
Part 1/8: SCA Industry Challenges - Security and 2FA

Published: 13.01.2020

Updated: 13.01.2020

Author: Fabien Ignaccolo

There is no denying that two-factor authentication (2FA) has significantly improved authentication security. But is 2FA enough to cover the requirements of strong customer authentication (SCA) under PSD2? 

Passwords and password reset systems have proven to be a prime target for hackers, and thus simple password protection is a known security risk. Adding a second factor to the authentication process - whether it is possession, inherence or knowledge - does help fight cyber crime, but is it enough to keep it secure?

Security Requirements in the RTS

Through discussions with different players in the industry, we have noticed a lack of focus on the security of the 2FA process itself. In our opinion, this is a huge oversight.

The security of the 2FA process should be prioritised in order to fully protect the overall authentication process. Although the RTS does not specify a required level of security, it requires security implementation on many of the steps. A few of these include:

  • protecting the transaction, its information and the authentication,
  • protecting the dynamic linking and
  • preventing new, innovative attacks.
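
As an added illustration of what "protecting the dynamic linking" means in practice (this is example code written for this article, not Okay's SDK or product code): under the RTS, the authentication code for a payment must be specific to the amount and the payee, so a code computed for one transaction cannot be reused for another or for a modified one. The sketch below binds a MAC to the amount, currency, payee and a one-time server challenge using a device-bound key, then shows that a tampered amount, a swapped payee or a replayed challenge all fail verification. The device key, the payee identifier and the challenge value are constructed placeholders, and the server-side "used challenge" set is an assumption about how replay would be tracked.

```python
import hashlib
import hmac
import json

# Constructed placeholder: in a real deployment this key is generated on the
# device during enrolment and never leaves it. Fixed here so the example is
# deterministic.
DEVICE_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)


def canonical_payload(amount_cents: int, currency: str, payee: str, challenge: str) -> bytes:
    # Both the device and the server must MAC exactly the same bytes, so the
    # transaction details are serialised in one canonical form (sorted keys,
    # no whitespace). The same dictionary is what the app shows the user for
    # approval, so "what you see is what you sign".
    return json.dumps(
        {"amount": amount_cents, "currency": currency, "payee": payee, "challenge": challenge},
        sort_keys=True,
        separators=(",", ":"),
    ).encode("utf-8")


def generate_auth_code(key: bytes, amount_cents: int, currency: str, payee: str, challenge: str) -> str:
    # The authentication code is an HMAC over the transaction details and the
    # server challenge, so it is specific to this amount, this payee and this
    # transaction attempt.
    return hmac.new(key, canonical_payload(amount_cents, currency, payee, challenge), hashlib.sha256).hexdigest()


class DynamicLinkVerifier:
    """Server-side verifier (hypothetical). Recomputes the code from the
    details it is asked to execute and rejects reused challenges."""

    def __init__(self, device_key: bytes) -> None:
        self._key = device_key
        self._used_challenges: set[str] = set()  # assumption: replay tracking per device

    def verify(self, amount_cents: int, currency: str, payee: str, challenge: str, code: str) -> bool:
        if challenge in self._used_challenges:
            return False  # replay of an already-consumed challenge
        expected = generate_auth_code(self._key, amount_cents, currency, payee, challenge)
        # Constant-time comparison so a timing side channel does not leak the MAC.
        if not hmac.compare_digest(expected, code):
            return False
        self._used_challenges.add(challenge)
        return True


def demo() -> dict:
    # Constructed values: a one-time challenge issued by the server for this
    # transaction and a placeholder payee account identifier.
    challenge = "c8d1-example-challenge-0001"
    payee = "PAYEE-ACCOUNT-PLACEHOLDER"
    verifier = DynamicLinkVerifier(DEVICE_KEY)

    # The device MACs the details the user actually approved on screen.
    code = generate_auth_code(DEVICE_KEY, 12500, "EUR", payee, challenge)

    results = {}
    # Malware altering the amount or payee after approval: the MAC no longer matches.
    results["tampered_amount"] = verifier.verify(99900, "EUR", payee, challenge, code)
    results["tampered_payee"] = verifier.verify(12500, "EUR", "ATTACKER-ACCOUNT-PLACEHOLDER", challenge, code)
    # The genuine transaction verifies and consumes the challenge.
    results["genuine"] = verifier.verify(12500, "EUR", payee, challenge, code)
    # Presenting the same code again is rejected as a replay.
    results["replayed"] = verifier.verify(12500, "EUR", payee, challenge, code)
    return results


if __name__ == "__main__":
    print(demo())  # → {'tampered_amount': False, 'tampered_payee': False, 'genuine': True, 'replayed': False}
```

The important design point is that the code is computed over the details the user saw and approved, not over a separate "approve?" prompt; that is what makes a later change to the amount or payee detectable. Protecting the key and the display on the device is the part this sketch cannot show and is where the malware threat discussed below comes in.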

Without proper security throughout the authentication process, one of the factors can easily be broken, and a fraudster will be able to take control of the smartphone and compromise the security of the authentication.

A good example of this comes from WeLiveSecurity, which discovered a trojan that could break into PayPal's security even with 2FA activated.

The Fight Against Hackers

As we in the security industry step up our game, so will the hackers and fraudsters. At Okay, we believe that malware is the most innovative vector for attacks. Hackers will either use malware to launch mass attacks, or they will aim attacks at specific, targeted individuals. Company treasurers and individuals who are wealthy in their own right are prime targets.

In order to be fully PSD2 SCA compliant, the solution where the authentication happens has to be secured properly. Thus, 2FA is just part of the PSD2 SCA solution.

At Okay we have taken this to heart, leaving us extra 'paranoid' about security. As a result, we always assume that there will be an attack on our security; it is just a matter of when. This mindset has been the driving force behind building our SCA solution to include security mechanisms that protect both the authentication process and the transaction.

How is your security around transactions and their authentication processes? Join in on the conversation via LinkedIn.


This is the first article in a series about the challenges in the SCA industry. Read the next article in the series: Challenge 2 - The taxonomy of SCA mechanisms.
