The bank card as a second authentication factor

One factor is no longer enough

In a world where crime is increasingly concentrated in digital reality, the password model is no longer enough. Progressively, either voluntarily or by imposition of partners or regulation, the adoption of multiple authentication factors has become widespread. Whether changing equipment, activating a card, authorizing higher value transactions, accessing confidential data or any other action that requires greater security, the adoption of multiple authentication factors is essential.

Two factors… but which ones?

Authentication factors can go from possession (something I have) to knowledge (something I know) and to identity (something I am). Since identity recognition currently brings many challenges at the technological and data privacy level, the most common solutions have gone through factors associated with ownership and knowledge. For this purpose, the following additional authentication factors are usual for using the app on a mobile phone:

  • SMS OTP (One Time Password): this is a security factor considered obsolete by NIST – the North American Institute for Standards and Technology
  • App Token: poor usability solution as it requires the use of two apps simultaneously and low security because both apps are often on the same device, therefore also compromising the user experience when carrying out their banking operations
  • Matrix Card: high-cost solution (maintenance of the cards and everything that implies their management and shipping costs by mail) and poor usability since it requires the use of an additional card

I received an SMS from my bank…

This is a common expression in the reporting of various consumer complaints.

The degree of sophistication of online fraud in stealing credentials and even receiving OTP makes it very difficult to distinguish a fraud scheme from a real banking experience. If previously there were some indications that facilitated the identification of fraudulent schemes, currently the SMS appear integrated in previous conversations with the banks, the web pages are replicas of the official sites, the texts are carefully written in correct Portuguese and the accelerated day-to-day rhythm of consumers often makes them lower their guard while facing authentication requests.

Card is better than SMS

The bank card that any user already has can be a secure authentication solution (PSD2: proof of ownership) using hardware that the customer already has in his possession. The card, branded by the bank the user knows, is in his wallet every day and is often used in contactless payments.

By touching this card to a mobile phone for a few seconds, using NFC (Near Field Communication) technology, you can authenticate. NFC is a technology that allows two devices to communicate when they are close together, typically within a few inches.

In this case, since the bank card is currently equipped with an NFC antenna, when touching the mobile phone, the NFC reader reads the card information and sends it to the bank application for authentication.

This method avoids the use of one-time passwords (OTP) sent by SMS or, for example, the verification of numbers on the matrix card. In addition to being more secure, as it requires possession of a physical card that is active, it is more convenient by eliminating the need to manually enter a code. Additionally, it is easy to use, with an object that is already familiar to the user and with the bank’s trust mark, the authentication process is very fast as the card information is read and transmitted quickly.

This type of authentication can be used to formalize the process of changing mobile equipment, securely authorizing transactions, and preventing unauthorized access to confidential information, among many other use cases.

The future that is present

This is a solution that is already working and which, in practice, translates into an SDK (Software Development Kit) that can be integrated into the bank’s current application. With this feature, the mobile phone recognizes the card and requires it as an authentication factor. Currently available for Android, it is not yet possible to use it on the iPhone, since Apple does not provide access to NFC by other entities for financial transactions purposes. However, it is anticipated that this will soon be an outdated issue, with this type of solution being available for all NFC-equipped equipment.

Find out about the options available from your payment solution partner.