
Is 3DS compatible with secure 2FA technologies? (TOTP, WebAuthn)

Çağlar Arlı


Is PSD2's Strong Customer Authentication requirement possible to satisfy with secure 2FA solutions, such as TOTP and WebAuthn?

For the purposes of this question, I'm classifying all systems where an OTP has to be transmitted as "insecure".

It seems that the most common way to satisfy PSD2's SCA requirement is with 3-D Secure, and it seems that the most common way to implement 3DS is by transmitting an OTP code via SMS. SMS is not a confidential form of communication, and vulnerabilities such as SIM swap attacks have resulted in enormous amounts of fraud. Similarly, messages sent over email are not confidential (e.g. downgrade attacks).

Fortunately, there are plenty of cryptographically superior open standards that completely avoid these risks by simply not transmitting the OTP. This is magnitudes safer. Examples include:

  1. TOTP (e.g. Google Authenticator)
  2. WebAuthn (e.g. YubiKey)

For the purpose of this question, I'm classifying open standards (such as those above) where the OTP is not transmitted as "secure".

While I've seen many banks implement 2FA with TOTP and WebAuthn, I haven't seen any that use them for 3DS, which makes me wonder whether [a] banks are, as usual, choosing the lower-friction-yet-less-secure option for their customers or [b] these technologies are actually incompatible with the regulatory requirements of PSD2.

Is it possible to satisfy the regulatory requirements of PSD2's SCA with TOTP or WebAuthn?