2018_4039 Qualification of SMS OTP as an authentication factor

Question ID: 2018_4039
Legal act: Directive 2015/2366/EU (PSD2)
Topic: Strong customer authentication and common and secure communication (incl. access)
Article: 97
COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
Article/Paragraph: 7
Type of submitter: Other
Subject matter: Qualification of SMS OTP as an authentication factor
Question: Please clarify whether a One-Time Password (OTP) sent via SMS to a mobile phone qualifies as an ownership factor (“something only the user possesses”), and shall be subject to Article 7 of the RTS on strong customer authentication and secure communication.
Background on the question: The SMS OTP qualifies as an ownership factor (“something only the user possesses”) because it is received on a device that the cardholder owns and that has been securely associated with the cardholder by the issuer.
This ensures a valid alternative authentication method for cardholders without a smartphone with biometric capabilities.
Submission date: 28/06/2018
Final publishing date: 05/10/2018
Final answer: Paragraph 35 of the EBA opinion on the implementation of the Commission Delegated Regulation (EU) 2018/389 (Regulatory Technical Standards on Strong customer authentication and secure communication) clarifies that “For a device to be considered possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device”.
In this context, a one-time password sent via SMS would constitute a possession element and should therefore comply with the requirements under Article 7 of the Delegated Regulation, provided that its use is ‘subject to measures designed to prevent replication of the elements’, as required under Article 7(2) of this Delegated Regulation. The possession element would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number.
In addition, regardless of whether a strong customer authentication element is possession, knowledge or inherence, Article 22(1) of the Delegated Regulation requires that “payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication” and Article 22(4) of the Delegated Regulation states that “payment service providers shall ensure that the processing and routing of personalised security credentials and of the authentication codes generated in accordance with Chapter II take place in secure environments in accordance with strong and widely recognised industry standards”.
Status: Final Q&A
Answer prepared by: Answer prepared by the EBA.

Disclaimer

The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.

Organisation and governance

Legal and policy framework

Careers

Supervisory convergence

Direct supervision and oversight

Information for consumers

Ad hoc activities

Risk analysis

Reporting frameworks

Data

Publications

Media centre

Disclaimer