SCA Industry Challenges
First published: 27/03/2020
When implementing Strong Customer Authentication (SCA), most organisations face a number of challenges. And after having discussions with different players across the PSD2 SCA industry, we have found that some are much more uniform than others, regardless of company size or type of bank. As a result, we have put together a list of the top 8 SCA challenges, which over the next 8 weeks, we will be diving deeper into one at a time.
Challenge 1 | SCA Security and 2FA
While it is easy to think that PSD2 and SCA boils down to 2-factor authentication and dynamic linking, the security requirements in the RTS reaches much further than that. There are strong requirements for security that protects not only the authentication itself, but also the authentication process. This is an aspect of the RTS that tends to be overlooked, especially by the business-centric part of issuer organisations.
Challenge 2 | The taxonomy of SCA Mechanisms
There are many mechanisms at work throughout the SCA process. PC-smartphone authentication, low bandwidth, and other constraints are some of the elements that are causing headaches. Looking at the authentication path from an end-user perspective, we dive deeper into these elements and the challenges they pose.
Challenge 3 | SCA for Low-tech Phone Users and Fallbacks
Even though most people use smartphones with proper Internet access, some users will continue to use their low-tech phones with bad bandwidth. That is why the challenge of how to ensure RTS SCA compliance for low-tech phone users, or when the bandwidth fails, is something all issuers will have to face. Of course, ensuring the user experience for these users is important even if they represent just a small percentage of total users. But how do we solve these issues?
Read more about SCA for low-tech phone users >>
Challenge 4 | The Mobile OS headache
A vast majority of mobile users do not have an updated OS on their phones. Either they neglect to perform the necessary updates, or the manufacturers stops supporting OS updates on the device. This is a major issue, especially among Android users, and creates a permanent security risk. What implication does that have for SCA compliance, and which strategies would be best suited for managing security for this user base?
Challenge 5 | Innovative Malware Attacks
Malware is probably the most innovative type of attack that SCA solutions should shield from. However, these types of attacks are hard to predict due to their innovative nature. How can we best predict where the next attack is coming from? And, how can we neutralise these attacks?
Challenge 6 | The Cost of SCA Integration
Implementing an SCA solution can be very costly. Some solutions might be costly by themselves, but then there is the cost of the actual implementation. Is it possible to take part of the cost out of the equation, and, how can you cope with the potential SDK “spaghetti plate”?
Read more about the cost of SCA integration >>
Challenge 7 | Enrolment and Re-enrolment
The enrolment and re-enrolment stages are critical in the SCA process. There are many ways to enrol or double-check the enrolment of a user, and this is critical to the security of the authentication. How can it be done? How can it be done with a mobile-only solution?
Challenge 8 | SCA for Corporate Transactions
SCA was designed to protect individuals. However, corporations wiring funds are more likely to be targeted by hackers. Whether starting the transaction on a treasurer’s PC, or using a CFO’s mobile phone for approval on the move, how can we protect a corporate transaction? Can it be done in a PSD2 SCA compliant way? These are the challenges we are facing each day, and that we constantly working on handling in the Okay SCA solution. Are you facing any particular challenges? Please let us know.