
Current Challenges for Banks and Fintechs

First published: 09/12/2019

updated: 22/10/2022

We made some assumptions when designing the Okay solution, before the Payment Services Directive 2 (PSD2) was even released. Were we correct? Are there still any valid concerns? Read this week’s post to learn more about mobile choices, security, and fintech investments.

Our Basic Assumptions

Back when we started designing the Okay solution, we made the following assumptions:

  • The user-base is moving towards single-device users, and that device will at least in the short-term be a smartphone, with no physical token or dongle.
  • A large percentage of the user-base will run their apps on devices that don’t receive security updates. It is a safe assumption that many of these devices can be infected with malware, and might already be infected.
  • There will be a lot more competition on the product side within the bank and fintech markets.

While we made these assumptions before the PSD2 was finalised, we had read earlier guidelines from the EBA on payments and electronic money that influenced our train of thought. This also led us to assume that the regulatory frameworks wouldn’t get more lenient, based on how the official requirements appeared to increase in strictness.

So did we make the correct assumptions? Let’s break it down further.

Mobile-first

“The user-base is moving towards single-device users, and that device will at least in the short-term be a smartphone, with no physical token or dongle.”

This assumption is correct, in the sense that the web is now “mobile-first”, with the highest percentage of traffic now coming from mobile devices. While there are fewer statistics on the use of physical dongles, there are hardly any new banks that use physical devices. It seems safe to say that new banks and fintech initiatives are going for an “app first” strategy.

Security Updates Problem

“A large percentage of the user-base will run their apps on devices that don’t receive security updates. It is a safe assumption that many of these devices can be infected with malware, and might already be infected.”

This second assumption is also correct: when it comes to security updates, the situation has not gotten much better. There are more than 2.5 billion active Android devices today, coming from 180 different manufacturers. Only about two-thirds of these run a version released after Oreo in August 2017.

Combined with the fact that only devices released after January 31st, 2018 are guaranteed two years of security updates, it would be a conservative estimate to say that two-thirds of all Android phones no longer receive security updates. The situation on the iPhone side is a bit better, however: 900 million possible devices are still receiving the latest updates, as long as the phone does not date from before 2015.

Investment in Fintechs

“There will be a lot more competition on the product side within the bank and fintech markets.”

We are still a bit unsure when it comes to this last assumption, because investments in fintechs have varied somewhat over the last few years. But, at least for 2018, and most likely 2019, there has been massive growth in new companies, bringing with them new concepts and new innovations.

We are seeing a lot of this innovation taking place in Europe and in Asia. In countries like China, a lot of payments are now going through apps such as WeChat. Meanwhile, in Europe, there are new, innovative banking and finance apps launched on a nearly daily basis.

What Happens Next?

The rapid explosion in innovation creates an interesting problem for both new and existing companies: they experience market pressure from innovation and regulation, but at the same time, a lot of potential users are running their apps on platforms that might not have gotten a security update in years.

One option is of course to simply say that “we don’t care about users with older smartphones”, but this can be hard to justify to investors.

Instead, we suggest another option: the Okay solution. Take a look at our offerings, where we use an approach that already assumes innovative malware is targeting your app.
