This webinar discusses getting ready for Strong Customer Authentication (SCA) requirements under PSD2. SCA requires authentication using two or more elements to help prevent fraud. The document outlines the motivation for SCA, defines its three elements, and discusses its potential negative impact on user experience. It suggests introducing SCA incrementally to help adoption and providing frictionless experiences. WSO2 Open Banking is highlighted as enabling effective SCA through customization flexibility, authentication freedom, and adaptive authentication capabilities.
Get Strong Customer Authentication Ready for PSD2
1. Get Strong Customer Authentication Ready for PSD2
Kaveen Rodrigo
Senior Software Engineer
2. Webinar Outline
● Motivation for this webinar
● Defining Strong Customer Authentication (SCA)
○ SCA in the context of Open Banking flows
○ Three elements of SCA
○ User experience impact of SCA
● Providing better SCA experiences for customers
● How WSO2 Open Banking enables SCA
4. Stakeholders Not Ready For SCA
● Financial Conduct Authority UK pushes SCA deadlines 18
months ahead.
○ Acknowledges the complexity of SCA requirements and customer
adoption
○ Phased roll out of PSD2 SCA
https://www.fca.org.uk/news/press-releases/fca-agrees-plan-phased-implementation-strong-customer-authentication
6. What’s SCA Trying to Solve?
• PSD2 allows accredited third parties to gain access to customer
accounts/payments with customer consent
• Ensures the consenting customer is not a fraudulent entity
attempting to gain access
7. [Diagram: Open Banking consent flow between TPP, ASPSP and PSU]
Steps: 1. Initiating Application; 2. Request Consent; 3. Confirm Consent; 4. Sent Consent Status; 5. Perform Transaction
8. Benefit of SCA for Open Banking
• Transactions only take place with user consent
• Gives assurance to banks and users that the request was
understood and agreed upon (WYSIWYS)
• Promotes transparency throughout the transaction to
consumers and the bank.
• Strongly authenticates the user to avoid any fraudsters
9. Strong Customer Authentication
• SCA is a mandatory requirement for PSD2 implementers
• Authentication should use two or more elements
‘strong customer authentication’ means an authentication
based on the use of two or more elements
- PSD2
11. What is Considered as SCA?
✅ User identifier and password (Knowledge) and SMS one
time password (Possession).
✅ Private pin (Knowledge) and OOBA fingerprint
authentication (Possession/Inherence)
❌ User identifier and password (Knowledge) and Security Pin
(Knowledge)
12. Unwanted Effects of SCA
• Existing internet banking customers who aren’t familiar with
multi-factor authentication
• Continued use of SCA may tire customers and add friction to
minimum-risk transactions
• Hindrance to user experience
14. Introducing Customers to SCA
● Strategy to roll-out SCA incrementally to help adoption
of open banking:
○ Easing the SCA process on initial roll-out
○ Getting customers to adopt SCA-compliant second
factors
15. Authorisation User Interfaces
“Consumer research has shown that people find a recognisable ASPSP login
page and process reassuring and increases their confidence in the journey”
● Customer Experience Guidelines 7.2
16. Clarity of Consumer Consent
“Research amongst consumers has shown that the summary information
step acts as a confirmation of exactly what they have consented to”
● Customer Experience Guidelines 7.2
17. Use of Decoupled Authentication
“Research shows that consumers are familiar with decoupled authentication
when making a payment or setting up a new payment ... Many welcome the
additional level of security decoupled authentication provides.”
● Customer Experience Guidelines 7.2
[Diagram: decoupled authentication, steps 1 to 4, with screens labelled TPP, Bank, TPP across a Consumption Device and an Authorisation Device]
18. Adaptive Authentication
With adaptive authentication, SCA is only applied in scenarios where the
transaction risk is high, so the SCA process is applied intelligently.
Transaction amount > 30 Euros: Basic Authentication → Second SCA element → Authenticated With SCA
Transaction amount < 30 Euros: Basic Authentication → Authenticated With CA
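The decision on this slide, combined with the element categories from slide 11, as an added example (not from the webinar and not WSO2 code). The function names, the authenticator-to-category map, and treating exactly 30 EUR, a non-EUR currency or a malformed amount as high risk are assumptions.

```javascript
// Added example: all names and the fail-closed choices below are assumptions.
// Authenticator -> SCA element category, following slide 11.
// The slide lists OOBA fingerprint as Possession/Inherence; inherence is used here.
const CATEGORY = {
  password: "knowledge",
  pin: "knowledge",
  smsOtp: "possession",
  oobaFingerprint: "inherence",
};
const THRESHOLD_EUR = 30;

// SCA holds only if the completed factors span two or more distinct categories.
// Password + PIN is two factors but one category, so it is not strong.
function isStrong(completed) {
  const categories = new Set();
  for (const name of completed) {
    if (!CATEGORY[name]) return false; // unknown authenticator: fail closed
    categories.add(CATEGORY[name]);
  }
  return categories.size >= 2;
}

// True when the transaction must be stepped up to a second SCA element.
// The slide defines > 30 and < 30 only; exactly 30 is treated as high risk here.
function requiresSca(tx) {
  if (typeof tx.amount !== "number" || !Number.isFinite(tx.amount)) return true;
  if (tx.amount < 0 || tx.currency !== "EUR") return true;
  return tx.amount >= THRESHOLD_EUR;
}

// Outcome for a transaction given the authenticators completed so far.
function authorise(tx, completed) {
  if (completed.length === 0 || completed.some((n) => !CATEGORY[n])) {
    return "DENIED";
  }
  if (isStrong(completed)) return "AUTHENTICATED_WITH_SCA";
  return requiresSca(tx) ? "STEP_UP_REQUIRED" : "AUTHENTICATED_WITH_CA";
}

// Constructed sample transactions.
console.log(authorise({ amount: 12.5, currency: "EUR" }, ["password"]));
console.log(authorise({ amount: 45, currency: "EUR" }, ["password", "pin"]));
console.log(authorise({ amount: 45, currency: "EUR" }, ["password", "smsOtp"]));
```

The second sample returns STEP_UP_REQUIRED even though two factors were presented, because both are knowledge elements.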
20. Customization Flexibility
● WSO2 Open banking provides flexibility to customize the SCA
flow
○ Custom Authenticators
○ APIs for consent management
○ Authorization portal customization
21. Authentication Freedom
• WSO2 Open Banking is built on top of
the WSO2 Identity Server and comes
with the same flexibilities
• Already existing zero-code pluggable
authenticators
Authenticator = SCA Element
https://docs.wso2.com/display/OB140/Adding+Custom+Authenticators
22. Adaptive Authentication Capability
• WSO2 Open Banking provides flexible adaptive authentication
scripting
• WSO2 Open Banking business intelligence provides
out-of-the-box transaction risk analysis and fraud detection
https://docs.wso2.com/display/OB140/Integrate+Open+Banking+Business+Intelligence
23. Takeaway Points
• SCA is an integral part of PSD2 Open Banking
• The implementation strategy will play an important role in the
adoption of open banking
• Special thought on UX is necessary when selecting factors for
SCA
• Flexible SCA options will encourage different consumer groups
to adopt open banking
25. Learn More on WSO2 Open Banking
More Information http://wso2.com/solutions/financial/open-banking/
Try out WSO2 Open Banking https://openbanking.wso2.com
Get in Touch openbankingdemo@wso2.com