PSD2, Dynamic linking and FIDO authenticators


The latest shifts in the area of financial technology associated with European Union regulation PSD2 (Payment Services Directive) will affect many ordinary people who have gotten used to using online banking on a daily basis (or even from time to time). This is because PSD2 innovations are dependent on a means of strong authentication. So, if you decide to try a new fintech application, you must be ready to provide that means.

With PSD2, you can improve your user experience dramatically by looking for and trying different solutions that satisfy your needs. However, different fintech solutions will have different requirements for strong authentication. Does that mean users will be forced to add a key fob to their keychain each time they decide to start using a new application?

The FIDO (Fast IDentity Online) approach eliminates the situation described above by providing a universal standardized solution for strong authentication. A user can use a single FIDO-compliant authenticator for an unlimited number of desired resources. Nevertheless, a user must have some awareness of the subject to be able to choose a true FIDO device.

The RTS (Regulatory Technical Standards) on SCA (Strong Customer Authentication), in Article 5 of Directive (EU) 2018/389, adopted as required by PSD2 (Article 97(2) of Directive (EU) 2015/2366) — among other authentication requirements — describe dynamic linking. Under dynamic linking, payment service providers must adopt security measures that meet the following requirements:

  1. the payer is made aware of the amount of the payment transaction and of the payee;
  2. the authentication code generated is specific to the amount of the payment transaction and the payee agreed to by the payer when initiating the transaction;
  3. the authentication code accepted by the payment service provider corresponds to the original specific amount of the payment transaction and to the identity of the payee agreed to by the payer;
  4. any change to the amount or the payee results in the invalidation of the authentication code generated.


In practice, this means that a user should be able to approve or decline the transaction, but only after seeing all of the information about it — including the amount and the payee — after first submitting the transaction request and before final confirmation. Moreover, this display must happen directly on the authenticator. Behind the scenes, this approach allows a sequence of cryptographic steps to bind the authentication code to the displayed transaction data, so that altering or spoofing the transaction invalidates the code.

To use the FIDO universal approach in PSD2 use cases, a FIDO authenticator must provide a feature known as Transaction Confirmation (WYSIWYS - What You See Is What You Sign). If a FIDO authenticator implements the feature — whether it is a hardware token or a mobile phone — then there is a way to see and confirm the transaction using the authenticator’s own capabilities. Of course, the most convenient option for viewing the transaction information is a mobile phone.
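To make requirements 2 to 4 and the WYSIWYS idea concrete, here is an added example in Python (not code from the original article or from the FIDO specifications): the authenticator signs a server challenge plus a hash of the exact text it displayed, and the server verifies the code against the transaction it is about to execute. It assumes HMAC-SHA256 with a shared key as a stand-in for the authenticator's per-credential asymmetric signature, and all transaction values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Transaction:
    amount: str    # a string, not a float, so "125.00" is shown and signed exactly
    currency: str
    payee: str     # payee identifier, e.g. an IBAN

    def display_text(self) -> str:
        # Exactly the text the authenticator shows the payer (requirement 1).
        return f"Pay {self.amount} {self.currency} to {self.payee}"

def _to_be_signed(challenge: bytes, tx: Transaction) -> bytes:
    # Server challenge (freshness) followed by a hash of what was displayed.
    return challenge + hashlib.sha256(tx.display_text().encode()).digest()

def authenticator_confirm(key: bytes, challenge: bytes, tx: Transaction,
                          user_approves: bool) -> Optional[bytes]:
    """Authenticator side: display the transaction, then sign only what was shown.
    HMAC-SHA256 over a shared key is an assumption standing in for the
    per-credential asymmetric signature a real FIDO authenticator produces."""
    if not user_approves:
        return None
    return hmac.new(key, _to_be_signed(challenge, tx), hashlib.sha256).digest()

def server_verify(key: bytes, challenge: bytes, tx: Transaction,
                  code: Optional[bytes]) -> bool:
    """Server side: accept the code only if it matches the transaction the server
    is about to execute (requirement 3); a changed amount or payee, or a reused
    challenge, makes the code invalid (requirement 4)."""
    if code is None:
        return False
    expected = hmac.new(key, _to_be_signed(challenge, tx), hashlib.sha256).digest()
    return hmac.compare_digest(expected, code)

def demo() -> tuple:
    """Approve a constructed payment, then show that tampering and replay fail."""
    key, challenge = secrets.token_bytes(32), secrets.token_bytes(32)
    tx = Transaction("125.00", "EUR", "DE89370400440532013000")  # constructed data
    code = authenticator_confirm(key, challenge, tx, user_approves=True)
    genuine = server_verify(key, challenge, tx, code)
    tampered = server_verify(key, challenge, Transaction("1250.00", "EUR", tx.payee), code)
    replayed = server_verify(key, secrets.token_bytes(32), tx, code)
    return genuine, tampered, replayed   # (True, False, False)
```

The same check protects against a payee swap, since the payee is part of the displayed text that was signed.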

All you need to know is that if you are going to purchase a FIDO authenticator for your fintech applications, you need a WYSIWYS or Transaction Confirmation capability. Not every device provides this feature by default.