European Banking Authority (EBA) rejects mobile device biometrics as a method for strong customer authentication (SCA)
The European Banking Authority (EBA) requires strong customer authentication (SCA) for electronic payments to improve security. However, on-device biometrics are no longer considered a valid method for use as a second authentication factor, the EBA ruled on January 31, 2023.
Not all uses of biometrics to verify identity are equal, though. In this article, we look at why using the mobile device's own biometric unlock as an identification system is not considered secure, and at the alternative methods that are.
What is strong customer authentication (SCA)?
Strong Customer Authentication (SCA) is a security requirement set by the European Banking Authority (EBA) for customer authentication in the European Economic Area (EEA). This requirement consists of complying with an authentication process that requires two or more independent authentication factors in order for a customer to securely access their online accounts or complete an online payment transaction.
SCA requires customers to provide two or more of the following authentication factors:
- Something the customer knows (e.g., a password or PIN);
- Something the customer possesses (e.g., a cell phone or security token); and
- Something the customer is (e.g., biometric data such as face, fingerprint, or voice recognition).
SCA is an initiative to reduce fraud and unauthorized access to customer accounts. By implementing SCA, banks and Payment Service Providers (PSPs) can offer customers a higher level of security and protect them from financial losses due to fraudulent activity. In addition, SCA compliance is a legal requirement, and non-compliance can lead to penalties and loss of customer confidence.
How does the SCA affect companies in the banking sector?
Banking and financial institutions in the EEA and the United Kingdom must follow the SCA regulation to avoid penalties. SCA aims to reduce fraud and improve the security of electronic payments, building customer trust and loyalty. It can also add friction to the checkout process, which creates an opportunity for innovation: offering a customer experience that is simple yet secure.
What does the EBA say about biometric authentication on devices?
On January 31, 2023, the EBA published an answer in its Q&A section addressing the use of biometrics on mobile devices, clarifying how payment card information should be added to a digital wallet on a PSD2-compliant mobile device.
The EBA clarifies that using a digital payment card to make payments requires the additional security measures of SCA, unless there are specific reasons why it is unnecessary. In addition, unlocking a phone using biometric data (such as a fingerprint or face) cannot be considered a valid way to verify identity when adding a payment card to a digital wallet if the issuer of the payment card does not control the phone's screen lock mechanism.
In other words, the EBA states that mobile authentication methods are only secure if the issuer can control them or ensure that the user is legitimate.
How does on-device biometrics differ from Alice Biometrics’ cloud-based biometric authentication?
Using the biometrics built into mobile devices, such as fingerprint or facial recognition to unlock the device, replaces the password for accessing the device, but it does not verify the identity of the person using the device. In other words, the fingerprint enrolled as a substitute for the password could very well be that of your brother or a friend, so the user's identity cannot be assured.
The EBA recommends that, to be used as an element of Strong Customer Authentication (SCA), a biometric solution be controlled by the card issuer and linked to the customer's official identity. It would be the card-issuing bank, using remote identity verification services such as Alice, that checks the identity of the customer at the time the card is associated with the mobile device.
In other words, the mobile device's own biometrics cannot be counted as "something the customer is", since there is no control over the enrollment process to validate that the enrolled person is indeed the authorized one. With Alice's biometric verification, by contrast, the identity is verified uniquely and unambiguously against an external element (the identity document), and it is the issuer that controls the verification process.
Increase security and reduce identity fraud with Alice technology
Alice's cloud-based biometric authentication service validates a person's official identity before registering their biometric data, ensuring that the person presenting the ID document is genuine and present during the process, and further validating this through a proof-of-life mechanism.
Once the verification process is completed, various biometric authentication methods can be used, such as facial recognition to access the customer’s private area, manage transactions, or use the mobile device as a payment method.
Alice ensures that only authorized users gain access. In this way, as a bank or financial services institution, you can meet PSD2 SCA requirements, and you can do so while providing a frictionless experience, unlike other verification processes that add intermediate steps or waiting times.