Password-free login procedures as a key player in digital transformation

PSD2 and Open Banking open up new possibilities in the digital transformation of banking. A promising approach here is FIDO, which offers strong yet user-friendly authentication mechanisms and is applicable to many other areas, our authors write. The Payment Services Directive 2 (PSD2) requires banks in the EU to offer interfaces for accessing customer accounts. This allows third-party providers to offer new cross-bank services. With this opening of the banks, the EU hopes to create incentives for more innovation and competition. Switzerland is also moving towards opening up with its open banking efforts. Even though this is based on self-regulation, it will face the same challenges as the EU. Before third-party providers may use these interfaces, the consent of the account holder must be obtained. The Regulatory Technical Standard (RTS), which complements PSD2, requires banks to strongly authenticate the customer for such consents. This means that authenticity is proven by means of two independent security features from the areas of “knowledge” (e.g. password), “possession” (e.g. mobile phone) and “inherence” (e.g. fingerprint, Face ID).

Challenges with third-party access

While customers used to have to access account information directly from their bank, this will now also be possible via third parties (so-called Third-Party Providers, TPP). This creates new challenges for the parties involved, especially if the information is obtained from several banks in parallel. Suppose a customer wants to manage the account information of his three banking relationships via a TPP. Each of the three banks would then have to obtain the customer’s consent by means of strong authentication, which could be cumbersome, since the banks use a variety of strong authentication mechanisms (PhotoTAN, mTAN, SecurID, etc.) today. Such a procedure would be incomprehensible to most customers and probably even unacceptable. It can therefore be assumed that the pressure to harmonise authentication means will grow with PSD2.

Standards contribute to simplification

The use of standards, together with the use of smartphones as security tokens, could bring simplification. One possible standard is FIDO (Fast Identity Online), which defines a standardised interaction between different authentication mechanisms. In particular, FIDO can easily combine established authentication methods on smartphones (for example Face ID, fingerprint or voice) with those on the server side. The FIDO standard is based on public-key cryptography. The server side, in this case the bank, knows the customer’s public key. The customer’s key pair is generated on his smartphone in a secure module (Trusted Platform Module, TPM); the private key never leaves this module and is protected by the authenticator. To use the private key, the authenticator requires a characteristic from the area of “knowledge” or “inherence”. Together with possession of the device, this fulfils the requirements of the RTS. It also ensures that the bank’s systems never receive any of the user’s biometric information: this information is stored only on the smartphone and is used by the authenticator to unlock access to the private key.

What would this look like in the scenario described?

If the three banks in question supported FIDO, the customer could confirm their consent simply with their fingerprint, Face ID or voice. PSD2 and Open Banking open up new possibilities for the digital transformation of the banking customer business, because user-friendly strong authentication mechanisms can promote innovation in this environment. FIDO will play a crucial role in this thanks to broad native support from device manufacturers. Since bank customers are also citizens of a country, a canton and a municipality, the same concepts could be reused, without additional effort for the citizen, to provide simple and secure access to e-government services. The use of standards that incorporate the authentication means of today’s smartphones would reduce the overall cost of developing, operating, maintaining and supporting government portals. At the same time, citizens’ experience of using government services would improve, while respecting privacy and data protection rights. This should also fit into the Confederation’s “Digital Switzerland” strategy, which focuses on people in order to integrate them optimally into the transformation processes of the digital society. Whether citizens or bank customers: in the end, it is the same people who use the login procedures that service providers (banks, public authorities, etc.) make available to them. The implementation of the FIDO standard, which supports the authentication means of today’s smartphones, is a very good example of how service providers can meet high demands for both security and usability through technical innovation. In other words, as a key player in the digital transformation, FIDO 2.0 can fully play to its strengths (simple, fast, secure) and thus achieve high user acceptance. And it is precisely this that decides whether a digitalisation project succeeds.

Creative Commons Licence

AUTHOR: Silvano Fari

Silvano Fari is Principal IAM Engineer at AdNovum and has more than 15 years of experience as IT Security Engineer and IT Consultant. He advises customers on identity and access management and web application security issues, develops blueprints and best practices for the use of the NEVIS Security Suite, and supports customers in the implementation of novel authentication solutions.

AUTHOR: Peter Egli

Peter Egli is Principal IT Consultant at AdNovum and has more than 15 years of experience as IT Security Engineer and IT Consultant. The focus of his work is on Identity and Access Management and Cyber Security. He regularly advises leading banks and government agencies on their security strategies and architectures as well as their organizational and technology risks.
