
flippinbits | 3 years ago

Actually, PSD2 SCA (Strong Customer Authentication) talks about requiring 2 different elements (out of knowledge, possession, inference) for authentication, while also requiring that information on which one was wrong, when authentication fails, not be disclosed. This directive needs to be implemented by all payment processors in the EU (I am not an expert on this).

We implemented such a system at a company I worked at, where we also took into account the credential stuffing aspect as you describe it. It is quite challenging to ensure no information leaks (in content and in other request parameters, including response times) when users transition from the partially (un)authenticated state (username + password) towards 2FA. I have to say that this security aspect is noticeable in a significant drop in credential stuffing attack volume, but usability-wise I see why this is not a popular approach :). I personally hate it, especially when the 2FA that is used is TOTP.
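The "no information leaks" property the comment describes, as an added example that is not the commenter's code: every element (username, password, TOTP) is evaluated unconditionally, unknown usernames are run against a dummy record so the same hashing work is done, the three results are combined without short-circuiting into one generic verdict, and the response is padded to a fixed minimum duration. The user store, the password and the `floor_seconds` value are constructed for the demo; the TOTP seed is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed demo store (not real credentials). Unknown usernames are checked
# against a dummy record so the server does identical work either way.
def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

_SALT = os.urandom(16)
USERS = {
    "alice": {
        "salt": _SALT,
        "pw_hash": _hash_pw("correct horse", _SALT),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test-vector seed
    }
}
_DUMMY = {"salt": os.urandom(16), "pw_hash": os.urandom(32),
          "totp_secret": os.urandom(20)}

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 (the usual authenticator-app default)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authenticate(username: str, password: str, code: str, now: int) -> bool:
    """Check every element unconditionally and collapse them into one verdict.

    No early return, no short-circuit and one outcome for every failure, so
    neither the body nor the timing reveals which element was wrong."""
    record = USERS.get(username, _DUMMY)
    known = username in USERS
    pw_ok = hmac.compare_digest(_hash_pw(password, record["salt"]), record["pw_hash"])
    otp_ok = hmac.compare_digest(totp(record["totp_secret"], now).encode(),
                                 code.encode())
    return bool(known & pw_ok & otp_ok)  # bitwise: every operand is evaluated

def login(username: str, password: str, code: str, now: int,
          floor_seconds: float = 0.3) -> str:
    """Pad every response to a fixed minimum duration before answering."""
    started = time.perf_counter()
    ok = authenticate(username, password, code, now)
    remaining = floor_seconds - (time.perf_counter() - started)
    if remaining > 0:
        time.sleep(remaining)
    return "ok" if ok else "Authentication failed"
```

The floor only hides variation below it; a production deployment would measure the slowest legitimate path and set the floor above it, and would apply the same treatment to the rate-limit and lockout responses.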
