PSD2 transition time ends soon. This is how Finland will authenticate.
The EU’s new payment service regulations will force Finnish banks to change their electronic authentication and payment practices by the end of September. Now, less than four months before the deadline, it appears that the change will see the introduction of a bunch of mobile applications and PIN codes alongside the traditional paper login code lists.
Most users will have to install a dedicated authentication app by September. As a result, the ease of authentication will vary considerably between banks.
Many media outlets, such as HS and Taloussanomat, have featured prominent articles on the new PSD2 payment services directive in recent weeks, with the angle that online payments are at risk of becoming more complicated and authentication will undergo a complete overhaul. But there are many uncertainties and outright misunderstandings about the changes referred to in the stories. A degree of inaccuracy is to be expected, since the amendments to the national legislation of EU Member States are very much subject to interpretation, and Finland’s Financial Supervisory Authority has not commented on them very precisely or very often.
To dispel any uncertainty, Qvik’s experts on electronic payments studied the impact of one aspect of the changes brought by PSD2: strong authentication. We reviewed the solutions offered by Finnish banks to their customers now, in early June 2019, along with the other options available out there.
Banks are switching lists for apps
Of Finland’s ten largest banks, seven are replacing their login codes with dedicated authentication apps. Accounting for the market shares of the banks, this will affect 91 percent of bank users.
The applications have varying use logics, but they are all based on personal PIN codes. This means that users will have to remember at least one more password.
Some apps also offer biometric authentication with fingerprint or facial recognition, if supported by the mobile device and OS. At present, facial recognition is only available to Apple users in Nordea’s app. For Apple devices, some of the apps only support the latest operating system versions and iPhones, not the iPad.
The acceptance of biometric identifiers by the apps varies. Some banks only accept them for authentication with the bank’s own services while others, such as S-Pankki, accept them for all services requiring strong authentication.
Apps almost ready
The banks have started their authentication app development in fairly good time. Nordea is the standout here, as the bank’s Codes app has been available since 2015.
The apps will feature two types of solutions: dedicated authentication applications and solutions integrated with online banking apps. To be on the safe side, Danske Bank has implemented both.
All of the authentication apps are already available for download from Google Play Store and the App Store. Aktia is the only bank that has yet to publish an integrated solution to replace login code lists, but we have been informed that they are working on it and it will include biometric authentication.
Try them for yourself – the authentication/online banking apps of all Finnish banks:
| Bank | Android id app | iOS id app |
Hackers will not be happy about one detail of the coming change: online banking and PIN code applications don’t generally work on smartphones whose operating systems have been modified (e.g. rooted phones). For authentication, they require an untampered smartphone.
One thing is for certain: integrated authentication and banking apps should in future be the easiest way to handle one’s daily financials as laptops will not be enough in any case.
Glaring shortcomings and unhappy users
Preparing for the PSD2 age has not been without its share of teething pains. You only need to look at the app ratings. The applications’ median score is 2 (rounded down), and only the ratings of well-established solutions begin with a 4.
For an app design company such as Qvik, it’s obvious that critically minded consumers demand features that they have gotten used to in operating systems and apps:
- Biometric authentication
- Smart notifications
- QR and bar code reading
- Smooth two-factor authentication setup
- High level of usability
Biometric authentication enables logging in with fingerprint or facial recognition. Functional push notifications wake the authentication app when it’s needed. QR codes could make logging into the online bank easier.
The reviews show that, if an app is lacking in these departments, the customers are not shy to leave negative feedback. Consumers have also asked, with good cause, why most banks have opted for a separate authentication app instead of integrating it with their online banking app.
But we’ll have to wait and see how the apps will work in the fall. On the positive side, 70 percent of the apps have been updated within the last two months. This shows that the banks are working continuously to develop their solutions, and that authentication will work come October, perhaps even better than now.
PIN code devices
A physical PIN code device could be the answer for those who can’t or don’t want to use an authentication app. Such a device is currently only offered by Nordea, however, and other banks have yet to publish their own solutions.
Some competitors are sure to follow Nordea’s lead, but Nordea has a head start for now. As early as 2018, it had two versions of its authentication device out: a regular PIN code device and a talking one for people with visual impairments.
The image taken from the user manual does not bode well in terms of human-centered design: the device has many functions under the same button.
Mobiilivarmenne and Kansalaisvarmenne
In addition to the PIN code devices, the authentication service register of the Ministry of Transport and Communications includes authentication services offered by the telecommunications operators DNA, Elisa and Telia. All of the above offer an authentication solution linked to your phone’s SIM card, called the Mobiilivarmenne (Mobile Certificate). The operators have joined forces behind a single service, which is why consumers can only see Mobiilivarmenne as the method of authentication – not the operator from which the mobile certificate has been ordered.
Mobiilivarmenne has been available since 2011, but has been slow to catch on. In March 2019, Mobiilivarmenne was used for less than 8% of logins to the Suomi.fi service. There are many reasons for the low popularity of the mobile certificate. Firstly, consumers usually have to pay a few dozen euros per year for the service (EUR 24 with DNA and Elisa), unless you’re with Telia, which is offering the service gratis for now. The service is complimentary with corporate subscriptions.
Secondly, banks and many other services requiring authentication have yet to include Mobiilivarmenne in their authentication offering, which diminishes the utility of the service. The third reason lies in the certificate being tied to the SIM card. People change SIMs infrequently so it limits the growth of the solution. Finally, the technical implementation of the certificate has varied in quality and there have been gripes with usability.
The last authentication alternative is the Kansalaisvarmenne (Citizen Certificate) offered by the Population Register Centre. This solution is tied to the modern ID card issued by the Police, and its use requires a reader connected to your computer and reader software. The software is not offered for mobile devices. Taken together, these factors explain why the citizen certificate has not caught on with anyone but government employees.
The future of login code cards
A great deal of conflicting information has been given on the use of login code cards. In general, it would appear that most banks will retain login code cards for internal use as a backup mechanism.
Login cards are not needed for logging into services outside the bank, and their possible applications will be bank-specific.
We can do better!
Next fall will herald the start of interesting times for e-commerce and authentication: the law will change, and no one is quite sure how it will be interpreted. If banks take a cautious approach, requiring strong authentication in all cases specified in the law, consumers will be using the new authentication methods a lot.
It is too early to speculate on what will require authentication and what won’t: for example, the use of digital wallets and payment methods can influence authentication requirements and increase their attractiveness. Apple Pay and Google Pay have yet to break in Finland (and support for them has been non-existent). The fall will tell what authentication morass consumers will be thrust in, when banks reveal their policies on online shopping. As a consumer, the best way to prepare is to start using the authentication app today.
Qvik works for easy payment and authentication and wants to contribute to building a digital world that works. If your company is unsure about your future payment solutions or the precise implementation of authentication, let’s talk about how we could work together to make everything as easy as possible!