How PSD3 will impact multi-factor authentication in banking apps

The way your customers authenticate payments is about to change. PSD3, which is expected to be finalised in 2025 and likely come into force early 2026 with implementation expected in 2027, will reshape how European banks approach multi-factor authentication in their banking apps.

Unlike PSD2, which primarily focused on preventing fraud, PSD3 takes a more comprehensive approach. It addresses user accessibility, expands rules around liability and gives banks more flexibility in how they authenticate customers.

But this flexibility brings new challenges. For example, your bank will need to support customers who can’t use smartphones, take on greater liability for fraud losses and implement authentication methods that work for everyone.

In this article, we’ll look at how these changes will affect your bank, what new opportunities they create and how to prepare.

PSD3 introduces several important changes to how your bank will need to handle customer authentication. The biggest change will be allowing two authentication factors from the same category.

• PSD2 requires two authentication types from different categories
• PSD3 will allow two authentication types from the same category

These are the categories of MFA:

• Knowledge: Something only the user knows (password, PIN, security question)
• Possession: Something only the user has (smart device, card reader, hardware token)
• Inherence: Something the user is (biometrics: fingerprint, face recognition, voice recognition)

With PSD2, you could combine a password (knowledge) with a fingerprint scan (inherence). But with PSD3, you could use two knowledge factors like a password and a PIN, or two biometric methods like fingerprint and face recognition.

The new rules also expand what counts as fraud. With PSD3, banks will be liable for social engineering attacks and authorised push payment (APP) fraud where they should have identified suspicious activity. Given that APP fraud losses in the DACH region reached €12.44 billion in 2023, the shift in liability could have a major impact on your bottom line.

When PSD3 is introduced, the login process within your banking app will need to be more flexible, accessible and inclusive. Instead of just relying on smartphone-based authentication methods, your app will have to detect the user’s specific device capabilities and offer suitable, accessible alternatives.

This may create some new technical challenges. For example, your backend systems will need to manage all these different login methods while keeping everything secure. And you’ll have to work with new digital identity frameworks like eIDAS2, which will further standardise and potentially streamline authentication across the EU.

Once PSD3 is finalised, you’ll have 18 months to implement the changes. With the regulation expected to be finalised in 2025, the expected deadline to comply with the new directive will likely fall in late 2027. The exact timings will depend on each country’s legislative process ( some may move faster or slower), so it’s important to keep an eye on local transposition deadlines.

Starting your bank’s preparation now will help you avoid the last-minute scrambles that plagued many banks during PSD2 implementation.

Across Europe, around 26% of Strong Customer Authentication (SCA) attempts fail. Mobile apps perform even worse - just 37% of authentication challenges succeed, compared to 78% for browser-based transactions.

Because PSD3 has expanded the ways customers can authenticate themselves, this should lead to a better customer experience. Out-of-Band (OOB) authentication (where authentication is carried out through a separate channel or device) removes the risks associated with passwords while providing the robust two-factor security that regulations require. And there's a clear business benefit: banks that use these methods report reduced support calls and higher customer satisfaction scores.

The biggest tech hurdle most banks will face is making sure the authentication process works for every customer. With PSD2, it was possible to primarily focus on smartphone-based solutions for most users. But with PSD3’s new accessibility rules, you can’t simply rely on customers having a smartphone - in Austria just 46% of people over 65 own a smartphone.

The good news is that several modern authentication methods offer ways to tackle this. For example, voice recognition can be a great help for customers with visual impairments, and simplified interfaces can support people who aren’t very confident using digital technology. The solution is to provide a range of authentication options that all meet PSD3’s security standards so that the user can choose the methods that work best for their abilities and circumstances.

When it comes to integrating new authentication methods with your current systems, you’ll need to plan carefully. Many banks run on older technology and need to update their systems gradually. Third-party solutions like G+D Netcetera’s Digital Identity solution are built to accommodate existing infrastructure constraints while still providing modern security features. So if your bank has legacy systems, you can still meet PSD3 requirements without having to overhaul your entire tech setup.

Want to learn how G+D Netcetera can help your bank implement PSD3-compliant authentication solutions? Get in touch with our experts.