According to PSD2, the elements of multi-factor authentication must be independent, so that the compromise of one element does not compromise the other.
Here is the article from the directive:
> *Article 9*
> *Independence of the elements*
>
> 1. *Payment service providers shall ensure that the use of the elements of strong customer authentication referred to in Articles 6, 7 and 8 shall be subject to measures in terms of technology, algorithms and parameters, which ensure that the breach of one of the elements does not compromise the reliability of the other elements.*
> 2. *Where any of the elements of strong customer authentication or the authentication code is used through a multi-purpose device including mobile phones and tablets, payment service providers shall adopt security measures to mitigate the risk resulting from the multi-purpose device being compromised.*
> 3. *For the purposes of paragraph 2, the mitigating measures shall include each of the following: (a) the use of separated secure execution environments through the software installed inside the multi-purpose device; (b) mechanisms to ensure that the software or device has not been altered by the payer or by a third party or mechanisms to mitigate the consequences of such alteration where this has taken place.*
The question is what could be considered independent in this case?
Let's imagine the following scenario:
The customer uses his/her phone's browser to access the online banking website. A password and another element (based on possession) are required for authentication.
If the second factor is a one-time password sent via SMS to the phone, a single piece of malware is enough to compromise the phone, install a keylogger to steal the password, and steal the SMS as it arrives.
Based on this, OTP via SMS is a no-go.
Now let's suppose the SMS OTP is replaced by a push notification (the customer must have installed the bank's mobile application beforehand). There are a few possibilities for the exact implementation:
- an OTP is sent via push
- an approval window pops up and the user needs to tap on the approve button (just as Google does it)
- a CAPTCHA pops up and the user needs to solve it
- OTP generation with a soft token
- etc.
With any of the above-mentioned solutions, if the attacker can exploit a vulnerability in the phone's OS and gain root permission, he is able to steal the customer's password and, at least theoretically, validate the transaction with the second authentication factor (by installing some kind of remote access tool).
Hard tokens are a no-go as well, for user experience reasons.
Could the separate sandbox used by both Android and iOS be considered a secure execution environment that would meet the following part of the directive?

> *The use of separated secure execution environments through the software installed inside the multi-purpose device*

What could be an effective solution that meets the regulation and is also convenient for the customer?