SMS OTP Does Not Meet PSD2 Dynamic Linking Requirements, According to EBA
Banks and payment service providers sometimes rely on SMS to authenticate a person who wishes to login to an online payment account or confirm a payment. They send an SMS message with a one-time password (OTP) to the user’s mobile phone, and the user enters this OTP into the payment application of the bank or payment service provider. In the case of a payment, the SMS typically also contains payment information, such as the amount and beneficiary of the payment.
In addition to the OTP, bank and payment service providers sometimes require the user to enter a static password into the payment application, so that the user is authenticated using a two-factor authentication system. The SMS OTP represents a possession factor (“something only the user has”), while the static password represents a knowledge factor (“something only the user knows”).
Since the introduction of the revised Payment Services Directive (PSD2) and the Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA) and Common and Secure Communication (CSC) there has been a lot of discussion about the compliance of authentication systems based on SMS with the SCA requirements. In particular, the question arose whether SMS OTP can meet the dynamic linking requirements of PSD2, which stipulate how to authenticate payments. These requirements essentially state that:
- The authentication code must be calculated over certain payment information (at least the amount and beneficiary of the payment); and
- The confidentiality, integrity and authenticity of the payment information must be protected throughout the authentication process.
Let’s see further whether SMS OTP complies with the requirements for account login on the one hand, and dynamic linking on the other.
Case 1: SMS OTP for Account Login
The first question that we explore further is whether SMS OTP complies with the SCA requirements for login to payment accounts. This question was actually already addressed by the European Banking Authority (EBA) in an Opinion published on 21 June 2019, and also via the EBA’s Single Rulebook Q&A tool.
The Opinion clarifies that SMS can be considered to be a valid possession element. More specifically, the SIM-card in the mobile device that receives the SMS is a valid possession element. This implies that one-time passwords (OTPs) delivered via SMS can be used to construct a strong authentication mechanism when combined with a second factor (e.g. a password or PIN). In other words, SMS OTP complies with the SCA requirements of PSD2, as we advocated in the past.
This however does not mean it’s a good idea to use SMS OTP for account login, as SMS is subject to a plethora of security vulnerabilities. More specifically, SMS messages can be intercepted/altered by exploiting vulnerabilities of the underlying SS7 protocol, and by malware residing on mobile devices. In addition, SIM swap attacks allow criminals to take over a victim’s mobile phone number so the criminal receives the SMS messages intended for the victim. Attacks against the authentication mechanisms of online banking systems exploiting these vulnerabilities are well known and have been around for many years.
Case 2: SMS OTP for Dynamic Linking
However, the Opinion does not discuss SMS OTP in the context of dynamic linking, and does not clarify whether SMS OTP meets the requirements for dynamic linking. Since the dynamic linking requirement stipulates that the confidentiality, integrity and authenticity of payment information needs to be protected, and since the content of SMS messages is not protected, one would expect that SMS does not meet the dynamic linking requirements. However so far there was no clear opinion from the EBA about this topic.
In order to clarify the situation, in December 2018 I asked the EBA via their official Single Rulebook Q&A tool whether SMS OTP meets the requirements for dynamic linking. Last week, more than 2 years later, the EBA provided an answer. The last two paragraphs of the answer are the most relevant:
In the case where the SMS is used for the transmission of an OTP but does not contain the authentication code nor any payment information such as the payee or the amount of the transaction, the issuer would not be required under Article 5(2) of the Delegated Regulation to ensure the confidentiality, authenticity and integrity of the information transmitted via the SMS.
In the case where the SMS contains the authentication code and/or payment information, such as the payee or the amount of the transaction, while the issuer may still use an SMS OTP to evidence the possession element as clarified in paragraph 25 of the EBA Opinion on the elements of strong customer authentication under PSD2 (EBA-Op-2019-06) and Q&A 2018_4039, in accordance with Article 5(2) of the Delegated Regulation, the issuer should take all necessary security measures to ensure the confidentiality, authenticity and integrity of the authentication code and/or the payment information transmitted via the SMS.
These paragraphs can probably be interpreted as follows:
- If an SMS does not contain payment information or an authentication code, the SMS does not have to be protected. This is logical, as there is no sensitive data in the SMS. Strangely this paragraph makes a distinction between “OTP” and “authentication code”, which is remarkable as the OTP is normally the authentication code.
- If payment information is present in the SMS, SMS itself does not provide sufficient security, and the information in the SMS needs to be protected. This effectively means that simply sending an SMS with payment information and authentication code does not suffice to meet the dynamic linking requirements. It would be possible to encrypt the content of the SMS, but then the question arises about how the content can be decrypted on the mobile phone – this is far from trivial, and probably needs a mobile app, foregoing the reason for using SMS in the first place.
We can summarize the compliance of SMS OTP with the SCA requirements of PSD2 as follows:
- SMS OTP for login complies with PSD2
- SMS OTP for dynamic linking does not comply with PSD2, unless the content of the SMS is protected (but this is not straightforward)
OneSpan has worked extensively with banks and other financial institutions to help them meet PSD2 requirements for SCA and dynamic linking. We understand that for financial services, it is important to have a security partner with deep PSD2 expertise, paired with a focus on simplifying the customer experience. See how these banks implemented dynamic linking and their authentication user flows in a compliant, convenient way: