Two-factor authentication (2FA) – symbiosis of regulatory requirements and technical innovations

• Two-factor authenticationthroughMaSifromNovember 2015bindingfor Internet payments

• Technological trendsprovide new, secure identificationmethods

In recent years, the classical retail banking business has been characterized increasingly for its transformation. Along with the progressive digitization and the rapid growth of e-commerce industry, however, an increased amount of incidents of on-line identity loss occurred.

Figure 1: Number of policing detected data espionage cases in Germany; increasing up to 2012, slight decrease in 2013 and 2014

A countermeasure in online banking has long been the identification of a user by means of the combination of two of the following three different and in particular independent factors:

• knowledge (for example, static password)
• possession (for example mTAN)
• Being (for example fingerprints).

For further reduction of identity theft  the Guideline on the safety of Internet payments has later been published by the European Banking Authority, whereby the respective national financial supervisors were encouraged to convert it into national law. In Germany this demand was made obligatory on the part of the BaFin in November 2015 as minimum requirements for the security of Internet payments (MaSi).

As part of the implementation of initial regulatory guidelines, the factor possession was established in the form of  mTAN as market standard. Within a short time, however, this also proved to be increasingly safety-critical, and hackers succeeded in October 2015 to debit more than one million euros from foreign accounts. It is also assumed that the mTAN method is increasingly classified as safety-critical, and alternative authentication methods based on biometric criteria are required.

Through the implementation of new identification technologies and the ever increasing integration of technical devices in everyday life, it is now, however, perfectly possible to replace the safety-critical factor possession by the (supposedly) safe factor being. In addition, according to experts, in 2020 biometric identification methods will be available to the majority of users.

Figure 2: Predicted widespread use of biometric identification methods in Germany

One of the most common proceedures of biometric identification methods is the scan of a fingerprint using a smartphone. In addition, Barclays already introduced an identification using the vein structure via infrared scan to its business customers segment. In addition, there are a number of methods for identification with reference to a face or iris recognition or analysis of the heartbeat.

Because of disproportionately rising sales on mobile devices, an increased  focus on biometric identification methods for mobile use is required. For the consideration of the digital market, biometric identification methods provide a regulatory compliant, low risk and customer-friendly transformation of established two-factor authentication methods.