The European Banking Authority (EBA) issued an opinion in late June 2019 clarifying which authentication elements count towards Strong Customer Authentication (SCA) under PSD2. SCA requires two or more elements drawn from different categories among inherence, knowledge and possession, commonly glossed as something you are, something you know and something you have; PSD2 also requires those elements to be independent, so that the compromise of one does not compromise the others. We have compiled and edited the following table from the official EBA opinion:
| Element | Compliant with SCA? |
| --- | --- |
| Inherence elements | |
| Fingerprint scanning | Yes |
| Voice recognition | Yes |
| Vein recognition | Yes |
| Hand and face geometry | Yes |
| Retina and iris scanning | Yes |
| Behavioral biometrics, including keystroke dynamics, heart rate or other body movement patterns that uniquely identify PSUs (Payment Service Users), and mobile device gyroscopic data | Yes |
| Information transmitted using EMV 3-D Secure 2.0 | No |
| Knowledge elements | |
| Password, passphrase or PIN | Yes |
| Knowledge-based authentication (KBA) | Yes |
| Memorized swiping path | Yes |
| Email address or username | No |
| Card details (including the CVV code printed on the back of the card) | No |
| Possession elements | |
| Possession of a device evidenced by an OTP generated by, or received on, the device (hardware/software token generator, SMS OTP) | Yes |
| Possession of a device evidenced by a signature generated by the device (hardware or software token) | Yes |
| Card or device evidenced through a QR code (or photo TAN) scanned from an external device | Yes |
| App or browser with possession evidenced by device binding, such as a security chip embedded in the device, a private key linking an app to the device, or registration of the web browser linking the browser to the device | Yes |
| Card evidenced by a card reader | Yes |
| Card with possession evidenced by a dynamic card security code | Yes |
| App installed on the device | No |
| Card with possession evidenced by card details (printed on the card) | No |
| Card with possession evidenced by a printed element (such as an OTP list, e.g. "grid cards") | No |
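To make the two-categories rule concrete, the following is an added example (not code from the EBA opinion or from the original post) that encodes the table above and evaluates whether a given combination of presented elements satisfies SCA. The element labels, the `Category` enum and the function names are this example's own shorthand; the category and Yes/No verdict for each row follow the table.

```python
from enum import Enum


class Category(Enum):
    INHERENCE = "inherence"    # something you are
    KNOWLEDGE = "knowledge"    # something you know
    POSSESSION = "possession"  # something you have


# Labels are this example's own shorthand; the category and the compliant
# flag for each entry follow the EBA table reproduced above.
ELEMENTS = {
    "fingerprint":            (Category.INHERENCE, True),
    "behavioural_biometrics": (Category.INHERENCE, True),
    "3ds2_transmitted_data":  (Category.INHERENCE, False),
    "password":               (Category.KNOWLEDGE, True),
    "pin":                    (Category.KNOWLEDGE, True),
    "kba":                    (Category.KNOWLEDGE, True),
    "swipe_path":             (Category.KNOWLEDGE, True),
    "username":               (Category.KNOWLEDGE, False),
    "cvv":                    (Category.KNOWLEDGE, False),
    "device_otp":             (Category.POSSESSION, True),
    "sms_otp":                (Category.POSSESSION, True),
    "device_bound_app":       (Category.POSSESSION, True),
    "card_reader":            (Category.POSSESSION, True),
    "installed_app":          (Category.POSSESSION, False),
    "printed_card_details":   (Category.POSSESSION, False),
    "grid_card":              (Category.POSSESSION, False),
}


def evaluate_sca(presented):
    """Apply the two-categories rule to a list of element labels.

    Returns (compliant, categories_satisfied, ignored): the set of
    Category values covered by at least one compliant element, and the
    list of elements that contribute nothing because the table marks
    them "No".

    Only category distinctness is checked. PSD2 additionally requires the
    elements to be independent (breach of one must not compromise the
    others); that is a property of the deployment and cannot be decided
    from labels alone.
    """
    satisfied = set()
    ignored = []
    for label in presented:
        if label not in ELEMENTS:
            raise KeyError(f"unknown authentication element: {label!r}")
        category, compliant = ELEMENTS[label]
        if not compliant:
            ignored.append(label)
            continue
        satisfied.add(category)
    return len(satisfied) >= 2, satisfied, ignored


def explain(presented):
    """Human-readable verdict for one combination of elements."""
    ok, satisfied, ignored = evaluate_sca(presented)
    cats = ", ".join(sorted(c.value for c in satisfied)) or "none"
    note = f" (ignored: {', '.join(ignored)})" if ignored else ""
    return f"{presented}: {'SCA' if ok else 'NOT SCA'}; categories: {cats}{note}"


if __name__ == "__main__":
    # Constructed combinations chosen to show the ways a flow falls short.
    for combo in (
        ["password", "device_otp"],                  # two categories: SCA
        ["password", "pin"],                         # same category twice: not SCA
        ["cvv", "printed_card_details"],             # both rows marked "No": not SCA
        ["pin", "device_bound_app", "fingerprint"],  # all three categories
    ):
        print(explain(combo))
```

Two of the failures are worth noting because they are common in practice: a password plus a PIN are both compliant elements but share a category, so they do not add up to SCA, and card number plus CVV plus expiry is zero compliant elements, not two, because every item is printed on the same card. The check deliberately stops short of deciding independence, which depends on how the elements are delivered (for example, an SMS OTP read on the same phone that runs the banking app).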
The list and details about implementations are subject to change. Check the EBA site for updates. KuppingerCole will also follow and provide updates and interpretations.
The EBA appears to be rather generous in what can be used for SCA, especially considering the broad range of biometric types on the list. However, a recent survey by GoCardless indicates that not all consumers trust and want to use biometrics, and these attitudes vary by country across the EU.
Although KBA is still commonly used, it should be deprecated: the answers are easy for fraudsters to obtain from data breaches and public records. The acceptance of smart cards and other hardware tokens is unlikely to make much of an impact, since most consumers will not carry a dedicated device just to authenticate and authorize payments. The inclusion of behavioral biometrics is probably the most significant and useful clarification on the list, since it allows for frictionless and continuous authentication.
In paragraph 13, the EBA opinion opened the door for possible delays in SCA implementation: “The EBA therefore accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, CAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA…”
Finextra reported this week that the UK Financial Conduct Authority (FCA) has announced an extension to March 2021 for all parties to prepare for SCA. The Central Bank of Ireland is following a similar course. Given that various surveys place merchant awareness of and readiness for PSD2 SCA at between 40% and 70%, such extensions are not surprising, and the Competent Authorities in more member states are likely to follow suit.
While these moves are disappointing in some ways, they are also realistic. Complying with the SCA provisions is not a simple matter: many banks and merchants still have much work to do, including modernizing their authentication and Consumer Identity and Access Management (CIAM) infrastructures to support it.
For more information, see our list of publications about PSD2. This is also a featured topic at our upcoming Digital Finance World conference, which will be held in Frankfurt, Germany in September.