Why hardware devices should be a key ingredient of banks’ strong customer authentication strategy

Frederik Mennes

Strong customer authentication is an essential component of security and compliance for financial institutions, especially in online banking. Many banks issue hardware authentication devices to their customers, while some have moved to mobile-only authentication. As adoption of mobile authentication apps has grown, the question of whether banks should rely on mobile authentication, hardware authentication, or both comes up regularly.

In this article we explain why hardware authentication devices should remain an important security component of online banking applications. We also provide recommendations about the type of hardware authentication devices that should be used to protect organizations against evolving cybersecurity threats, as well as help ensure compliance with new regulatory initiatives.

Mobile-only approach to customer authentication will not be enough for EU compliance

In June 2023, the European Commission published its draft proposals for the Directive on Payment Services and Electronic Money Services (“PSD3”) and the Payment Services Regulation (“PSR”), which are intended to succeed the revised Payment Services Directive (“PSD2”) and the revised E-Money Directive (“EMD2”). Article 88 of the PSR proposal stipulates that payment service providers must not make Strong Customer Authentication (SCA) dependent on a single mechanism, such as one based on smartphones, but must support several authentication mechanisms. This rules out a mobile-only approach: financial institutions will need to offer at least one alternative (such as a hardware authentication device) alongside smartphone-based SCA.

Furthermore, Article 88 of the PSR requires financial institutions to ensure that all users can perform SCA, including persons with disabilities, older persons, people with low digital skills, and those who do not have access to digital channels or payment instruments. Meeting this requirement means supporting several forms of strong customer authentication that cater for the specific situation and needs of each group of users. In practice, certain categories of users will prefer a hardware authentication device. For example, people with limited eyesight often prefer a device with a large display, or one that reads the text shown on the display aloud to the user.

How fraudsters target mobile banking apps

Because mobile operating systems (e.g. Android, iOS) are general-purpose platforms that run arbitrary third-party code next to the banking app, mobile banking apps will remain a popular target of fraudsters in the foreseeable future. Fraudsters can employ a wide range of techniques to steal credentials or initiate fraudulent financial transactions, such as:

  • Banking Trojans – Banking trojans are specialized malicious programs created to steal login credentials and financial data from mobile banking apps. They typically reach the device disguised as a harmless app that the user installs. Once installed, they run quietly in the background and abuse platform features such as overlay windows or accessibility services to capture what the user enters into the genuine banking app, or to drive the app on the user’s behalf.
  • Fake Banking Apps – These are malicious applications that imitate legitimate mobile banking apps to trick unsuspecting users into divulging their login credentials and sensitive financial information. Such fake banking apps are usually distributed through unofficial app stores (“sideloading”) or phishing websites.
  • Clickjacking – On mobile devices this is also known as tapjacking: a malicious app draws a deceptive overlay on top of legitimate elements, like buttons, in the banking app’s user interface, so that the user’s taps are passed through to controls they did not intend to press. This lets the attacker perform actions inside the app on behalf of the actual user.
  • Keylogging malware – This malware captures keystrokes and steals sensitive information, including login credentials.

The organization UK Finance publishes information about mobile banking fraud losses in its Annual Fraud Report. The most recent report shows that mobile banking fraud increased by 33% in 2023 compared to 2022, resulting in losses of £34.2M.

Systemic threats from nation-state actors against mobile banking apps

Systemic risk barometers, such as those published by the US Depository Trust & Clearing Corporation (DTCC) and the Bank of England, indicate that cyber risk has become a main concern for economic stability, especially in the financial services industry. This reflects the experience that successful cyber-attacks can cause severe disruption and major losses for the targeted firms.

One specific cyber risk for the financial services industry is an attack that prevents the citizens and corporations of a nation from accessing their online bank accounts. Such an attack would reduce trust in the nation’s banking system and could keep people and corporations from using their money, slowing down the nation’s economy. For example, during the August 2023 DDoS attack by Russian hacktivists against Czech banks and the Czech stock exchange, the attackers cut off online banking access for the banks’ clients and demanded that the institutions stop supporting Ukraine.

Authentication mechanisms based on mobile devices are generally more exposed to systemic threats than hardware authentication devices, because they carry additional dependencies on the cellular network and on the operating systems (e.g. Android, iOS) of the mobile devices. For example, jamming mobile phone communications in a crowded place (e.g. a busy city centre) could temporarily disrupt banking and other services for a large number of people. Jamming is performed by transmitting a radio signal on the same frequencies as the mobile network, which drowns out the communication between phones and the base station. As another example, threat actors could collaborate with, or coerce, manufacturers of mobile devices and operating systems into introducing vulnerabilities that can later be exploited to disrupt access to mobile banking applications. A dedicated hardware authenticator has no such dependencies: it works without network connectivity and without a general-purpose operating system.

Benefits of hardware authentication and what to look for in a solution:

The threats from fraudsters against mobile banking apps, as well as the systemic threats from nation states against mobile devices, highlight the importance of integrating hardware authentication into online banking security. Hardware authentication devices are independent of mobile devices and mobile networks and are therefore not exposed to the device-level and network-level attacks described above.

To future-proof online banking security, banks should look for authentication solutions with the following features:

  1. Phishing resistance. This ensures that whatever the authentication device produces is useless to a fraudster who captures it via phishing, malware or other attacks, so it cannot be used to impersonate the genuine user or initiate a fraudulent financial transaction. Phishing resistance can typically be realized with the authentication protocols of the FIDO Alliance: the authenticator signs the bank’s challenge together with the origin of the site that requested the authentication and a hash of the relying party identifier, so a response relayed from a look-alike site does not verify for the genuine bank.
  2. What You See Is What You Sign (WYSIWYS). The ‘what you see is what you sign’ feature ensures that users can review the details of login requests or financial transactions on the trusted display of a hardware authentication device before approving them. Because the device’s display and signing logic are isolated from the user’s PC or phone, the information shown cannot be modified by malware or other threat agents, and the bank verifies the signature over the same details before executing the transaction.
  3. Quantum resistance. The advent of quantum computers is expected to have a significant impact on the current cryptographic algorithms and related key sizes that underpin the authentication technology used in online banking applications. In the longer run, hardware authentication devices should use cryptographic algorithms that resist attacks from classical as well as quantum computers, while maintaining performance and usability. Authentication standards, such as those of the FIDO Alliance, will have to be adjusted to use post-quantum cryptography.
  4. Zero footprint. Authentication devices should function without requiring users to install or configure software on their computing devices.
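As an added illustration of the first two features, origin binding for phishing resistance and a challenge derived from the displayed transaction details for WYSIWYS, the following Go program is example code written for this article, not OneSpan’s product code or a FIDO Alliance implementation. It reduces a FIDO2/WebAuthn-style assertion to its security-relevant parts: the relying party ID, origins, amount and IBAN are made-up sample values, the message formats are simplified (no CBOR, no user verification), and the browser’s refusal to use a credential from a non-matching origin is left out so that the bank’s own origin check is what rejects the relayed assertion.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator models a FIDO-style hardware authenticator: one key pair scoped to a
// relying party ID plus a monotonic signature counter. Hypothetical simplification:
// real devices also perform user verification and use CBOR-encoded message formats.
type Authenticator struct {
	rpID    string
	priv    *ecdsa.PrivateKey
	counter uint32
}

// clientData is assembled by the browser, not by the page that asked to authenticate.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the bank receives back from the client.
type Assertion struct {
	AuthData   []byte // SHA-256(rpID) || flags || big-endian counter
	ClientData []byte // JSON-encoded clientData
	Signature  []byte // ECDSA P-256 over SHA-256(AuthData || SHA-256(ClientData))
}

func NewAuthenticator(rpID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{rpID: rpID, priv: priv}, nil
}

func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign runs the authentication ceremony. The origin comes from the browser and the
// rpID from the stored credential, so a phishing page controls neither value.
func (a *Authenticator) Sign(origin, challenge string) Assertion {
	a.counter++
	rpHash := sha256.Sum256([]byte(a.rpID))
	authData := append(append([]byte{}, rpHash[:]...), 0x01) // flag 0x01: user present
	authData = append(authData, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, cd))
	if err != nil {
		panic(err) // cannot happen once key generation succeeded
	}
	return Assertion{AuthData: authData, ClientData: cd, Signature: sig}
}

// signedMessage is the digest the authenticator signs and the bank verifies.
func signedMessage(authData, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	h := sha256.New()
	h.Write(authData)
	h.Write(cdHash[:])
	return h.Sum(nil)
}

// RelyingParty is the bank's side: the public key stored at registration, the only
// origin it accepts, and the highest signature counter it has seen.
type RelyingParty struct {
	RPID, Origin string
	Pub          *ecdsa.PublicKey
	LastCounter  uint32
}

// TransactionChallenge binds the challenge to the details the device shows on its
// trusted display (WYSIWYS); the bank derives it from the transaction it will execute.
func TransactionChallenge(amount, beneficiaryIBAN string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(amount+"|"+beneficiaryIBAN)))
}

// Verify rejects assertions signed for another origin (phishing relay), over other
// transaction details (tampering) or already consumed (replay), then checks the signature.
func (rp *RelyingParty) Verify(expectedChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientData, &cd); err != nil {
		return err
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %q not allowed: assertion relayed from a look-alike site", cd.Origin)
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: signed details differ from the transaction to execute")
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if len(as.AuthData) != 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch: credential belongs to another relying party")
	}
	counter := binary.BigEndian.Uint32(as.AuthData[33:])
	if counter <= rp.LastCounter {
		return errors.New("counter did not increase: replay or cloned authenticator")
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedMessage(as.AuthData, as.ClientData), as.Signature) {
		return errors.New("invalid signature")
	}
	rp.LastCounter = counter
	return nil
}

func main() {
	auth, _ := NewAuthenticator("bank.example") // made-up relying party ID and origins
	bank := &RelyingParty{RPID: "bank.example", Origin: "https://bank.example", Pub: auth.Public()}
	ch := TransactionChallenge("150.00 EUR", "DE89370400440532013000") // constructed sample transaction
	fmt.Println("genuine: ", bank.Verify(ch, auth.Sign("https://bank.example", ch)))
	fmt.Println("relayed: ", bank.Verify(ch, auth.Sign("https://bank-login.example", ch)))
	fmt.Println("tampered:", bank.Verify(TransactionChallenge("9150.00 EUR", "DE89370400440532013000"), auth.Sign("https://bank.example", ch)))
}
```

Running it accepts the genuine assertion and rejects the relayed and tampered ones. The order of the checks in Verify is deliberate: origin, challenge and relying party are validated before the signature, so a response that was produced for a look-alike site, or over a transaction the user never saw on the device, is refused whether or not the cryptography is valid, and the stored counter only advances after a fully verified assertion, which is what makes a captured assertion single-use.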

Future-proof strong customer authentication by incorporating hardware authentication devices into your security and compliance strategy

Security threats and regulatory requirements in the financial sector evolve constantly. A mobile-only approach to strong customer authentication is difficult to sustain, given not only the upcoming requirements of the European Payment Services Regulation (PSR) but also the dynamic threat landscape around mobile devices and mobile banking apps. Hardware authentication devices therefore remain an important security component of online banking applications, now and in the future.

OneSpan offers a range of secure, easy-to-use hardware authenticators to secure accounts and transactions. Talk to one of our experts to strengthen your strong customer authentication strategy today.


Frederik leads OneSpan's Security Competence Center, where he is responsible for the security aspects of OneSpan's products and infrastructure. He has an in-depth knowledge of authentication, identity management, regulatory and security technologies for cloud and mobile applications.