

By Thorsten Trapp, CTO and co-founder, tyntec

Concerned about the increase in internet fraud related to online payments, the European Banking Authority (EBA) recently decided that the implementation of a more secure framework for internet payments across the EU was needed. Released in December 2014, the EBA’s guidelines on the security of internet payments set out the minimum requirements that Payment Services Providers (PSPs) in all 28 EU member states will be expected to implement by 1 August 2015.

The guidelines require that PSPs “carry out strong customer authentication” to verify the identity and intentions of all customers in online transactions. This is a welcome development, as the latest pan-EU figures showed that fraud on card internet payments alone caused €794 million of losses in 2012 (up by 21.2% from the previous year).

“Strong customer authentication” is defined as something that employs the use of two or more elements to verify a person’s identity, so two-factor authentication is an obvious choice as a minimum standard.

What is two-factor authentication?

Two-factor authentication (2FA) is a security process in which the user is asked to provide two means of identification in order to access private information or complete a task, such as an online payment. Typically, the process will require the user to make use of something they “have”, such as a physical object like a phone or a token, or a unique physical identifier like a fingerprint, in addition to offering up information they “know”, like a password.

Choosing the right solution


The EBA’s guidelines stipulate that the authentication method used must meet the following criteria: “mutually independent”, “not reusable”, “non-replicable” and “cannot be stolen off the internet”. This means that while there are many different types of two-factor authentication, not all methods are compliant. In addition, PSPs will need to consider specific requirements determined by country-level mandates and will want a solution that is easy to use, cost-effective and easy to deploy.

Biometric data is one example that offers a strong authentication method but poses usability problems in a mobile environment and can cause issues related to data protection and privacy. Fingerprints can occasionally become unreadable due to cuts or bruises, and glasses can prevent an iris from being recognised. No doubt this technology will improve with time, but in its current form there is a distinct lack of understanding and practicality, which makes it a difficult investment for PSPs to commit to in order to meet the stipulated guidelines.

In contrast, SMS-based 2FA is one solution which PSPs can viably consider investing in now, due to its user-friendly nature, economic cost structure and security effectiveness. Practically, this solution involves sending a One-Time Password (OTP) via SMS to a registered mobile number, a process consumers are already familiar with in their day-to-day lives. The end-user first enters his or her password online, then receives an OTP in the form of a text message, which is entered to complete the authentication process. As a result, OTP SMS, an out-of-band two-factor authentication, meets the EBA’s security requirement of “strong customer authentication” and is user friendly, universally accessible, simple to deploy, and cost effective.
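To make the “not reusable” and out-of-band properties concrete, here is an added example (not code from the article or from tyntec) of the server-side half of the OTP step described above: a fresh random code is bound to the login session, delivered through a stubbed SMS gateway (`send_sms` is an assumed placeholder, not a real API), and accepted at most once, before expiry and within a small attempt budget. The 5-minute validity window, the 3-attempt limit and the in-memory stores are assumptions for illustration.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumption: five-minute validity window
MAX_ATTEMPTS = 3        # assumption: discard the code after three wrong guesses

# Constructed in-memory stores; a real PSP would persist these server-side.
_pending = {}           # session id -> {"otp", "expires", "attempts", "phone"}
_sent_messages = []     # stand-in for the SMS gateway: records what would be sent

def send_sms(phone, text):
    """Stub for the out-of-band SMS gateway (assumed placeholder, not a real API)."""
    _sent_messages.append((phone, text))

def issue_otp(session_id, phone, now=None):
    """Second factor: after the password (first factor) has been checked, generate a
    fresh 6-digit code, bind it to this session and deliver it over a channel that is
    independent of the web session (the registered mobile number)."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"   # CSPRNG; never derived from the password
    _pending[session_id] = {"otp": otp, "expires": now + OTP_TTL_SECONDS,
                            "attempts": 0, "phone": phone}
    send_sms(phone, f"Your one-time code is {otp}")

def verify_otp(session_id, submitted, now=None):
    """Accept a code at most once, only before expiry, and only within the attempt
    budget; every failure path leaves no reusable state behind."""
    now = time.time() if now is None else now
    entry = _pending.get(session_id)
    if entry is None:
        return False                                  # nothing issued, or already consumed
    if now > entry["expires"]:
        del _pending[session_id]                      # expired codes are discarded
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[session_id]                      # cap online guessing of a 6-digit space
        return False
    if hmac.compare_digest(entry["otp"], submitted):  # constant-time comparison
        del _pending[session_id]                      # "not reusable": consumed on success
        return True
    return False                                      # wrong code; budget still counts down
```

The code stays on the server and reaches the user only through the SMS channel, so a password captured on the web session alone is not enough to complete the payment.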

Given the expansive reach and ubiquity of SMS, sending security codes via this medium provides an effective solution for service providers looking to provide increased security for their customers whilst adhering to the EBA’s guidelines.

The SMS-based 2FA implementation challenge

The EBA’s guidelines will no doubt spark a flurry of activity as PSPs look to strengthen their online security measures. However, it’s important that companies take the time to carefully consider how they can effectively deploy an SMS-based 2FA strategy.

From an implementation standpoint, PSPs would be wise to work with OTP SMS specialists who can handle the mission-critical nature of the messaging service in terms of speed, delivery rate and coverage. Using SMS-based 2FA as an example, working with a reputable provider will ensure that you have access to a strong infrastructure to transmit SMS traffic securely, and can provide real-time checks of whether a mobile number is valid or not. This significantly reduces the likelihood of OTP failure, making the solution significantly more effective for those using it.

With the guidelines due to come into force in August, there really isn’t much time before we start seeing a major step forward in the levels of security implemented by websites and online services. These regulations will put the idea of strong online security measures firmly in the minds of PSPs and cause them to look at how they can implement effective 2FA strategies in order to adhere to the guidelines of the EBA, or risk having to justify their non-compliance.