Lenildo Morais

How are banks implementing strong customer identification? How can Fast Identity Online (Fido) standards be used in authentication to improve security and ease of use in online banking?

Most European banks had made relatively extensive adjustments to their online banking systems as of mid-September 2019. Account access protection, in particular logging onto online or mobile banking, as well as initiating payment, has been converted to procedures that meet Payment Services Directive 2 (PSD2) strong customer authentication (SCA) requirements.

The biggest changes were when logging onto online banking. This is now only allowed if the user authenticates strongly, which is equivalent to two-factor authentication (2FA). In all implementations considered, the first factor is a password, also known as a PIN in many banks.

How (and when) the second factor is checked differs. Many banks may now require additional entry of a transaction authentication number (TAN) from a TAN procedure; some banks may also rely on linking devices to SCA in online banking.

For 2FA in mobile banking, banks often already make use of iOS and Android biometric processes in connection with device linking. The following implementation issues can be identified:

• passwords – the first factor of authentication in online banking is still a password, a knowledge-based factor;

• proprietary 2FA procedures – banks have proprietary processes specially designed to secure access to the online banking account; and

• multiple apps – most users cannot understand the point of an extra TAN app that has to be installed alongside the banking app.

Standards needed

Fido standards can be used in online and mobile banking to improve the situation. Fido has two main objectives: to enhance online security through a standardised infrastructure for asymmetric (public-key) cryptography tied to the devices’ biometric sensors, available directly on all major platforms; and to improve the user experience by replacing passwords with natively integrated technology that users often already know and easily understand.

The standards focus not only on the business-to-employee area but also explicitly on the business-to-consumer area, which makes them superior to certificate-based procedures, for example.

Online banking registration can be significantly improved with Fido, more precisely through support for W3C’s Web Authentication (WebAuthn) application programming interface (API), which is now available to an increasing number of users. Instead of a password and a TAN, biometric interfaces can be used for a fully password-less and PSD2-compliant login.

Mobile banking protection

The Fido Universal Authentication Framework (UAF) standard was developed for the implementation of device linking, biometrics and transaction security in the context of mobile banking. The advantages are apparent:

• less implementation effort due to existing comprehensive documentation or use of existing FIDO-certified software development kits (SDKs);

• reduced documentation effort for compliance declarations and internal information management; and

• simplified IT infrastructure through a central Fido server that can serve UAF and Fido2/WebAuthn together, which eliminates the additional need to implement and operate a proprietary application for key management and signature verification on banks’ servers.

The decision to use Fido should be seen as part of a bank’s IT strategy. Gradual integration into existing online and mobile banking infrastructure is recommended. The following requirements must be met for the introduction of Fido. First is the user interface (UI) concept: Fido is changing the way users log in. If the user has enabled Fido, no password, and therefore no password input field, is required. Second is the WebAuthn support in online banking: based on the UI concept, online banking must be adapted, and if Fido2/WebAuthn is used, the browser’s WebAuthn API must be supported.

Level of maturity

In the run-up to PSD2, many banks apparently focused on rapid implementation to meet SCA regulatory requirements, more or less doing their own thing. The fuzzy formulations in PSD2 certainly contributed to the current situation. In retrospect, one might ask why all the use cases from a customer point of view before and after PSD2 were not executed together in a timely and uniform manner, and concrete specifications, or at least implementation recommendations, were drafted based on existing standards.

Fido standards have now reached a level of maturity and distribution that makes productive use possible, especially in the regulated banking environment. With the modern process, a significant increase in usability and security can be achieved with relatively simple means without new proprietary dependencies.

Lenildo Morais has a Master’s in computer science, and is a teacher, researcher and project manager.
