Using 2FA is About to Get much More Common
Is PSD2 the newest android in the upcoming Star Wars movie? Nope, it is something much more prosaic: a European Union directive that will make it much more likely that you'll be using multifactor authentication in the future, if you're not doing so already.
PSD2 is the Second Payment Services Directive, imposed by the European Banking Authority of the European Union (EU) in 2018, to take effect on September 14, 2019. It requires that any website which accepts payment supports two-factor, if not multifactor, authentication to help improve security. This is called Strong Customer Authentication (SCA).
What is Multifactor Authentication?
Multifactor authentication (MFA), and two-factor authentication (2FA), are used to make logging into a system or a website more secure, typically by inputting something you know (such as a password), getting a one-time passcode on something you have (such as a phone) or automatically sending a signal from something you already registered (such as your mobile device). Adding a second layer of security, or even more, makes it less likely that someone who obtained your password could break into your accounts.
The Regulatory Technical Standard goes further in defining SCA. It generally applies only to transactions over a certain amount, typically €30, or beyond a certain number of transactions. It also sets rules for the authentication codes themselves: knowing an old authentication code must not let you derive a new one, and you can't make more than five failed authentication attempts within a time limit, typically fifteen minutes.
The Problem with Biometrics
As with multifactor authentication in the U.S., biometric methods (also known as "something you are"), such as fingerprints, could also be used for the second authentication method. But biometric methods aren't necessarily the best choice for the second factor. Not all smartphones support them, and not all people feel comfortable using them. And even some smartphones that do support biometrics have turned out to have errors, such as security holes or accepting a stick of gum rather than a fingerprint at login.
Adding the Encryption Factor
Another possibility for the second factor is WhatsApp. Because it is end-to-end encrypted, it is more secure than some other channels, such as email, for sending one-time passcodes. With the new WhatsApp Business API, even large companies can now benefit from WhatsApp's encryption technology with the scalability and reliability that enterprise transactions require. Many Europeans already use WhatsApp, so they're familiar with WhatsApp's security features and ease of use.
Payment Transactions Require More
For mobile and online payments, PSD2 also requires a unique authentication code that is sent to the user.
Finally, once a user completes a financial transaction, the payment system has to send information back to the user so the user knows what purchase has just been made. This information includes the authentication code, data about the merchant, and the amount of the payment. This part alone is going to be pretty complicated, because there isn't a well-defined way yet to take the authentication code and combine it with this data.
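The code rules from the SCA section above (an old code reveals nothing about a new one; no more than five failed attempts within fifteen minutes) and the binding of the code to merchant and amount described here can be sketched in one server-side helper. This is an added example, not code from the original article or from any payment provider: the class name, the HMAC construction, the per-transaction nonce, the 6-digit code format and the constructed secret are all assumptions.

```python
import hmac
import hashlib
import secrets
import time

LOW_VALUE_LIMIT_CENTS = 30 * 100   # SCA generally applies above about €30 (from the article)
MAX_FAILED_ATTEMPTS = 5            # at most five failed attempts ...
LOCKOUT_WINDOW_SEC = 15 * 60       # ... within a time limit, typically fifteen minutes


class ScaAuthenticator:
    """Hypothetical server-side helper: issues and verifies per-transaction codes."""

    def __init__(self, user_secret: bytes, now=time.time):
        self._secret = user_secret   # constructed secret; in practice per-user key material
        self._now = now              # injectable clock so the lockout window can be tested
        self._pending = {}           # txn_id -> nonce for codes that have not been used yet
        self._failures = []          # timestamps of recent failed attempts

    def requires_sca(self, amount_cents: int) -> bool:
        """Low-value transactions may be exempt; everything above the limit needs a code."""
        return amount_cents > LOW_VALUE_LIMIT_CENTS

    def _code(self, txn_id: str, payee: str, amount_cents: int, nonce: str) -> str:
        # Dynamic linking: payee and amount are part of the MAC input, so a code issued
        # for one purchase cannot be replayed for a different merchant or a changed amount.
        msg = f"{txn_id}|{payee}|{amount_cents}|{nonce}".encode()
        digest = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

    def issue(self, txn_id: str, payee: str, amount_cents: int) -> str:
        # A fresh random nonce per transaction: knowing an old code gives no way to derive a new one.
        nonce = secrets.token_hex(8)
        self._pending[txn_id] = nonce
        return self._code(txn_id, payee, amount_cents, nonce)

    def _locked_out(self) -> bool:
        cutoff = self._now() - LOCKOUT_WINDOW_SEC
        self._failures = [t for t in self._failures if t >= cutoff]   # forget old failures
        return len(self._failures) >= MAX_FAILED_ATTEMPTS

    def verify(self, txn_id: str, payee: str, amount_cents: int, code: str) -> bool:
        if self._locked_out():
            return False                      # too many recent failures: refuse even a correct code
        nonce = self._pending.get(txn_id)
        if nonce is None:
            return False                      # unknown transaction or code already consumed
        expected = self._code(txn_id, payee, amount_cents, nonce)   # recomputed over what was submitted
        ok = hmac.compare_digest(expected, code)
        if ok:
            del self._pending[txn_id]         # single use
        else:
            self._failures.append(self._now())
        return ok
```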
Merchants are also concerned that the new security requirements will make customers less likely to buy products online.
What does this mean for you?
Because PSD2 is so complicated, companies are unlikely to develop EU-only versions of their systems or websites that support multifactor authentication for their EU clientele. Consequently, merchants will implement PSD2 and SCA-compliant multifactor authentication for all payments, just in case.
What that means is, as a consumer, you'd be wise to be prepared to use multifactor authentication for payments in the future. As many as one in four internet sales will likely use multifactor authentication, as opposed to the small percentage using it now, according to Mastercard. (The good news? Regular customers may become exempt from the SCA rules.)
If you're a vendor, you have even more of a reason to support multifactor authentication. It will be the law, even if you only rarely have EU customers.
Another reason? When SCA gets implemented, criminals may move to systems that are seen as being less secure. So even if you're not required to implement PSD2 and SCA, you may wish to implement multifactor authentication anyway – that is, if you're not doing so already.