2018_4039 Qualification of SMS OTP as an authentication factor

Question ID:

2018_4039

Legal Act:

Directive 2015/2366/EU (PSD2)

Topic:

Strong customer authentication and common and secure communication (incl. access)

Article:

COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations:

Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication

Article/Paragraph:

Disclose name of institution / entity:

Type of submitter:

Other

Subject Matter:

Qualification of SMS OTP as an authentication factor

Question:

Please clarify whether a One-Time Password (OTP) sent via SMS to a mobile phone qualifies as an ownership factor (“something only the user possesses”), and shall be subject to Article 7 of the RTS on strong customer authentication and secure communication.

Background on the question:

The SMS OTP qualifies as an ownership factor (“something only the user possesses”) because it is received on a device that the cardholder owns and that has been securely associated with the cardholder by the issuer.

This ensures a valid alternative authentication method for cardholders without a smartphone with biometric capabilities.

Date of submission:

28/06/2018

Published as Final Q&A:

05/10/2018

Final Answer:

Paragraph 35 of the EBA opinion on the implementation of the Commission Delegated Regulation (EU) 2018/389 (Regulatory Technical Standards on Strong customer authentication and secure communication) clarifies that “For a device to be considered possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device”.

In this context, a one-time password sent via SMS would constitute a possession element and should therefore comply with the requirements under Article 7 of the Delegated Regulation, provided that its use is ‘subject to measures designed to prevent replication of the elements’, as required under Article 7(2) of this Delegated Regulation. The possession element would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number.

In addition, regardless of whether a strong customer authentication element is possession, knowledge or inherence, Article 22(1) of the Delegated Regulation requires that “payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication” and Article 22(4) of the Delegated Regulation states that “payment service providers shall ensure that the processing and routing of personalised security credentials and of the authentication codes generated in accordance with Chapter II take place in secure environments in accordance with strong and widely recognised industry standards”.

Status:

Final Q&A

Answer prepared by:

Answer prepared by the EBA.