Okay LogoOkay Logo

SCA for low-tech phones and fallback options

14/02/2020

artifact

Today it is easy to assume that everybody has a smartphone and are able, and willing, to use it for all tasks, including banking. That is not always the case though. A significant number of users either won’t or can’t use a smartphone for banking purposes. How do we deal with that? How can we offer a PSD2 SCA compliant authentication without a smartphone?

These are questions that are often brought to the table by long established banks and enterprise banks. These are the type of banks that most often have to deal with users not being able to use smartphones for authentication, and thus have to provide an alternative SCA metode for their clients. 

Challenger banks and neo-banks on the other hand, does not have to deal with the same issues. The reason is quite clear: Challenger banks are basing their entire business model on the fact that their user are able to do everything on a smartphone. In therms of technology these banks have an easier job in becoming SCA compliant. Since they do not have an old client base they need to facilitate, they are free to build client base that are comfortable and willing to use their smartphone for all banking purposes.  

When is a fallback needed?

There are some typical scenarios where there is a clear need for a fallback option to the smartphone SCA solution:

  • Enterprise users that don’t want to use or can’t use a personal smartphone in their work
  • Users who do not have a smartphone
  • Situations where there is no wifi or mobile internet
  • When there is doubt about the integrity of the user’s smartphone

There are no official number for how large the non-smartphone market is. In some cases we have heard numbers as hight as 20 % of the customer base that do banking without smartphones. For any bank that represents a significant number of clients, and the banks have to supply these user with a fallback alternativ for SCA. 

What are the fallback options?

So, when a client can’t or won’t use their smartphone for SCA, what are the technical alternatives and do they keep the authentication process SCA compliant? Let’s take a look at the different alternatives and how they stand in terms of compliance:

  • The conventional  way is to use a code generator, or a dongle. Traditionally this was a time based code generator, where you press a button and got a code which authenticate you. The obvious disadvantage is that dongles are expensive and inconvenient to users, particularly since they have to support dynamic linking with the transaction details in order to be SCA compliant. 
  • Another common mechanism is to use SMS OTP sent to the user’s dumb-phone. As we have talked about before; SMS is very vulnerable to malware, and using OTPs make the user vulnerable to phishing. This is thus not considered a SCA complaint option. 
  • A less used option is to use a voice call to the user. In the call the transaction details are repeated to the user, or the user is either asked to enter a TAN from the screen during the call, or to enter a TAN from the call on their computer. This is a SCA compliant option, and it is this mechanism that we in Okay have decided to support as the alternative to smartphone SCA. 
  • An older alternative, no longer is legal in Europe, is to use printed listings of TAN codes. Surprisingly some banks have been used this method until the end of last year.
  • A last, and perhaps obvious, alternative is to ask the users to go to a physical bank location, bringing their physical identification with them.

Each of these solutions have their disadvantages, but there are situations where an automated call to a landline would be a lifesaver, such as if there is an issue with your smartphone.