On September 14, 2019, the time has come: the strong customer authentication (SCA) requirements of the EU Payment Services Directive PSD2 (Payment Services Directive 2) become mandatory. From then on, online merchants must ensure that two-factor authentication (2FA) is used for online payments above € 30 (smaller amounts fall under a low-value exemption). The aim is to increase the security of online payments by authenticating the customer with more than one factor and significantly raising the bar for attackers.
Although 2FA is already in use at some organizations, acceptance rates are still quite low: it means an extra step for users and makes the customer experience a bit more cumbersome. Convenient one-click payments are no longer possible, because 2FA requires more than a single click.
It is nonetheless one of the most effective measures against the ubiquitous threat of identity theft and account takeover, and it makes a successful attack considerably harder for criminals.
What is two-factor authentication?
Stealing a password is relatively easy for an attacker or a bot. Stealing a password and also gaining access to the victim's mobile device is much harder, like a front door secured with several different locks. 2FA forces unauthorized persons to put in considerably more effort to “break in”.
Two-factor authentication not only provides more security; it can also be used to validate a user who is re-enrolling in a service or app. An identity is proven with much higher confidence using a combination of two different and independent components: in addition to something the user knows (such as a password), something the user owns (such as a mobile phone) is also required. Usually a one-time security code is generated and sent by SMS to the mobile phone; the code is valid only once and only for a short time. Even at the ATM, a two-factor authentication takes place: in addition to the card (something the user owns), a PIN (something the user knows) is also needed.
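The server side of the one-time-code flow just described, as an added example that is not code from the original article or from Vonage/Nexmo: the service generates an unpredictable code, hands it to the SMS or WhatsApp sender, and keeps only a salted hash with an expiry and a guess counter, deleting the entry on first successful use. The class and constant names, the 5-minute lifetime and the 5-attempt cap are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6
CODE_TTL_SECONDS = 5 * 60   # assumption: a code still valid hours later is a liability
MAX_ATTEMPTS = 5            # assumption: only 10^6 codes exist, so online guessing must be capped


class OtpStore:
    """Server-side state for one-time codes delivered out of band (SMS or WhatsApp).

    Stores a salted hash rather than the code, expires codes, caps guesses, and
    deletes the entry on first successful use so the same code is never accepted twice.
    The in-memory dict stands in for whatever database a real deployment uses.
    """

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so tests can fake the passage of time
        self._pending = {}           # user_id -> {"hash", "salt", "expires", "attempts"}

    def issue(self, user_id: str) -> str:
        # secrets, not random: the code must be unpredictable to an attacker
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user_id] = {
            "hash": self._digest(code, salt),
            "salt": salt,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # hand this to the SMS/WhatsApp sender; never write it to logs

    def verify(self, user_id: str, submitted: str) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user_id]   # expired: user must request a fresh code
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[user_id]   # too many guesses: invalidate the code
            return False
        ok = hmac.compare_digest(self._digest(submitted, entry["salt"]), entry["hash"])
        if ok:
            del self._pending[user_id]   # single use: a replayed code is rejected
        return ok

    @staticmethod
    def _digest(code: str, salt: bytes) -> bytes:
        # A salted hash keeps plaintext codes out of the database; with only 10^6
        # possibilities it does not stop offline guessing, so the TTL and the
        # attempt cap above are the real controls.
        return hashlib.sha256(salt + code.encode()).digest()
```

The delivery channel (SMS or WhatsApp) only changes where `issue()` hands the code; the expiry, single-use and attempt-limit logic is the same in both cases.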
Why is two-factor authentication useful?
The sad truth is that our data is constantly under attack today. Passwords can be captured or cracked using methods such as phishing, keylogging and brute-force attacks. For many users, this means stolen bank details and identities, or fake and often embarrassing social media posts. For companies, a data theft can be damaging to the business: spammers, scammers and hackers are a surefire way to drive customers to the competition.
Most of us would have difficulty finding someone whose accounts have never been compromised. A prominent example is the hijacked official Twitter account of the news agency Associated Press: from this account, tweets were sent in 2013 claiming that the White House had been attacked and the president injured. A drastic example, but it illustrates why so many companies are worried about protecting their data, and why they rely on two-factor authentication to validate user identities easily, quickly and cost-effectively and to reduce the risk of fraud.
Two factor authentication via SMS
By now almost every person in the world is able to receive text messages: around five billion people own a mobile phone, half of them smartphones. Because of this widespread availability of mobile phones, many Internet giants use SMS as a tool for 2FA. Some users open a letter, some open an e-mail, but nothing reaches the 95 percent read rate of SMS messages.
However, implementing two-factor authentication via SMS on a global scale can be extremely complicated: each country has different rules and limitations, which are difficult for companies of every size and level of know-how to handle, as is the complex network of relationships with network operators that an efficient solution requires. For example, customers in India can only receive certain types of application-to-person text messages (A2P SMS) between 9 am and 9 pm. If you do not know this restriction, your messages will be rejected, which can negatively impact acquisition and retention.
Two-factor authentication via WhatsApp
Meanwhile, two-factor authentication can also be done via WhatsApp. With over 1.5 billion users, WhatsApp is the world’s most popular messaging app and is used for both personal and business communications. WhatsApp is encrypted end-to-end, which makes users feel safe. 2FA is used in many places to gain access to services, from financial institutions and healthcare systems to government websites. Security and identity protection have the highest priority here, and end-to-end encryption, in which only the communication partners can decrypt the message, provides protection in transit that plain SMS does not.
Essentially, 2FA via WhatsApp works the same way as via SMS: the user simply receives a WhatsApp message instead of an SMS. This is particularly advantageous where mobile network coverage is patchy: WhatsApp messages can be delivered over mobile data or Wi-Fi, so travelers without global roaming and people living in poorly covered areas can still complete their 2FA. In addition, the company sending the 2FA notification does not have to deal with different network operators or make sure its messages are accepted on every relevant mobile network; WhatsApp is global and universal.
Two-factor authentication via Authenticator app
Some platforms now let their customers choose how to do 2FA: users can authenticate by SMS, by e-mail, or via an authenticator app. An authenticator app derives one-time codes from a secret key, which is shared between the server and the app at enrollment (usually by scanning a QR code), combined with the current time on the user’s personal device. The key is stored only on the user’s device and on the server; the code is regenerated with every time step (typically 30 seconds). The standard behind this is OATH TOTP (Time-based One-Time Password, RFC 6238). The advantage: authenticator apps work even when the smartphone is offline, because no code has to be transmitted to the device.
Nothing is 100 percent secure, and two-factor authentication is no exception. Codes delivered by SMS or WhatsApp can still be phished in real time or intercepted by an attacker who takes over the phone number (SIM swapping), which is why authenticator apps, where the code never travels over a network, are the strongest of the three options. Even so, any 2FA is another hurdle for criminals and provides additional protection for the user. Every bit of extra security is important, especially in online payments. Whether via SMS, WhatsApp or authenticator app: in a society where most people have at least one mobile device in their pocket, it should not be too much of an inconvenience to retrieve a security code that helps fight hackers and identity theft.
Omar Javaid is president of Vonage’s API Platform Group. He is responsible not only for all product-strategy aspects, but also for sales, operations and developer relations of Nexmo, the Vonage platform for communication APIs.