Can UX and SCA be BFF? Security measures often stand in the way of a good user experience (UX). Fortunately, the times are changing. User experience and strong customer authentication (SCA) can be perfectly combined, for instance in TrustBuilder Mobile Authenticator.
According to the latest estimates, there are just under 7 billion mobile users globally, and the number is only set to rise. Mobile devices have become the preferred access point to any type of application or information. For financial institutions, the smartphone is quickly replacing the traditional bank branch. As the number of mobile devices and their use for financial and business-critical applications increases, so does the number of mobile attacks. Without adequate protection, having a bank branch in your trouser pocket is just as safe as keeping your money in a stocking under your mattress.
PSD2 requires Strong Customer Authentication
That explains the need for strong customer authentication and the SCA requirements of the PSD2 regulation that came into force earlier this year. PSD2 has the double aim of preventing fraud in electronic payments and of protecting the privacy of consumers' financial data, boosting consumer confidence in online transactions. Since the European Union's Regulatory Technical Standards on SCA became applicable in September 2019, SCA is quickly becoming the norm for secure online payments.
Not all security techniques are created equal
Strong customer authentication can be achieved with different security techniques, but many of them have flaws:
- Username and password have the advantage that every user is familiar with them. On mobile devices, however, they have limitations: a strong password with special characters is hard to key in on a mobile keyboard (there is a reason so many people put a disclaimer about typos in their mobile messages). Caching the username and password solves that problem but fails the security test: anyone who gets hold of the device can use the cached credentials. A password is also a single knowledge factor; on its own it does not meet SCA, which requires two independent factors.
- One-time passwords (OTP) have the advantage of a short lifetime, which limits how long a stolen code can be replayed. That is not the same as protection against phishing: an attacker who relays the code to the real service within its validity window still gets in. Delivery matters too. An OTP sent by SMS can be intercepted or redirected (SIM swapping), so SMS OTP is a real risk. Generating or delivering the OTP inside an app, over an authenticated channel and with the seed protected by device encryption, removes those delivery weaknesses. In-app integration is also more user-friendly than a standalone code generator such as Google or Microsoft Authenticator, where the user has to copy the digits from one app into another.
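To make the OTP caveats concrete, here is an added example, written for this page and not TrustBuilder's code: an RFC 6238 TOTP generator (HMAC-SHA1, 30-second steps, 6 digits) together with a server-side verifier that accepts a code only within one step of the current time and only once. The seed is the constructed test-vector seed from the RFC, not a real credential, and the verifier type, its window size and the user IDs are assumptions for illustration. What the code also shows by omission is the phishing point above: a site that relays a freshly typed code to the real service inside the 30-second window passes this verifier, because the verifier cannot tell who typed it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
)

const (
	totpStep   = 30 // seconds per time step (RFC 6238 default)
	totpDigits = 6
)

// sampleSecret is the constructed 20-byte seed from the RFC 6238 test vectors,
// not a real credential. A real seed is random and stored encrypted on the device.
var sampleSecret = []byte("12345678901234567890")

// HOTP computes an RFC 4226 code for one counter value.
func HOTP(secret []byte, counter uint64, digits int) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation: low nibble of last byte
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter derived from Unix time.
func TOTP(secret []byte, unixTime int64) string {
	return HOTP(secret, uint64(unixTime/totpStep), totpDigits)
}

// TOTPVerifier is the server side. It accepts a code within +/- skew steps of
// the current time and refuses any step that has already been consumed, which
// is what makes a code "single use" rather than merely "short-lived".
type TOTPVerifier struct {
	mu       sync.Mutex
	skew     int
	lastUsed map[string]uint64 // userID -> highest counter already accepted
}

func NewTOTPVerifier(skew int) *TOTPVerifier {
	return &TOTPVerifier{skew: skew, lastUsed: map[string]uint64{}}
}

// Verify returns true only for a code that matches a step in the window and
// that has not been accepted before for this user.
func (v *TOTPVerifier) Verify(userID string, secret []byte, code string, now int64) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	base := now / totpStep
	for d := -v.skew; d <= v.skew; d++ {
		c := uint64(base + int64(d))
		// Constant-time comparison so timing does not leak which digits matched.
		if !hmac.Equal([]byte(HOTP(secret, c, totpDigits)), []byte(code)) {
			continue
		}
		if last, seen := v.lastUsed[userID]; seen && c <= last {
			return false // replay: this step (or an earlier one) was already used
		}
		v.lastUsed[userID] = c
		return true
	}
	return false
}

func main() {
	v := NewTOTPVerifier(1)
	code := TOTP(sampleSecret, 59)
	fmt.Println(code, v.Verify("alice", sampleSecret, code, 59), v.Verify("alice", sampleSecret, code, 61))
	// prints "287082 true false": the first use is accepted, the immediate replay is not
}
```

The replay check is the part that is often missing in home-grown verifiers: without `lastUsed`, a code captured over SMS or from a phishing page stays valid for the whole window, not just for its first use. Note that nothing here fixes the delivery channel; an SMS OTP validated by this code is still exposed to SIM swapping before it ever reaches the verifier.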
When security and convenience go hand in hand
The above are perfect examples of what happens when user experience is sacrificed for security, or security for user experience. No consumer likes keying in codes generated by a card reader to make a payment. If organizations (in financial services or elsewhere) want to offer the best of both worlds, they need solutions that are both safe and easy to use.
For strong security, rely on asymmetric cryptography, which uses a pair of separate but mathematically linked keys (a public key and a private key). In this model the private key is generated on the device and stays there, while the server only stores the public key, so there is no shared secret for an attacker to steal from the server. Unlike an OTP seed, which has to be shared with the server, you can generate as many unique client key pairs as you want, one per device or application. As an added security measure, TrustBuilder Mobile Authenticator uses device binding. One of the advantages of a mobile device is that it is personal to one user, so by binding the key to the device the application knows that every authentication comes from a registered device. Using TrustBuilder Mobile Authenticator on a smartphone makes authentication safer still, because the authentication request reaches you over a different network (for instance 4G) than the one you are using the application on (for instance your wifi). With this out-of-band approach, an attacker who has compromised one channel does not automatically see or alter the other.
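The asymmetric, device-bound flow described above, as an added example rather than TrustBuilder's own implementation (the `AuthServer` and `Device` types, the `id|deviceID|action` message layout, the 60-second lifetime and the device names are assumptions for illustration): the phone generates an Ed25519 key pair at enrolment and only the public key goes to the server; each authentication is a fresh random challenge, bound to one device and one action, that the device signs and the server verifies exactly once. Contrast this with the OTP verifier: here the server holds nothing that lets it, or anyone who breaches it, produce a valid response.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sync"
	"time"
)

type pendingChallenge struct {
	deviceID string
	action   string // what is being approved, e.g. "login" or "payment"
	expires  time.Time
}

// AuthServer stores enrolled device public keys and outstanding challenges.
type AuthServer struct {
	mu      sync.Mutex
	devices map[string]ed25519.PublicKey // deviceID -> enrolled public key
	pending map[string]pendingChallenge  // challengeID -> open challenge
	ttl     time.Duration
}

func NewAuthServer(ttl time.Duration) *AuthServer {
	return &AuthServer{devices: map[string]ed25519.PublicKey{}, pending: map[string]pendingChallenge{}, ttl: ttl}
}

// Enroll binds a device ID to its public key; the private key never leaves the phone.
func (s *AuthServer) Enroll(deviceID string, pub ed25519.PublicKey) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.devices[deviceID] = pub
}

// challengeBytes is exactly what the device signs. Folding the challenge ID, device
// ID and action into it means one signature cannot be reused for another challenge,
// another device or another action.
func challengeBytes(id string, c pendingChallenge) []byte {
	return []byte(id + "|" + c.deviceID + "|" + c.action)
}

// Issue creates a single-use challenge for an enrolled device and returns its ID
// plus the bytes to sign (in practice pushed out-of-band to the phone).
func (s *AuthServer) Issue(deviceID, action string, now time.Time) (string, []byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.devices[deviceID]; !ok {
		return "", nil, fmt.Errorf("device %q not enrolled", deviceID)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	id := fmt.Sprintf("%x", nonce) // 256 random bits: unguessable and never repeats
	c := pendingChallenge{deviceID: deviceID, action: action, expires: now.Add(s.ttl)}
	s.pending[id] = c
	return id, challengeBytes(id, c), nil
}

// Verify consumes the challenge on first use and accepts it only if it has not
// expired and the signature checks out under the key enrolled for that device.
func (s *AuthServer) Verify(id string, sig []byte, now time.Time) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	c, ok := s.pending[id]
	if !ok {
		return fmt.Errorf("unknown or already used challenge")
	}
	delete(s.pending, id) // single use, whether or not the checks below pass
	if now.After(c.expires) {
		return fmt.Errorf("challenge expired")
	}
	if !ed25519.Verify(s.devices[c.deviceID], challengeBytes(id, c), sig) {
		return fmt.Errorf("signature does not match the enrolled device key")
	}
	return nil
}

// Device is the phone side. The key pair is generated on the device at
// enrolment; only PublicKey() ever leaves it.
type Device struct{ priv ed25519.PrivateKey }

func NewDevice() *Device {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failed; nothing sensible to do in a demo
	}
	return &Device{priv: priv}
}

func (d *Device) PublicKey() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Approve signs the challenge. In a real app this call sits behind the
// biometric prompt that unlocks the keystore holding priv.
func (d *Device) Approve(msg []byte) []byte { return ed25519.Sign(d.priv, msg) }

func main() {
	srv, phone := NewAuthServer(60*time.Second), NewDevice()
	srv.Enroll("phone-A", phone.PublicKey())
	id, msg, _ := srv.Issue("phone-A", "login", time.Now())
	sig := phone.Approve(msg)
	fmt.Println("first use:", srv.Verify(id, sig, time.Now())) // <nil>
	fmt.Println("replay:", srv.Verify(id, sig, time.Now()))    // unknown or already used challenge
}
```

Two design choices carry the security properties the text claims. Binding the action into the signed bytes means the user approves a specific thing, not just "something"; a signature captured for a login cannot be replayed to approve a payment. Deleting the challenge before any check means a failed or expired attempt cannot be retried with the same ID. What the example does not cover is how the server learns that the public key really came from a phone keystore (device attestation) and how the push reaches the phone; those are transport and platform matters outside this sketch.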
For user convenience, go passwordless, for instance by using biometrics such as a fingerprint or facial recognition. The biometric (inherence) unlocks the key bound to the device (possession), so the user gets two independent factors without typing anything. Once TrustBuilder Mobile Authenticator has been used to onboard to an application, all you need to do is scan a QR code and confirm with a fingerprint. If the application is set up to send push notifications, scanning a QR code is not even required; a fingerprint is enough.
A solution like TrustBuilder Mobile Authenticator has a lot going on in the background, but that complexity stays hidden from the user. Organizations using TrustBuilder Mobile Authenticator can fully integrate the solution into their own application, with their own branding, for an even better user experience, without compromising on security.