By Paul Jacquaye
Our journey of encouraging service providers to deploy authentication solutions across Africa has been fraught with euphoria and dysphoria. Our team has spent several hours with our principal partners marketing our solutions to several banks in different countries. Our presentations and proposals yielded a lot of interest, but very limited success. The products are very fit for purpose, and many a bank executive will go quiet after receiving the pricing for the product and the options selected, i.e. out of band, push notification, biometrics, price per user etc. This experience was compounded by the fact that 2FA (two-factor authentication) and MFA (multi-factor authentication) were not a mandatory requirement from regulators then.
Fast forward to 2020 and at least 2FA is a mandatory requirement in most jurisdictions across Africa. However, the majority of banks and payment service providers (PSPs) across the continent have met this requirement with the minimum acceptable compliance, the SMS one-time password (OTP), and some, especially the mobile money providers using USSD, have not met it at all. SMS OTP has its drawbacks even though its use has grown exponentially thanks to its ease of deployment and affordability. For instance, SMS interception through social engineering and SIM swap incidents abound.
The growth of mobile banking and payment apps requires that financial institutions (FIs) and PSPs up their game. The exponential growth of eCommerce, fueling a rise in Card-Not-Present transactions and mobile wallets, places on FIs and PSPs a responsibility to manage customer experience and confidence whilst balancing risk mitigation and control.
A personal experience last week with a bank, where I was undertaking an online transaction, is an example of how authentication friction can cause loss of revenue through transaction abandonment. The SMS OTP took one hour and four minutes to arrive (although this was out of the ordinary for SMS OTP receipt, which usually takes a few seconds to minutes). I abandoned the transaction and used different means to complete my transfer. This dampened my enthusiasm for continuing to do business with this bank. When I engaged the bank, their response was “sometimes it delays”. Really?
So, the question is: does SMS OTP meet the requirements set by regulators for strong customer authentication (SCA)? For example, the European Payment Services Directive 2 (PSD2), Article 4(30), defines strong customer authentication (multi-factor authentication) as an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and that is designed in such a way as to protect the confidentiality of the authentication data. In my personal experience highlighted above, however, the SMS OTP sent was to confirm the transaction, not to sign it. Granted, I signed into the internet banking page on my personal computer with my username and password to authorise a transaction initiated by a colleague, and the SMS OTP was the second factor; but it did not require me to use any of the transaction details, for example the recipient account number or the transfer amount. The SMS content must also be protected from alteration in transit, and this cannot be guaranteed. One can therefore conclude that SMS-based authentication can be used for logging in but not for signing the transaction. SMS authentication is also very risky for high value transactions.
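The distinction drawn above, a code that merely confirms versus one that signs the transaction, is easiest to see in code. The following is an added example and not code from the article or from any vendor product it mentions: it contrasts a time-based login OTP, which has no transaction input at all, with a simplified HMAC-based transaction-signing code whose input includes the payee account and amount, so that the same code presented against a different payee or a different amount is rejected. The shared secret, account numbers, amounts, currency and nonce are constructed demo values, and the scheme itself is an illustrative design rather than any regulator's or product's specification.

```python
"""Login OTP versus transaction-signing code (dynamic linking).

Added example, not code from the original article. The secret, account
numbers, amounts and nonce are constructed demo values.
"""
import hashlib
import hmac
import struct

# Constructed demo secret shared between the bank and the customer's
# authenticator (in practice provisioned per device, never hard-coded).
DEMO_SECRET = bytes.fromhex("3132333435363738393031323334353637383930")


def _truncate(digest: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: take 4 bytes at an offset given by the
    last nibble, clear the sign bit, and reduce modulo 10**digits."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login_otp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP-style code: a function of key and time only. It proves possession
    of the authenticator but carries no information about what is being
    authorised, which is why it cannot sign a transaction."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    return _truncate(digest, digits)


def transaction_code(secret: bytes, payee_account: str, amount_minor: int,
                     currency: str, nonce: str, digits: int = 6) -> str:
    """Dynamically linked signing code: the HMAC input binds the payee account,
    the amount (in minor units) and a server-issued per-transaction nonce, so a
    code generated for one transaction is not valid for any other."""
    msg = f"{payee_account}|{amount_minor}|{currency}|{nonce}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(digest, digits)


def verify_transaction(secret: bytes, payee_account: str, amount_minor: int,
                       currency: str, nonce: str, presented_code: str) -> bool:
    """Server-side check: recompute the code from the details the bank is
    about to execute and compare in constant time."""
    expected = transaction_code(secret, payee_account, amount_minor, currency, nonce)
    return hmac.compare_digest(expected, presented_code)


def demo() -> dict:
    """Constructed transaction: the customer sees payee 0123456789 and
    GHS 2,500.00 on screen and enters the code their authenticator derived
    from exactly those details."""
    nonce = "txn-000123"  # constructed per-transaction value issued by the server
    code = transaction_code(DEMO_SECRET, "0123456789", 250_000, "GHS", nonce)

    # Genuine details: accepted.
    genuine = verify_transaction(DEMO_SECRET, "0123456789", 250_000, "GHS", nonce, code)
    # Same code replayed against an altered payee or amount: rejected.
    swapped_payee = verify_transaction(DEMO_SECRET, "9876543210", 250_000, "GHS", nonce, code)
    inflated_amount = verify_transaction(DEMO_SECRET, "0123456789", 2_500_000, "GHS", nonce, code)

    # A login OTP, by contrast, takes no transaction input at all.
    otp = login_otp(DEMO_SECRET, 1_600_000_000)
    return {
        "genuine": genuine,
        "swapped_payee": swapped_payee,
        "inflated_amount": inflated_amount,
        "login_otp": otp,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The property the example shows is the one the text calls signing the transaction: because the payee and amount are inputs to the code, an attacker who captures the code (by SIM swap or social engineering) gains nothing for a transfer to their own account, and a change to the details between what the customer saw and what the bank executes makes the code fail verification. A login OTP, having no such inputs, can only tell the bank that the authenticator was present.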
With the coronavirus (Covid-19) disease spreading across the world and the increase in remote banking due to stay-at-home orders, most banking transactions are now online. Unfortunately, fraudsters are simultaneously busy using varied manoeuvres to steal the credentials of unsuspecting customers and undertake fraudulent transactions across multiple channels. Hackers invest a lot of time and resources for a return on their investment; it is therefore incumbent on banks to invest in airtight authentication solutions to secure banking transactions and build customer trust. With strong authentication, friendly fraud can also be curtailed.
To bring our journey over the years to a resolution, for ourselves and for the financial institutions, we have partnered with two leading global solution providers to offer Authentication as a Service (AaaS) across the African continent. Our authentication service enables Financial Institutions and Payment Service Providers to offer 2FA and MFA to their customers without incurring the heavy costs of license acquisition. The solution encompasses hardware tokens, CAP devices, an Android app and an iOS mobile token app, as well as a software development kit (SDK) for easy integration into existing banking solutions. The service provides functions such as Device Binding, Jailbreak/Root detection, Anti-Debug, Anti-Hooking, Advanced Obfuscation, Secure Storage, Secure Channel (on top of SSL), PIN Authentication with a randomized Secure PIN Pad, Biometric Authentication with Fingerprint and Facial Recognition, and Dynamic Code Verification (DCV) for protecting banks and card issuers against card-not-present fraud, among many other capabilities.
We will also provide FIDO2 (Fast Identity Online) as part of our roll out. I will address this in another article.