PSD2, Strong Authentication, and What BFSI Need to Know


The “2020 Gartner Market Guide for User Authentication” (Published 26 June 2020 – ID G00729931) made it abundantly clear to anyone who wasn’t already aware that criminals are getting more sophisticated when it comes to assuming identities, making it difficult to determine if someone is really who they say they are. And the risks to the financial services industry are particularly troubling. According to the report:

  • “Many banks seem to be doubling down on weak OOB (out of band) methods. Some regulators are urging banks to find a “path to reduce reliance on text based one-time passcodes (SMS OTP),” but this seems elusive.”
  • “The revised Payment Security Directive (PSD2) is shaping the way banks authenticate customers. However, we still see inconsistent interpretation of the requirements and very few net new approaches.”

Greater Risk Means Greater Liability for Providers

With PSD2, payment service providers are on the hook for security risks and must have a documented security policy in effect that details their security controls and risk mitigation procedures, including, but not limited to, strong customer authentication for their customers. This regulation was incorporated into PSD2 to reduce the growing fraud associated with online payments.

In order to qualify for the PSD2 standard, strong customer authentication must be multi-factor, including at least two of the following three elements:

  • Something you know, such as a password, PIN, mother’s maiden name, etc.
  • Something you have, such as a smartphone, token, credit card, etc.
  • Something you are, such as the unique characteristics of the human body (voice, face, fingerprint, palm, etc.)

This multi-factor authentication (MFA) must be used whenever customers access their payment accounts online to initiate electronic payments or conduct any action through a remote channel, which carries a higher risk of payment fraud or other abuses. Other requirements include dynamically linking transactions to a specific payee, generating a unique authentication code for remote transactions, such as payments made over the internet or via smartphones. This ensures that if anyone tries to change the amount or the identity of the payee, an invalidation code is generated, voiding the payment.
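
The dynamic-linking requirement described above, as an added example that is not from the original article or from any vendor's product: one way to bind an authentication code to the amount and payee is an HMAC over those fields, so that changing either one makes the code fail verification. The HMAC-SHA256 construction, the demo key, the function names and the sample IBANs are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal

# Constructed demo key (assumption). In a real deployment the key would sit in
# the provider's HSM or the customer's enrolled authenticator, not in source.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def canonical(amount: str, currency: str, payee_iban: str, nonce: str) -> bytes:
    """Serialize what the customer approved into one unambiguous byte string."""
    amt = format(Decimal(amount).quantize(Decimal("0.01")), "f")  # "150" -> "150.00"
    iban = payee_iban.replace(" ", "").upper()
    fields = [amt, currency.upper(), iban, nonce]
    # Length-prefix each field so that shifting characters between fields
    # can never produce the same byte string.
    return b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)


def issue_code(key, amount, currency, payee_iban, nonce=None):
    """Return (nonce, code); the code is bound to this exact amount and payee."""
    nonce = nonce or secrets.token_hex(16)
    mac = hmac.new(key, canonical(amount, currency, payee_iban, nonce), hashlib.sha256)
    return nonce, mac.hexdigest()


def verify_code(key, amount, currency, payee_iban, nonce, code, used_nonces):
    """Accept the code only for the approved amount and payee, and only once."""
    if nonce in used_nonces:
        return False  # replay of an already accepted code
    _, expected = issue_code(key, amount, currency, payee_iban, nonce)
    if not hmac.compare_digest(expected, code):
        return False  # amount or payee differs from what was approved
    used_nonces.add(nonce)
    return True


if __name__ == "__main__":
    used = set()
    iban = "DE89 3704 0044 0532 0130 00"  # constructed sample payee
    nonce, code = issue_code(DEVICE_KEY, "150.00", "EUR", iban)
    print("tampered amount:", verify_code(DEVICE_KEY, "1500.00", "EUR", iban, nonce, code, used))
    print("tampered payee: ", verify_code(DEVICE_KEY, "150.00", "EUR", "GB29NWBK60161331926819", nonce, code, used))
    print("as approved:    ", verify_code(DEVICE_KEY, "150.00", "EUR", iban, nonce, code, used))
    print("replayed:       ", verify_code(DEVICE_KEY, "150.00", "EUR", iban, nonce, code, used))
```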

As described in the Gartner report, most banks and other financial services organizations are still using one-time passwords (OTP) via SMS or other weak out-of-band methods. While these technically meet the PSD2 requirement for something you have and something you know, they don’t provide the type of robust security these organizations need. A PIN or OTP sent to a mobile device only proves that the person attempting to log in is in possession of the mobile device and not necessarily the owner of the payment account.

Add to this that SIM swapping is a growing threat among scammers who attempt to get their subjects to reveal personal information, and the need for something beyond something you know and something you have is glaringly obvious. 

PSD2 requires payment service providers to ensure processing and routing of personalized security credentials and authentication codes are conducted in secure environments using strong methods that comply with accepted industry standards. In fact, payment service providers are fully responsible for payments that weren’t executed properly. They may have to refund the total amount of the unauthorized transaction immediately. However, when an authorized end-user is grossly negligent or attempting fraud, the payment provider is absolved of liability.

Strong Authentication Using Biometrics is the Answer

This makes it crucial for financial service providers to adopt strong, secure MFA to minimize the risks associated with identity theft. A single successful scammer can be costly. One of the most cost-effective and easy to implement solutions is biometric authentication. Not only does it provide robust security, but the ease of use by the customer will make adoption far more likely while simultaneously increasing customer confidence that their data is safe. Adding biometrics to what you have or what you know provides the strongest authentication without introducing friction.

Financial institutions need to balance: 

  • The customer experience to maximize adoption and ensure acceptance of a legitimate transaction
  • The need to minimize fraud by identifying legitimate customers
  • The need to manage operational costs

This can be difficult under the best circumstances, but when the threat landscape is already broad and growing, finding the right mix can seem nearly impossible. Protecting corporate assets means protecting customer assets, but customers are already on edge from a near-daily barrage of data breach reports, which adds to the challenge.

What’s a financial services provider to do? Biometrics are already a part of the customer security landscape. Most online and mobile customers are familiar with securing their devices with the unique characteristics of the human body; whether that’s face or fingerprint ID to open their lock screen, or voice commands on their computers, the technology isn’t new. Customers who have adopted these methods for unlocking their devices are well aware of the speed, security, accuracy, and convenience this technology offers.

But as with nearly any technology, there are numerous ways to implement it, each offering its own benefits and drawbacks.

Considerations When Selecting Your MFA Approach

Organizations have options when it comes to implementing an MFA solution, including native and non-native device authentication, on-device or Cloud-based processing, and the biometric modalities to deploy.

  • Native vs. Non-Native. Native means the biometric abilities available on the users’ mobile devices. But this means the bank is subject to the technology capabilities of their customers’ smartphones and the different ways these methods are built into the devices. By using non-native methods, organizations can be assured that the security measures and user experience are consistent across device types and operating systems. Additionally, non-native methods provide higher levels of accuracy and anti-spoofing.
  • On Device vs. Cloud-Based Processing. Biometric matching can take place on the user’s device or in the Cloud, offering organizations yet another choice. On-device matching prevents users’ biometric data from leaving their device, but limits users to only enrolled devices. This poses problems if a customer loses their phone or forgets it, preventing them from authenticating until they have their device or re-enroll with a different device. Cloud-based biometric matching allows users to authenticate across devices from a single enrollment. This can reduce overall operating expenses since customers will not need to contact the call center for assistance if their device is lost, forgotten, or stolen. Additionally, Cloud-based matching offers far greater fraud protection.
  • Biometric Modalities. The last choice is to decide which modalities to allow customers to use to authenticate. By employing mobile devices, there are some limitations based on device options, which is why it’s good to offer a variety of choices, including face, fingerprint, palm, and voice. Any device with a camera and microphone can capture face, palm, and voice, but fingerprints are limited to mobile devices that have a fingerprint capture option.

How ImageWare Authenticate Can Help

ImageWare’s Authenticate solution provides a Cloud-based MFA based on a REST interface, self-service portal for user management, and APIs for integration via OIDC and SAML, as well as auto-provisioning for trials and operational implementations. With ImageWare Authenticate, customers can use their mobile devices without the need for any special equipment, and because matching is done in the Cloud, they can authenticate across multiple devices.

With a 300% increase in cybercrime since the beginning of the COVID-19 pandemic, every sector can benefit from tightening security. Even before the pandemic, the FBI was recommending MFA with technology, such as biometrics. ImageWare Authenticate is not new to the market. Released more than five years ago as GoVerifyID, our Cloud-based MFA was ahead of the curve, delivering fast, accurate biometric identity verification to the masses.

Companies must authenticate consumers for services ranging from mobile banking and money transfers to downloading or accessing high-value assets from health records, bank statements and insurance documents to a sporting event or concert tickets. ImageWare Authenticate helps organizations better secure their applications and data while ensuring a low-friction end-user experience by enabling users to scan biometrics with an easy-to-use mobile app on their iOS or Android device.

ImageWare Authenticate supports fingerprint, palm print, voice, and face biometrics, with frictionless anti-spoofing for face included. Combining biometric modalities delivers increased accuracy over a single modality.

Financial Customers We’ve Already Helped

ImageWare currently supplies both Landmark Credit Union in Wisconsin and Catlin Bank of Illinois with our ImageWare Authenticate MFA solution to verify employee identities for access to critical business applications.

“There’s no doubt that common, non-biometric two-factor authentication (2FA) is weak; we know that this is a common attack vector which leads to costly breaches,” comments Jeff Fauver, President and CEO of Catlin Bank. “The ImageWare Authenticate solution provides the flexibility we need to protect application and network access. Today’s environment is forcing us to deal with remote access, and we’re happy to be working with a leader like ImageWare to secure our network perimeter.”

Contact ImageWare or request a demo today to see how we can help your financial institution comply with PSD2 and protect your assets and your customers’.

Gartner, Market Guide for User Authentication, Ant Allan, Tricia Phillips, David Mahdi, Kaoru Yano, 26 June 2020

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

