Strong customer authentication

BSI on the topic of "strong customer authentication"

Based on the Payment Service Directive 2 (PSD2), the "Regulatory Technical Standard" (RTS) on strong customer authentication, which came into force on 14 March 2018, makes security requirements for access devices and access software binding throughout Europe. These devices and software enable access to online accounts and the initiation of payments, and they support the "strong customer authentication" required by PSD2. Although the RTS formulates numerous security requirements, it leaves open the minimum assurance level that access devices and access software must achieve, i.e. how strongly they must resist an attacker. For users of online banking in all its forms, the security of personal account data and protection against attacks are of great importance.

The BSI therefore proposes that, in line with the eIDAS Regulation, the assurance level for the corresponding access devices and access software should be "substantial". If strong customer authentication is based on the use of dedicated devices, such as TAN generators, the assurance level "substantial" can be achieved. However, the RTS also allows the use of non-dedicated multi-purpose devices such as smartphones or tablets as access devices under certain conditions. If a multi-purpose device has a hardware-protected, separate area, e.g. a "secure element", this area can be used to process and store the personalised security features required for authentication, which makes it possible to achieve the "substantial" assurance level.

How the requirements of the RTS are to be interpreted and implemented in detail is left open, with the result that multi-purpose devices without hardware protection can also achieve an appropriate assurance level. To clarify the open points and further specify the requirements contained in the RTS, two things are needed in particular: a more detailed description of the separate execution environment, and a formulation of what independence of the two authentication elements means.

Further specifying the requirement for independence of the elements could, for example, consist of naming obvious violations of independence. Such an explanation would give both manufacturers of the corresponding devices and procedures and the organisations deploying them a decision-making aid for evaluating future innovations in this area. In agreement with the RTS, the BSI is of the opinion that authentication solutions based on multi-purpose devices without hardware support require stringent risk management. Such technical solutions can be used for the transitional period until hardware-based solutions become available.

Irrespective of this, existing regulations can be mapped to these solutions and thus help the organisations to implement the regulatory requirements. From the point of view of the BSI, it must be specified how the risks are monitored and how decisions on the continued use of the authentication solution in the access device are made in response to changed or newly arising risks.