
Can Strong Customer Authentication (SCA) be Web-based?

First published: 18/06/2021

updated: 21/10/2022


A question we often face during customer discussions is whether or not we support web browser-based authentication. Our answer so far has remained the same: we focus on mobile-based authentication, particularly by helping payment service providers (PSPs) secure customer authentication through their smartphone apps. In this post, we explain why this is the case and discuss some signs hinting at browser-based authentication becoming more popular in the future.

The Three Factors: Possession, Knowledge, and Inherence

As we've discussed before, under PSD2 you are required to use at least two of the three authentication factor categories when performing SCA, and the factors must be independent of each other so that the compromise of one does not compromise the others. The categories are possession (something you own), knowledge (such as a password), and inherence (something you are).

For the possession factor, most app-based SCA uses a "device fingerprint" derived from the hardware properties of the device. These properties are collected during onboarding so that, later on, the PSP can verify that the SCA is taking place on the same device. For knowledge, passwords and secret codes are the most common. The last factor, inherence, is typically collected by a biometric sensor, such as a fingerprint reader.

Can 'Possession' be Collected by a Web Browser?

With a mobile app, the factor of possession typically gets implemented using a device fingerprint. However, the situation for web browsers is different. Here, the closest equivalent is "cookies," which identify the browser to the website on every visit. While cookies are useful for security purposes, they can be cleared by the end-user, making them far less permanent than a device fingerprint based on hardware properties.

Because a cookie is sent with every request, it is also a bearer token: anyone who obtains a copy, whether by intercepting an unencrypted connection in a man-in-the-middle attack, through malware on the PC, or through a cross-site scripting flaw in the website, can present it as if they were the user. The alternative for web browsers is to mimic mobile apps by "fingerprinting" the unique properties of the browser itself (screen size, installed fonts, user agent, and so on). You can test how unique your web browser is by visiting amiunique.org. The real weakness of this approach is that two identically configured PCs produce near-identical fingerprints, while a browser update can change the fingerprint of the same PC.

Can 'Knowledge' be Collected by a Web Browser?

With a web browser, the knowledge factor can be implemented by requiring the user to enter a secret code or a password. As you may already know, Okay's SDK can prompt the user for a secret code, which provides the knowledge factor.

This also works in a web browser, and it is something that many users have gotten painfully used to over the years. Yet, the challenge with both web browsers and mobile SDKs is that most people don't like to remember passwords. There is also a strong tendency to avoid using a password manager and instead reuse the same password everywhere, which means that a single leaked password can be replayed against every account the user has (so-called credential stuffing). I'm sure many people still use the same PIN code on their luggage lock as they do on their debit card. As such, I strongly recommend using haveibeenpwned.com, which allows you to check how many times your email address has appeared in a password and/or account leak.

Can 'Inherence' be Collected by a Web Browser?

The last factor is inherence, or something you are. On the web browser side, even though many modern laptops come with fingerprint readers, it is still not a universal feature. A quick check of a hardware pricing comparison tool showed that 792 out of 1685 laptops released in the last 18 months have a fingerprint reader, which is a bit less than half. By comparison, a built-in biometric sensor has been a standard feature of smartphones for many years.

Of course, just like one could argue that many laptops don't have fingerprint scanners, another could argue that many users still do not use smartphones. But let's leave the challenges that come with low-tech phones to another discussion.

Dynamic Linking and Secure Execution Environments

In addition to the three factors listed above, the RTS on SCA impose two more requirements for a PSD2 compliant payment. The first is dynamic linking: the authentication code must be specific to the amount and the payee, the payer must be shown both while authenticating, and any change to either must invalidate the code. The second is that, when a multi-purpose device such as a phone or PC is used, the authentication must happen in a separated secure execution environment.

Out of these two requirements, it is particularly the secure execution environment that is problematic. A web browser runs on a general-purpose operating system that the PSP does not control, alongside extensions and whatever malware the user has picked up, and it is the browser that both renders the transaction details the user confirms and carries the confirmation back to the server. Given the long history of browser vulnerabilities, it is not advisable to consider a web browser a secure execution environment.

WebAuthn and a Possible Future for Web Browser Authentication

I can already hear someone asking, "Well, what about using WebAuthn?" WebAuthn is a W3C standard, developed together with the FIDO Alliance over the past six years, that builds public-key authentication right into the web browser. With WebAuthn, the private key of a credential is stored in an authenticator (a platform authenticator such as a laptop's fingerprint reader, or a roaming one such as a USB security key), and the authenticator signs a server-provided challenge that the web application receives through the web browser. WebAuthn is undoubtedly attractive, and it has good potential to let users avoid passwords when authenticating to websites in the future.

However, when doing PSD2 compliant SCA, a couple of problems need to be considered. For instance, the requirement for the transaction to be verified in a secure environment makes it challenging to do SCA in a computer web browser when the transaction details are displayed in the same web browser that the transaction was initiated in. While the authenticator and the fingerprint reader can be secure, the user confirms an amount and payee rendered by the browser, so trusting that the customer's web browser is secure isn't a good idea.

Additionally, although it is possible to use a dedicated hardware security key as a WebAuthn authenticator, such a key has no display of its own: it signs whatever challenge the browser hands it and never shows the user the amount or the payee. That doesn't quite align with the requirement that the payer sees the transaction details on a trusted device while verifying them.

Yet, perhaps the biggest practical issue with WebAuthn is that many end-users (or even most) don't know which web browser they're using. In practice the credential is tied to the browser or platform it was registered from, so if they switch to another web browser, whether by their own choice or by the OS vendor's choice, chances are they'll be confused when their credentials no longer work.

At Okay, we monitor technology such as WebAuthn closely, as we know there will always be a percentage of users without smartphones looking for an alternative to mobile-based SCA.

—————

If you are interested in discussing how to secure customer authentication for your banking app, you can reach out to us at hello@okaythis.com.

Follow us on LinkedIn