Why mobile authentication needs to be seamless and secure

Can UX and SCA be BFF? Security measures often stand in the way of a good user experience (UX). Fortunately, the times are changing. User experience and strong customer authentication (SCA) can be perfectly combined, for instance in TrustBuilder Mobile Authenticator.

According to the latest estimates, there are just under 7 billion mobile users globally, and the number is only set to rise. Mobile devices have become the preferred access point to any type of application or information. For financial institutions, the smartphone is quickly replacing the traditional bank branch. As the number of mobile devices and their use for financial and business-critical applications increases, so does the number of mobile attacks. Without adequate protection, having a bank branch in your trouser pocket is just as safe as keeping your money in a stocking under your mattress.

PSD2 requires Strong Customer Authentication

That explains the need for strong customer authentication and the requirements for SCA in the PSD2 regulations that came into force earlier this year. PSD2 has the double aim of preventing fraud in electronic payments and of ensuring the privacy of consumers’ financial data, thereby boosting consumer confidence in online transactions. Since the European Union set the Regulatory Technical Standards in 2019, SCA is quickly becoming the norm for secure online payments.

Not all security techniques are created equal

Strong customer authentication can be obtained by using different security techniques, but many of these techniques also have their flaws:

  • The combination of username and password has the advantage that every user is acquainted with it. On mobile devices, however, it has its limitations: on a mobile keyboard it is not always easy to key in a strong password containing special characters. After all, there is a reason why many people put a disclaimer about typos in their mobile messages. Caching the username and password solves that problem but fails the security test: if someone else gets access to your mobile device, they can use the cached credentials.
  • One-time passwords (OTP) have the advantage that they are limited in duration, which protects them against phishing attacks. On the other hand, if not used correctly, OTP can pose a security risk, for instance when sent through SMS. Integrating OTP into an app, using a secure channel and device encryption, makes it safe. Integration into an app also makes OTP a lot more user-friendly than Google or Microsoft Authenticator, which force the user to type in numbers from a different app.

When security and convenience go hand in hand

The above are perfect examples of what happens when user experience is sacrificed for security, or security is sacrificed for user experience. No consumer likes having to key in codes generated by a card reader when performing payments. If organizations (financial services or others) want to offer the best of both worlds, they need to turn to solutions that are both safe and easy to use.

For airtight security, rely on asymmetric cryptography, which uses separate, yet mathematically connected, cryptographic keys (a public key and a private key). Unlike OTP, you can generate as many different unique client keys as you want. As an added security measure, TrustBuilder Mobile Authenticator uses device binding. One of the advantages of mobile devices is that user and device go together: by using device binding, the application always knows that the authentication comes from a registered device. Using TrustBuilder Mobile Authenticator on a smartphone makes authentication even safer, because you receive the authentication request for your application over a different network (for instance 4G) than the network (for instance your wifi) on which you are using the application. By using different networks (‘out-of-band’), the chances of being hacked are smaller.
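The following is an added illustration of the device-binding idea described above, not TrustBuilder's own code: each device generates a key pair at onboarding and registers only its public key; at login the server sends a fresh random challenge, the device signs it with its private key, and the server accepts the login only if the signature verifies under the key registered for that device and the challenge has not been used before. The device IDs, the in-memory key storage and the message layout are assumptions made for the example (a real app would keep the private key in the platform keystore or secure element, unlocked by the fingerprint mentioned below).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models an enrolled phone holding a private key that never leaves it.
// Illustrative only: the key is kept in memory here, not in a secure element.
type Device struct {
	ID   string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewDevice generates a fresh key pair; this is the onboarding step on the phone.
func NewDevice(id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, pub: pub, priv: priv}, nil
}

// PublicKey is the only key material the device ever hands to the server.
func (d *Device) PublicKey() ed25519.PublicKey { return d.pub }

// Sign answers a server challenge. The device ID is bound into the signed
// message so a signature cannot be replayed under a different registration.
func (d *Device) Sign(nonce []byte) []byte {
	return ed25519.Sign(d.priv, append([]byte(d.ID+":"), nonce...))
}

// Server holds one public key per enrolled device and the challenges it issued.
type Server struct {
	devices map[string]ed25519.PublicKey
	pending map[string]string // hex(nonce) -> device ID it was issued to
}

func NewServer() *Server {
	return &Server{devices: map[string]ed25519.PublicKey{}, pending: map[string]string{}}
}

var (
	ErrUnknownDevice = errors.New("device not registered")
	ErrBadChallenge  = errors.New("challenge unknown, issued to another device, or already used")
	ErrBadSignature  = errors.New("signature does not verify under the registered key")
)

// Register binds a device ID to its public key (done once, at onboarding).
func (s *Server) Register(id string, pub ed25519.PublicKey) {
	s.devices[id] = pub
}

// Challenge issues a fresh 32-byte random nonce for a registered device; in a
// real deployment it would travel out-of-band, e.g. inside a push notification.
func (s *Server) Challenge(id string) ([]byte, error) {
	if _, ok := s.devices[id]; !ok {
		return nil, ErrUnknownDevice
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = id
	return nonce, nil
}

// Verify accepts the login only if the nonce was issued to this device, has not
// been used yet, and the signature verifies under the key registered for it.
func (s *Server) Verify(id string, nonce, sig []byte) error {
	pub, ok := s.devices[id]
	if !ok {
		return ErrUnknownDevice
	}
	key := hex.EncodeToString(nonce)
	if owner, ok := s.pending[key]; !ok || owner != id {
		return ErrBadChallenge
	}
	delete(s.pending, key) // single use: a replayed signature fails at the check above
	if !ed25519.Verify(pub, append([]byte(id+":"), nonce...), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	srv := NewServer()
	phone, _ := NewDevice("phone-A") // constructed sample device
	srv.Register(phone.ID, phone.PublicKey())
	nonce, _ := srv.Challenge(phone.ID)
	fmt.Println("login: ", srv.Verify(phone.ID, nonce, phone.Sign(nonce)))
	fmt.Println("replay:", srv.Verify(phone.ID, nonce, phone.Sign(nonce)))
}
```

The important design points are that the server stores nothing secret (only public keys), that each challenge is random and consumed on first use, and that a device which was never registered, or which presents a key other than the one registered at onboarding, is rejected before any session is created.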

For user convenience, go for passwordless authentication, for instance by using biometrics such as fingerprints or facial recognition as the second factor in MFA. Once TrustBuilder Mobile Authenticator has been used to onboard to an application, all you need to do is scan a QR code and confirm with a fingerprint. If an application is set up to send push notifications, scanning the QR code is not even required, just a fingerprint is enough.

A solution like TrustBuilder Mobile Authenticator has a lot going on in the background, but the complexity remains hidden from the user. Organizations using TrustBuilder Mobile Authenticator can fully integrate the solution into their application, applying their own branding to the app. This creates an even better user experience, without compromising on security.

Author

Frank Hamerlinck

As co-founder of global trade management leader Porthus, customer experience platform NGDATA, and strategic consulting services company innacco, Frank embodies the entrepreneurial mindset. His 20+ years of ICT experience is complemented by his position as ‘Entrepreneur in Residence’ at iMinds and coach at Netwerk Ondernemen.
