Are SMS safe enough for SCA and PSD2?
Last edited May 2023
Since the mid-90s, SMS has been the main authentication method for online banking and online payments. With the evolution of mobile platforms, however, SMS is far from reliable enough to guarantee safe authentication on its own.
Back in the early days, the European Banking Authority's (EBA) guidelines on internet payment security required authentication to occur on a separate device from the one used to process the payment. Sending a code via SMS served exactly that purpose: on the assumption that users were making a purchase on a PC, a code delivered to a mobile phone fulfilled the requirement.
With the introduction and maturation of smartphones, this scenario changed drastically, and customers now use their phones regularly to make purchases online. In this case, the same device is used to process the purchase and authentication, which doesn’t fulfil the regulatory requirements.
SMS still has a place in strong customer authentication and can be PSD2 compliant
Even though SMSes can’t be considered safe on their own, they are still an asset for user authentication in online banking and online payments.
With the revised Payment Services Directive (PSD2), all merchants in the European Economic Area are mandated to implement strong customer authentication (SCA) to validate transactions.
According to the SCA guidelines, a basic requirement must be met for a transaction to be validated: the customer must provide two independent pieces of information. This process has become known as two-factor authentication, or 2FA.
Usually, these pieces of information can be organised into three categories:
Something they own (e.g., smartphone)
Something they know (e.g., PIN code)
Something they are (e.g., fingerprint)
When paired with an additional piece of information, one-time codes sent via SMS can still be considered secure and PSD2 compliant.
The SMS would fall into the "something they own" category and would then need to be supported by a second piece of information from a different category, such as a PIN code on the payment platform.
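The independence rule above is easy to get wrong in an implementation: two codes delivered to the same phone are still a single "something they own" factor. The following is an added Python example, not code from the article or from any payment platform, that models the three categories named above and only accepts a transaction when factors from two distinct categories verify. The SMS code lifetime, the sample PIN "4821" and the timestamps are constructed values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# The three SCA factor categories named in the article.
POSSESSION = "possession"   # something they own (the phone receiving the SMS)
KNOWLEDGE = "knowledge"     # something they know (a PIN)
INHERENCE = "inherence"     # something they are (a fingerprint)


@dataclass
class SmsOtp:
    """A one-time code sent by SMS; valid only for ttl_seconds after issue (constructed TTL)."""
    code: str
    issued_at: float
    ttl_seconds: int = 300


def issue_sms_otp(now: float, digits: int = 6, ttl_seconds: int = 300) -> SmsOtp:
    # secrets, not random: the code must be unpredictable to anyone without the phone.
    code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
    return SmsOtp(code=code, issued_at=now, ttl_seconds=ttl_seconds)


def verify_sms_otp(otp: SmsOtp, presented: str, now: float) -> bool:
    if now - otp.issued_at > otp.ttl_seconds:
        return False  # an expired code never matches, even if the digits are right
    # constant-time compare so the check does not leak how many digits matched
    return hmac.compare_digest(otp.code.encode(), presented.encode())


def hash_pin(pin: str, salt: bytes) -> bytes:
    # PINs are stored only as a salted PBKDF2 hash, never in clear.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000)


def verify_pin(stored: bytes, salt: bytes, presented: str) -> bool:
    return hmac.compare_digest(stored, hash_pin(presented, salt))


def sca_satisfied(results) -> bool:
    """results: iterable of (category, verified) pairs.

    SCA passes only when factors from at least two *distinct* categories
    verified. Two possession factors (e.g. two SMS codes to the same phone)
    collapse into one category and therefore fail.
    """
    passed = {category for category, ok in results if ok}
    return len(passed) >= 2


def demo(now: float = 1_700_000_000.0) -> dict:
    """Four constructed scenarios; returns the SCA outcome of each."""
    salt = secrets.token_bytes(16)
    stored_pin = hash_pin("4821", salt)   # constructed sample PIN
    otp = issue_sms_otp(now)
    second_otp = issue_sms_otp(now)

    # 1. SMS code + PIN: possession + knowledge -> satisfied
    sms_plus_pin = sca_satisfied([
        (POSSESSION, verify_sms_otp(otp, otp.code, now + 30)),
        (KNOWLEDGE, verify_pin(stored_pin, salt, "4821")),
    ])
    # 2. SMS code alone: one category -> not satisfied
    sms_only = sca_satisfied([
        (POSSESSION, verify_sms_otp(otp, otp.code, now + 30)),
    ])
    # 3. Two SMS codes: both possession -> still one category -> not satisfied
    two_sms = sca_satisfied([
        (POSSESSION, verify_sms_otp(otp, otp.code, now + 30)),
        (POSSESSION, verify_sms_otp(second_otp, second_otp.code, now + 30)),
    ])
    # 4. Correct PIN but the SMS code is presented after expiry -> not satisfied
    expired = sca_satisfied([
        (POSSESSION, verify_sms_otp(otp, otp.code, now + 600)),
        (KNOWLEDGE, verify_pin(stored_pin, salt, "4821")),
    ])
    return {"sms_plus_pin": sms_plus_pin, "sms_only": sms_only,
            "two_sms": two_sms, "expired_sms_plus_pin": expired}


if __name__ == "__main__":
    print(demo())
```

The category set in `sca_satisfied` is what enforces independence: the check counts categories, not codes, so adding a second SMS step to a checkout never turns a single-factor flow into SCA. The expiry and constant-time comparison in `verify_sms_otp` are the two controls that keep the possession factor itself from being trivially replayed or guessed.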
SMS will persist as an important part of SCA
Even if the evolution of mobile phones and other technologies might have taken some shine away from SMSes, they will still be an important part of customer authentication. When combined with a second piece of information, SMSes can still be considered valid authentication tools.
Their importance for the foreseeable future will be guaranteed by the fact that users actually prefer them as an authentication method when doing online payments. Most likely, the fact that they are still a very practical form of authentication makes them ideal to enhance the user experience.