- Question ID: 2018_4366
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 98
- Paragraph: 1
- Subparagraph: a
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 22, (2)(a)
- Name of institution / submitter: VBB AS
- Country of incorporation / residence: Norway
- Type of submitter: Other
- Subject matter: Showing a password after it has been masked
- Question:
Article 22, 2(a) states that "personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication". Is it OK to offer the user a "show password" button, so the user can verify that the correct password has been entered, before fulfilling an authentication?
- Background on the question:
In the Bank “N” ID web client the users enter their security credentials in three different windows when authenticating. First you enter your SSN, then in the next window you enter your one-time password and finally you enter the personal password. Our question is related to the latter: if the security credential is masked when displayed, can the user be offered a "show password" button, so the entered password can be controlled by the end user in plain text before submitting it?
- Submission date:
- Final publishing date:
- Final answer:
Article 22(1) of the Commission Delegated Regulation (EU) 2018/389 states that payment service providers (PSPs) shall ensure “the confidentiality and integrity of the personalised security credentials of the payment service user […] during all phases of authentication”. Article 22(2) continues by stating that for that purpose they should ensure that “personalised security credentials are masked when displayed and are not readable in their full extent when input by the payment service user during the authentication”; “personalised security credentials in data format, as well as cryptographic materials related to the encryption of the personalised security credentials are not stored in plain text”; and “secret cryptographic material is protected from unauthorised disclosure”. In other words, personalised security credentials (PSC) cannot be stored in plain text, PSCs shall be protected from unauthorised disclosure and they should be masked when displayed and not readable in their full extent. It follows that the PSP should not display the password if readable in its full extent. However, it could display one character of the password as and when the payment service user inputs it, while masking the other characters of the password.
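The behaviour the answer permits, as an added example written for this page (it is not the EBA's, the submitter's or any bank's code): a small JavaScript model of a web-client password field that shows only the character just typed and re-masks it on the next event, refuses the full-text "show password" toggle from the question, and a check that a rendered string exposes at most one character of the credential. The class and function names, the bullet mask character and the "reveal until the next event" window are assumptions made for illustration.

```javascript
// Added example, not from the page or the EBA. Models the masking rule from
// RTS Art. 22(2)(a) as read in the EBA answer: the credential is never
// displayed readable in its full extent, but the character being input may
// be shown while the rest stays masked. Names and mask glyph are assumptions.

const MASK = "\u2022"; // "•", the assumed mask glyph

// Render what the screen may show for a given secret. With revealLast=true
// only the most recently typed character is in clear; otherwise everything
// is masked. Works on code points so a surrogate pair counts as one char.
function renderMasked(secret, revealLast) {
  const cps = Array.from(secret);
  if (cps.length === 0) return "";
  if (!revealLast) return MASK.repeat(cps.length);
  return MASK.repeat(cps.length - 1) + cps[cps.length - 1];
}

// Check a rendered string against the rule: every position is either the
// mask glyph or the secret's own character, and at most one is in clear.
function exposesAtMostOneChar(secret, shown) {
  const s = Array.from(secret);
  const d = Array.from(shown);
  if (s.length !== d.length) return false;
  let clear = 0;
  for (let i = 0; i < s.length; i++) {
    if (d[i] === MASK) continue;
    if (d[i] !== s[i]) return false; // a character that is not the secret's is a rendering bug
    clear++;
  }
  return clear <= 1;
}

// Hypothetical field model. In a browser the <input> keeps type="password"
// and a separate display element is updated from display() on each input
// event and from blur() on focus loss; the secret itself is never rendered.
class PasswordField {
  constructor() {
    this.secret = "";        // the PSC as entered; held for submission only
    this.revealLast = false; // true only between a keystroke and the next event
  }

  type(ch) {
    if (Array.from(ch).length !== 1) throw new RangeError("one character per keystroke");
    this.secret += ch;
    this.revealLast = true;  // the just-typed character may be shown
    return this.display();
  }

  backspace() {
    this.secret = Array.from(this.secret).slice(0, -1).join("");
    this.revealLast = false; // deleting must not expose the new last character
    return this.display();
  }

  blur() {
    this.revealLast = false; // any event other than typing re-masks the field
    return this.display();
  }

  display() {
    return renderMasked(this.secret, this.revealLast);
  }

  // The "show password" button from the question: the credential would be
  // readable in its full extent, which the answer says the PSP must not do.
  showAll() {
    throw new Error("full-text reveal of a personalised security credential is not permitted");
  }

  // Hand the credential to the authentication step and clear the field.
  submit() {
    const s = this.secret;
    this.secret = "";
    this.revealLast = false;
    return s;
  }
}

module.exports = { MASK, renderMasked, exposesAtMostOneChar, PasswordField };
```

The model keeps the reveal to one character and one event: typing "pas" yields "p", "•a", "••s" in turn, and a blur or backspace returns the whole field to bullets. The user's wish to verify what was typed is met per keystroke rather than by a full-text toggle, which is the distinction the answer draws.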
- Status: Final Q&A
- Answer prepared by: the EBA.
- Disclaimer: The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.