Strong Authentication and the security of digital payments

Strong Authentication and the security of digital payments

What is Strong Authentication and how does it work?

According to the Cyber & Digital Protection survey by Lexis Research for Europe Assistance on a sample of the Italian population, cybercrime is a growing phenomenon and Strong Authentication, or Two Factor Authentication (2FA), is considered one of the more effective protection methods against cybercrime.

In fact, 2FA guarantees greater security than the traditional “username and password” combination. After all, hackers are able to intercept, steal and compromise even a strong and unique password.

How does Strong Authentication work? It is an authentication method that verifies at least two elements of different nature. It means that the user cannot use two elements of the same category. Furthermore, the two elements must be independent to avoid that the violation of one compromises the reliability of the other.

Therefore, during the authentication process, 2FA requires the user at least two different elements of the following categories:

  • Knowledge: something the user knows (for example: a password or PIN);
  • Possession: something the user has (for example: a smartphone or a security token for home banking);
  • Inherence: something the user is (for example: the fingerprint, the voice stamp, the retina or the iris, biometric recognition).

Once the user has entered the username and has clarify the digital identity, the system asks them to prove the latter through the first authentication factor, ie the password. At this point, to gain access to their account, the user must use an additional factor which generally belongs to the “Possession” category and corresponds to a numeric code received via SMS or through a security token.

A classic example of Strong Authentication is the access to a current account. In this case the user needs an ID, a password and a Onetime password (OTP). The OTP is generated through a token and is valid only for a single login session or transaction.

Strong authentication is essential for protecting password managers, e-mail accounts, social media accounts and transactions related to online purchases.

2FA and Strong Customer Authentication: are they the same thing?

Strong Customer Authentication (SCA) is typical of banking and financial services. Its application became mandatory for online banking following the entry into force of the European directive PSD2 (Payment Services Directive 2).

The SCA aims to optimize the online transactions security, improve the User Experience and protect buyers and merchants during online purchases. In fact, the SCA frees the user from remembering codes or passwords, allowing them to use, for example, their biometric data.

More specifically, Strong Customer Authentication applies to customer-initiated online payments (Cardholder Initiated Transactions -CIT) or purchases made on e-commerce sites. Instead, it is not necessary in the following cases:

  • Merchant Initiated Transactions (MIT): the merchant processed these transactions without the active participation of the cardholder. In fact, there is a contract between the parties that defines the terms of the payment. One example is subscription services;
  • Mail Order and Telephone Orders (MO.TO.): This category includes transactions carried out remotely by the merchant or by automatic systems by manually entering card data on a virtual terminal;
  • Transactions under 30: however, there is a limit of € 100 or 5 transactions from the same card in 24 hours;
  • Low-risk transactions: the bank carries out a real time risk analysis for each transaction (Transaction Risk Analysis – TRA). Based on the results, the bank decides whether or not to apply the SCA. However, exempt transactions are subject to an amount limit. This limit varies according to the overall level of fraud recognized by the financial institution. In any case, the amount can reach up to 500 euros;
  • Transactions to trusted payees: the cardholder can ask their bank to consider a specific merchant as a trusted payees to avoid authenticating future payments. In this case, only the first transaction will need the SCA.
Articolo precedenteWhat is the NIST Cybersecurity Framework?
Articolo successivoTwo-Factor Authentication vs Strong Authentication