right  Talk To Us!

Multi-factor authentication and the PSD2

Over the past ten years we have seen identity theft and fraudulent account access become the primary motivators behind data theft and cyber-crime. If you haven’t been the direct victim of a fraudster yet, the chances are you know someone that has. You will certainly have been affected indirectly. Ever wondered why your insurance premiums keep going up, despite another year without a claim? It’s not because of a nationwide increase in accidents, but the costs associated with fraud prevention and detection. It won’t have escaped anyone’s notice that we’re being asked to prove “we are who we say we are” more frequently than ever. Some form of identification is required every time we go online, log in to an app or call a customer service centre.

The evolution of authentication

There was a time when all you needed was an address, a date of birth and an account number to access services online. However, the vulnerabilities of using information that is easily accessed by “bad actors” required a greater degree of security; hence the introduction of usernames and passwords. For applications with a greater degree of risk (i.e., access to financial records or sensitive personal data) additional security steps were put in place. Most often, this would take the form of several pre-agreed security questions and answers. These are examples of what’s called knowledge factor authentication (i.e., something you know). Other examples include passphrases, passcodes, PINs and patterns. If you own a smartphone, you’ll be familiar with these techniques. Thus, a two-step knowledge factor example would be to state specific letters from your password, followed by the answers to one or more security questions.

Multi-step versus multi-factor

In the constant battle between cyber-criminals and cyber-security professionals the criminals are often a step ahead. Social engineering is frequently used to uncover security credentials, rendering a two-step process insufficient. With the advent of the latest update to the Payment Services Directive (PSD2), at least here in Europe, businesses involved in financial transactions will be obliged, from September 2019, to employ multi-factor authentication. Multi-factor authentication differs significantly from multi-step authentication. There are three universally recognised factors; knowledge (as we’ve seen previously) ownership and inherence. The new PSD2 regulations call for the use of any two of these three for any given transaction.

Examples of multi-factor authentication

So, what do we mean when we talk about knowledge, ownership and inherence? Put simply, it’s something you know, something you own and something you are.Here are some examples:
  • Knowledge - passwords, PINs and security questions
  • Ownership - hardware keys, ID cards and one-time tokens
  • Inherence - biometrics and behaviours
You might argue that tokens should fall into the knowledge category, but they are only known for a brief period of time and can only be used once.

Phone transactions

When it comes to transacting over the phone, choosing the right two factors isn’t straightforward. Voice biometrics, for example, lends itself to being used over the phone, for obvious reasons. However, keys and cards are not practical, and although security questioning has been a staple of call centres for some time, it’s not exactly a customer favourite. The tiresome call and response of security questions adds friction to the customer experience and isn’t a fool-proof process. So, is there a better way? Thankfully, there is. Essentially, it’s a two-factor combination of biometrics and tokens, both of which can be done over the phone. In the world of biometrics, it’s a process known as text-prompted verification. It’s gained popularity amongst contact centre service providers as both factors can be automated, allowing transactions to be incorporated within IVR or self-service applications. Here’s how it works: A caller is prompted to repeat a randomly generated five- or six-digit number sequence, as a means of validating their identity claim. Initially, voice biometrics is used to verify the caller, which counts as one factor, based on their previously having enrolled in the system. Secondly, speech recognition technology is used to verify that the numbers spoken match the requested sequence. The latter is the equivalent of possessing a one-time token, which counts as a bona-fide second factor. For any business that takes identity verification seriously, but particularly for organisations that need to comply with the new PSD2 regulations, multi-factor authentication is essential. However, use of multiple factors can be complicated if multiple technologies are required to implement them. If multi-factor authentication can be implemented using a single system, from a single vendor, the economics of procurement and deployment are obvious. If you would like further information about text-prompted verification, or the role of voice biometrics in fraud prevention, email This email address is being protected from spambots. You need JavaScript enabled to view it. or call us on +44(0)1908 27 38 38.


The Aculab blog

News, views and industry insights from Aculab

  • Eliminating Barriers to Communication with Live Audio Translation for Phone Calls

    In an increasingly interconnected world, clear and effective communication is more essential than ever. That’s why Aculab intends to help break down language barriers and foster cross-cultural communications.

    Continue reading

  • The End of the PSTN in the US

    As the technical world has evolved, so has the way we communicate. The gradual, global transition away from the Public Switched Telephone Network (PSTN) is the most noticeable change in recent years. This begs the question, is the PSTN in the US headed towards a slow end as we transition into the digital era?

    Continue reading

  • Revolutionising the Landscape of Remote Authentication

    In a time where borders blur and workplaces extend beyond the confines of traditional offices, the significance of remote authentication has taken centre stage. As we advance, so does the need for secure and efficient ways to verify and authenticate our identity remotely. Finding the balance between security and user convenience is key when seeking to implement successful remote authentication.


    Continue reading

  • Choosing The Ideal Communication Platform: Key Considerations to Optimise Your Business

    Communication Platforms as a Service have become a necessity in the current digital age; allowing businesses to obtain frictionless means of communicating effectively. However, as technology rapidly evolves, so must communications. Much of the platforms on offer today are homogenous, so choosing the best fit for your business can be difficult. In this blog, we have shared some key points and trends for to consider, so your business can amplify communications and increase operational efficiency!


    Continue reading

  • 10 questions people are asking about The Big Switch Off

    With The Big Switch Off fast approaching, people naturally have questions and concerns ahead of the shutdown. The transition from conventional networks to digital technology is unavoidable in the fast-evolving world of telecommunications. In this blog, we address ten common questions people have about the Big PSTN Switch Off, shedding light on the topic and providing clarity.


    Continue reading