Response to public hearing on the Consultation paper on the amendment of the RTS on SCA&CSC under PSD2
Go back
1. Regulation and EBA’s opinions on SCA
Directive (EU) 2015/2366, of 25 November 2015, on payments services in the internal market, establishes in article 4.30 that a strong customer authentication (SCA) “means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.
Regarding the inherence element, the Commission Delegated Regulation (EU) 2018/389, of 27 November 2017, has elaborated the requirements of devices and software linked to this elements (article 8), establishing that “1. Payment service providers shall adopt measures to mitigate the risk that the authentication elements categorised as inherence and read by access devices and software provided to the payer are uncovered by unauthorised parties. At a minimum, the payment service providers shall ensure that those access devices and software have a very low probability of an unauthorised party being authenticated as the payer. 2. The use by the payer of those elements shall be subject to measures ensuring that those devices and the software guarantee resistance against unauthorised use of the elements through access to the devices and the software.”
Thereafter, the EBA has delivered its opinion on the application of the SCA elements, helping entities understand and interpret the legal requirements. In these opinions EBA-Op-2018-04 and EBA-Op-2019-06, the EBA has considered that the two elements should belong to two different categories.
2. Elements categorised as inherence: state-of-the-art
Various financial entities have consulted VERIDAS on the use of two inherence elements for SCA requirements compliance, providing this way a simple authentication method for its users. Possession and knowledge factors only offer a presumption of the identity of a person (because they can easily be transferred and used, with or without consent, by another person), while inherence factors refer directly to the person him/herself and offers certainty (as there is only one me, and it cannot be transferred).
Currently, as mentioned in the previous section, the use of two elements of the same category is clearly not possible.
However, VERIDAS would like to inform the EBA on the improvements of biometric technologies in recent years, and specially on the recent introduction of international evaluations which may be of interest.
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce which has become the main international evaluator of biometric (and other) technologies.
The NIST has recently organized a new evaluation on both face and voice biometric engines working together, where each identity among the database has an audio segment and a selfie. After both comparisons are carried out, an average score is issued (Actual Cost or C Primary formula: this formula is calculated for each partition, and the final result is the average of all C Primary’s across the various partitions).
Results of the evaluation shall remain confidential according to NIST policies. However, we can inform the EBA that the top 5 entities have achieved a C Primary < 0.1. These results imply that the state-of-the-art biometric technologies which combine face and voice recognition can already guarantee performance levels that are high enough to verify the identity of an individual. Moreover, this initiative suggests that the combination of the face and voice biometrics is becoming a use case requested by the vendors and the ecosystem.
Further information of this evaluation can be found here: https://www.nist.gov/itl/iad/mig/nist-2021-speaker-recognition-evaluation-sre21.
Biometric models nowadays also include presentation attack detection mechanisms so that, combined with the precision these technologies have achieved on the comparison between two physical characteristics, there is a very low probability of an unauthorised party being authenticated as the payer.
Therefore, and always looking for improvement and the implementation of mechanisms that offer both security and convenience, it should be considered that using two elements categorised as inherence can be secure enough in order to perform a strong customer authentication.
Q2. Do you have any comments on the proposal to extend the timeline for the renewal of SCA to 180-days?
In this regard, we have noticed that one of the main reasons leading to this modification is the inconvenience that performing this authentication process repeatedly can cause to the user. Therefore, in any case and regardless of the time period in which the user has to repeat the process, authentication mechanisms that are secure and, at the same time, convenient and agile, must be offered to the users.1. Regulation and EBA’s opinions on SCA
Directive (EU) 2015/2366, of 25 November 2015, on payments services in the internal market, establishes in article 4.30 that a strong customer authentication (SCA) “means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.
Regarding the inherence element, the Commission Delegated Regulation (EU) 2018/389, of 27 November 2017, has elaborated the requirements of devices and software linked to this elements (article 8), establishing that “1. Payment service providers shall adopt measures to mitigate the risk that the authentication elements categorised as inherence and read by access devices and software provided to the payer are uncovered by unauthorised parties. At a minimum, the payment service providers shall ensure that those access devices and software have a very low probability of an unauthorised party being authenticated as the payer. 2. The use by the payer of those elements shall be subject to measures ensuring that those devices and the software guarantee resistance against unauthorised use of the elements through access to the devices and the software.”
Thereafter, the EBA has delivered its opinion on the application of the SCA elements, helping entities understand and interpret the legal requirements. In these opinions EBA-Op-2018-04 and EBA-Op-2019-06, the EBA has considered that the two elements should belong to two different categories.
2. Elements categorised as inherence: state-of-the-art
Various financial entities have consulted VERIDAS on the use of two inherence elements for SCA requirements compliance, providing this way a simple authentication method for its users. Possession and knowledge factors only offer a presumption of the identity of a person (because they can easily be transferred and used, with or without consent, by another person), while inherence factors refer directly to the person him/herself and offers certainty (as there is only one me, and it cannot be transferred).
Currently, as mentioned in the previous section, the use of two elements of the same category is clearly not possible.
However, VERIDAS would like to inform the EBA on the improvements of biometric technologies in recent years, and specially on the recent introduction of international evaluations which may be of interest.
The National Institute of Standards and Technology (NIST) is part of the U.S. Department of Commerce which has become the main international evaluator of biometric (and other) technologies.
The NIST has recently organized a new evaluation on both face and voice biometric engines working together, where each identity among the database has an audio segment and a selfie. After both comparisons are carried out, an average score is issued (Actual Cost or C Primary formula: this formula is calculated for each partition, and the final result is the average of all C Primary’s across the various partitions).
Results of the evaluation shall remain confidential according to NIST policies. However, we can inform the EBA that the top 5 entities have achieved a C Primary < 0.1. These results imply that the state-of-the-art biometric technologies which combine face and voice recognition can already guarantee performance levels that are high enough to verify the identity of an individual. Moreover, this initiative suggests that the combination of the face and voice biometrics is becoming a use case requested by the vendors and the ecosystem.
Further information of this evaluation can be found here: https://www.nist.gov/itl/iad/mig/nist-2021-speaker-recognition-evaluation-sre21.
Biometric models nowadays also include presentation attack detection mechanisms so that, combined with the precision these technologies have achieved on the comparison between two physical characteristics, there is a very low probability of an unauthorised party being authenticated as the payer.
Therefore, and always looking for improvement and the implementation of mechanisms that offer both security and convenience, it should be considered that using two elements categorised as inherence can be secure enough in order to perform a strong customer authentication.