Biometric authentication is one of the most common ways to secure electronic systems and authorise transactions. There are two types of biometric authentication methods: biometrics built into mobile devices and those provided by third-party vendors. Built-in mobile biometrics means the integration of biometric technologies, such as facial recognition or fingerprint scanning, directly into the mobile device.
Biometrics embedded in mobile devices have become an increasingly popular form of authentication in the digital age. Nevertheless, security concerns surround them, raising questions about their validity as an element of strong authentication. We will explore why biometrics built into mobile devices should not be considered a valid element of strong authentication and explain the European Banking Authority's (EBA) pronouncement on the matter.
What are the biometric authentication methods embedded in mobile devices?
Most latest-generation devices, such as mobile phones, tablets, and laptops, are equipped with embedded biometric authentication. The most well-known methods are facial recognition and fingerprint.
Facial recognition uses the front-facing camera, commonly known as the selfie camera, to scan the user's face and compare it with the data stored on the device. If they match, the device unlocks. Fingerprint recognition works similarly, scanning the user's fingerprint and comparing it with the data stored on the device.
Until now, these mechanisms have been used as Strong Customer Authentication (SCA) under the European regulation for electronic payment services (PSD2).
Strong customer authentication for online payments (PSD2)
The PSD2 regulation was a paradigm change in the banking industry that led to the development of online payment systems through mobile devices.
Financial institutions implemented SCA measures to comply with the regulation and allow users to complete online payments through a secure and convenient process.
Among these measures was the obligation to use at least two of the three existing authentication factors.
What are the three authentication factors?
The three authentication factors refer to:
- Knowledge factor: something only the user knows, such as a PIN or password.
- Possession factor: something the user owns, such as a token or credit card.
- Inherence factor: something inherent to the user, which encompasses their biometrics.
When does strong customer authentication apply?
Based on article 71 of the Directive, payment service providers must apply strong authentication when the payer:
- Accesses their digital account.
- Starts an electronic payment transaction.
- Performs any action in any remote channel where a fraud risk exists.
Furthermore, apart from implementing strong customer authentication, PSD2 requires financial entities to provide proof of authentication in cases where the user denies having carried out the operation.
This proof requirement forces payment service providers to reinforce their authentication methods. Biometrics seems to be the ideal solution for ensuring secure user authentication and reducing payment fraud.
Nevertheless, which biometrics are appropriate to use: those built into mobile devices, or those from third-party vendors?
EBA position regarding biometrics embedded in mobile devices usage
Not long ago, the EBA published new guidelines for implementing digital onboarding solutions in financial institutions, to help these institutions run reliable and secure remote customer onboarding processes.
The European Banking Authority has now pronounced again, this time to clarify comprehensively how customer authentication requirements apply to digital wallets and to lay new foundations for mobile biometrics.
To that end, the Authority delivered a statement on January 31, responding to six Q&As related to the PSD2 Directive (EU) 2015/2366 and to Regulation (EU) 2018/389 on strong customer authentication, which complements the Directive.
Q&A 6145 is the key
Q&A 6145 concerns the application of SCA to mobile biometrics.
The question addressed by the EBA was: does the authentication used to unlock the mobile device count as one of the elements of strong customer authentication when a payment service user is tokenising a card on an e-wallet solution such as Apple Pay?
The Authority answered that payment service providers (PSPs) should take measures to minimise the risk that unauthorised individuals could learn the inherence authentication factors. PSPs must therefore ensure a low probability of unauthorised users authenticating as if they were the payer.
The EBA added that "unlocking of a mobile phone with biometrics cannot be considered a valid SCA element for the purpose of adding a payment card to a digital wallet if the screen locking mechanism of the mobile device is not under the control of the issuer or if the payer has not been associated previously through an SCA with the credential used for unlocking the phone".
This confirms that the local biometrics of mobile devices cannot be used as a precise and secure authentication method in the cases mentioned above.
Advantages of Mobbeel biometric authentication compared with biometrics built into mobile devices
Third-party biometric authentication vendors provide higher levels of security and customisation that devices' local biometrics cannot match.
Within this enhanced level of security, a verification process takes place before the authentication and authorisation of any transaction, allowing the user's identity to be verified. No such verification is required in an authentication process that relies on biometrics built into mobile devices. As a result, a device can hold biometric templates enrolled by different users, and any of them can perform operations on the device, since the biometrics embedded in the mobile device are not associated with the customer's identity. Control of the process is therefore not guaranteed.
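The binding gap described in the EBA answer and in the paragraph above can be made concrete with a small model. The following Python is an added illustration, not Mobbeel's code and not any regulator's reference implementation: it models a phone whose screen lock accepts any enrolled template and reports only a bare "unlocked" result, an issuer-controlled service that binds one template to one customer at an SCA-protected enrolment, and a policy check that counts device unlock as an inherence element only under the two conditions the EBA names. All names, the string "templates" and the scenarios are constructed.

```python
"""Model of why device-unlock biometrics do not bind to the payer's identity.
Added illustration; constructed names and values throughout."""
from __future__ import annotations
from dataclasses import dataclass, field

# The three SCA factor categories named in PSD2.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"


@dataclass
class Device:
    """A phone whose screen lock accepts any enrolled template.

    The lock answers only "unlocked or not"; it never reports *which* enrolled
    person unlocked it, and the issuer has no control over who is enrolled.
    """
    enrolled_templates: set[str] = field(default_factory=set)  # constructed, e.g. {"alice_face"}

    def unlock(self, presented_template: str) -> bool:
        # Device-local match: any enrolled template succeeds.
        return presented_template in self.enrolled_templates


@dataclass
class Factor:
    category: str
    issuer_controlled: bool = False  # inherence only: matching under the issuer's control?
    bound_via_sca: bool = False      # inherence only: credential previously bound to the payer via SCA?
    succeeded: bool = True


def valid_sca_element(f: Factor) -> bool:
    """Q&A 6145 reading: device unlock counts as an inherence element only if the
    lock mechanism is issuer-controlled or the credential was previously associated
    with the payer through an SCA. Other categories count whenever they succeed."""
    if not f.succeeded:
        return False
    if f.category == INHERENCE:
        return f.issuer_controlled or f.bound_via_sca
    return True


def sca_satisfied(factors: list[Factor]) -> bool:
    """At least two valid elements drawn from different factor categories."""
    categories = {f.category for f in factors if valid_sca_element(f)}
    return len(categories) >= 2


def wallet_tokenisation_with_device_unlock(device: Device, presented: str, card_holder_template: str) -> dict:
    """Adding a card to a wallet app using possession (the phone) plus the screen unlock.
    The app only ever sees the boolean result of the unlock."""
    unlocked = device.unlock(presented)
    device_unlock = Factor(INHERENCE, issuer_controlled=False, bound_via_sca=False, succeeded=unlocked)
    possession = Factor(POSSESSION, succeeded=True)
    return {
        "device_unlocked": unlocked,
        # The device cannot tell the app this; we compute it only to show the gap.
        "unlocked_by_cardholder": unlocked and presented == card_holder_template,
        "sca_satisfied": sca_satisfied([possession, device_unlock]),
    }


class IssuerBiometricService:
    """Issuer-controlled matching against a centralised user database: one template
    bound to one customer, enrolled only under SCA. Constructed stand-in, not a vendor API."""

    def __init__(self) -> None:
        self._templates: dict[str, str] = {}  # customer_id -> template (constructed strings)

    def enrol(self, customer_id: str, template: str, enrolment_sca_ok: bool) -> bool:
        # Binding the template to an identity is itself protected by SCA.
        if not enrolment_sca_ok:
            return False
        self._templates[customer_id] = template
        return True

    def verify(self, customer_id: str, presented: str) -> Factor:
        # Match is per customer: another enrolled person's template does not succeed here.
        ok = self._templates.get(customer_id) == presented
        return Factor(INHERENCE, issuer_controlled=True, bound_via_sca=True, succeeded=ok)


def wallet_tokenisation_with_issuer_biometrics(service: IssuerBiometricService,
                                               customer_id: str, presented: str) -> bool:
    possession = Factor(POSSESSION, succeeded=True)
    return sca_satisfied([possession, service.verify(customer_id, presented)])


if __name__ == "__main__":
    phone = Device({"alice_face", "bob_face"})  # two people enrolled on one phone
    print(wallet_tokenisation_with_device_unlock(phone, "bob_face", "alice_face"))
    svc = IssuerBiometricService()
    svc.enrol("alice", "alice_face", enrolment_sca_ok=True)
    print(wallet_tokenisation_with_issuer_biometrics(svc, "alice", "bob_face"))
```

In the first scenario the phone unlocks for Bob, the wallet app learns only "unlocked", and the policy check still rejects the transaction because the unlock is neither issuer-controlled nor bound to Alice; in the second, the same presented template fails outright because the issuer's service matches against the template bound to Alice's account at enrolment.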
Our solutions link biometrics with an individual identity, ensuring transparent and secure digital transactions and assuring that only the person previously registered on your platform through their biometric template can carry out online operations.
With our technology, the user can authenticate or authorise from any device, since the biometric pattern is not registered locally on the device but in a centralised user database.
Furthermore, our voice and facial biometric technology offers:
- High accuracy and reliability in authentication because our technology relies on advances in artificial intelligence and machine learning.
- Improved ability to protect against fraud, through presentation attack detection systems and stricter security measures against the fraudulent use of biometrics.
- More interoperability and ease of integration with other authentication systems, reducing implementation costs and complexity.
Contact us if you want accurate and secure biometric authentication methods that meet EBA guidelines.
I am a curious mind with knowledge of law, marketing, and business. A word alchemist, deeply in love with neuromarketing and copywriting, who helps Mobbeel keep growing.