The bank card as a second authentication factor

One factor is no longer enough

In a world where crime is increasingly concentrated in the digital realm, the password model is no longer enough. Progressively, whether voluntarily or because partners or regulations impose it, the adoption of multiple authentication factors has become widespread. It is essential when changing equipment, activating a card, authorizing larger transactions, accessing confidential data or performing any other action that requires greater security.

Two factors... but which ones?

Authentication factors can include possession (something I have), knowledge (something I know) and identity (something I am). Since identity recognition currently poses many challenges in terms of technology and data privacy, the most common solutions have involved factors associated with possession and knowledge. To this end, the following additional authentication factors are common when using the mobile app:

  • SMS OTP (One-Time Password): a security factor considered obsolete by NIST, the US National Institute of Standards and Technology.
  • App Token: poor usability, as it requires using two apps at the same time, which degrades the user experience when making banking transactions, and poor security, because both apps are often on the same device.
  • Matrix card: a high-cost solution (card maintenance, everything involved in card management, and postage costs) with poor usability, as it requires an additional card.

I received an SMS from my bank...

This is a common expression in many consumer complaints.

The degree of sophistication of online fraud in stealing credentials and even receiving OTPs makes it very difficult to distinguish a fraud scheme from a real experience with the bank. While there used to be some clues that made fraudulent schemes easier to identify, nowadays SMS messages appear integrated into previous conversations with banks, web pages are replicas of official sites, texts are carefully written in correct Portuguese, and consumers' fast-paced daily lives often make them drop their guard when faced with authentication requests.

The card is better than SMS

The bank card that every user already has can serve as a secure authentication solution (PSD2: proof of possession), using hardware already in the customer's possession. The card, with the familiar bank branding, is in the user's wallet every day and is often used for contactless payments.

By touching this card to a cell phone for a few seconds, using NFC (Near Field Communication) technology, you can authenticate yourself. NFC is a technology that allows two devices to communicate when they are close together, usually within a few centimeters. In this case, since the bank card is already equipped with an NFC antenna, when you touch the cell phone, the NFC reader reads the information on the card and sends it to the bank's application for authentication.

This method avoids the use of one-time passwords (OTP) sent by SMS or, for example, the verification of master card numbers. As well as being more secure, since it requires possession of an active physical card, it is more convenient, eliminating the need to enter a code manually. It is also easy to use, relying on an object already familiar to the user that carries the bank's trust mark, and the authentication process is very fast, as the card information is read and transmitted quickly.

This type of authentication can be used to formalize the process of changing mobile equipment, to securely authorize transactions and prevent unauthorized access to confidential information, among many other use cases.

The future that is present

This is a working solution which, in practice, translates into an SDK (Software Development Kit) that can be integrated into the bank's current application. With this feature, the cell phone recognizes the card and requires it as an authentication factor. It is currently available for Android but cannot yet be used on an iPhone, as Apple does not provide access to NFC for other entities for the purposes of financial transactions. However, this issue is expected to be overcome soon, making this type of solution available for all NFC-equipped devices.

Find out about the options available from your payment solutions partner.

About the author

Contisystems