, in which more than one identity-proving factor must be employed, with one of them being a possession factor (“something you have”).

Securing from the inside out

As solution providers look to promote and recommend their implementations of push authentication, financial institutions need to consider what it will take to integrate this technology into their existing ecosystem. Mobile-first, push-based solutions are largely delivered through web-based integration, with either on-premises or cloud-based deployments, and as such can be integrated very quickly. Yet integration is only the first step in implementing SCA. Financial institutions will need to consider compliance with SCA, in addition to their own internal governance processes. Solution providers are working on how to answer the compliance question for their own solutions, but banks’ security departments will need to ensure the required level of protection for the organization itself as well as the customer. Internal governance processes include a disaster recovery process and security validation steps, such as penetration and scalability testing.

Good push authentication solutions make use of complex techniques, addressing authentication over isolated channels, often using X.509 certificate technology and NIST-approved encryption. This ensures that communication between the customer and the institution is secure, while also meeting the requirement to have multiple possession factors, thereby providing attested end-to-end guarantees for both parties with non-repudiation. Such solutions take time for internal governance teams to validate and verify – actions that are required by the RTS to confirm compliance.

A financial institution’s push authentication solution needs to provide a smooth customer experience, ideally without the need for the customer to first search for their hardware device. However its solution works, it is essential that the bank inform its customers of the pending change – something that also takes planning, as simply sending an e-mail about a change in security processes will result in a surge of contact center calls. Furthermore, solutions that add friction to the authentication process lead to abandoned transactions, ultimately increasing customer frustration and dissatisfaction with the bank.

Push authentication is Entersekt’s specialty, and we make it our business to keep our technology up to date with international regulations. Entersekt pioneered its push technology back in 2008, receiving the US patent for it in 2014 and the European patent this year, which means that we have a proven track record of harnessing its potential for online and mobile authentication. We can provide your organization with a PSD2-compliant authentication solution that delivers a winning user experience and establishes a trusted platform on which you can innovate for decades to come. Banks across the globe can attest to the successes they have experienced after implementing our solutions – imagine what we could do for you.


Simon Rodway

VP: Customer Delivery

Simon Rodway is an experienced software solutions designer and architect who supports Entersekt’s solutions teams in delivering best-in-class services for our clients. His expertise and knowledge take Entersekt’s solutions from strength to strength across the world. His extensive global experience in the information technology and software development industries ensures a refined industry perspective in growing Entersekt’s presence across the world.

Entersekt is an innovator of customer-centric fintech solutions. Financial services providers and other enterprises rely on our patented mobile identity system to provide both security and the best in convenient new digital experiences to their customers, irrespective of the service channel. With us, they can concentrate on their innovation roadmap, while delivering intuitive, low-friction digital experiences to their customers.