FIDO authentication standards offer European financial institutions an easy way to comply with the European Union’s Payment Services Directive (PSD2) regulations, the FIDO Alliance argues in a new paper.
The final draft of the PSD2’s Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) requires financial institutions to use multi-factor authentication for certain kinds of online transactions. That need not be onerous for the end user: both factors may be presented from a single device, provided they originate in separate secure execution environments. And as FIDO argues in a summary of its new paper, “[m]ost consumer-grade devices, such as laptops and mobile phones, are shipping with these security capabilities already built in, as well as on-device biometric authenticators.”
Those built-in capabilities are what FIDO-compliant authentication relies on: it combines “something you have”, such as a security key or a private key held in the device’s secure hardware, with “something you are”, such as a fingerprint checked on the device (or, on authenticators without a biometric sensor, “something you know” in the form of a local PIN). FIDO’s privacy requirements, under which biometric data never leaves the device and each credential is scoped to a single relying party so it cannot be used to track a user across services, are designed to help a company’s deployment meet the data and privacy protection obligations found in other government regulations as well.
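Neither the article nor the FIDO paper includes code; the following is an added example of the check a relying party (the bank’s server) should perform on a FIDO2/WebAuthn assertion to confirm that both factors were actually exercised. Possession is proven by a signature from the device-held private key over authenticatorData || SHA-256(clientDataJSON); the second factor (biometric or PIN) is reported by the authenticator in the User Verified (UV) flag of the authenticator data, and a server that never looks at that flag is accepting a single factor no matter what the device can do. The flag positions and layout follow the WebAuthn specification (section 6.1); the relying-party ID “bank.example”, the counter values and the `make_auth_data` helper are constructed for the example and are not a real device’s output.

```python
# Added example, not from the FIDO paper or the article: confirming from
# WebAuthn authenticator data that an assertion carries BOTH SCA factors.
# Possession ("something you have") is proven by the signature over
# signed_payload(); verification of that signature with the stored public key
# happens outside this snippet. The second factor ("something you are/know")
# is recorded by the device in the User Verified flag checked below.
import hashlib
import struct

# Flag bits of the authenticator data byte 32 (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # User Present: the user touched/interacted with the device
FLAG_UV = 0x04  # User Verified: biometric or PIN check performed on the device
FLAG_AT = 0x40  # Attested credential data present (registration only)
FLAG_ED = 0x80  # Extension data present


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def signed_payload(auth_data: bytes, client_data_json: bytes) -> bytes:
    """Bytes the authenticator signed: authData || SHA-256(clientDataJSON)."""
    return auth_data + hashlib.sha256(client_data_json).digest()


def check_two_factor_assertion(auth_data: bytes, rp_id: str, last_sign_count: int) -> dict:
    """Policy checks for an SCA-grade assertion; raises ValueError on failure."""
    parsed = parse_authenticator_data(auth_data)
    # The assertion must be bound to our relying-party ID, not another site's.
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        raise ValueError("rpIdHash mismatch: assertion was made for a different RP")
    if not parsed["user_present"]:
        raise ValueError("UP flag clear: no user interaction with the authenticator")
    # This is the second factor. Without UV the assertion proves possession only.
    if not parsed["user_verified"]:
        raise ValueError("UV flag clear: no biometric/PIN verification, single factor only")
    # Authenticators that support counters must report a strictly increasing
    # value; a repeat or decrease suggests a cloned credential. A zero counter
    # means the device does not implement one, so it is not compared.
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= last_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return parsed


def is_sca_grade(auth_data: bytes, rp_id: str, last_sign_count: int) -> bool:
    """Boolean wrapper around check_two_factor_assertion for policy decisions."""
    try:
        check_two_factor_assertion(auth_data, rp_id, last_sign_count)
        return True
    except ValueError:
        return False


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed authenticator data for the examples below (hypothetical, not a real device)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "bank.example"  # hypothetical relying-party ID
    good = make_auth_data(rp, FLAG_UP | FLAG_UV, 42)
    print("accepted:", check_two_factor_assertion(good, rp, last_sign_count=41))
    # The device only asked for a touch: possession alone, not SCA.
    weak = make_auth_data(rp, FLAG_UP, 43)
    try:
        check_two_factor_assertion(weak, rp, last_sign_count=42)
    except ValueError as exc:
        print("rejected:", exc)
```

The practical point is that the relying party decides whether the second factor is required: it requests `userVerification: "required"` in the assertion options and then refuses any response whose UV flag is clear. Checking the rpIdHash and the signature counter are the standard companion checks, since a correctly two-factor assertion is worthless if it was produced for another site or replayed from a cloned key.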
With a growing number of FIDO-certified products on the market, major names in IT like Google and Facebook starting to back the Alliance’s standards, and the new PSD2 rules all but mandating the kind of multi-factor authentication those standards deliver, European financial services firms are likely to find a compelling argument in FIDO’s new report, available for free from the FIDO Alliance website.