- Question ID: 2018_4238
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Strong customer authentication and common and secure communication (incl. access)
- Article: 98
- Paragraph: 1
- Subparagraph: (a)
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 8
- Name of institution / submitter: Swedish Bankers’ Association
- Country of incorporation / residence: Sweden
- Type of submitter: Industry association
- Subject matter: Signature performed on the screen of a digital device as a factor in a two-factor SCA
- Question: Could a signature performed on the screen of a digital device be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?
- Background on the question:
EBA responded to a question about signature as authentication factor in connection to its “Final Report Draft RTS” of 23rd February 2017, Comment (273) -4), by saying
“The EBA is of the view that it complies with the requirements under the RTS, including the presence of a dynamic element.”
The way the question is formulated it is unclear if the answer relates to a signature on a paper slip or a signature on a digital device, or both. It is also unclear to us what EBA means with “presence of a dynamic element” in this context.
We think EBA should elaborate on the requirements for capture and comparison of signature. The question of digital capture of a signature must be addressed separately from the issue of capture of signature on a paper slip.
- Submission date:
- Final publishing date:
- Final answer:
Article 4 of the Commission Delegated Regulation (EU) 2018/389 states that “the authentication shall be based on two or more elements which are categorised as knowledge, possession and inherence and shall result in the generation of an authentication code”. Article 4 of PSD2 defines ‘Knowledge’ as ‘something only the user knows’, ‘possession’ as ‘something only the user possesses’ and ‘inherence’ as ‘something the user is’. Signature on a screen does not constitute ‘knowledge’ as this is not something only the user knows or ‘possession’ as this is not something that the user possesses.
Paragraph 34 of the EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication (SCA) and common and secure communication, EBA-Op-2018-04, states that behavioural biometrics may constitute inherence providing they comply with the requirements under Article 8 of the Delegated Regulation. Consequently, a signature on a screen of a digital device alone could be considered as behavioural biometrics provided that the payment service provider could ensure that the access devices and recognition software are sufficiently comprehensive to ensure that there is a ‘very low probability of an unauthorised party being authenticated as the payer’ as required under Article 8 of the Delegated Regulation.
- Status: Final Q&A
- Answer prepared by: Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.