Question: Can SQRL be used by banks in the EU that are regulated by the PSD2, which requires Strong Customer Authentication (SCA) -- a 2FA requirement that also requires "dynamic linking"
Problem: I've noticed that some banks in the EU may support TOTP or WebAuthn as a 2FA solution for auth on login, but I haven't found a single bank that also uses TOTP for authorization of transactions. According to the PSD2 regulations, transaction authorization requires a 2FA solution where the OTP is "dynamically linked" to two pieces of data:
1. The transaction amount (eg "$123")
2. The transaction payee (eg "Joe's Furniture Store")
This is a problem for TOTP because there is no way to generate an OTP somehow seeded with the above two pieces of data. Therefore, TOTP does not meet the PSD2 SCA requirements, and it cannot be used by EU banks for authorizing transactions.
This is a very big problem because, since the regulators prevent banks from using more-secure, industry-standard auth 2FA solutions like TOTP, almost all of the banks satisfy the PSD2 SCA requirements for transaction authorization using a short message and OTP sent over less-secure SMS.
This is a very, very big problem because enormous fraud is caused by auth using OTPs sent over SMS.
I hope that the EU regulators will eventually prohibit any solution that requires sending OTPs at all -- even if encrypted. IMHO it's just better to eliminate that vector entirely and use [a] cryptography to generate the OTP independently on both ends. Or, better, use [b] public-key cryptography to sign a message.
[a] A proprietary solution to adapt TOTP to be PSD2 compliant was developed by Twilio using a private Authy API back-end. The solution (called "Transactional TOTP") allows the user to scan a transaction-specific QR code and uses this information in addition to the TOTP shared key for the account to generate an OTP that's "dynamically linked" to the transaction details. Unfortunately, I'm not aware of any implementations of "Transactional TOTP" that are open and available without a third party.
[b] When I was learning about this regulatory/security problem, it made me remember SQRL's "ask" facility, which doesn't require the transmission of an OTP at all, and it allows the authentication challenge to include arbitrary information (which could include transaction amount & payee)
However, IANAL. I imagine most of us here in these forums are not lawyers. I'm curious if anyone here has actually worked with regulators in the EU and knows if SQRL has ever been implemented/discussed or, ideally, if it has been officially approved as an acceptable implementation of the PSD2 SCA's "dynamically linked" requirements for transaction authorization.