
An online bank I am using (Qonto) contacted me recently by email to tell me that I will not be able to use my account from 5th July unless I install their app on my phone. They say it is mandatory for PSD2 compliance.

While I understand PSD2 may enforce security mechanisms, it surprises me that under the EU, an open standard is not promoted/enforced for banks (like One-Time-Password/OTP mechanisms).

Forcing users to use their app could be discriminatory since it assumes you can install it on your device (you may not have a compatible phone). Also, being a proprietary app, it could be used to track information about you that you do not want to share with your bank.

Can a European bank do this? Wouldn't PSD2 protect users from this somehow?

Peque

1 Answer


The PSD2 article 4(30) defines multifactor authentication:

‘strong customer authentication’ means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;


The EBA published an opinion about the means of 2FA that are compliant with the Strong Customer Authentication of the PSD2.

it surprises me that under the EU, an open standard is not promoted/enforced for banks (like One-Time-Password/OTP mechanisms).

OTP/TOTP is not a compliant way to conduct SCA because of:

The EBA is also of the view that an OTP that contributes to providing evidence of possession would not constitute a knowledge element for approaches currently observed in the market. Indeed, knowledge, by contrast with possession, is an element that should exist prior to the initiation of the payment or the online access.

TOTP would be compliant if it used a non-transferable token that is only usable on that device alone (which a normal SOTP isn't):

As stated in the EBA Opinion on the implementation of the RTS (paragraph 35), a device could be used as evidence of possession, provided that there is a ‘reliable means to confirm possession through the generation or receipt of a dynamic validation element on the device’. Evidence could, in this context, be provided through the generation of a one-time password (OTP), whether generated by a piece of software or by hardware, such as a token, text message (SMS) or push notification. In the case of an SMS, and as highlighted in Q&A 4039, the possession element ‘would not be the SMS itself, but rather, typically, the SIM-card associated with the respective mobile number’.


Can a European bank do this?

App-based auth is compliant because:

The EBA is of the view that approaches relying on mobile apps, web browsers or the exchange of (public and private) keys may also be evidence of possession, provided that they include a device-binding process that ensures a unique connection between the PSU’s app, browser or key and the device. This may, for instance, be through hardware crypto-security, web browser and mobile-device registration or keys stored in the secure element of a device


Also, being a proprietary app, it could be used to track information about you that you do not want to share with your bank.

You need to read the Privacy Policy of the app/service and exercise your country/EU consent modification/retraction right.

Can a European bank do this?

Why wouldn't they be allowed? There are many services that you can only access on a proprietary app.

Wouldn't PSD2 protect users from this somehow?

PSD2 gives security requirements, not anything else.

Nicolas Formichella
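As an added illustration of the category rule the answer quotes (two or more elements from different categories, with an OTP counting as possession, not knowledge), here is example code that is not part of the question or answer. It assumes constructed secrets, an RFC 6238 TOTP, and an HMAC over a server challenge as a simplified stand-in for a secure-element device key.

```python
import hashlib
import hmac
import struct

# Constructed sample credentials for the demo only (not real secrets).
# In a real app the device key would live in the secure element and
# never leave the phone; the server would hold only a public key.
PIN_SALT = b"constructed-salt"
PIN_HASH = hashlib.pbkdf2_hmac("sha256", b"4821", PIN_SALT, 100_000)
TOTP_SEED = b"constructed-totp-seed-20-bytes!!"
DEVICE_KEY = b"constructed-device-bound-key"


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, stdlib only) for the time 'now'."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def knowledge_ok(pin: str) -> bool:
    """Knowledge element: a PIN the user knew before the payment was started."""
    derived = hashlib.pbkdf2_hmac("sha256", pin.encode(), PIN_SALT, 100_000)
    return hmac.compare_digest(derived, PIN_HASH)


def totp_ok(code: str, now: int) -> bool:
    """Possession element: proves the holder of the OTP seed."""
    return hmac.compare_digest(code, totp(TOTP_SEED, now))


def device_signature(challenge: bytes) -> str:
    """What the device-bound app returns for a server-issued challenge."""
    return hmac.new(DEVICE_KEY, challenge, hashlib.sha256).hexdigest()


def device_ok(challenge: bytes, sig: str) -> bool:
    """Possession element: proves the bound device answered the challenge."""
    return hmac.compare_digest(sig, device_signature(challenge))


def sca_categories(pin=None, code=None, now=None, challenge=None, sig=None) -> set:
    """Return the set of SCA categories evidenced by the supplied elements."""
    cats = set()
    if pin is not None and knowledge_ok(pin):
        cats.add("knowledge")
    if code is not None and now is not None and totp_ok(code, now):
        cats.add("possession")
    if challenge is not None and sig is not None and device_ok(challenge, sig):
        cats.add("possession")  # OTP and device key are both possession
    return cats


def sca_ok(**elements) -> bool:
    """SCA passes only with two or more distinct categories."""
    return len(sca_categories(**elements)) >= 2
```

Two possession elements (an OTP plus a device signature) still count as one category, so that combination fails while PIN plus either of them passes.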
  • Thanks Nicolas! I will wait a bit before accepting in case someone else wants to share their thoughts. ^^

    About the "There are many services that you can only access on a proprietary app" I thought maybe a bank was considered as a basic service and perhaps accessibility rules were enforced (to make sure, for example, non-smartphone-owner citizens can have a bank account and use its services without smartphone/digitization knowledge).

    – Peque Jun 27 '23 at 16:42
  • @Peque Is this the only bank in the country in question? That seems relevant. – Comic Sans Seraphim Jun 27 '23 at 20:27
  • @ComicSansSeraphim It is an online bank. Previously accessible with a browser and a mobile phone but without requiring an app. Definitely not the only bank in the country. ^^ – Peque Jun 27 '23 at 21:19
  • @Peque So you could access the basic service of banking by using another bank? – Comic Sans Seraphim Jun 27 '23 at 21:49
  • @ComicSansSeraphim Yeah, definitely. – Peque Jun 27 '23 at 22:23
  • @Peque In all EU countries I can think of, banks are businesses and are allowed to conduct business however they see fit. What might be a legal right is holding a bank account, which may have some provisions. Qonto being a business-catering bank only, those would never apply. – Nicolas Formichella Jun 28 '23 at 04:24
  • Thanks @NicolasFormichella! ^^ – Peque Jun 28 '23 at 08:54