It’s 2021: Do You Need Two Channels for Strong Customer Authentication?

Okay did its first compliance audit back in 2016. At the time, the audit framework was provided by the European Central Bank (ECB), in the form of the 2014 “Assessment Guide for the Security of Internet Payments”. Here, one idea sticks out: when a multi-purpose device is used for the ownership element, the payment and SCA should be done in separate or independent channels. This was smart considering how internet banking was done ten years ago.

Eventually, the ECB recognised that banks would start using apps as a possession factor because two factors were already needed to use the app. Payments then could be initiated with just a password. However, given that viruses and malware were quite common, this caused a lot of security problems. In this context, requiring a separate channel for SCA also makes a lot of sense.

During our 2016 audit, the requirement for an independent channel made us have some lengthy discussions. How could we best ensure that our own SCA channel would be both separate and independent from the rest of the mobile device’s operating system? The solution we ended up implementing was to use a separate voice call that could run in tandem with our SDK. This would allow a one-time PIN from the voice call to be entered into a secured screen displayed by the SDK.

Looking ahead, we might see future regulation on how to delegate payment authorisation to IoT devices, and how merchants instead of banks can perform SCA. These topics we are already discussing and working on today.

Be sure to read this article in full at okaythis.com/blog.

Who is Okay?
Okay is the fully PSD2 compliant Strong Customer Authentication platform that provides transaction and authentication security to apps, shielding the entire authentication process from any threats. We help all issuers, remittance services, and e-wallet providers comply with PSD2’s SCA requirements to deliver multiple authentication methods, including biometrics and strong security mechanisms at the point of transaction. Want to get to know us better? Visit okaythis.com.