The EU Knows How To Make Two-Factor Authentication Mandatory

The European Parliament has done it again. Through the establishment of the Strong Customer Authentication (SCA),they have demanded companies prioritized the welfare of consumers. Hot on the heels of the recently implemented GDPR—which resulted in heightened security for all customer data—the SCA appears to be working collaboratively to protect people from having their login accounts stolen. The measure legally requires companies operating within its borders to implement two-factor authentication in all of their online services, including when customers conduct other online interactions with their companies.

This news has been confirmed by Mastercard, who claims two-factor authentication for cardholders will soon increase to 25% for overall transactions. The new protocol will force card companies to take advantage of the user’s phone biometric or pin to authenticate, which will further secure the transaction. Mastercard’s President of Global Enterprise Risk and Security, Ajay Bhalla, emphasized, “The use of passwords to authenticate someone is woefully outdated, with consumers forgetting them and retailers facing abandoned shopping baskets. In payments technology, this is something we’re closing in on as we move from cash to card, password to a thumbprint, and beyond to innovative technologies such as artificial intelligence. It’s far easier to authenticate with a thumbprint or a selfie, and it’s safer too.”

As of this writing, only one to two percent of online transactions are legitimized through two-factor authentication. This small number is the reason why many users remain vulnerable to phishing and other types of cyber fraud, like social engineering, and often lose control of their bank account credentials in the midst of online transactions. As a result, Mastercard and its partner banks are now focusing on the implementation phases which focuses on the “need to know who is who” when a transaction takes place. This type of user authentication can be established on a mobile device through various means like biometric fingerprints, iris scans, or facial recognition.

With the new approach, companies operating in EU-member states are expected to enforce this global policy with a payment, even if the legal requirement only applied to EU territories. This move is reminiscent of the new GDPR, which has set a precedent for companies to use some sort of single Terms of Service for all their customers, regardless of location.

With two-factor authentication, knowledge of just the user’s password, pin, and card itself are not enough to finalize the transaction. If the credit card is stolen or the password has been leaked to a third-party, the transaction cannot be completed using the identity of their victims. Assuming users have properly set up their pin and/or biometric-based lock screen, hackers will not have access to the second-factor they need to succeed. Unless the mobile phone itself is stolen, the plot will fail.