By now, most people in the payments world understand the role of the European Payment Services Directive 2 (PSD2) in formalising, for the first time, the requirements for Strong Customer Authentication (SCA). PSD2 also outlines the many use-cases which were required by law from September 14, 2019.
An authentication is considered strong if it dynamically combines at least two out of three types of authentication factors: inherence, possession or knowledge. In other words, “something you are,” “something you have,” and “something you know.”
Inherence factors – something you are – refer to biometrics: namely face, fingerprint and voice authentication. These identifying features are the top three for which mature authentication methods are already present in today’s market. The upside of any inherence factor is that it’s distinctive, while the downside is that once this particular authentication method has been compromised (which is easiest to achieve with fingerprints), it cannot be changed and thus becomes unusable forever.
Possession – something you have – is a convenient and powerful method of authentication, as it allows embedding a relatively complex authentication algorithm in the possessed device. The obvious downside is that anything possessed, such as a card, phone or token, can also be lost or stolen.
Finally, knowledge factors do not require any special devices and as such are the cheapest and most convenient. However, they have the inherent disadvantage of relying on human memory. The most typical example of a knowledge factor is a password. If it is too easy to remember, it is probably easy to guess, and if it is too complex, it is hard to remember.
It is hardly surprising that passwords like “123456,” “qwerty” and “password” have been among the top 10 most common passwords for the last decade. On the flip side, in organizations with strict password policies, 20%-50% of customer support calls are for password resets, according to Gartner Group.
Finding the right authentication method
To explore opportunities for relying on knowledge-based authentication factors without the downsides and vulnerability of password-based authentication, we joined forces with PixelPin – a UK-based startup that provides a picture authentication solution, designed and built by world leaders in cybersecurity.
We deployed the PixelPin authentication as part of our PSD2-compliant access-to-account test environment, which exposes APIs implemented according to the Berlin Group NextGenPSD2 standard.
Here’s how our joint solution works:
- A third-party application sends a payment initiation request to our environment on behalf of an account owner. In the response to the request, our system indicates that an authentication will be performed and sends back a URL to which the account owner should be redirected.
- PixelPin’s solution allows the user to upload a personal picture or choose a gallery image, then memorize four touchpoints on it; those touchpoints become their login. According to studies conducted by MIT research teams, the brain dedicates around 30% of the cortex to visual processing (compared to around 8% for touch and 3% for hearing). This means that when presented with visual information such as points on a personal picture, the brain is better able to categorise and store that information. This increased processing leads to a greater chance of recall, which is seen in PNAS studies where the average person can remember more than 2000 pictures with at least 90% accuracy over a period of several days. PixelPin incorporates all these intrinsic biological practices to create a better, more memorable user experience.
- Once the authentication is successful, the third-party application sends a cryptographic token to Credorax’s API. Credorax’s banking system then validates the token and confirms it can proceed with the payment.
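The three steps above, modelled as an added example (not Credorax’s or PixelPin’s code): the bank side is simulated in-process, the response field names (`transactionStatus`, `paymentId`, `_links.scaRedirect`) follow the Berlin Group NextGenPSD2 redirect approach, and the token format, the signing key and the `sca.example` host are assumptions. The point of interest is the final validation: the token is signed, time-limited, bound to one `paymentId` and consumed once.

```python
import hmac, hashlib, json, time, secrets, base64

ASPSP_KEY = secrets.token_bytes(32)  # constructed: the bank's token-signing key (assumption)
_payments = {}                       # paymentId -> record (in-memory stand-in for the bank's store)

def initiate_payment(body: dict) -> dict:
    """Step 1: the TPP posts a payment initiation; the bank answers with a redirect URL."""
    payment_id = secrets.token_urlsafe(16)
    _payments[payment_id] = {"body": body, "status": "RCVD", "sca_done": False}
    return {
        "transactionStatus": "RCVD",
        "paymentId": payment_id,
        "_links": {"scaRedirect": {"href": f"https://sca.example/auth?paymentId={payment_id}"}},
    }

def issue_sca_token(payment_id: str, ttl: int = 300, now=None) -> str:
    """Step 2 (after the user passes the picture-based SCA on the redirect page):
    mint an HMAC-signed token bound to this paymentId so it cannot be replayed
    against another payment or after it expires. Token layout is an assumption."""
    now = int(time.time()) if now is None else now
    claims = {"pid": payment_id, "exp": now + ttl, "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    mac = hmac.new(ASPSP_KEY, payload, hashlib.sha256).digest()
    _payments[payment_id]["sca_done"] = True
    return base64.urlsafe_b64encode(payload + mac).decode()

def validate_sca_token(payment_id: str, token: str, now=None) -> bool:
    """Step 3: the TPP presents the token; the bank checks signature, expiry,
    payment binding and single use before it proceeds with the payment."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token)
        payload, mac = raw[:-32], raw[-32:]
        expected = hmac.new(ASPSP_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):   # constant-time signature check
            return False
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return False
    rec = _payments.get(payment_id)
    if (rec is None or not rec["sca_done"] or rec["status"] != "RCVD"
            or claims.get("pid") != payment_id or claims.get("exp", 0) <= now):
        return False
    rec["status"] = "ACCP"   # accepted: only now may the payment proceed
    return True
```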
Many regulators and lawmakers are following the Second Payment Services Directive with the standards and rules they introduce across the globe. This makes SCA, which is presently a European phenomenon, a strong candidate for global adoption as a standard authentication method, at least in financial services.
However, a knowledge-based factor could potentially become the weakest link of the whole customer authentication mechanism. And even though it is possible to impose extremely complex password policies on users, there’s little doubt these will simply result in a high level of password lockouts and password reset support calls, leading to a drastic increase in the total cost of ownership.
Under these circumstances, it might be the perfect time to find a better way for knowledge-based user authentication. We believe that our joint proof-of-concept with a leading company in the field is a blueprint of such future solutions which will soon become prolific in the market.
At Credorax, we’re always looking for solutions like these to make the online experience better for our merchants and their customers. To learn more about our solutions, or to join forces on a collaboration project, contact us: firstname.lastname@example.org.