Open Banking: Authentication must evolve to protect data, build confidence

Opinion by Brett McDowell

Privacy fears regarding the practice of "screen scraping" have surfaced. Poor regulation could grandfather weak access controls, undermining Open Banking. Barclays says the best way for customers is to share their data through APIs.

Last year, before the arrival of Open Banking, an Accenture survey of more than 2,000 UK consumers found that two-thirds were not prepared to share their personal financial data with third-party providers. As Accenture managing director Jeremy Light commented at the time: “Open banking has the potential to transform consumers' relationship with financial products, but it hinges on consumers' willingness to embrace it.”

Privacy fears regarding the practice of “screen scraping” were raised by Barclays managing director Catherine McGrath in response to the news of HSBC's foray into open banking with its account aggregation app “Beta”, which draws financial data from different bank accounts into one place for users. “With screen scraping you have to give someone login details and then they can see absolutely everything; you don't have the ability to discriminate to say just six months' worth of transactional data,” Ms McGrath said. “Our view is the best way for customers is to share their data through APIs, so they are in charge of their data.”

Whether or not privacy concerns ultimately undermine Europe's attempt to migrate to Open Banking largely depends on how the Strong Customer Authentication requirements defined in the PSD2 Regulatory Technical Standards are enforced. This is why we have taken an active role in helping European regulators understand how standards-based modern authentication practices can be used to deprecate today's high-risk screen scraping access controls while enabling a timely and secure migration to the Open Banking API model.

It is critical that Open Banking be implemented via modern APIs and protected by high-assurance Strong Customer Authentication. Only an API model can protect consumer privacy by providing granular access controls that let the consumer decide how much of their data is shared with which third-party service provider, and only modern high-assurance cryptographic authentication can protect customers from today's most common attacks, such as phishing for passwords and one-time passwords (OTPs).

Unfortunately, regulators introduced language at the end of the rulemaking process that may weaken the Strong Customer Authentication requirements by requiring banks in some cases to support “a fallback option” that is tantamount to today's screen scraping practices, effectively mandating weaker “shared secret” authentication techniques like passwords and OTPs. Such fallback options could lead to a groundswell of privacy concerns capable of undermining the move to Open Banking, as they would grandfather weak access controls and perpetuate today's all-or-nothing data sharing model.

Bolstering security, privacy and usability with device-based authentication

By combining public key cryptography with “one touch” biometrics and/or security keys, the smart devices consumers already carry can provide stronger authentication without burdening users. If the customer uses their fingerprint, face or PIN code to unlock their device, the bank can rely on that same unlock step, backed by the strong cryptographic protocols recently published by the FIDO Alliance and the World Wide Web Consortium (W3C), to let customers securely access their accounts online in full compliance with PSD2 strong customer authentication requirements, on both apps and websites. The private key never leaves the device; the bank only ever holds the matching public key, so there is no shared secret for a phisher to harvest.

This strong access control to the Open Banking API system allows banks to confidently provide a privacy-empowering interface to the customer, giving them more control over the data they share with any given third-party service. The user can see from this experience that they are not putting themselves at any greater risk of fraud, because they never share their access credentials with any third party.

Ultimately, PSD2 should significantly improve the way third parties access account data. Moreover, the mandate for strong customer authentication, if properly implemented with high-assurance, phishing-resistant cryptographic authentication, will also help to reduce consumer concern and improve public trust in the Open Banking model.

The FIDO Alliance, a not-for-profit industry consortium, represents the world's largest ecosystem for standards-based, interoperable strong authentication.

By Brett McDowell, executive director of the FIDO Alliance

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.
