SCA industry challenges
When implementing Strong Customer Authentication (SCA), most organisations come across a number of challenges. Through discussions with different actors in the PSD2 SCA industry, some issues have emerged that are shared across the industry, regardless of company size or whether you are an incumbent or challenger bank.
We have put together a list of the 8 SCA challenges that we will be diving deeper into. Over the next 8 weeks we will be dedicating one blog post per week to these challenges.
Challenge 1 | SCA Security and 2FA
While it is easy to think that PSD2 and SCA boil down to second-factor authentication and dynamic linking, the fact is that the security requirements in the RTS reach further than that. There are strong requirements for security that protect not only the authentication itself, but also the authentication process. This is an aspect of the RTS that tends to be overlooked, especially by the business-centric part of issuer organisations.
Challenge 2 | The taxonomy of SCA mechanisms
There are many mechanisms at work throughout the SCA process. PC-to-smartphone authentication, low bandwidth and other constraints are some of the elements that are causing headaches. Looking at the authentication path from an end-user perspective, we dive deeper into these elements and the challenges they pose.
Challenge 3 | SCA for low-tech phone users and fallbacks
Even though most people use smartphones with proper Internet access these days, some users will continue to use their low-tech phones, and bandwidth will be an issue from time to time for any user. The challenge of how to ensure RTS SCA compliance for low-tech phone users, or when the bandwidth fails, is something all issuers will have to face. Ensuring a good user experience for these users is important even though they represent a small percentage of total users. But how do we solve these issues?
Challenge 4 | The mobile OS headache
A vast majority of mobile users do not have an updated OS on their phone. Either they neglect to perform the necessary updates or the manufacturer stops supporting OS updates on the device. This is a major issue, especially among Android users, and creates a permanent security risk. What implication does that have for SCA compliance, and which strategies would be best suited for managing security for this user base?
Challenge 5 | Innovative malware attacks
Malware is probably the most innovative type of attack that SCA solutions should shield against. However, these types of attacks are hard to predict precisely because of their innovative nature. How can we best predict where the next attack is coming from? And how can we neutralise these attacks?
Challenge 6 | The cost of SCA integration
Implementing an SCA solution can be very costly. Some solutions might be costly by themselves, and then there is the cost of the actual implementation. It all adds up. Is it possible to take part of the cost out of the equation? And how can you cope with the potential SDK “spaghetti plate”?
Challenge 7 | Enrolment and re-enrolment
Enrolment and re-enrolment are critical stages in the SCA process. There are many ways to enrol a user or to double-check the enrolment, and this is critical to the security of the authentication. How can it be done? And how can it be done with a mobile-only solution?
Challenge 8 | SCA for corporate transactions
SCA was designed to protect individuals. However, corporations wiring funds are more likely to be targeted by hackers. How can we protect a corporate transaction, from starting the transaction on a treasurer’s PC to approving it on a CFO’s mobile phone on the move? Can it be done in a PSD2 SCA compliant way?
These are the challenges we are facing each day and that we are constantly working on handling in the Okay SCA solution. Are you facing any particular challenges? Please let us know.