Strong Customer Authentication - **Now delayed** changes to online verification
Options
Comments
-
The September deadline is somewhat up in the air at the moment, at least for e-commerce card payments.
There are three elements to authentication under SCA and the banks must use two of them. The three elements are a) something you are, b) something you possess and c) something you know.
Up until recently, it was assumed that an OTP would count as something you know, but the EBA recently threw a spanner in the works by stating that this was not the case.
In response to this the FCA had the following to say:
“…the FCA recognises the challenges in meeting this deadline and has been working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible after this”.
If you google “EBA SCA opinion” you’ll find more details, though be warned, it’s not the most exciting read.0 -
I think Metro bank are using a OTP to a mobile phone based on this webpage:
https://www.metrobankonline.co.uk/ways-to-bank/i-want-some-information-about/fraud-and-security/
Yes for setting up payees; not (yet) for logging into online banking.0 -
Not sure how extensive you want the list to be, but tandem credit cards are already using an OTP to mobile when making purchases online.
But given it’s app only, everybody who has it will by definition have a mobile so won’t be a barrier.0 -
The September deadline is somewhat up in the air at the moment, at least for e-commerce card payments.
The banks appear to be being particularly incompetent in implementing these measures - sending passcodes to fixed line phones doesn't appear to be especially difficult.0 -
Does this also apply to eg Monzo, Starling or is it desktop banking they are targeting?Two factor authentication involves:My understanding is that an app is considered to be the middle of these and therefore, if combined with passwords/PINs, etc, satisfies the requirement, hence the use of apps as a second factor for non-app banks.
So, app-only banks, assuming they also require the use of something the user knows (or is, such as fingerprint/facial recognition), shouldn't need any additional securing.
Happy to be corrected though, I'm not claiming to be an expert!
Monzo already use OTP.
Although they seem to be pretty good at recognising spending patterns and will auto authorise transactions from retailers you've already used an OTP for a few times.Accept your past without regret, handle your present with confidence and face your future without fear0 -
Happy to add info in if supported by a link?
Probably doesn’t make the cut for authoritative info on here from the FAQs looking like a community blog https://intercom.help/tandembank/en/articles/1978234-online-purchases
But the first 3 transactions I’ve done online (I’ve only just got the card) have all sent a passcode to my mobile.0 -
Can't find the virgin letter eskbanker, but will come back if I get any more information.Mortgage started 2020, aiming to clear it in 2026.0
-
Capital One (capitalone.co.uk) credit cards will send OTP to EITHER mobile or landline, which is fine. Why can't others do it?0
-
For your info the HSBC info is here: https://www.hsbc.co.uk/help/security-centre/simple-safe-secure/0
Categories
- All Categories
- 343.5K Banking & Borrowing
- 250.2K Reduce Debt & Boost Income
- 449.9K Spending & Discounts
- 235.6K Work, Benefits & Business
- 608.6K Mortgages, Homes & Bills
- 173.2K Life & Family
- 248.2K Travel & Transport
- 1.5M Hobbies & Leisure
- 15.9K Discuss & Feedback
- 15.1K Coronavirus Support Boards