SMS-based 2FA is the Best Approach to Meet New EU Guidelines

Written by

The latest EU figures show that €794m of losses occurred from fraud on card internet payments in 2012, up by 21.2% from the previous year. Further, according to the British Retail Consortium, internet fraud related to online payments is expected to pose the single most significant threat to businesses over the next two years.

These figures highlight the need for companies to consider the measures they have in place to protect online payment systems and, of course, customers. To drive this, the European Banking Authority (EBA) has set out minimum requirements for payment services providers (PSPs) in all 28 EU member states to implement by August 2015. Stipulations include the need for PSPs to “carry out strong customer authentication,” a requirement specified to mean the employment of two or more elements to verify a person’s identity.

Why SMS-based 2FA?

The EBA’s guidelines state that the authentication method used must meet the following criteria: “mutually independent… not reusable… non-replicable… and cannot be stolen off the internet.”

PSPs operating in countries where compliance to the requirements are mandated by their national authorities will also need to find a solution that is easy for their customers to use, cost-effective and easy to deploy. This means that while there are many different types of two-factor authentication (2FA), not all of them can realistically be used for this purpose.

Biometric data is one example which offers a strong authentication method but poses usability problems in a mobile environment and can cause issues related to data protection and privacy. For example, fingerprints can become unreadable due to cuts or bruises and glasses can prevent an iris from being recognized. Thus, in its current form there is a distinct lack of understanding and practicality which makes this type of 2FA a difficult investment to commit to.

In contrast, SMS-based 2FA is a solution which companies can viably invest in now due to its user-friendly nature, economic cost structure and security effectiveness. Practically, this solution involves the use of a process consumers are already familiar with in their day-to-day lives – receipt of an SMS, which in this case contains a one-time password (OTP). 

"SMS-based 2FA is a solution which companies can viably invest in now due to its user-friendly nature, economic cost structure and security effectiveness"

Entering the code into an online portal (following the initial log in using a password) completes the authentication process  – meeting the EBA’s security requirement of “strong customer authentication” while ensuring it is user-friendly, universally accessible, simple to deploy, and cost effective.

Given the expansive reach, familiarity and convenience of SMS, sending security codes via this medium provides an effective solution for service providers looking to provide increased security for their customers whilst adhering to the EBA’s guidelines.

Implementing SMS-based 2FA

Effective deployment of SMS-based 2FA across multiple countries is not as simple as it sounds, and for this reason, PSPs can choose to work with OTP SMS specialists. These companies can handle the mission-critical nature of the messaging service in terms of speed, delivery rate and coverage.

Working with a reputable provider will ensure that PSPs have access to a strong infrastructure in order to transmit SMS traffic securely and can provide real-time visibility checks of whether a mobile number is valid or not. This significantly reduces the likelihood of OTP failure, making the solution significantly more accurate for those implementing it and effective for those using it.

The EBA’s guidelines have put the idea of strong online security measures at the forefront of many internet businesses and with less than a year to make changes, PSPs are looking at their options.

That means cybersecurity professionals must look at how they can effectively implement their authentication strategy – and educate users – in order to adhere to the guidelines of the EBA at the start of August. For those that don’t, the pressure is on to make the argument which justifies their non-compliance both to the EBA and, potentially, their customers. 


About the Author

Thorsten Trapp co-founded tyntec in 2002, bringing his deep technical knowledge of telecommunications combined with the ability to spot emerging trends and develop products and services to meet industry demand. Thorsten believes that the next challenge the telecommunications industry faces is to master the convergence of telecommunications and emerging IP-based communication systems


What’s hot on Infosecurity Magazine?