Okay LogoOkay Logo
Go back to Okay blog

Part 1/8: SCA Industry Challenges - Security and 2FA

First published: 13/01/2020

updated: 21/10/2022


There is no denying that two-factor authentication (2FA) has significantly improved authentication security. But is 2FA enough to cover the requirements of strong customer authentication (SCA) under PSD2

Passwords and passwords resetting systems have proven to be a prime target for hackers, and thus a simple password protection is a known security risk. Adding a second factor to the authentication process - whether it is is possession, inherence or knowledge - does help fight cyber crime, but is it enough to keep it secure?

Security Requirements in the RTS

Through discussions with different players in the industry, we have noticed a lack of focus on the security of the 2FA process itself. In our opinion, this is a huge oversight.

The security of the 2FA process should be prioritised in order to fully protect the overall authentication process. Although the RTS does not specify a required level of security, it requires security implementation on many of the steps. A few including:

  • protecting the transaction, its information and the authentication,
  • protecting the dynamic linking and
  • preventing from new innovative attacks.

Without proper security throughout the authentication process, one of the factors can easily be broken, and a fraudster will be able to take control of the smart phone and compromise the security of the authentication.

A good example of this is from Welivesecurity, where they discovered a trojan malware that could break into Paypal’s security even with 2FA activated. 

The Fight Against Hackers

As we, the security industry, steps up our game, so will the hackers and fraudsters. At Okay, we believe that malware is the most innovative vector for attacks. Hackers will either try to use malware to start mass attacks, or they will use attacks to specific targeted individuals. Company treasurers or individuals who are wealthy in their own right are prime targets for attacks. 

In order to be fully PSD2 SCA compliant, the solution where the authentication happens has to be secured properly. Thus, 2FA is just part of the PSD2 SCA solution.

At Okay we have taken this to heart, leaving us extra ‘paranoid’ about security. As a result, we always assume that there will be an attack on our security, it is just a matter of when. This mindset has been the driving force behind the building our SCA solution to include security mechanisms to protect the authentication process and the transaction. 

How is your security around transactions and their authentication processes? Join in on the conversation via LinkedIn.

— — —

This is the 1st article in a series about the challenges in the SCA industry. Read the next article in the series Challenge 2 - The taxonomy of SCA mechanisms.

Follow us on LinkedIn