PSD2 progressively began entering into force between January 13, 2018, and September 14, 2019. However, there are still different understandings of the regulation in terms of regulatory compliance. One of those topics concerns SMS OTP (one-time-password) and whether it is an approved authentication method. Is it applicable for online payment verification? If yes, does it count as a possession or knowledge element under SCA? To find out, we did some research and provided answers. Keep reading!
SMS one-time-password (OTP) is a well-known, simple form of authentication. It enables users to authenticate themselves with a dynamic code from an SMS message. Often used for 2FA (two-factor authentication), SMS OTP is commonly used as a second factor necessary for gaining access to a particular network or service, usually combined with a static PIN/password. Although two passwords are better than one, SMS OTP is not the most reliable method for verifying identity. That is due to an array of risks revolving around the method. Some of them include SIM swapping, SIM hacking, intercepting the message, account takeover, etc.
Until recently, SMS OTP was one of the most convenient ways of authenticating an online transaction or logging into a payment account. The user would simply enter the received OTP into their payment application and approve the transaction. In such cases, SMS OTP commonly contains additional information regarding the transaction, including the transaction amount and the payment beneficiary. To conduct 2FA, banks and payment service providers combine static PINs and SMS OTP, PIN being a knowledge element, and SMS OTP representing a possession factor.
The second payment services directive (PSD2) enforces Strong Customer Authentication, demanding online payment authentication using two out of three security elements. Those elements include Knowledge, Possession, and Inherence. By definition, SMS OTP, which is a possession element, in combination with a static PIN/password, is an acceptable authentication method conforming to the PSD2 SCA requirement. SMS OTP alone is not a possession element. The SIM card associated with the respective mobile number represents possession.
For a device to be considered as possession, there needs to be a reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device.
In this context, a one-time password sent via SMS would constitute a possession element and should therefore comply with the requirements under Article 7 of the Delegated Regulation, provided that its use is ‘subject to measures designed to prevent replication of the elements’, as required under Article 7(2) of this Delegated Regulation. The possession element would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number.
To conclude, SMS OTP is PSD2 compliant when combined with a static PIN/password or another authentication method. This method needs to include either knowledge or an inherence security element.
However, SMS OTP is subject to a variety of security concerns. A considerable amount of risk revolves around using SMS as a channel. This is primarily due to possible interception of the message and man-in-the-middle attacks. Further on, SIM swaps performed to receive the message originally sent to the victim, containing OTP, present a threat. Being a well-known authentication method, fraudsters have more than enough knowledge necessary to crack the system.
Although SMS OTP is PSD2 SCA compliant, EBA's opinion on the matter is a bit more complex. Another component introduced by PSD2 raised questions about SMS OTP compliance, that being Dynamic Linking.
Dynamic linking aims to specifically link each transaction to its amount and the recipient of the payment. The end goal is to prevent man-in-the-middle and similar attacks. Dynamic linking connects the transaction amount or order details to the authentication code and sends it to the user. If any of the information is altered, a new authentication code will be generated, and the fraudulent attempt would fail. One of the requirements of Dynamic Linking states that the payment information must be protected.
In addition, regardless of whether a strong customer authentication element is possession, knowledge or inherence, Article 22(1) of the Delegated Regulation requires that “payment service providers shall ensure the confidentiality and integrity of the personalised security credentials of the payment service user, including authentication codes, during all phases of the authentication” and Article 22(4) of the Delegated Regulation states that “payment service providers shall ensure that the processing and routing of personalised security credentials and of the authentication codes generated in accordance with Chapter II take place in secure environments in accordance with strong and widely recognised industry standards”.
We are talking about an SS7 - telephony signaling protocol, which is not secure. Any information regarding the transaction amount or the order details in the SMS has to be encrypted. The decryption of the content would require significant effort on the user side, cause confusion, and create friction. The conclusion drawn from EBA's opinion the following; SMS OTP for Dynamic Linking is not PSD2 compliant unless the content of the message is not protected with additional encryption or sent through a secure channel.
Although it is among the top authentication methods, use it with caution. Consider it as an alternative authentication method rather than a standard one. Enabling SMS OTP as a fallback method is a good practice; if all else fails, you can rely on SMS OTP. Another tip is to consider delivering OTP through a more secure channel. Most banks have their own mobile applications which use secure TLS/HTTPS protocols to communicate with the server. Also, if the population is less tech-savvy, i.e., the older population which is not familiar with smartphones, they will appreciate the option to use SMS OTP as one of their primary methods of authentication.