Response to consultation on RTS specifying the requirements on strong customer authentication and common and secure communication under PSD2


Question 1: Do you agree with the EBA’s reasoning on the requirements of the strong customer authentication, and the resultant provisions proposed in Chapter 1 of the draft RTS?

Chapter 1 is trying to redefine strong authentication apparently without taking into account or referencing the large pre-existing body of work in this field. In the context of a Commission delegated regulation, it is especially surprising to overlook what has been developed in the context of the eIDAS Regulation (EU) 910/2014, whose scope includes strong cross-border authentication. For instance, eIDAS Implementing Regulation (EU) 2015/1502 already defines dynamic authentication (which is a more precise and technologically neutral expression for “authentication code”), as well as the three types of authentication factors.
More importantly, (EU) 2015/1502 addresses many other authentication aspects which are not covered in Chapter 1, but are still important to achieve a strong level of authentication (such as enrolment procedure, delivery, activation, renewal, etc.). All standard authentication frameworks (such as NIST SP 800-63 [1] or ISO 29115 [2]) take these aspects into account to specify strong authentication, so their absence from Chapter 1 is disconcerting.
Also, in practice it is likely that the eIDAS interoperability framework will be used by banks and PSPs for cross-border authentication of European citizens to their online services, so it would make sense to build a bridge in the RTS to the eIDAS provisions on authentication. Such a bridge has been proposed in a revision of the Anti-Money Laundering Directive (AML4) by enabling notified eID means under eIDAS for digital on-boarding, and a similar bridge in PSD2 would certainly make sense.
[1] http://csrc.nist.gov/publications/PubsSPs.html#800-63
[2] http://www.iso.org/iso/catalogue_detail.htm?csnumber=45138

Question 3: In particular, in relation to the protection of authentication elements, are you aware of other threats than the ones identified in articles 3, 4 and 5 of the draft RTS against which authentication elements should be resistant?

ISO 29115, chapter 10, has an extensive list of threats for the three categories of credentials: http://www.iso.org/iso/catalogue_detail.htm?csnumber=45138

Question 9: With regards to identification between PSPs, do you agree that website certificates issued by a qualified trust service provider under an e-IDAS policy would be suitable and allow for the use of all common types of devices (such as computers, tablets and mobile phones) for carrying out different payment services?

The argument at paragraph 75 in favor of using website certificates issued by a general Certificate Authority is rather weak. In practice website certificates are not “implemented”; they are installed (i.e. copied) on web application servers to configure their behavior with regard to the SSL/TLS protocols. As such, switching from a DV/EV SSL certificate to a qualified website authentication certificate (QWAC) would require very little configuration work. This work has to be performed routinely anyway by all PSPs due to certificate expiration.
Therefore, in my view the only real argument against option 1 comes from the doubts about the availability of the QWACs (paragraph 74), and on this topic I would like to make a few remarks:
- A recent ENISA report about QWACs [1] establishes that more than 70 European CAs currently offer SSL certificates which are recognized by the main browsers, and more than 50 of these are already qualified TSPs for other types of certificates. Also, 18 TSPs are currently members of the CA/Browser Forum, offer EV certificates and are qualified TSPs for other types of certificates. So today there is a large number of TSPs which could potentially offer QWACs with reasonably low effort.
- Despite this large number of potential candidates, so far only a few TSPs have stated their intent to offer qualified website certificates. From my discussions with CAs, my understanding is that some TSPs are looking for a significantly profitable use case before adding QWACs to their portfolio (an obstacle that ENISA calls “lack of market demand”). By selecting option 1, the PSD2 RTS would de facto create a significant market demand, and this would certainly lead these hesitant TSPs to offer QWACs.
- Member States have expressed their confidence in the near-future availability of qualified website certificates by making them mandatory for the eIDAS nodes of the interoperability framework which will support cross-border authentication. According to the cryptographic specifications of the interoperability framework [2], until 2018 either EV or qualified certificates may be used, and qualified certificates are mandatory from 2018.
As described in paragraph 73, QWACs offer the highest level of security for all parties, which is what would be expected from PSD2. As there is no disadvantage and no serious risk, option 1 should be selected.
[1] https://www.enisa.europa.eu/publications/qualified-website-authentication-certificates
[2] https://ec.europa.eu/cefdigital/wiki/download/attachments/23003348/eidas_-_crypto_requirements_for_the_eidas_interoperability_framework_v1.0.pdf

Please select which category best describes you and/or your organisation

Public administration

Please select which category best describes the services provided by you/your organisation

Other

If you selected "Other", please provide details

We develop and run all kinds of public online services to citizens and companies, and we will also operate the eIDAS nodes for cross-border authentication.
Disclaimer: I am the Luxembourg representative in the eIDAS Expert Group. The comments posted here are personal and do not represent an official LU position.

Name of organisation

Luxembourg Government IT Center