Okay LogoOkay Logo

SCA Security and 2FA

03/02/2020

artifact

There is no denying that two-factor authentication (2FA) has significantly improved authentication security. But, is 2FA enough to cover the requirements of strong customer authentication (SCA) under PSD2? 

Passwords and passwords resetting systems have proven to be a prime target for hackers, and thus a simple password protection is a known security risk. Adding a second factor to the authentication process - whether it is is possession, inherence or knowledge - does help fight cyber crime, but is it enough to keep it secure?

Security requirements in the RTS

Through discussions with different players in the industry we have noticed a lack of focus on the security of the 2FA process itself. In our opinion that is an oversight. The security of the 2FA process should be prioritised in order to fully protect the authentication. Although the RTS does not specify a required level of security around the authentication process, it requires security implementation on many of the steps: Protect the transaction, its information and the authentication, protect the dynamic linking and prevent from new innovative attacks, just to mention a few. 

Without proper security throughout the authentication process, one of the factors can easily be broken, and a fraudster will be able to take control of the smart phone and compromise the security of the authentication. A good example of this is from Welivesecurity; they discovered a trojan malware that could break into Paypal’s security even with 2FA activated. 

The fight against hackers

As we, the security industry, step up our game, so will the hackers and fraudsters. At Okay we believe that malware is the most innovative vector for attacks. Hackers will either try to use malware to start mass attacks, or they will use attacks to specific targeted individuals. Company treasurers or individuals who are wealthy in their own right are prime targets for attacks. 

In order to be fully PSD2 SCA compliant the solution where the authentication happens has to be secured properly. Thus, 2FA is just part of the PSD2 SCA solution. At Okay we have taken this to heart and we are paranoid about security. As a results we assume that there will be an attack on our security, it is just a matter of when. This mindset has been the driving force when building our SCA solution with security mechanisms to protect the authentication process and the transaction. 

How is your security around transactions and their authentication process?