The European Banking Authority (EBA) has just set a precedent for using device biometrics as an element of strong authentication. The following article will review this resolution, its implications for the financial sector, and the correct application of the Payment Services Directive (PSD2).
What is PSD2, and why is it so important?
The Payment Services Directive, also known as PSD2, is an EU directive that regulates payment services and their providers within the framework of the European Union. Its main objective is to increase competition, innovation, and security in the payment services sector while protecting the rights and interests of consumers.
PSD2 obliges payment service providers to follow new rules, such as Strong Customer Authentication (SCA) for electronic payments, and opens the market to new players, such as fintech, by allowing them to access bank account information with the customer’s consent. The directive has been implemented in all EU member states.
Strong Customer Authentication implies that customers must provide two or more forms of authentication from different categories to complete an online transaction, these categories being:
- Knowledge factors: something the user “knows,” such as a password, an answer to a secret question, or a PIN code.
- Possession factors: something the user “has,” such as a credit card, a SIM card, or an OTP message.
- Inherence factors: something the customer “is,” such as face, voice, iris, or fingerprint biometrics.
SCA aims to reduce the risk of fraud and ensure that customers are who they say they are before making a payment. Simply put, SCA is an additional layer of security to protect customer payment information and prevent unauthorized transactions.
What is the role of the European Banking Authority?
The European Banking Authority (EBA) is an independent EU agency responsible for improving the regulation of the banking sector across the European Union. Its main tasks include developing and adopting technical standards and guidelines and conducting assessments to ensure effective and consistent prudential regulation and supervision across the European banking sector.
In this regard, recital 17 of EBA Regulation (EU) No 1093/2010 states that “The purpose and tasks of the Authority – to assist the competent national supervisory authorities in the consistent interpretation and application of Union rules and to contribute to the financial stability necessary for financial integration – are closely linked to the objectives of the Union acquis in relation to the internal market for financial services.”
The EBA acts within the scope of the various legislative texts applicable to the banking sector, one of which is the Payment Services Directive (PSD2) mentioned above. Every day, the EBA publishes press releases, consultations, answers to questions submitted by stakeholders, and similar material.
What is the EBA's position on device biometrics (Q&A 6145)?
On January 31, 2023, the EBA responded to a question submitted by a credit institution regarding the use of mobile device biometrics.
The question was as follows: “Does authentication to unlock the mobile device count as one of the elements of strong customer authentication when a payment services user is tokenizing a card in an e-wallet solution such as Apple Pay? (…) Would the SCA requirement be met if one element of SCA (possession) is present during token issuance and the other element (knowledge (PIN entry) or inherence (fingerprint or facial recognition)) had been applied when the payment services user unlocked his or her mobile device?”
The EBA’s answer represents a turning point in the use of on-device biometrics as an element of strong authentication. It reads: “Unlocking a cell phone with biometric data (e.g., a fingerprint), or with a PIN/password, should not be considered a valid SCA element to add a payment card to a digital wallet if the mobile device’s screen lock mechanism is not under the control of the issuer or if the payer has not been previously associated through an SCA with the credential used to unlock the phone.”
In other words, mobile authentication mechanisms (fingerprint, password, pattern, facial biometrics, etc.) cannot be treated as a valid SCA element if the entity responsible for verifying the user’s identity neither controls those mechanisms nor can ensure that it is the legitimate user who is using them.
What are the differences between on-device biometrics (FaceID, TouchID, etc.) and Veridas cloud-biometrics?
The authentication mechanisms of companies such as Apple (FaceID, TouchID, etc.) are biometric: the user unlocks the device with a fingerprint or with facial recognition.
To activate this biometric authentication method, it is only necessary to enrol the biometric factors once the device has been purchased; no link is established between the official identity of the person enrolling and the biometric factor.
In addition, more than one biometric factor can be enrolled on each device, so different people can use their own biometrics to unlock the same terminal. This, together with the fact that companies relying on these methods have no visibility over the processes executed on the device, means that any person whose biometrics are enrolled on the device could operate with it.
That is why the EBA insists that a biometric solution that is not controlled by the card issuer or that has not been previously associated with the customer’s official identity cannot be used as an element of Strong Customer Authentication. It is impossible for a financial institution or any other company to be sure that the person who owns the account is the one who is using the service if it relies on biometric systems that do not meet these requirements.
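The two conditions above (factors from different categories, and a device screen-lock factor counting only when the issuer controls it or the payer was previously bound to that credential through an SCA) can be expressed as an explicit policy check. The following is an added example written for this article, not code from Veridas, the EBA, or any wallet provider; the `Factor` attributes, the sample evidence sets, and the reason strings are assumptions made for illustration, and the check models only the rules stated in this article, not the full PSD2 regulatory technical standards.

```python
"""Policy check for PSD2 Strong Customer Authentication (SCA) evidence.

Encodes two rules from the article:
  1. Valid factors must span at least two different categories
     (knowledge, possession, inherence).
  2. A factor that comes from the device's screen lock (fingerprint, face,
     PIN used to unlock the phone) only counts if the issuer controls that
     mechanism or the payer was bound to that credential via a prior SCA
     (EBA Q&A 6145).
All attribute names and sample evidence below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable

KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"
CATEGORIES = {KNOWLEDGE, POSSESSION, INHERENCE}


@dataclass(frozen=True)
class Factor:
    name: str
    category: str
    device_unlock: bool = False       # evidence originates from the OS screen lock
    issuer_controlled: bool = False   # the issuer operates the verification itself
    bound_by_prior_sca: bool = False  # credential linked to the payer through an earlier SCA


def factor_is_valid(f: Factor) -> tuple[bool, str]:
    """Apply the EBA rule to a single piece of evidence."""
    if f.category not in CATEGORIES:
        return False, f"{f.name}: unknown category {f.category!r}"
    if f.device_unlock and not (f.issuer_controlled or f.bound_by_prior_sca):
        return False, f"{f.name}: device unlock is neither issuer-controlled nor SCA-bound"
    return True, f"{f.name}: accepted"


def sca_satisfied(factors: Iterable[Factor]) -> tuple[bool, list[str]]:
    """Return (decision, reasons): True only if valid factors cover >= 2 categories."""
    reasons: list[str] = []
    categories: set[str] = set()
    for f in factors:
        ok, why = factor_is_valid(f)
        reasons.append(why)
        if ok:
            categories.add(f.category)
    if len(categories) < 2:
        reasons.append(f"only {len(categories)} independent category present; need at least 2")
        return False, reasons
    return True, reasons


# Constructed sample evidence mirroring the scenarios in the EBA question.
CARD_TOKEN = Factor("card token issued to this device", POSSESSION)
OS_FINGERPRINT = Factor("device screen-lock fingerprint", INHERENCE, device_unlock=True)
ISSUER_FACE = Factor("issuer-app face match against verified identity", INHERENCE,
                     issuer_controlled=True)
SCA_BOUND_PIN = Factor("device PIN previously associated via SCA", KNOWLEDGE,
                       device_unlock=True, bound_by_prior_sca=True)
APP_PASSWORD = Factor("banking app password", KNOWLEDGE)

if __name__ == "__main__":
    for label, evidence in [
        ("token + plain device unlock", [CARD_TOKEN, OS_FINGERPRINT]),
        ("token + issuer-controlled biometric", [CARD_TOKEN, ISSUER_FACE]),
        ("token + SCA-bound device PIN", [CARD_TOKEN, SCA_BOUND_PIN]),
        ("two knowledge factors", [APP_PASSWORD, SCA_BOUND_PIN]),
    ]:
        ok, reasons = sca_satisfied(evidence)
        print(f"{label}: {'SCA met' if ok else 'SCA NOT met'}")
        for r in reasons:
            print("   -", r)
```

The first scenario is exactly the one in the EBA question: a card token (possession) combined with the phone's own fingerprint unlock. It fails because the inherence factor is rejected, leaving a single category. Replacing the screen-lock factor with an issuer-operated biometric, or with a credential previously bound to the payer through an SCA, satisfies the check; two knowledge factors never do, however strong each is individually.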
In contrast, Veridas biometric authentication technology always starts with an initial identity verification process in which the person’s official identity is validated. Veridas has state-of-the-art solutions that certify that the identity document presented is genuine and has not been tampered with or forged, that the person presenting it is the same person who appears on the document, and that they are genuinely present during the process. All of this is done with technology certified by leading international organizations, such as the National Institute of Standards and Technology (NIST) for biometric accuracy and iBeta for liveness detection (proof of life).
Once this identity is verified, our customers can deploy many authentication use cases based on facial and voice biometrics engines, from access to private customer areas or mobile applications to physical access to corporate environments or sports venues.
Our customers retain complete control over all these processes, both in their initial configuration and in their subsequent operation, so they can verify that the person accessing or transacting through biometric authentication is the account owner. In this way, they strictly comply with the requirements set out in the EBA’s response discussed above.
Increase security and reduce identity fraud with Veridas technology
Veridas always ensures its biometric solutions’ transparency, compliance, and reliability. We rely on proprietary and fully automated technology to remotely verify identities and authenticate them in both the physical and digital space.
Our solutions are critical to preventing fraud, reducing operational costs, improving the customer experience (and thereby increasing customer acquisition rates), and ensuring full compliance with all applicable regulations.
Do not hesitate to contact us if you want to learn more about the biometric technology revolutionizing the payment industry.