Will SMS OTP authentication methods be compliant with the upcoming PSD2 regulation?

As PSD2 actual implementation deadline approaches (September 2019), the financial industry prepares to upgrade its authentication methods for PSD2-compliant ones.

In this context, SMS OTPs solutions, one of the most used ways to authenticate customers today, is challenged as per its compliance to PSD2.

The European Banking Authority published an “opinion paper” in June 2018, bringing several elements all intended to clarify that question. Those have led to the conclusion that SMS is not an appropriate method to deliver an OTP and that the complete SMS OTP approach should  be replaced by more secure authentication methods such as biometric authentication.

Several press articles, especially in France, reflect this view point.

In parallel, professional organizations such as ECSG1 are in discussions with the European Authorities, seeking relevant ways to make PSD2 effective.

We at Gemalto have been among the first to explain the SMS security weaknesses as a mechanism to deliver OTPs, and the risk of non-compliance with PSD2 and its RTS (Regulatory Technical Standards). We were first to develop and promote alternative authentication solutions that will satisfy these needs, such as mobile authentications and biometric methods.

Considering today’s wide usage of SMS OTPs, it is understandable that the banking sector expresses the wish to have more time to complete the migration from SMS OTP to other methods.

Gemalto is committed to helping its customers organize and optimize the move from todays to future technologies, and provide consumers with secure and convenient authentication tools that perfectly comply with the new European regulation.

Download our white papers about PSD2 at https://www.gemalto.com/financial/ebanking/psd2, or contact me at Jean.Lambert@gemalto.com for more information.

  • The European Cards Stakeholders Group is made up of PSPs, vendors, payment schemes, merchants and processors, and works on the harmonization of card-based operations in the Single Euro Payments Area (SEPA).

Leave a Reply

Your email address will not be published. Required fields are marked *