The Financial Conduct Authority has made it official: as of March 14th 2022, firms must comply with the Strong Customer Authentication (SCA) requirements for online commerce.
Under the new rules, banks and other payment service providers must verify that the person requesting access to an account or initiating a payment is who they claim to be. The aim is to make payments more secure and to limit fraud at the point of authentication.
Before SCA, e-commerce security rested on a single static password requested from the customer. However, the number of interactions we carry out digitally is growing exponentially, and fraud has become a significant problem: criminals stole more than £750m in the first half of 2021, according to Jana Mackintosh, managing director of payments at UK Finance. SCA emerges as a response to this problem; it is a European requirement introduced to make online payments more secure and to reduce the risk of fraud.
Why are passwords not enough?
Passwords cannot be considered a secure authentication procedure, since they are:
- not secure: to remember them, we end up re-using the same or very similar, simple credentials across many sites, which dramatically reduces security.
- uncomfortable for the user: security policies require frequent rotation and complex, non-repeated passwords, which are hard to remember.
- ineffective: passwords are easy to breach and often easy to steal, whether through man-in-the-middle (MITM) attacks, data breaches of sites that store passwords in the clear, or guessing and cracking attacks.
Strong authentication: two-factor authentication (2FA)
SCA calls for a stronger level of authentication, in which customers are asked for two of the following three: something they know, something they have, and something they are. That is, authentication that uses at least two factors (2FA) drawn from these three groups:
- Knowledge: something the user knows, such as a password or PIN. Disadvantage: the security of passwords is weak, as discussed above.
- Possession: something the user has, such as a debit card or a one-time code sent to a mobile phone. Disadvantage of SMS OTP: cases of identity theft, SIM cloning or SIM swapping, and codes intercepted by Trojans on the phone are not hard to find nowadays.
- Inherence: something the user is, such as the face, voice or fingerprint.
Depending on the operation to be performed, the factors are combined, with more factors required as the risk increases. Note that two factors from the same group (a password plus a PIN, for example) count as one. In Spain, its use is mandated by Royal Decree-Law 19/2018, which transposed Directive (EU) 2015/2366 (PSD2) and made strong authentication mandatory no later than January 1st, 2021.
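As an added illustration of the two-of-three rule (this is example code written for this page, not the product or method of any provider mentioned here), the following Python checks a knowledge factor (a salted PBKDF2 password hash), a possession factor (an RFC 6238 time-based one-time code, the kind an authenticator app generates) and an inherence factor, and only grants access when at least two distinct factor categories have passed. The `authenticate` function, the `stored`/`attempt` dictionaries and the `biometric_match` flag standing in for a biometric engine's verdict are assumptions for the example; the TOTP secret used below is the RFC 6238 test vector.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

# The three SCA factor categories: knowledge, possession, inherence.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


# --- Knowledge factor: salted, iterated password hash (PBKDF2-HMAC-SHA256) ---
def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


# --- Possession factor: time-based one-time password (RFC 6238, HMAC-SHA1) ---
def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """Code for the time window containing `timestamp` (Unix seconds)."""
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current window plus `window` steps either side for clock drift."""
    return any(
        hmac.compare_digest(totp(secret, timestamp + drift * step, step), code)
        for drift in range(-window, window + 1)
    )


# --- SCA rule: at least two factors from DIFFERENT categories ---
def sca_satisfied(presented: List[Tuple[str, bool]], required: int = 2) -> bool:
    """presented = [(category, check_passed), ...].
    Two passing factors from the same category (password + PIN) count once."""
    passed_categories = {category for category, ok in presented if ok}
    return len(passed_categories) >= required


def authenticate(stored: Dict, attempt: Dict, now: int,
                 high_risk: bool = False) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Check each factor the customer submitted, then apply the SCA rule.
    `stored` holds enrolled credentials (assumed layout, see keys below);
    `attempt["biometric_match"]` stands in for a hypothetical biometric engine's verdict."""
    presented: List[Tuple[str, bool]] = []
    if "password" in attempt:
        presented.append((KNOWLEDGE, verify_password(
            attempt["password"], stored["salt"], stored["digest"])))
    if "pin" in attempt:
        presented.append((KNOWLEDGE, hmac.compare_digest(attempt["pin"], stored["pin"])))
    if "otp" in attempt:
        presented.append((POSSESSION, verify_totp(
            stored["totp_secret"], attempt["otp"], now)))
    if "biometric_match" in attempt:
        presented.append((INHERENCE, bool(attempt["biometric_match"])))
    # Higher-risk operations may demand all three categories.
    required = 3 if high_risk else 2
    return sca_satisfied(presented, required), presented


if __name__ == "__main__":
    # Constructed enrolment data for a demo run.
    secret = b"12345678901234567890"  # RFC 6238 test-vector secret
    salt, digest = hash_password("correct horse battery")
    stored = {"salt": salt, "digest": digest, "pin": "4821", "totp_secret": secret}
    ok, detail = authenticate(stored, {"password": "correct horse battery",
                                       "otp": totp(secret, 59)}, now=59)
    print(ok, detail)  # True: knowledge + possession
```

The important check is in `sca_satisfied`: it counts categories, not factors, so a password plus a PIN is still only one factor for SCA purposes, while a password plus a valid one-time code (or a biometric match) passes. Real deployments would also rate-limit OTP attempts and bind the code to the transaction amount and payee, which this example leaves out.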
The role of Biometrics
Why not identify ourselves online as we do in the physical world? Why is the Internet based on a system of usernames and passwords rather than on real identities and real people?
Forget about passwords
Biometrics lets us simply be ourselves and forget about everything else. In under a minute, from anywhere, with only a mobile device or a computer, cloud-hosted artificial intelligence engines verify a person's identity with an accuracy of 99%. This is how biometrics identifies people by their natural attributes.
Once a customer registers or completes an onboarding process, he or she can carry out any number of procedures with a simple selfie or by speaking for three seconds, without SMS codes or passwords. This gives a lighter, more seamless user experience and greatly reduces the cost of manual verification processes.
Increased security and reduced identity fraud
Two-factor systems based on passwords or SMS codes are tied to the device rather than to the person, so when that device is stolen or compromised, all of that person's information is exposed. A biometric trait, by contrast, is bound to the person, and a properly implemented system with liveness detection will not accept a photo or recording in its place. Identity verification systems are therefore key to preventing this type of fraud and to giving confidence to both institutions and users. The advantages of biometrics include:
- Privacy: it belongs to you and no one else, and it is far harder to spoof, clone or intercept than a password or SMS code.
- Security: it lets us move from presumption to certainty: we know that the user is who they say they are.
- Voluntary: the user decides whether to make use of it.