PSD2 & GDPR – Why your pet’s name may no longer be good enough
PSD2 and strong customer authentication
The deadline for EU member states to implement PSD2 is January 2018. This mandates that banks open up access to certain of their services to third parties and mandates that strong customer authentication (SCA) is used to assert identity when accessing these services or performing risky functions – eg making a payment.
GDPR penalties for data breach
The GDPR applies from May 2018 and governs, amongst other things, the way in which personal information, including security credentials, should be looked after. Failure to comply could give rise to negligence claims under the GDPR guidelines and penalties can include fines of up to £20m or 4% of worldwide turnover.
Need for two-factor authentication
Two-factor authentication (2FA) is generally deployed as SCA for high risk transactions. The factors can be any two from three distinct types of credentials: something you know (eg a password or a PIN), something you have (ie a handset or a fob) and something you are (ie inherent biometrics such as face or fingerprint). The greater the use of 2FA, the greater the incidence of lost credentials (eg a stolen phone or a forgotten password) and the greater the need for a secure recovery process when that occurs. Given that the GDPR sets the bar on how personal data is processed, it follows that equally strong processes must be followed to re-assert identity if any of these credentials is lost.
Securing password reset
To maintain the chain of trust and ensure that there are no weak links, the process for recovering from a forgotten password or stolen handset should also use a 2FA process – but not the same credentials as have been lost and potentially compromised. In practice this means that a password reset must also use 2FA. If the reset process is not as strong as the authentication process that reset weakness could be a target for a fraudster and the organisation could be deemed negligent – leaving it at risk of penalties under the GDPR.
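The rule above (recovery must itself be 2FA, and must not lean on the credential that was lost) can be enforced mechanically. The following is an added example, not Selified's code: a small policy check over a constructed credential catalogue in which device-bound factors such as an SMS OTP or an authenticator app are treated as compromised once the handset they are bound to is lost.

```python
# Added example (not Selified's code). Policy: a reset flow must use two
# credentials from distinct factor types, none of which is compromised.
# Losing a device compromises every "something you have" factor bound to it.

KNOW, HAVE, ARE = "know", "have", "are"

# Constructed catalogue for one customer: name -> (factor type, device binding)
CREDENTIALS = {
    "password":     (KNOW, None),
    "pin":          (KNOW, None),
    "sms_otp":      (HAVE, "handset"),
    "auth_app":     (HAVE, "handset"),
    "hardware_fob": (HAVE, "fob"),
    "selfie_face":  (ARE, None),
}


def compromised_by(lost):
    """Expand lost items (credential names or bindings such as 'handset')
    into the full set of credentials that can no longer be trusted."""
    out = set()
    for name, (_, bound_to) in CREDENTIALS.items():
        if name in lost or (bound_to is not None and bound_to in lost):
            out.add(name)
    return out


def recovery_allowed(lost, proposed):
    """Return (ok, reason) for a reset flow that wants to use `proposed`."""
    used = set(proposed)
    unknown = used - CREDENTIALS.keys()
    if unknown:
        return False, "unknown credential(s): " + ", ".join(sorted(unknown))
    bad = used & compromised_by(lost)
    if bad:
        return False, "reuses compromised credential(s): " + ", ".join(sorted(bad))
    factor_types = {CREDENTIALS[name][0] for name in used}
    if len(factor_types) < 2:
        return False, "needs two distinct factor types, got: " + ", ".join(sorted(factor_types))
    return True, "ok"


if __name__ == "__main__":
    # Forgotten password: OTP to the registered handset plus a selfie is fine.
    print(recovery_allowed({"password"}, ["sms_otp", "selfie_face"]))
    # Stolen handset: the authenticator app on it is no longer trustworthy.
    print(recovery_allowed({"handset"}, ["password", "auth_app"]))
```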
Verifying customer identity seamlessly
Organisations will face a balancing act. When a customer is re-establishing identity, if the service provider makes it as complex as the original sign-up and registration process, either their customer service costs will escalate or their customers will start voting with their feet. They need to find a robust yet cost effective and seamless way of enabling customers to re-assert their identity. With fraudsters exploiting the proliferation of shared mailboxes, easier access to ancestry information and the growth of personal data being shared on social media, we need to look at other factors that are less easy to compromise.
Selfie-based facial verification
Selified’s facial verification service provides a simple and cost effective way to carry out 2FA using something you are (ie facial biometrics) as one of the factors. The face could either be compared with the face on record or with a government issued ID document bearing a photograph, eg a driving licence or passport. Asking someone to take a simple selfie when requesting a password reset will prevent the fraudulent use of that person’s credentials and lower the organisation’s risk of fraud and exposure to sanctions under the GDPR.
PSD2 and GDPR are coming into force. Over the next two years we will see major change in the relationship we have with our financial institutions and in how access to our own data is enabled. Selified’s verification service provides organisations with the tools to provide great customer service and protect brand reputation.