Fraud and Security: 2FA Considerations for PSD2

Raili Liiva

10 Oct 2017 -

5 min read


The second Payment Services Directive (PSD2) is less than three months away from enforcement. While the regulation’s text is lengthy, a key component of the law is its extended reach in comparison to the first directive. PSD2 applies to all payment service providers and affiliates, including account information service providers and payment initiation service providers. In addition, the law applies when at least one part of the transaction is in the European Union. This means that payment service providers and their affiliates outside of the EU must comply with the law when the payer is in the EU. The additional geographical reach guarantees the same level of security expectations for all EU residents regardless of the location of the payment service provider.

Strong authentication requirements updated

The idea of PSD2 is to give consumers more rights over their data and security. Before PSD2, if a user had a weak password and was hacked, it was the user’s fault and the user’s problem. Hopefully, the firm worked with the user to restore any losses that occurred from the hack, if only for the sake of PR. However, the new directive puts the responsibility for strong customer authentication (SCA) on payment service providers and their partners. Yes, that means that if a user has a weak password, no two-factor authentication, and is hacked, blame is placed on the firm providing the service. And the firm must restore any losses the customer encountered by the next business day.

Change signup and login processes to force 2FA

The shift in responsibility will likely encourage any firm that handles payments, or sends and receives funds in any way, to force two-factor authentication. While the number of firms offering 2FA has increased in the last few years, it’s often hard to find where to enable it and it’s not necessarily encouraged; rather, the option is there if the user wants it, somewhere in the account settings. Users who do not use 2FA see it as inconvenient and do not believe that they are at risk (they are though.) Thus, firms do not want to force 2FA.

It’s time to change that.

The basic definition of “strong customer authentication” is presented in article 4(30) of PSD2. It states that authentication must be based on the use of two or more possible authentication elements, categorized as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is).

How does a firm “force” 2FA? Well, take two elements from the list above: knowledge and possession. As the username and password are already part of the sign up and login process (knowledge), require that users provide a mobile phone number so that the service can send an SMS PIN code to the device (possession). If current users have not provided a mobile phone number, ask for it at their next login and verify the number immediately.

Next, direct the user to the account page, encouraging them to use a time-based one-time password (TOTP) app like Verigator and begin using TOTP codes to authenticate. This part would be difficult to force, but TOTP is more secure than SMS PIN codes. However, SMS is better than only using a password and proves possession. Also, the authentication process can trigger an SMS PIN code every time a user logs in, no matter what, so it’s simple to get this process started as a bare minimum for 2FA.
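As an added example (not Messente's API and not code from this post), here is the server-side check for the two possession factors just described: a single-use, expiring SMS PIN as the bare minimum, and an RFC 6238 TOTP code for users who have moved to an authenticator app. All function names and the in-memory store are hypothetical; sending the SMS itself is left to the provider.

```python
import hashlib
import hmac
import secrets
import struct


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    for i in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + i * 30), code):
            return True
    return False


def issue_sms_pin(store: dict, user: str, now: int, ttl: int = 300) -> str:
    """Create a random 6-digit PIN that expires after `ttl` seconds (hypothetical store)."""
    pin = f"{secrets.randbelow(10 ** 6):06d}"
    store[user] = {"pin": pin, "expires": now + ttl, "attempts": 0}
    return pin  # in production this goes to the SMS API, never back to the caller


def verify_sms_pin(store: dict, user: str, code: str, now: int, max_attempts: int = 3) -> bool:
    """Single-use check: the PIN is discarded on success, on expiry and after too many guesses."""
    rec = store.get(user)
    if rec is None or now > rec["expires"]:
        store.pop(user, None)
        return False
    rec["attempts"] += 1
    ok = hmac.compare_digest(rec["pin"], code)
    if ok or rec["attempts"] >= max_attempts:
        store.pop(user, None)
    return ok


def second_factor_ok(user: str, submitted: str, now: int, totp_secrets: dict, sms_store: dict) -> bool:
    """Second login step: TOTP if the user enrolled an app, otherwise the SMS PIN sent at login."""
    secret = totp_secrets.get(user)
    if secret is not None:
        return verify_totp(secret, submitted, now)
    return verify_sms_pin(sms_store, user, submitted, now)
```

The TOTP values can be checked against the RFC 6238 test vectors (secret "12345678901234567890", time 59 gives 94287082 with eight digits).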

We've always recommended that users use 2FA every time they log in and again when they execute a sensitive transaction, like a payment. In January 2018, 2FA will be mandatory by law. 

And firms don’t have to build this from the ground up. We have the tool set ready to be deployed: both TOTP and SMS with one API, the 2FA user interface (yep, that doesn’t have to be built either), and a user app that automatically syncs with any service the user uses that also uses our API.


Raili Liiva

Sales Researcher

Raili leads Messente's 2-factor authentication solution and takes care of our SMS API clients. She is passionate about online security and is helping businesses protect their user accounts against hijackings.  
