The Fast IDentity Online Alliance (FIDO Alliance) called on the European Commission (6-page / 182KB PDF) to rethink proposals it outlined earlier this year regarding new regulatory technical standards (RTS) on strong customer authentication and common and secure open standards of communications under the revised Payment Services Directive (PSD2).
PSD2 provides new rights to account information service providers (AISPs) and payment initiation service providers (PISPs) to access payment accounts and payment account information held by banks and other account servicing payment service providers (ASPSPs). The provisions are designed to enable those businesses, which have emerged onto the payment services market in recent years, to help consumers to make payments and review information from their payment accounts. In return, PSD2 will subject AISPs and PISPs to regulation for the first time.
The detail of how AISPs and PISPs will be able to exercise their access rights is to be fleshed out in the new RTS, but those standards have not yet been finalised. The European Banking Authority (EBA), which is tasked with drafting the standards under PSD2, set out its recommendations earlier this year. However, the proposals were rejected by the Commission. The EBA subsequently issued an opinion which criticised the rival proposals the Commission had tabled. The Commission is ultimately responsible for finalising and implementing the RTS under the new Directive.
The EBA and Commission appear agreed on requiring banks to choose between granting AISPs' and PISPs' rights of access via the same interface their own customers use, or by providing a separate "dedicated interface" for those firms to use. The basic premise is that the dedicated interface should perform as well as the banks' own customer interface.
However, the bodies have disagreed on what contingency measures banks should be required to provide in the event that the dedicated interface experiences an outage or otherwise underperforms.
The Commission previously said that banks that choose to provide a dedicated interface would have to also offer a 'fall back' option to the fintechs if the dedicated interface became unavailable for more than 30 seconds at any one time or was otherwise underperforming. The fall back option, if triggered, would see the fintechs use the banks' own customer interface as a means of continuing to access the accounts and account information they need to provide their services to payment service users.
However, in an opinion issued in June, the EBA expressed a range of concerns with those proposals, including its belief that they would not accord to the "security requirements" set out in PSD2.
The EBA instead called on the Commission to require banks to "define transparent key performance indicators" for the dedicated interface they provide, and "abide by at least the same service level targets" as they set for their own customer interface in relation to "both the availability and the performance of the interface". It further called for the final RTS to require banks to "monitor and publish their availability and performance data on a quarterly basis".
Now, the FIDO Alliance has written to the European Commission (EC) to highlight its concerns about the Commission's 'fall back' option plans. The FIDO Alliance is made up of more than 250 organisations and aims to develop technical standards and advocate industry best practices on online authentication.
In its letter, the FIDO Alliance said it cannot see "any way" that the Commission's proposed 'fall back' option could "be implemented to the level of enhanced security called for in PSD2".
It raised security concerns with any approach which would involve "the use of single-factor authentication via usernames and passwords" in the fall back procedure, and with other options which might involve AISPs and PISPs 'logging in' to bank systems as if they were the customer, or the customers "sharing passwords" with the fintechs.
"Breach after breach has made clear that there is no such thing as a 'secure' or 'strong' way to use passwords; between phishing, key-logging malware, brute force attacks, man in the middle attacks, thefts of password databases, and frequent password reuse across accounts, attackers have numerous tools at their disposal to compromise password-protected accounts," the FIDO Alliance said. "Even the most complex of passwords are routinely compromised – most often by phishing attempts; there simply is no way to deliver strong security in today’s environment through use of a password alone."
"Any approach where consumers are asked to share their password with another entity puts consumers at increased risk. Endorsing the practice of sharing passwords with third party entities by establishing this as a normal and trusted pattern of behaviour creates significant risk by training the user to be inherently more vulnerable to phishing attacks. Assumptions that password databases can be adequately protected are simply not supported by history," it said.
The FIDO Alliance said that the "most secure and efficient way" for consumers to enable third parties to access their bank accounts is through the use of Application Programming Interfaces (APIs), where authorisation is based on "public key cryptography" rather than "historic 'shared secret' such as passwords and one-time-passcodes which are inherently vulnerable to phishing attacks".
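The contrast drawn in the preceding paragraphs, between a bank holding a copy of the customer's password (which anyone who obtains it can simply present) and an API where the third party proves possession of a private key and the bank stores only the matching public key, is illustrated by the following added Go example. It is not code from the article, from the FIDO Alliance or from any PSD2 specification; the bank origin, client identifier, challenge format and the nonce bookkeeping are constructed here for illustration only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Challenge is what the bank (ASPSP) hands to a third party (AISP/PISP).
// The bank's own origin is bound into it, so a response produced for one
// endpoint is not valid at another. (Constructed format, not a standard one.)
type Challenge struct {
	Nonce    []byte
	Audience string // the bank's API origin
	ClientID string // the registered third party
}

// toBeSigned serialises a challenge into the exact bytes that get signed.
// Each field is length-prefixed so field boundaries are unambiguous.
func toBeSigned(c Challenge) []byte {
	h := sha256.New()
	for _, part := range [][]byte{[]byte(c.Audience), []byte(c.ClientID), c.Nonce} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(part)))
		h.Write(n[:])
		h.Write(part)
	}
	return h.Sum(nil)
}

// Bank stores only public keys. A stolen copy of this table lets an attacker
// check signatures but not create them, which is the property the FIDO
// Alliance contrasts with a stolen password database.
type Bank struct {
	Origin     string
	keys       map[string]ed25519.PublicKey
	challenges map[string]Challenge // outstanding single-use nonces, hex-keyed
}

func NewBank(origin string) *Bank {
	return &Bank{Origin: origin, keys: map[string]ed25519.PublicKey{}, challenges: map[string]Challenge{}}
}

// Register enrols a third party's public key (in practice done once, out of band).
func (b *Bank) Register(clientID string, pub ed25519.PublicKey) { b.keys[clientID] = pub }

// NewChallenge issues a fresh single-use nonce for a registered client.
func (b *Bank) NewChallenge(clientID string) (Challenge, error) {
	if _, ok := b.keys[clientID]; !ok {
		return Challenge{}, errors.New("unknown client")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return Challenge{}, err
	}
	c := Challenge{Nonce: nonce, Audience: b.Origin, ClientID: clientID}
	b.challenges[hex.EncodeToString(nonce)] = c
	return c, nil
}

// Verify accepts a response only if the nonce is one this bank issued and has
// not been used, the fields match what was issued, and the signature verifies
// under the registered key. The nonce is consumed on the first attempt either way.
func (b *Bank) Verify(c Challenge, sig []byte) error {
	key := hex.EncodeToString(c.Nonce)
	issued, ok := b.challenges[key]
	if !ok {
		return errors.New("unknown or already-used challenge (replay?)")
	}
	delete(b.challenges, key)
	if issued.Audience != c.Audience || c.Audience != b.Origin || issued.ClientID != c.ClientID {
		return errors.New("challenge fields do not match what was issued")
	}
	if !ed25519.Verify(b.keys[c.ClientID], toBeSigned(c), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// ThirdParty (an AISP or PISP) keeps its private key; it never leaves the firm.
type ThirdParty struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewThirdParty(id string) (*ThirdParty, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ThirdParty{ID: id, priv: priv}, nil
}

func (t *ThirdParty) PublicKey() ed25519.PublicKey { return t.priv.Public().(ed25519.PublicKey) }

func (t *ThirdParty) Respond(c Challenge) []byte { return ed25519.Sign(t.priv, toBeSigned(c)) }

// Scenario runs the exchange once correctly, then shows two failures: replaying
// the captured response, and a party holding the bank's key table (but not the
// third party's private key) answering a fresh challenge with a key of their own.
func Scenario() (genuine, replay, forged error) {
	bank := NewBank("https://api.example-bank.test") // constructed origin
	aisp, err := NewThirdParty("aisp-42")             // constructed client id
	if err != nil {
		return err, err, err
	}
	bank.Register(aisp.ID, aisp.PublicKey())

	c, _ := bank.NewChallenge(aisp.ID)
	sig := aisp.Respond(c)
	genuine = bank.Verify(c, sig)
	replay = bank.Verify(c, sig)

	c2, _ := bank.NewChallenge(aisp.ID)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged = bank.Verify(c2, ed25519.Sign(attackerPriv, toBeSigned(c2)))
	return genuine, replay, forged
}

func main() {
	genuine, replay, forged := Scenario()
	fmt.Println("genuine response:", genuine)
	fmt.Println("replayed response:", replay)
	fmt.Println("forged with attacker's key:", forged)
}
```

The point of the example is where the secret lives: the bank's table holds nothing that can be presented back to it, each nonce is accepted once, and the bank's origin is part of what is signed. A password shared with a third party fails on all three counts, which is the substance of the FIDO Alliance's objection to the 'fall back' option.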
However, the body said that it recognised that some ASPSPs may not have developed "API-based dedicated interfaces in time to comply with current PSD2 guidelines" by the time PSD2 begins to apply on 13 January 2018. As a result, it said the European Commission could look to allow banks to enable third party access through a "shared credential option" for "a limited time", of perhaps six months or a year, but advised against providing for that as part of the RTS.
"We do not believe it is appropriate to include such a provision in the RTS itself," the FIDO Alliance said. "The RTS, by its nature, is an important technical standard that will guide the market for years to come. As such, the RTS should focus on setting a high mark for SCA (strong customer authentication) and common and secure communication under PSD2 – not articulate methods for stakeholders to avoid their responsibilities under this historic advancement in consumer protection policy."
"Inclusion of the 'fall back option' in the RTS itself would dilute its message, undermine the intent of PSD2 and its requirements for SCA, and place consumers at increased risk," it said.