Does PSD2 Practically Eliminate SMS-OTP?

The effective date of the Payment Services Directive 2 (PSD2), Sept 14th, 2019, is approaching quickly. While open banking APIs are a big topic in PSD2, I want to focus on the new rules regarding Strong Customer Authentication (SCA) that are also part of PSD2.

A Single Factor is Too Weak

Server-side theft of password credentials and phishing attacks are large-scale threats these days.

Consequently, there is a need for two-factor authentication in the financial sector – especially for high-risk transactions.

SMS-OTP is a Common Second Factor Authentication Method

Today, SMS-OTP (called mobileTAN in Germany) is a common second-factor authentication method for financial transactions.
On the other hand, there have been several concerns about SMS-OTP security, and NIST has put SMS-OTP on the deprecation path by marking it a “restricted” authenticator.

This raises the question of whether the strict PSD2 SCA requirements rule out the use of SMS-OTP or not.

Does PSD2 Lead to SMS-OTP Elimination?

The EBA stated that SMS-OTP complies with PSD2, but at the same time the EBA emphasized that “payment service providers shall ensure that the processing and routing of personalized security credentials and of the authentication codes generated in accordance with Chapter II take place in secure environments in accordance with strong and widely recognized industry standards”.

This sounds more like a “yes, but” than an unconditional “yes” – especially in light of recent SS7 attacks and real-time man-in-the-middle attacks like EuroGrabber.

So I was curious to see what financial institutions would do with that. Would they simply keep using SMS-OTP as they do today?

Now we have the answer: they won’t continue using SMS-OTP.

Recently, some German savings banks (such as Berliner Sparkasse) and Postbank (a Deutsche Bank subsidiary) announced that they are deprecating SMS-OTP.

This is encouraging news for us consumers – especially in light of recent reports of increased online banking fraud due to SMS-OTP vulnerabilities.

Let’s encourage the banks to follow large international banks like MUFG and start supporting internationally standardized authentication methods like FIDO, which meet the PSD2 SCA requirements and provide great convenience and security, instead of introducing a new wave of proprietary methods.