openbankingspace / tpp-issues


Barclays: Interface does not support non-PINsentry Online Banking users. #38

Open tobypinder opened 6 years ago

tobypinder commented 6 years ago

Barclays - Interface does not support non-PINsentry Online Banking users.

Barclays reject consumers who do not authenticate using PINsentry or Mobile PINsentry, stating "For your security you can only use this service if you have PINsentry."

[Screenshot: non_pinsentry_aisp_access_auth_nopinsentry]

However, it is clear that, through the web-based portal, Barclays support alternative methods of authentication (namely, memorable word and passcode).

[Screenshots: non_pinsentry_aisp_access_memword1, non_pinsentry_aisp_access_memword2]

From our experience performing screen scraping, a significant percentage of users prefer to opt for these methods of access - our scraping solution allows users to choose their preferred form of authentication and a large number of our existing users opted for this method.

Given that non-PINsentry access is possible in Online portals, we additionally question whether current offerings are aligned to RTS Art. 32(3), in particular the comments regarding preventing use of issued credentials.

We note that this grants users a "read only", limited view of their account. Therefore we recognise that Memorable Info/Passcode based authorization is inappropriate for PISP use cases since payment initiation cannot be performed through existing online channels with these credentials. However, PSUs can access all relevant account information using these credentials and as such we would suggest that these methods should be acceptable for use for AIS authorization.

We recognise that SCA is a regulatory requirement for all interfaces as PSD2 comes into effect. However, this should not be applied unevenly to the dedicated interface before being added to other online channels; doing so is in conflict with the spirit of the CMA Order (and in particular the provisions of the Trustee P3/P4 letter), and alignment with the future PSD2 regulatory framework cannot come at the expense of CMA Order alignment/current customer experience.

Impact

Critical. A significant percentage of consumers we've interacted with using legacy scraping solutions use these methods. To interact with AISP services they will be forced to use alternative credentials compared to their usual online banking experience, or will be unable to access the services at all if no PINsentry device/application is available to them.

Remediation

Align the dedicated Open Banking interface credential requirements with the credential requirements of other online channels, namely allowing non-PINsentry access for AISP authorization.

Submitted as OBSD-4644

stevegraham commented 6 years ago

I disagree with this. The user is entering into an agreement, i.e. you're changing the state of the customer account, and this also has legal implications. This is congruent with BOLB, i.e. mutable ops aren't possible without EMV CAP auth step.

tom-catchpole commented 6 years ago

I may be wrong, but I think the point here is that the authentication journey the PSU has via the Open Banking channel needs to be equivalent to the Online Banking channel. As memorable info is an option for Online Banking, it needs to be an option for Open Banking. Come Sept-19 and SCA, memorable info will not be available on the online banking channel, so it shouldn't be an option for Open Banking, but the need for equivalence holds now and in Sept-19.

tobypinder commented 6 years ago

Barclays response:

Thank you for raising this. We understand the issue here and that it can be frustrating; however, we are unable to change the secure approach we have created. We don't believe this prevents consumers progressing through the journey; we appreciate it may not be as slick for customers using legacy log-on methods, however at this moment we have no current plans to change this. We will, however, continue to use this feedback when reviewing future developments, and as a result we do not believe this is a critical issue.

tobypinder commented 6 years ago

Barclays response:

Incident discussed; Barclays' position will remain unchanged at present.