Is This The End Of Mobile SMS Authentication ?
The question is whether SMS Marketing authentication will always be valid when the strong Client Authentication required by the European directive on payment services is going to enter into force.
Banks and online payment service providers sometimes offer SMS to verify the identity of a person who wishes to transfer or confirm a payment. They send a text message with a one-time password to that person’s mobile phone and that person must enter this one-time password in the blank application or on the online payment site.
A question arises, however: will SMS authentication always be valid when the Client Authentication (SCA) required by the PSD2 (Payment Services Directive) will come into force. In August 2016, the European Banking Authority (EBA) published its RTS (Regulatory Technical Standard) project for strong client authentication.
In order to know if SMS-based authentication will continue to exist, we will describe 3 scenarios. And determine which of the three best meets the requirements of this RTS.
Scenario 1: Authentication with two devices (2da)
In this case, the user must use two different devices: one to access the site of his bank or the bank appliance, and the other to authenticate himself or authenticate a payment. The first device, called a bank device, is usually a PC, a laptop or a mobile (smartphone, tablet). The second device, called the authentication device, is a mobile device that receives the SMS. We assume here that the user authenticates to the bank site or appliance using the one-time password sent by SMS (a password or a PIN).
This solution conforms to the RTS when used to connect to the bank site or appliance. The solution may be compliant to sign a transaction, but only if two conditions are met. First, the SMS must contain details of the transaction (eg amount and beneficiary). Secondly, the content of the SMS must be protected between sending and receiving on the mobile. This latter obligation is not obvious as SMSs are rarely protected.
Therefore, SMS-based authentication can be used to connect, but not to sign.
Scenario 2: Two-app authentication (2aa)
Unlike the first scenario, this approach does not require two different devices, but two apps that work simultaneously on the same device. Apps interact via app-to-app communication. These apps are called respectively the bank application and the authentication application. The authentication application asks and receives the SMS.
Standard SMS-based authentication is not compliant for two reasons. The first one, the SMS can be intercepted and modified during its sending. The second reason, the SMS can be intercepted by a malware on the mobile, which does not comply with the principle of channel separation of the RTS.
This solution can become compliant if the content of the SMS message is protected through an end-to-end secure channel that ends with the authentication app so that only the app can decrypt the SMS. But it is not the standard approach.
Scenario # 3: Application Authentication (1aa)
In this case, the user uses a single device and a single application to initiate and authenticate his transactions. The user does not use any other device or authentication application.
This scenario is not in conformity with the requirements of the PSD2 because there is no separation of the channels. Using the SMS does not allow it.
We are still awaiting the final version of the strong Client Authentication requirements of PSD2. If nothing changes over the published project, it is clear that SMS-based authentication will encounter major difficulties in meeting the requirements of the new directive, particularly with regard to the payment validation process. Web Development company