The provisions suggested by the EBA to address the requirements of strong authentication are welcomed and Intercede is in broad agreement with the aims and proposal.
We would however propose that some of the recommendations made around certain use cases be revisited. Many years' experience in the industry, and familiarity with its requirements, have shown us that credential issuance and credential renewal are not the same thing and should not be treated as such. Where a consumer is involved, the user journey and experience are of paramount importance to customer satisfaction and retention.
Specifically, a credential renewal should not require a full repeat of what some consider to be an arduous enrolment process. It should be entirely possible to use the expiring credential, while it is still valid and unrevoked, to approve the issuance of its successor without re-enrolment (this method is used routinely for smart card issuance and for SCEP machine certificate renewals, for example). Additional checks can easily be included in the issuing system to selectively block renewal by policy type or for an individual credential, so that a full re-enrolment can still be forced where it is warranted.
In addition to the protection of authentication elements, we believe a further threat exists that may undermine the excellent work undertaken thus far to construct PSD2. An improved method of strong authentication should offer not only non-repudiation and integrity but should also protect the privacy of the user. Should issued strong credentials directly contain personally identifiable information such as names or account numbers? Privacy legislation must be complied with if the solution is to remain robust in the eyes of privacy advocates, who would strongly oppose any decision that leaves an individual's privacy unprotected when sensitive data is communicated online via mobile devices.
In acknowledging an individual's right to privacy, we believe that the EBA should seize the opportunity to protect the privacy of vendors and their customers by strongly advising that all authentication credentials are anonymised: a credential should carry a random identifier rather than a name or account number. Users' account information can then be mapped to that anonymous identifier by the bank alone.
This level of indirection has a significant additional benefit: the same account can hold credentials on several devices, each of which can be revoked independently by disassociating it from the owner's account at the relying party, without affecting the others.
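The renewal and anonymous-identifier scheme described above, as an added example that is not Intercede's code nor any product's: a relying party (the bank) stores credentials under random identifiers mapped to accounts, authenticates a device by a signature over a server-chosen challenge, revokes devices independently, and accepts a successor key only when a still-valid predecessor has signed for it and neither the policy type nor a per-credential block forbids renewal. The use of Ed25519, the renewal message format, the policy names and the credential lifetime are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Credential is the bank-side record for one device key. It holds no PII:
// the link to the owning account lives only in RelyingParty.owner.
type Credential struct {
	PubKey   ed25519.PublicKey // the private half never leaves the device
	Policy   string            // policy type, e.g. "mobile" (assumed name)
	NotAfter time.Time
	Revoked  bool
}

type RelyingParty struct {
	creds         map[string]*Credential
	owner         map[string]string // anonymous credential ID -> account ID, bank-internal
	renewByPolicy map[string]bool   // policy types allowed to self-renew (assumed)
	renewBlocked  map[string]bool   // individual credentials barred from renewal
	lifetime      time.Duration
}

func NewRelyingParty(lifetime time.Duration, renewByPolicy map[string]bool) *RelyingParty {
	return &RelyingParty{creds: map[string]*Credential{}, owner: map[string]string{},
		renewByPolicy: renewByPolicy, renewBlocked: map[string]bool{}, lifetime: lifetime}
}

// Register is the full enrolment step: a fresh device key is bound to an
// account under a random credential ID. One account may enrol many devices.
func (rp *RelyingParty) Register(account string, pub ed25519.PublicKey, policy string, now time.Time) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: refuse to issue
	}
	id := hex.EncodeToString(b)
	rp.creds[id] = &Credential{PubKey: pub, Policy: policy, NotAfter: now.Add(rp.lifetime)}
	rp.owner[id] = account
	return id
}

// live returns the credential only if it exists and is neither revoked nor expired.
func (rp *RelyingParty) live(id string, now time.Time) (*Credential, error) {
	c, ok := rp.creds[id]
	if !ok || c.Revoked || !now.Before(c.NotAfter) {
		return nil, errors.New("credential unknown, revoked or expired")
	}
	return c, nil
}

// Authenticate is challenge-response: the device signs a server-chosen
// challenge, and only the bank resolves the anonymous ID to an account.
func (rp *RelyingParty) Authenticate(id string, challenge, sig []byte, now time.Time) (string, error) {
	c, err := rp.live(id, now)
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(c.PubKey, challenge, sig) {
		return "", errors.New("bad signature")
	}
	return rp.owner[id], nil
}

// Revoke disables one credential; other devices on the same account are untouched.
func (rp *RelyingParty) Revoke(id string) {
	if c, ok := rp.creds[id]; ok {
		c.Revoked = true
	}
}

// BlockRenewal bars a single credential from self-renewal.
func (rp *RelyingParty) BlockRenewal(id string) { rp.renewBlocked[id] = true }

// RenewalMessage is what the expiring key signs to approve its successor.
// Binding the old ID and the new public key stops a captured signature from
// being replayed to enrol some other key. The format is an assumption.
func RenewalMessage(oldID string, newPub ed25519.PublicKey) []byte {
	return append([]byte("renew:"+oldID+":"), newPub...)
}

// Renew issues a successor credential approved by a still-valid predecessor,
// with no repeat of enrolment, subject to per-policy and per-credential gates.
func (rp *RelyingParty) Renew(oldID string, newPub ed25519.PublicKey, sig []byte, now time.Time) (string, error) {
	old, err := rp.live(oldID, now) // an expired or revoked key cannot approve a successor
	if err != nil {
		return "", err
	}
	if !rp.renewByPolicy[old.Policy] || rp.renewBlocked[oldID] {
		return "", errors.New("renewal not permitted; full re-enrolment required")
	}
	if !ed25519.Verify(old.PubKey, RenewalMessage(oldID, newPub), sig) {
		return "", errors.New("bad renewal signature")
	}
	newID := rp.Register(rp.owner[oldID], newPub, old.Policy, now)
	old.Revoked = true // retire the predecessor once its successor is live
	return newID, nil
}
```

The credential record deliberately contains nothing that identifies the customer; a leaked credential store yields public keys and random identifiers, and the account mapping is a separate table the bank alone holds. Retiring the predecessor at renewal is a design choice; a deployment that mirrors smart card practice could instead let it run to its expiry date.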
Whilst Intercede understands the need to offer exclusion clauses in the discussion document, it must be acknowledged that exclusions are difficult to manage: the larger the number of clauses that carry an exclusion, the more complex the system becomes to manage.
It is a widely held belief that the introduction of a high-security authentication capability must be detrimental to the user experience: a more complex password, an additional device to carry, codes to type in, SMS notifications to wait for, and so on. However, a number of technological advances in the past 4-5 years have challenged this view.
There are now solutions such as RapID and FIDO, readily available on the market, which provide the simplest of user experiences whilst delivering high strength cryptographic authentication and signing. Furthermore, these systems no longer rely on complex hierarchical trust relationships and policies that have made deployments at scale so challenging in the past.
With such strong credentials delivered through a user experience that is so much simpler than traditional password, SMS or OTP methods, these solutions can be used for a wide range of transaction types. This effectively removes the need for password-based solutions, reducing costs, improving security and making the user experience very much simpler. Each transaction is protected by strong cryptography, ensuring that not only the monetary value of the transaction is assured but also the reputation and integrity of the vendor.
Current best-of-breed solutions can provide a customer with a simple registration and onboarding process that delivers a trusted credential to their mobile device in seconds. There is no complicated registration process, no SMS delivery of one-time passwords and, most importantly, no more insecure usernames and passwords to remember. Authentication can be entirely challenge-response and signature-based, using public-key standards that have been the cornerstone of internet security for over twenty years.
With the advent of this strong, yet convenient authentication credential, the convergence of high security and a simple, elegant user experience into one solution meets the requirements of both the customer and the security architect.
The time for complex passwords has gone, and the same is true of one-time passwords sent over SMS: NIST (the National Institute of Standards and Technology) has recently re-evaluated SMS OTP and, in its Digital Identity Guidelines (SP 800-63B), deprecated it as an out-of-band authenticator.
Customers rightly expect security, but not at the expense of convenience. The two are no longer mutually exclusive.