Market Insights

How Passwordless Authentication Reaches SCA/Strong Customer Authentication Compliance

By eliminating passwords with passwordless authentication, companies can check all compliance boxes, such as for Strong Customer Authentication (PSD2 SCA) and Multi-Factor Authentication (MFA) requirements. At the same time, they increase security and user experience.

Passwordless_Compliance

Passwords Create Costs For Both Users And Companies

Password leaks are becoming more common as stolen and reused passwords offer the perfect way to steal a user account. We tend to choose short and easy to remember (but also easy to guess) passwords and, since we use passwords on a myriad of websites and online accounts, we are more likely to heavily reuse them across websites. We simply cannot remember many, complex passwords. Typical attacks are brute force, credential stuffing, phishing, or man-in-the-middle attacks. Chances are that in the last weeks you have heard in different media streams of at least one case where customer data, including username and password, were leaked.

Both small and large companies in various industries are under threat. Recently, for example, chip making giant Nvidia confirmed a data breach impacting 71 thousand people. According to IBM, the average cost per account information of a data breach is about €146, increasing by 10.3% from 2020. The increase is partly due to the rapid shift to remote work caused by the COVID pandemic. With services moving to an online world to accommodate societal needs, companies struggled to efficiently and effectively broaden digital infrastructures, creating gaps in security protocols. As a result, attackers gained opportunities to target larger pools of users while demanding higher ransoms for holding more sensitive information, making data breaches more lucrative.

Different companies follow different approaches when dealing with these attacks. Most are aimed at reducing the risk of password leaks, but why deal with a problem that you can eliminate in the first place?

What Is Passwordless Authentication?

Passwordless authentication is simple: authenticatication without entering a password. Instead, the user provides some other form of evidence such as a username. Then, a code or push notification is sent to the user’s phone. Alternatively QR-code or FIDO2 tokens can be used. Upon confirmation, the user is authenticated and gains access to the application or service. More details on passwordless authentication can be found below or in this article.

Passwordless Authentication Increases Security And Eliminates Risky Password Management

Passwordless authentication reduces attack vectors and eliminates risky password management. There are no passwords to memorize anymore. Statistics and research have proven how careless people are with managing their passwords. They use easy to remember (and also easy to guess) passwords, reuse the same password (less passwords to remember), and share passwords with family members or friends. By removing passwords, you overcome habits which put your users at risk. You cannot “steal” a password that does not exist. A password that does not exist cannot be leaked either.

How Passwordless Authentication Is MFA and Strong Customer Authentication Compliant

Passwordless authentication is powerful because it can be coupled with multi-factor authentication (MFA) and become Strong Customer Authentication (SCA) compliant. The authentication process can be set up to require the user to provide two or more verification factors to gain access to the application. The three factors are described as something you are (inherence factor), something you have (possession factor), and something you know (knowledge factor). To be MFA/SCA compliant, at least two of these factors must be met.

manualEntry fingerprint mobile
SOMETHING THE USER KNOWS like a username (knowledge) SOMETHING THE USER IS like fingerprint or face recognition (inherence) SOMETHING THE USER HAS like a mobile phone (possession)

Passwordless authentication solves the problems related to passwords, but is it MFA and SCA compliant? The different passwordless authentication methods have various levels of security that either make them compliant or not. By removing passwords users will already benefit from a superior authentication experience. By choosing authentication methods with the highest security levels, companies will also benefit from checking all compliance boxes.

Security Levels Of Passwordless Authentication Methods

The level of security of passwordless authentication depends on which method is used. Not all passwordless authentication methods are SCA compliant, but by choosing the ones that are, and coupling them with a second (or multi) factor authentication, companies ensure both superior user experience and highest levels of security. Below, we explain the passwordless authentication methods:

  • FIDO2-based authentication makes use of FIDO2 tokens, which can be USBs, NFC tags or simply platform tokens which are incorporated into the smartphone or the laptop. Based on the token the experience varies, but generally it requires the user to press a button, to provide a PIN or to do a biometric verification. The goal of FIDO2 is to standardize passwordless authentication. FIDO2-based is MFA/SCA compliant by design and holds the highest security level.
  • QR-Code-based passwordless authentication works by showing a QR-code to be scanned by the user. Upon scanning the QR-code, authentication related information (e.g., date, time, location, IP, browser) is shown to the user and based on this information the client can approve. QR-code passwordless authentication works both with mobile apps or a dedicated hardware token. QR-Code-based is MFA/SCA compliant and holds a high level of security.
  • Push-based passwordless authentication works by sending a push notification to the user’s phone. Push-based is MFA/SCA compliant and holds a high level of security.
  • Email-based passwordless authentication works by sending a code or link to an email to complete the authentication. Email-based alone is not MFA/SCA compliant and holds a lower level of security.
  • SMS-based passwordless authentication works by sending a code or link to the user as an SMS. SMS-based alone is not MFA/SCA compliant and holds a lower level of security.
PASSWORDLESS AUTHENTICATION AUTHENTICATOR IS IT MFA COMPLIANT?
FIDO2-based HW Token
QR-Code-based Phone App, HW Token
Push-based Phone App
Email-based Browser, Email
SMS-based Phone

Passwordless authentication methods with FIDO2, QR-code or push notifications are MFA and SCA compliant. These methods include possession, since the user needs to use a smartphone with a registered App, or a Hardware Token (HW Token). Regarding the second factor, the methods can be enhanced with a biometrics check when approving the authentication (inherence) or a PIN before opening the App where the authentication is approved (knowledge). The choice of factors can be adjusted based on the desired user experience but they always meet SCA compliance.

Other passwordless solutions, such as email-based and SMS-based passwordless authentication, are not MFA or SCA compliant. They only prove the possession factor, and therefore cannot achieve the two out of three factor SCA requirement.

How Futurae Helps Customers Meet Regulatory Compliance

At Futurae we strongly believe in solving the three major pain points of our customers: security, user experience, and regulatory compliance. With passwordless authentication Futurae can help companies to build trust and security for their users. FIDO2 is one of the most secure methods for passwordless, and is growing to become an industry standard in the midterm. You can read more about FIDO2 in our blog articles.

To ensure Strong Customer Authentication compliance, first choose a passwordless authentication method that meets MFA requirements. Then, couple it with at least a second factor such as PIN or Push. Talk to our experts to learn how easily passwordless authentication can be integrated into your existing setup.


Learn more about Futurae’s FIDO2 solutions, or other passwordless methods. If you have questions or feedback, please let us know.