Expectations for Strong Customer Authentication in 2020

First, some important dates:

Back on the 16th of October, the European Banking Authority (EBA) formally released an opinion that postponed the implementation of the Strong Customer Authentication (SCA) requirement, changing it from the 14th of September (2019) to the 31st of December (2020). 

For issuers, there are still some important dates to keep in mind before the 31st of December. The exact deadlines can vary by region, but in Europe, these are the requirements:

• By March 15th, Visa will require issuers across Europe to follow EMV 3DS 2.1, followed by a mandate for 3DS 2.2 by September 14th.
• Mastercard will require EMV 3DS 2.1 by October 18th.
• By December 2020, it is a safe assumption that all use of OTP by SMS will be gone in Europe.

With the move towards 3DS 2.1 and 2.2, it is clear that a lot of issuers will move towards an out-of-band challenge, where the end-user typically completes the SCA in an app on their phone. This follows the trend towards single device mobile banking with end-users doing all banking on their smartphones.

Likely, there are already more users using mobile banking apps than web-based banking in Europe, and by the end of 2020, it is quite possible that mobile banking will pass web-based banking for number of transactions.

But how will this impact security? With more app-based SCA, it is clear that the use of biometric sensors, such as fingerprint readers, will become even more common. But as we’ve described before, this will only cover the inherence factor.

Basically, it will let the app know pretty well that there is a person involved in the payment transaction. But this by itself does not protect from fraud: using a fingerprint cannot guarantee that the user knows what is being verified and that the app is not modified.

Finally, here are five predictions we have about what will happen in the new year:

• There will likely be a publicised mass attack on a banking app also here in Europe
• Large software companies such as Facebook, Apple, and Google will try to become banks
• We will see new innovative attacks, perhaps even video-based phishing based on deepfakes
• Attacks on enterprise and banking infrastructure will become more common. With SCA becoming more common on the consumer side enterprise systems might be considered a softer target.
• Passwords will (hopefully!) become less common. We’ll see more secure apps used instead, such as our Okay solution.

If you want to learn more about the future of open finance, SCA and the rise of mobile banking in Europe, follow us on LinkedIn to take part in the conversation, or take a look at our security solutions.