One of the consequences of the entry into force of PSD2 (the 2nd Payment Services Directive) on January 13, 2018, and of the publication of the associated technical rules (known as the “RTS”), which will apply from September 14, 2019, is the announced death of the SMS OTP (“One Time Password”). Beyond the constraints it places on the banking sector with regard to payments, the text’s impact on other regulations, particularly those governing electronic signatures, is also an open question.
The end of SMS OTP?
For many years now, consumers have been accustomed to authenticating themselves when making an online payment with a code received by SMS (the mechanism known as “3-D Secure”). This authentication method is designed to ensure that it is the cardholder who is making the payment. Even though it is not infallible (a cell phone number can be misused) and even though it affects the conversion rate of customer transactions, it is now well accepted by both customers and merchants.
In its 2018 annual report of the Observatoire de la sécurité des moyens de paiements, the Banque de France detailed the operational implications of the text’s entry into force, particularly with regard to the conditions for accessing an online payment account.
It specifies that strong authentication is required when the cardholder wishes to consult his or her account, make a bank transfer or card payment, or perform a number of other sensitive operations.
Article 4 of PSD2 defines strong authentication as “based on two or more elements belonging to the categories: knowledge, possession, and inherence (biometrics) and results in the generation of an authentication code”. And in Article 9, the directive stipulates that the various elements must be independent, so as to guarantee “that, in terms of technology, algorithms and parameters, the compromise of one element does not call into question the reliability of the others”.
However, the SMS OTP constitutes only one factor: possession of the mobile phone that receives the code. Because the received code is not independent of that mobile phone, it cannot be counted as a second factor. The card number, its validity date and its cryptogram are not considered a knowledge factor because they appear “in clear” on the card and are, in fact, easily copied.
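As an added illustration of the two-category and independence rules described above (this is not code from the original article), the following Python sketch classifies the elements discussed on this page and checks whether a proposed combination meets them. The element catalogue and the independence model, which treats two factors as independent only when no single asset's compromise exposes both, are simplifying assumptions rather than a reading of the RTS text.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

# Factor categories named in PSD2 Article 4. NONE marks an element that the
# article argues is not a factor at all (card data printed "in clear").
KNOWLEDGE, POSSESSION, INHERENCE, NONE = "knowledge", "possession", "inherence", None


@dataclass(frozen=True)
class AuthElement:
    name: str
    category: Optional[str]
    # Assumed model of the Article 9 independence rule: the assets whose
    # compromise exposes this element. Two factors are treated as independent
    # only when these sets are disjoint.
    compromised_by: frozenset = frozenset()


# Constructed catalogue, classified the way the article argues.
SMS_OTP = AuthElement("SMS OTP", POSSESSION, frozenset({"mobile", "phone number"}))
CARD_DATA = AuthElement("card number + validity + cryptogram", NONE, frozenset({"card"}))
PASSWORD = AuthElement("online-banking password", KNOWLEDGE, frozenset({"password"}))
APP_PUSH = AuthElement("bank app push confirmation", POSSESSION, frozenset({"mobile"}))
MOBILE_PIN = AuthElement("PIN stored on the SMS-receiving phone", KNOWLEDGE, frozenset({"mobile"}))


def satisfies_sca(elements):
    """Return (ok, reason) for a proposed set of authentication elements."""
    factors = [e for e in elements if e.category is not None]
    # Rule 1 (Article 4): at least two distinct categories must be present.
    if len({f.category for f in factors}) < 2:
        return False, "fewer than two factor categories"
    # Rule 2 (Article 9, simplified): some pair of factors from different
    # categories must not share a compromise path.
    for a, b in combinations(factors, 2):
        if a.category != b.category and not (a.compromised_by & b.compromised_by):
            return True, f"independent pair: {a.name} / {b.name}"
    return False, "factors from different categories share a compromise path"


if __name__ == "__main__":
    for combo in ([SMS_OTP, CARD_DATA], [SMS_OTP, PASSWORD],
                  [SMS_OTP, APP_PUSH], [SMS_OTP, MOBILE_PIN]):
        ok, why = satisfies_sca(combo)
        print(" + ".join(e.name for e in combo), "->", "PASS" if ok else "FAIL", f"({why})")
```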
Towards a new authentication method?
Banks will therefore have to find a new way of authenticating their customers for the transactions covered by PSD2, i.e. those concerning account management in the broadest sense. There is another moment when the SMS OTP is very much in use today: when entering into a relationship, for the remote authentication of prospects or customers, for example in the context of the electronic signature of an account-opening contract or a commercial credit proposal.
To be valid, an electronic signature requires identification and authentication of the signatory. Today, the market has embraced two practices: the collection (and analysis) of an identity document and the capture of an SMS OTP.
Electronic signatures have been governed by the European eIDAS regulation since July 1, 2016. It requires that the signature medium be under the exclusive control of the signatory; in the case of a remote signature, this obligation takes the form of a one-time code sent by SMS, which only the signatory can enter at the time of signing.
For years, this “activation” code has been an essential step in the electronic signature process. The question now is whether it will survive PSD2.
A first element of the answer is the harmonization of the European texts regulating the financial sector, with concepts carried over from one text to another. For example, the identification schemes defined by the eIDAS regulation quickly found their place in the transposition of the 4th anti-money laundering and terrorist financing directive: Article R561-20 of the Monetary and Financial Code lists these means of identification among the new additional vigilance measures when entering into a remote business relationship (5th and 6th measures).
The main driver of these changes will undoubtedly be the sector’s aversion to risk. If a credible replacement for SMS OTP in terms of deployment, usability and security comes onto the market for secure payments, it will very quickly be deployed for other uses such as electronic signatures.