Conversations are ongoing between the European Commission (EC) and the European Banking Authority (EBA) around the Regulatory Technical Standard (RTS) for Strong Customer Authentication (SCA) under the Payment Services Directive 2 (PSD2), specifically with regards to “screen scraping”.
Screen scraping is the practice where third-party Payment Initiation Service Providers (PISPs) and Account Information Service Providers (AISPs) access bank accounts on a client’s behalf using their username and password. The practice was prohibited in the EBA’s final draft RTS, however, following a strong push back from banks, the EC is now urging the EBA to allow companies to use screen scraping as a “fallback option”.
The FIDO Alliance recently wrote to the EC setting out the key problems with endorsing screen scraping. It argued that any approach where consumers are asked to share their login details with another entity is fundamentally at odds with language in the PSD2 and that it ultimately places consumers at increased risk.
The most secure and efficient way for consumers to authorise third parties to access bank accounts today is through the use of Application Programming Interfaces (APIs), authorised by means of unphishable strong customer authentication i.e. credentials based on public key cryptography as opposed to passwords, which are inherently vulnerable.
Because it involves the sharing of and use of customer passwords, the FIDO Alliance sees three main problems with endorsing screen scraping:
- It doesn’t meet the security requirements called for in PSD2.
- It puts consumers at increased risk.
- Any approach where a third-party can “log in as if they were a consumer” puts all parties at risk.
Brett McDowell, executive director of the FIDO Alliance*, has since made the following comments in a blog post on this topic.
“We do not see any way in which the screen scraping approach requested by the EC can be implemented to the level of enhanced security called for in PSD2. There are far more secure ways for consumers to delegate access to their bank accounts, involving APIs protected by strong customer authentication credentials.
Based around proven global standards such as OAuth 2.0 and OpenID Connect (OIDC), these API-based solutions have the added benefit of providing not just better security but also better privacy – as they allow consumers to grant access to their bank accounts on a granular level, choosing to share some details but not others. When paired with FIDO standards for strong authentication, API-based solutions gain the benefits of device-based multi-factor authentication that is both safer and easy for consumers to use than typing codes into a form.”
To the extent that the EC believes a “fallback option” such as screen scraping needs to be supported while banks come up to speed with PSD2, “we suggest that this may be better addressed through a policy exemption to the RTS, rather than in the RTS itself”.
The RTS, by its nature, is an important technical standard that will guide the market for years to come. As such, the RTS should focus on setting a high mark for SCA and common and secure communication under PSD2 – not articulate methods for stakeholders to avoid their responsibilities under this historic advancement in consumer protection policy. Inclusion of the “fallback option” in the RTS itself would dilute its message, undermine the intent of PSD2 and its requirements for SCA, and place consumers at increased risk.
The Fast IDentity Online Alliance – FIDO Alliance is a consortium of more than 250 organisations from around the world collaborating to improve the state of online authentication by developing open technical standards and advocating industry best practices
Source: FIDO Alliance