When it comes to body parts the European Banking Authority (EBA) is agnostic: heart, veins, retina – even your fingers wandering idiosyncratically over a keyboard.
The regulator, needless to say, was not talking about harvesting organs when it got open-minded about human anatomy in an opinion published this summer, but about biological and behavioural biometrics: specifically, the types it will accept as “inherence”.
What is “inherent” to someone making a payment (and few would deny that veins and a heart are pretty inherent indeed) is about to get very important. Here’s why.
European Banking Authority: OK With Your Heart Rate
Under the looming “Strong Customer Authentication” (SCA) requirements of Europe’s Second Payment Services Directive (PSD2), payments and ecommerce providers need to introduce two-factor authentication (2FA) for electronic payments above the €30 (£27) low-value exemption threshold (the exemption is also capped by cumulative-amount and transaction-count limits, after which SCA is required again).
Transactions above this SCA threshold have to satisfy two of the three categories the EBA deems satisfactory authentication factors: something you are, e.g. biometrics; something you know, e.g. a password or PIN; and something you have, e.g. a registered mobile device. The two factors must be independent, so that compromising one does not compromise the other; two factors from the same category (a PIN plus a password) do not count.
While the strict new rules were set to come into force on September 14, UK providers have won an 18-month extension from the Financial Conduct Authority (FCA).
One of the things they need to think about as they belatedly prepare their systems for SCA is what the “2” in “2FA” is going to be.
It could be your palm geometry…
In a payments biometrics opinion in June, the EBA took a broad view of what constitutes adequate biometric inherence.
“The EBA is of the view that inherence, which includes biological and behavioural biometrics, relates to physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these.”
“Inherence”, it noted, “is the category of elements that is the most innovative and fastest moving, with new approaches continuously entering the market.”
It approved: retina and iris scanning, fingerprint scanning, vein recognition, face and hand geometry (identifying the shape of the user’s face/hand), voice recognition, keystroke dynamics (identifying a user by the way they type and swipe), the angle at which a user typically holds their device, and their heart rate.
Are these really viable options? We asked Michael Lynch, Chief Strategy and Product Officer, Deep Labs. He said: “There are two important dynamics for the use of the inherence technologies. First is the acceptance by the consumer to use such technologies, and the second is the efficacy of the technology.
“Consumers have been conditioned by the largest smartphone manufacturers or mainstream applications to utilise built-in biometrics such as fingerprints, facial recognition, iris scanning, and voice recognition.
“The majority of consumers would be far from comfortable at this point with some of the newer and less mainstream biometrics such as vein recognition given they have no prior exposure to the technology. And then there is the question of efficacy. Vein pattern recognition is an expensive technology to make work effectively, vein patterns change as people age, and vein scanning can be affected by factors such as ambient lighting.”
(A Seoul convenience store recently became the world’s first to have customers pay with a hand scan, with the shop deploying a palm vein authentication self-checkout facility which scans the veins of a user’s hand to identify pre-registered shoppers).
Those adopting any of these technologies also need to ensure the inherence factor and the session itself are secure. Other layers of SCA compliance involve, as Lynch put it:
- Separate and Secure Execution Environments – The initiating party or Payment Service Provider must have a separate payment and security solution.
- Dynamic Linking – There must be a way to trace the payment transaction end-to-end from the PSP, to the Payment Service User (PSU) to the Account Holding Institution.
- Possession – As part of multifactor security, possession is defined as “Something You Have”, such as a registered mobile device.
- Malware Detection – The ability to detect whether malicious software has been introduced onto a device for the purpose of illicitly capturing information.
- General Authentication – This refers to making sure customers are who they say they are for the purposes of initiating a payment or accessing account information.
- Software Authenticity – This applies to both the third-party provider and the bank who holds the customer accounts. They both must use suitable security techniques, including software, to identify and authenticate the customer.
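Dynamic linking, listed above as end-to-end traceability, is in the PSD2 regulatory technical standards the requirement that the authentication code be specific to the amount and the payee the payer agreed to, so that a code approved for one transaction cannot be replayed against another or survive a man-in-the-browser edit of the amount. The Python below is an added illustration written for this page, not code from Deep Labs, the EBA or any payment provider. The shared key, nonce, payee identifier and the SCA_THRESHOLD_CENTS constant are assumptions for the demonstration, and the canonical encoding is a choice of this example rather than a standard format; a real PSP would also implement the cumulative limits of the low-value exemption, which this example omits.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Low-value exemption threshold from the article (EUR 30), in cents.
# Assumed for the demo; the exemption's cumulative-amount and count
# limits are deliberately not modelled here.
SCA_THRESHOLD_CENTS = 3000

FACTOR_CATEGORIES = {"knowledge", "possession", "inherence"}


@dataclass(frozen=True)
class Transaction:
    payee: str          # payee account identifier as shown to the payer (constructed)
    amount_cents: int   # minor units, so no floating-point rounding surprises
    currency: str


def requires_sca(tx: Transaction) -> bool:
    """SCA is needed above the low-value exemption threshold."""
    return tx.amount_cents > SCA_THRESHOLD_CENTS


def has_two_independent_factors(factors_presented: set[str]) -> bool:
    """Two of the three categories must be present. A set of category
    names is used on purpose: a PIN plus a password is still one category."""
    return len(factors_presented & FACTOR_CATEGORIES) >= 2


def _canonical(tx: Transaction, nonce: bytes) -> bytes:
    # Fixed field order with 2-byte length prefixes, so no two distinct
    # (payee, amount, currency, nonce) tuples serialise to the same bytes.
    parts = [
        tx.payee.encode("utf-8"),
        str(tx.amount_cents).encode("ascii"),
        tx.currency.encode("ascii"),
        nonce,
    ]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def issue_auth_code(key: bytes, tx: Transaction, nonce: bytes) -> str:
    """Authentication code dynamically linked to amount and payee:
    HMAC-SHA256 over the canonical transaction, keyed by a secret shared
    between the authenticating device and the issuer (assumed here)."""
    return hmac.new(key, _canonical(tx, nonce), hashlib.sha256).hexdigest()


def verify_auth_code(key: bytes, tx: Transaction, nonce: bytes, code: str) -> bool:
    """Recompute over the transaction that is actually about to execute.
    If the amount or payee changed after the payer approved, the MAC no
    longer matches. compare_digest keeps the comparison constant-time."""
    expected = issue_auth_code(key, tx, nonce)
    return hmac.compare_digest(expected, code)


def authorise(key: bytes, executed: Transaction, factors: set[str],
              nonce: bytes, code: str) -> str:
    """Decision a PSP might take for the transaction it is asked to execute,
    given the factor categories presented and the code issued at approval time."""
    if not requires_sca(executed):
        return "exempt"
    if not has_two_independent_factors(factors):
        return "refused: fewer than two factor categories"
    if not verify_auth_code(key, executed, nonce, code):
        return "refused: authentication code not linked to this amount/payee"
    return "proceed"


if __name__ == "__main__":
    key = secrets.token_bytes(32)      # assumed shared secret
    nonce = secrets.token_bytes(16)    # per-transaction freshness
    approved = Transaction("payee-account-001", 4500, "EUR")  # constructed
    code = issue_auth_code(key, approved, nonce)
    print(authorise(key, approved, {"knowledge", "inherence"}, nonce, code))
    tampered = Transaction("attacker-account", 4500, "EUR")   # payee swapped in transit
    print(authorise(key, tampered, {"knowledge", "inherence"}, nonce, code))
```

The nonce makes two otherwise identical payments (same payee, same amount) produce different codes, so an approved code cannot be replayed for a second identical transfer; in a deployed system it would be issued by the PSP and bound to the session Lynch refers to.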
“Behavioral biometrics will also be a beneficial factor in inherence” the payments security expert added. “The use of the device, whether it is the use of a mouse or a keyboard, or the swiping patterns, geolocation and finger pressure on a mobile device can be mapped to the behavior of a particular consumer.
“However, given the potential challenges of identifying a particular individual consumer and the amount of session time and history stored about a particular consumer to identify them individually, these may be better used as complementary risk factors rather than a biometric identifier for inherence.”