Can SMS be used for Strong Customer Authentication (SCA) under PSD2?
First published: 01/12/2020
Updated: 21/10/2022
Erik Vasaasen
The short answer is: “Yes, but only as the possession factor, and even then there is room for debate about how suitable text messages are, based on the official EBA opinions”. In this week’s post, we cover the evolution of PINs sent via SMS, whether or not they are compliant, who is responsible for their security, and whether they actually prove possession of the SIM.
The Evolution of PINs Sent via SMS
Using text messages as part of the authentication process goes back to the mid-1990s. For many years, it was the main authentication mechanism when paying with a card online.
Back then, the assumption was that you would be using a PC to make your payments, and when authentication was required, you would receive a text message with a PIN on your mobile phone. Under earlier guidance such as the EBA’s “Guidelines on Internet Payments Security” there was even a requirement that the authentication must use a separate channel on a separate device, and a text message to the phone fulfilled exactly that requirement. With the advent of smartphones the situation changed drastically: payments are now frequently initiated on the customer’s phone, so the SMS arrives on the same device the payment was started on. There is just one channel and one device, which created a problem for the existing regulation.
The European Banking Authority (EBA) noticed this shift and most likely recognised that smartphones are here to stay. So, the Payment Services Directive 2 (PSD2) allows payments to be initiated and authorised on the same device, as long as the SCA process itself is secure. We’ve written about this quite a bit, but is it still relevant to use SMS messages, and can they still be used when performing PSD2 compliant SCA?
Is SMS PSD2 SCA Compliant?
Some banks still send a text message with a PIN code that the customer enters into the online banking service to authorise a transaction. Used on its own, this is clearly not SCA under PSD2: one code proves at most one factor. Where an SMS does make sense is to prove possession of a device (based on the phone number it is sent to) as part of an enrolment or re-enrolment procedure. If the SMS can serve as the possession factor, then together with a password or PIN as the knowledge factor you fulfil the PSD2 requirement of two factors out of knowledge, possession and inherence.
But is a text message really sufficient to prove possession? In the Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2, it is stated that “Possession of a device evidenced by an OTP generated by, or received on, a device (hardware or software token generator, SMS OTP)” is compliant with the possession factor for SCA. A bit later, in paragraph 25, it is stated that an OTP is not compliant as the knowledge factor, and that an SMS OTP is not compliant if it is the only SCA element used for EMV® 3-D Secure.
The Reasoning
The reasoning is detailed in this EBA Single Rulebook Q&A entry:
“In this context, a one-time password sent via SMS would constitute a possession element and should therefore comply with the requirements under Article 7 of the Delegated Regulation, provided that its use is ‘subject to measures designed to prevent replication of the elements’, as required under Article 7(2) of this Delegated Regulation. The possession element would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number.
In addition, regardless of whether a strong customer authentication element is possession, knowledge or inherence, Article 22(1) of the Delegated Regulation requires that “payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication” and Article 22(4) of the Delegated Regulation states that “payment service providers shall ensure that the processing and routing of personalised security credentials and of the authentication codes generated in accordance with Chapter II take place in secure environments in accordance with strong and widely recognised industry standards”.
A possible interpretation is that if the SMS contains a PIN which is then used in a secure environment (something we at Okay provide), it can serve as the possession factor, with a password or PIN as the knowledge factor, to prove the authenticity of the user. Enrolling or re-enrolling the customer is an example of such a use case. Note what the SMS does and does not have to do here: the issuer must ensure the code is bound to one session and one mobile number, is short-lived and single-use, and is verified in a secure environment, because Article 7(2) asks for “measures designed to prevent replication of the elements” and Article 22(1) asks for confidentiality and integrity of the authentication code during all phases.
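As an added example (not Okay’s code and not from the EBA texts), the following Python sketch shows what the issuer-side “measures designed to prevent replication” can look like for an SMS OTP used as the possession element of an enrolment flow, combined with a password as the knowledge element. The class and function names, the constants (2 minute validity, 3 attempts), the in-memory store, the `send_sms` callback and the sample phone numbers and password are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3        # assumed attempt budget before the code is burned


@dataclass
class OtpChallenge:
    session_id: str
    phone_number: str
    code_hash: bytes
    issued_at: float
    attempts: int = 0
    consumed: bool = False


def _hash_code(session_id: str, phone_number: str, code: str) -> bytes:
    # Bind the stored hash to the session and the mobile number, so a code
    # captured from one flow cannot be replayed in another (RTS Art. 7(2)).
    return hashlib.sha256(f"{session_id}|{phone_number}|{code}".encode()).digest()


class OtpService:
    """Possession element: an OTP delivered to the SIM behind a mobile number."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # assumed transport callback: (number, text) -> None
        self._now = now             # injectable clock so expiry can be tested
        self._challenges: dict[str, OtpChallenge] = {}

    def issue(self, session_id: str, phone_number: str) -> None:
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._challenges[session_id] = OtpChallenge(
            session_id, phone_number, _hash_code(session_id, phone_number, code), self._now())
        # Plaintext leaves the server only via the SMS transport; it is never stored.
        self._send_sms(phone_number, f"Your enrolment code is {code}")

    def verify(self, session_id: str, phone_number: str, code: str) -> bool:
        ch = self._challenges.get(session_id)
        if ch is None or ch.consumed or ch.phone_number != phone_number:
            return False
        if self._now() - ch.issued_at > OTP_TTL_SECONDS:
            ch.consumed = True          # expired codes are burned, not retried
            return False
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            ch.consumed = True          # brute-force budget exhausted
            return False
        ok = hmac.compare_digest(ch.code_hash, _hash_code(session_id, phone_number, code))
        if ok:
            ch.consumed = True          # single use
        return ok


def verify_password(stored: tuple[bytes, bytes], password: str) -> bool:
    """Knowledge element: salted PBKDF2 hash, constant-time comparison."""
    salt, digest = stored
    return hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest)


def sca_enrol(otp: OtpService, session_id: str, phone: str, code: str,
              stored_pw: tuple[bytes, bytes], password: str) -> bool:
    # Knowledge first, so a wrong password does not spend the OTP attempt budget;
    # the caller only ever sees one combined result.
    if not verify_password(stored_pw, password):
        return False
    return otp.verify(session_id, phone, code)


def demo() -> dict:
    """Run the flow with a captured SMS and a controllable clock (constructed data)."""
    sent, clock = {}, {"t": 1_000_000.0}

    def fake_sms(number: str, text: str) -> None:
        sent[number] = text.split()[-1]     # stand-in for the operator delivering the SMS

    svc = OtpService(send_sms=fake_sms, now=lambda: clock["t"])
    salt = b"constructed-salt"
    stored_pw = (salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000))
    r = {}
    svc.issue("sess-1", "+4712345678")
    code = sent["+4712345678"]
    r["wrong_password"] = sca_enrol(svc, "sess-1", "+4712345678", code, stored_pw, "nope")
    r["first_use"] = sca_enrol(svc, "sess-1", "+4712345678", code, stored_pw, "correct horse")
    r["replay"] = sca_enrol(svc, "sess-1", "+4712345678", code, stored_pw, "correct horse")
    svc.issue("sess-2", "+4712345678")
    code2 = sent["+4712345678"]
    r["other_number"] = sca_enrol(svc, "sess-2", "+4799999999", code2, stored_pw, "correct horse")
    clock["t"] += OTP_TTL_SECONDS + 1
    r["expired"] = sca_enrol(svc, "sess-2", "+4712345678", code2, stored_pw, "correct horse")
    return r
```

What the sketch does not do is equally important: it cannot stop the SMS from being read in transit or on a compromised handset, which is exactly the gap discussed in the next section. Anti-replication on the server limits a captured code to one session, one number and a two minute window, but it does not make the channel confidential.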
Who is Responsible for the Security of the SMS?
There are two issues that we have with this EBA opinion.
The first has to do with the statement that the “payment service provider shall ensure the confidentiality and integrity of the personalised security credentials”. What is the practical implication of this for SMS messages, which carry no end-to-end encryption and pass through operator networks and SMS aggregators in the clear? Does the EBA expect the payment service provider to ensure that the text message is not replicated?
Reading incoming text messages and forwarding them to the attacker is a standard capability of mobile banking malware. And what if the end user is on an old device with known security vulnerabilities? Is the payment service provider responsible for the security of the SMS before it is received by the user or by the app?
Is the SMS the Only Way of Proving SIM Possession?
The second issue has to do with “the possession element would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number”.
A naive interpretation is that the SMS works as indirect proof of possession of the SIM, but it is not the only technical way to verify that possession. A more secure approach is to verify it on the network operator side, using a solution similar to Boku Authenticate, where the operator confirms which SIM is behind the session without sending a text message at all, so there is no code for malware on the handset to capture.
In our view, it is not really clear that a text message can be used as part of a re-enrolment procedure. At the same time, we believe the EBA is very aware of the market, and it is unlikely that it will forbid the use of text messages outright. But the position is unclear enough that issuers should cover for this uncertainty and use OTP by SMS only as a very last resort. One important measure is that the user is authenticated in a secure environment, something we at Okay can help you with.