In light of SCA under PSD2, we compare smsTAN and pushTAN technologies
On 14 September 2019, banks and payment service providers are due to introduce 2-factor authentication (2FA) in light of the implementation of Strong Customer Authentication (SCA) under PSD2. The Austrian banking regulator FMA has recently made use of its power to temporarily exclude merchants from the SCA application in order to facilitate a smooth introduction of the new technology. Nevertheless, the financial industry is working at full speed to finalise the implementation.
As part of SCA, banks and payment service providers can use certain technologies to meet the SCA-requirements. While biometric elements (fingerprint and facial-ID) are becoming increasingly important, one-time-passwords (OTP) via TAN-technology remain the most practical element of authentication. The two most important TAN-technologies are smsTAN and pushTAN.
Currently, market trends in the financial sector are showing a clear preference of banks towards pushTAN. Also, current media coverage on SCA appears to misleadingly suggest that only pushTAN will continue to be a viable option in the future. This is often argued with more security and more convenience. However, do these arguments hold up to a direct comparison?
PwC Legal Austria (registered as oehner & partner rechtsanwaelte gmbh) and PwC Advisory Services GmbH have jointly examined both technologies in more detail and compared them directly on the basis of certain criteria.
In the end, we come to the following conclusion: “We believe that both smsTAN and pushTAN are equally viable means to meet SCA-requirements. We further believe that an objective view of both technologies may result in a less obvious preference for pushTAN than common market opinion would suggest“.
Finally, also outside of the financial sector, client or user authentication gets increasingly important. Hence, our report has a dedicated chapter on potential use cases for TAN technologies outside the financial sector.
You can download the full report from the following link.