Why hardware devices should be a key ingredient of banks’ strong customer authentication strategy

Strong customer authentication is an essential component of security and compliance for financial institutions, especially within online banking. While many banks use hardware authentication devices for customer authentication, some have adopted mobile-only authentication. As more people use mobile authentication apps, the question of whether banks should adopt mobile or hardware authentication often arises.

In this article, we explain why hardware authentication devices should remain an important security component of online banking applications and provide recommendations on the best ones. After all, these devices protect organizations against evolving cybersecurity threats and strengthen compliance with new regulatory initiatives.

Mobile-only approach to customer authentication will not be enough for EU compliance

In June 2023, the European Commission published its draft proposals for the Directive on Payment Services and Electronic Money Services ("PSD3") and the Payment Services Regulation ("PSR"), which will become the successors of the revised Payment Services Directive ("PSD2") and the revised E-Money Directive ("EMD2"). Article 88 of the PSR proposal stipulates that financial institutions must not use a single Strong Customer Authentication (SCA) mechanism, such as a mechanism based on smartphones, but instead support various authentication mechanisms. These requirements imply that financial institutions cannot adopt a mobile-only approach. Financial institutions will need to support other authentication mechanisms such as hardware authentication devices, in addition to SCA mechanisms based on smartphones.

Article 88 of the PSR requires financial institutions to ensure that all users can perform SCA, including people with disabilities, older persons, and those with low digital skills. It also includes those who do not have access to digital channels or payment methods.

This means financial institutions must support various forms of strong customer authentication mechanisms to cater to the specific situations and needs of all their users. For example, people with limited eyesight often prefer using a hardware authentication device with audio capability.

How fraudsters target mobile banking apps

Due to the relatively open nature of mobile operating systems (e.g. Android, iOS), mobile banking apps will remain a popular target for fraudsters for the foreseeable future. Fraudsters can employ a wide range of techniques to steal credentials or initiate fraudulent financial transactions, such as:

• Banking trojans - Banking trojans are specialized malicious programs created with the intention of stealing login credentials and financial data from mobile banking apps. These trojans may gain access to mobile banking apps through various means, such as app downloads. Once inside, they operate stealthily in the background, compromising the security of the app.
• Fake banking apps - These are malicious applications that imitate legitimate mobile banking apps to trick unsuspecting users into divulging their login credentials and sensitive financial information. Such fake banking apps are usually distributed through unofficial app stores ("sideloading") or phishing websites.
• Clickjacking - Clickjacking involves overlaying deceptive links on top of legitimate elements, like buttons, in the app's user interface. This enables the attacker to click within the app on behalf of the actual user.
• Keylogging malware - This malware captures keystrokes and steals sensitive data, including login credentials.

The organization UK Finance publishes information about mobile banking fraud losses in its Annual Fraud Report. The most recent report shows that mobile banking fraud increased by 62% in 2024 compared to 2023, resulting in losses of £45.5M.

Systemic threats from nation-state actors against mobile banking apps

Systemic risk barometers, such as the risk barometers of the US Depository Trust & Clearing Company (DTCC) and the Bank of England, indicate that cyber risks have emerged as a main concern for economic stability, especially in the financial services industry. This is the consequence of successful cyber-attacks, which can lead to severe disruptions and major losses for targeted firms.

A specific type of cyber risk for the financial services industry consists of preventing citizens and corporations in a certain nation from accessing their online bank accounts. This risk would reduce trust in the nation's banking system and could prevent people and corporations from using their money, possibly slowing down the nation's economy. For example, during the August 2023 DDoS attack by Russian hacktivists against Czech banks and the Czech stock exchange, hackers cut online banking access to the banks' clients and demanded the institutions stop supporting Ukraine.

Authentication mechanisms based on mobile devices are generally more sensitive to systemic threats than hardware authentication devices because they have additional dependencies on the cellular network and operating systems (e.g. Android, iOS) of mobile devices. For example, jamming mobile phone communications in a crowded place (e.g. a busy city centre) could disrupt banking and other services temporarily for a large number of people.

Jamming can be performed by sending a radio signal at the same frequency as the mobile phone network, which blocks the communication between phones and the base station. As another example, threat actors could collaborate with or force manufacturers of mobile devices and operating systems to introduce vulnerabilities, which can then later be exploited to disrupt access to mobile banking applications.

Benefits of hardware authentication

The threats from fraudsters against mobile banking apps, as well as the systemic threats from nation-states against mobile devices, highlight the importance of integrating hardware authentication as part of online banking security. Hardware authentication devices are independent of mobile devices and mobile networks and are therefore not vulnerable to the attacks that mobile banking apps are exposed to.

To future-proof online banking security, banks should look for authentication solutions with the following features:

1. Phishing resistance. This ensures that authentication codes, which are generated by authentication devices, are useless to fraudsters. Any authentication codes stolen via phishing, malware, or other attacks cannot be used by fraudsters to impersonate a genuine user or initiate a fraudulent financial transaction. Phishing resistance can typically be realized by leveraging authentication protocols created by the FIDO Alliance.
2. What You See Is What You Sign (WYSIWYS). The 'what you see is what you sign' feature ensures that people using authentication solutions can review the details of login requests or financial transactions on the trusted display of a hardware authentication device. The user can trust the information displayed by the device is correct and has not been modified by malware or other threat agents.
3. Quantum resistance. The advent of quantum computers will have a significant impact on the current cryptographic algorithms and related key sizes that underpin the authentication technology used in online banking applications. In the long run, hardware authentication devices should use cryptographic algorithms that resist attacks from classical computers as well as quantum computers, while maintaining performance and usability. Authentication standards, such as the standards of the FIDO Alliance, will need to be adjusted to use post-quantum cryptography.
4. Zero-footprint. Authentication devices should function without the need for users to install or configure software applications on their devices.

Future-proof strong customer authentication by incorporating hardware authentication devices into your security and compliance strategy

Security threats and regulatory developments in the financial sector are always changing. As a result, taking a mobile-only approach to customer authentication requirements is difficult to maintain, taking into account not only the upcoming regulatory requirements in the European Payment Services Regulation (PSR) but also the dynamic threat landscape related to mobile devices and mobile banking apps.

Hardware authentication devices are an important aspect of bank authentication now and in the future. They offer a solution to the challenges and limits of mobile-only authentication and the vulnerabilities that face mobile banking apps.

Interested in seeing how OneSpan can help strengthen your strong customer authentication strategy? Take a look at OneSpan's PSD3 and strong customer authentication bootcamp session.

Public link

Please use the above public link if you want to share this noodl on another website.