Expectations for Strong Customer Authentication in 2020
2019 was an exciting and challenging year in the payment and strong customer authentication industry. With New Year’s Eve just behind us, this is a good time to look forward to 2020, both for what we know will happen and for some speculation on what might happen.
Important dates for SCA in 2020
First, some important dates: Back on the 16th of October 2019 the European Banking Authority (EBA) formally released an opinion that postponed the implementation of the Strong Customer Authentication (SCA) requirement, originally intended for the 14th of September 2019, to the 31st of December 2020.
For issuers, there are some important dates before the 31st of December. The exact deadlines can vary by region, but in Europe, these are the requirements: By March 15th Visa will require issuers across Europe to follow EMV 3DS 2.1, followed by a mandate for 3DS 2.2 by September 14th. Similarly, Mastercard will require EMV 3DS 2.1 by October 18th. By December 2020 it is a safe assumption that all use of OTP by SMS will be gone in Europe.
The continued shift to mobile banking
With the move towards 3DS 2.1 and 2.2, it is clear that a lot of issuers will move towards an out-of-band challenge, where typically the end-user does the SCA in an app on their phone. This follows the trend towards single device mobile banking, where end-users do all their banking on their smartphone. Likely, there are already more users on app-based mobile banking than web-based banking in Europe, and by the end of 2020, it is quite possible that mobile banking will pass web-based banking for number of transactions at least for some countries.
How will this impact security? With more app-based SCA it is clear that the use of biometric sensors such as fingerprint readers will become even more common. But, as we’ve described before, this will only cover the inherence factor. Basically, it will let the app know pretty well that there is a person involved in the payment transaction, but this by itself does not protect from fraud. Using a fingerprint does not guarantee that the user knows what is being verified and that the app is not modified.
Predictions for 2020
Finally, five predictions about what will happen in the new year:
- There will likely be a well-publicized mass attack on a banking app also here in Europe
- Large software companies such as Facebook, Apple, and Google will try to become banks
- We will see new innovative attacks, perhaps even video-based phishing based on deepfakes
- Attacks on enterprise and banking infrastructure will become more common. With SCA becoming more common on the consumer side enterprise systems might be considered a softer target.
- Passwords will (hopefully!) become less common. We’ll see more secure apps used instead, such as our Okay solution.