New Authy API Features for PSD2-compliant authentication

April 08, 2019

From 14th September 2019, millions of European consumers will experience a change in the way they complete online payments. A new European banking law, PSD2, will mandate a stronger form of two-factor authentication (2FA) for all online and over-the-phone payments. This extra layer of friction will impact conversion and sales for online businesses. 

Twilio has been hard at work to help businesses navigate this massive change and minimize impact. We’ve updated both the Authy API and our free Authy app to help you meet all the requirements of Strong Customer Authentication (SCA) and be PSD2-compliant.

What’s new?

PSD2 introduces authentication requirements that go above and beyond typical 2FA:

  1. Each authentication code must be specific to the transaction amount and recipient, and
  2. Both the payment amount and recipient must be made clear to the payer when authenticating.

The Authy API offers several methods for completing authentications. Push authentication meets all SCA requirements and is also the most secure authentication factor. The API also includes parameters that make PSD2-compliant authentication possible via SMS and voice. But time-based one-time passcodes (TOTP) generated in the Authy app follow the TOTP standard, which has no way to tie a generated code to a specific transaction or to display transaction details at the time of authentication.

Transactional TOTP

To address this gap, we have added a new authentication method in the Authy API, Transactional TOTP, that enhances TOTP to meet PSD2 requirements. In addition to the time of day and a shared secret, Transactional TOTP also uses transaction attributes to calculate an authentication code. Thus the code is unique to the transaction. It also displays payment information on the payer’s second factor device in the Authy app when authenticating.

Because it's based on TOTP, it continues to allow for offline authentication. So when you are trying to purchase something on your laptop connected to WiFi on a plane, you can authenticate it without having to connect your phone to the WiFi just for this one action.

How it works:

1. When the payer is initiating a payment, they are shown a QR code.
2. The payer then scans the code using the Authy app on their device.
3. The Authy app translates the QR code into transaction details and a security code.
4. The user enters the security code into the payment application, which verifies the code via the Authy API and authenticates the transaction.

In addition to meeting the authentication requirements laid out by PSD2, Transactional TOTP also adds an extra layer of security against man-in-the-middle attacks, because the code will be invalidated if any of the transaction details are altered.
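To make the construction concrete, here is an added illustrative example (written for this page, not Authy's actual algorithm, whose internals the post does not disclose) that mixes the transaction amount and recipient into an RFC 6238-style code and shows, on the verifier side, that a code generated for one transaction fails once the amount or recipient is altered. The secret, timestamp and transaction values are constructed for the demo.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo value; a real deployment uses a per-device secret
# provisioned at enrollment, never a hard-coded string.
DEMO_SECRET = b"constructed-demo-shared-secret"


def canonical_transaction(amount_minor: int, currency: str, recipient: str) -> bytes:
    """Fixed encoding so payer device and verifier hash identical bytes.
    Amount is in minor units (4999 == 49.99 EUR) to avoid float/locale formatting."""
    return f"{amount_minor}|{currency.upper()}|{recipient}".encode("utf-8")


def transactional_totp(secret: bytes, amount_minor: int, currency: str, recipient: str,
                       timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238-style code whose HMAC input is the time counter plus the
    transaction attributes, so the code is bound to this amount and recipient."""
    counter = int(timestamp) // step
    message = struct.pack(">Q", counter) + canonical_transaction(amount_minor, currency, recipient)
    digest = hmac.new(secret, message, hashlib.sha1).digest()
    # Dynamic truncation as in RFC 4226 section 5.3.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_transactional_totp(secret: bytes, code: str, amount_minor: int, currency: str,
                              recipient: str, timestamp=None, step: int = 30, window: int = 1) -> bool:
    """Recompute the code from the transaction the merchant is about to execute and
    compare in constant time, tolerating +/- `window` steps of clock drift. A code
    generated for different details fails here, which is what defeats tampering."""
    if timestamp is None:
        timestamp = time.time()
    for drift in range(-window, window + 1):
        candidate = transactional_totp(secret, amount_minor, currency, recipient,
                                       timestamp + drift * step, step, len(code))
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    ts = 1552000000  # fixed constructed timestamp so the run is reproducible
    code = transactional_totp(DEMO_SECRET, 4999, "EUR", "OwlMart", ts)
    print("code for 49.99 EUR to OwlMart:", code)
    print("same details verify:   ", verify_transactional_totp(DEMO_SECRET, code, 4999, "EUR", "OwlMart", ts))
    print("amount x10 verifies:   ", verify_transactional_totp(DEMO_SECRET, code, 49999, "EUR", "OwlMart", ts))
```

The verifier must recompute the code from the details it is about to execute, not from details echoed back by the client, or the binding to amount and recipient is lost.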

Stronger Authentications and PSD2 Compliance with Authy

With PSD2 set to revolutionize the payments industry, it’s going to affect everything from the way we pay online, to what information we see when making a payment.

Twilio's updated Authy API allows merchants and payment service providers to comply with the new regulations by adding scalable, multi-channel two-factor authentication to their payment flows, all while striking the right balance between UX and security. Get started with Transactional TOTP by checking out our awesome docs page. We can’t wait to see what you build.

Resources:

Docs: https://www.twilio.com/docs/authy/psd2-compliant-authentication-authy

PSD2 Authentication guide:  https://www.twilio.com/blog/psd2-python-flask-authy-push

More information about PSD2: https://www.twilio.com/learn/account-security/what-is-psd2-and-why-does-it-matter