So, some VP at a fraud prevention company recommends that merchants avoid using 3DS and use a fraud detection platform instead, got it.
I don't know if we can find better data somewhere else but I would assume that abandonment rates will decrease thanks to PSD2:
- SMS tokens are finally on their way out; more and more people are installing their bank's mobile app, which is used as the second factor (you get a push notification, you have to unlock and accept the transaction).
- We'll see some harmonization across EU/EEA merchants. No more cases of "the German website doesn't trigger 3DS but the French one does".
Here in Sweden, some major banks already refused to let you do card transactions without SCA/3DS, before PSD2 was even passed. As a result, PSD2 finally being implemented is a welcome relief for me, because those annoying services that would always cause a card decline are now being forced to show a 3DS prompt instead. That prompt is also pretty convenient here because of the wide deployment of Mobile BankID.
(The experience before was: pray this merchant supports 3DS, discover that it doesn't, fish out your phone and open mobile banking, authenticate with mobile banking, find and use the toggle that temporarily allows non-3DS transactions. Now I just bring up the authentication app when prompted.)
While I mostly agree with you, the fact that BankID does not support (desktop or non-Android) Linux at all, or other secure auth methods like U2F on any platform, is sad. If you want to be a modern citizen in Sweden today you need to use at least one device with a non-free OS just to access basic services.
Meanwhile, Klarna, Sweden's response to PayPal, "integrates" with your internet bank by logging in to it and pretending to be you. The authentication prompt you get clearly says "you are logging in to $yourBank" when you do it, too.
I don't know payments infrastructure super well, but reading your comment makes me wonder if what you are talking about is related to the card woes I had when I lived there in 2018. Not having a Swedish bank account and paying larger sums with my American credit card would often trigger declines, and I would frequently have to contact my card issuer to authorize the payment. I specifically remember having a lot of trouble whenever I paid a company that used the Swedish company called "DIBS" to authorize my payment.
You were most likely experiencing a problem on the opposite end: the merchant (or their payment processor) rejecting you, rather than your card issuer.
> which is used as the second factor (you get a push notification, you have to unlock and accept the transaction).
This breaks more often than you'd think. I'm still locked out of Facebook on one device because I can't seem to receive the unlock notification and I'm terrified to reinstall Facebook on my phone and then be actually locked out. I'm not a fan of Facebook, but it's the only way to contact some of my friends/family these days via video.
I've also had similar issues with actual banks where the notification appeared and I accidentally tapped "decline" or even dismissed the notification by accident. I've also never received them (mostly with ~Transfer~Wise). Edit to add: I've also been too lazy to walk to the phone charger to press "accept" and just given up.
I think it's a pretty well known phenomenon in ecommerce that the more "clicks" you add to checkout, the smaller the percentage of people who will make it to the end. I don't see this decreasing cart abandonment at all.
Google, Duo, and Authy all seem to do fine even in low-data (1 bar non-LTE 4G) scenarios, so that's probably a bank & Facebook issue. They probably rely on the push notification to carry and push state to the user's device, with no backup mechanism for when this fails.
These apps are worse. Each of them has its own horrible interface and horrible surveillance functionality. For Android they usually check if you have an officially sanctioned and non-rooted Google phone.
If I wanted to be patronized by the phone manufacturer, I would buy Apple...
I indeed do want to have full control over my phone. It is a freedom we are gradually losing. RMS was right all along...
But of course they do not care about actual security, meaning whether your phone has a current security patch level.
So for old phones with no official patches you can't even install Lineage and you're worse off.
1. My bank now _requires_ SMS 2fa, for many actions like logging in, viewing transaction history > 1 month, or making purchases online.
2. My bank has killed their mobile web page in favour of their app. The desktop web page still works, but if you try visit it with a mobile UA you still get told to use the app.
3. Not 100% sure this is PSD2 related, but my bank have made their password policies less... dumb. It used to be max 8 chars, case insensitive, anything longer was silently truncated. In addition, the signup form used to allow alphanumeric characters, but the change password form only allowed alphabetical.
4. Presumably because of 1, they now no longer randomly decline transactions to smaller vendors. They used to then send you a text asking you to phone the fraud department to clear it. The first couple of times, I thought the text _was_ the fraud.
Now it's entirely possible my bank have just misinterpreted what's required of them; their prior actions show they aren't the most technically competent, but that's not what they were chosen for.
>> more and more people are installing their bank's mobile app, which is used as the second factor (you get a push notification, you have to unlock and accept the transaction)
Great - so much for those times where I've been traveling internationally, been able to make a purchase using a web page hosted on a shared computer or one owned by a companion, but don't have mobile phone access to get a push notification.
I get your point, but I can't remember any difficulty getting wifi access in recent years, even when I didn't have roaming, so this feels like a mere inconvenience instead of an impossibility.
In a particularly ironic situation, I was trying to log in to my bank's website on a computer from a distant international location so I could pay the credit card bill and, since it was a new browser, the bank required 2FA via my phone in order to log in. Of course, I could not receive the SMS, so could not log in, and could not make the payment.
> some VP at a fraud prevention company recommends merchants to avoid using 3DS and use a fraud detection platform, got it.
Yeah, if PSD2 had an impact as dramatic as the article says then there would be a massive amount of noise from all EU/UK retailers. Instead we get an article from somebody with something to sell.
SMS is not really on its way out. I just got an OTP via SMS for an online credit card payment. Then I had to enter my secret PIN too. Friction, friction, friction.
Some banks authorize operations with their apps: it's either fingerprints, PINs or codes by SMS, usually a combination of two of them. One bank also requires a kind of captcha. Of course I hate all of this. I wish they would pay me for the extra work.
100%. 3DS is for card payments and using Netherlands and Germany as examples here is just plain bad - in these countries bank-based payment methods are more popular: iDEAL in NL (which has used 2FA for years), Sofort and Giropay in DE.
If Mastercard or Visa did an app that would work across all of their cards, that would be ok. But how can a separate app from each bank be considered better than SMS? It's just an annoying lock-in. And the quality of apps from many banks is sub-par.
The main issue with SMS tokens going away is all those people, especially elderly ones, who are now forced to buy a phone they cannot understand how to deal with.
Just like the clever idea some cities have had to initially only offer covid vaccination appointments over their website.
Well... if they use the internet to shop online, a mobile app should not be that hard to deal with, given it's installed/configured by the bank clerk. All mobile phones are "smartphones" now anyway.
If she can't handle a smartphone, can she handle internet purchases? If not, the whole discussion is moot because the topic at hand is online payments and their MFA.
Plenty of dumb phones available at the shopping malls over here.
Besides, the UX of the internet is not the same as the phone's, and these are the kind of users who end up with the browser full of extensions trying to make pesky dialogs go away.