Biometrics for Strong Customer Authentication

The EU’s PSD2 Strong Customer Authentication requirements are designed to secure online payments, prevent fraud, and encourage innovation. But many retailers and banks struggle to achieve compliance without introducing a level of complexity that negatively impacts the customer experience, and ultimately their revenue. There is a silver lining for companies who embrace the looming deadline as an opportunity to transform the way users authenticate. Biometrics offer a modern, simplified approach to security that eases the path to Strong Customer Authentication compliance and helps ensure an exceptional customer experience.

What is Strong Customer Authentication?

Strong Customer Authentication (SCA) is a regulatory requirement of the second Payment Services Directive (PSD2), as set forth by the European Union. SCA applies to customer-initiated online payments within Europe and impacts most card payments and bank transfers.

Electronic payments that fall under the scope of SCA must authenticate the customer using two or more of the following factors, with no factor compromising another:

  • Something the user knows, like a password or PIN
  • Something the user has, for example their mobile phone or a smart card
  • Something the user is, such as voice or face biometrics

New Guidelines for Multi-Factor Authentication

According to NIST’s Special Publication (SP) 800-63, Digital Identity Guidelines (January 2020), knowledge-based authentication (KBA), sometimes referred to as “security questions,” is no longer recognized as an acceptable authenticator. Additionally, the guideline does not allow the use of email as a channel for single or multi-factor authentication processes.

Achieving SCA Compliance with Biometrics

Biometrics offers the highest levels of security without adding unnecessary steps or effort to the customer journey. SCA paths that use OTPs sent via SMS or email don’t just add time to the checkout flow, but are also vulnerable to attacks using techniques such as SIM swapping.

When using voice biometrics for authentication, the user can say anything or say a specific phrase that they used during enrollment. That phrase can be the same for all of your users or something they choose, but it’s not “secret” and they don’t need to remember it, as it can be provided at the time of login. It’s not what they say, but who is saying it that matters. Voice enables authentication not only across mobile, web, and conversational interfaces, but also in the contact center, which is a frequent point of attack for fraudsters using social engineering tactics. Voice anti-spoofing, or liveness detection, prevents spoofing attacks using synthetic, altered or recorded voice.

Face recognition for authentication is as simple as a selfie of the user being captured by their laptop, mobile device, or other camera-enabled access point. Applying passive facial liveness prevents fraudsters from using photos, videos, and masks to trick the system — without adding any additional steps or effort to the process.

Ways to Use Biometrics for Improved Security and Exceptional User Experience

#1 Add Voice Biometrics as a Second Factor

Existing password-based authentication
+
Voice Biometrics with Anti-Spoofing

#2 Add Face Recognition as a Second Factor

Existing password-based authentication
+
Face Biometrics with Passive Liveness Detection

#3 Biometric Login, Passwordless

User’s device as a first factor
+
Voice Biometrics and/or Face Recognition as a second factor
+
Passive Liveness Detection for biometric integrity

Biometric Authentication - Don’t Do SCA Without It

Organizations shouldn’t need to sacrifice the customer experience in order to secure user access. For retailers and banks in particular, increasing security can result in friction that leads to higher cart abandonment, fewer transactions, and revenue loss.

Biometrics eases the path to PSD2 SCA compliance while delivering several additional advantages to the business.

Advantages of Biometrics for SCA

  • Add security without adding effort
  • Significantly improve the user experience with faster, frictionless login
  • Enable users to authenticate on digital channels more naturally
  • Eliminate password hygiene issues that put users and businesses at risk
  • Reduce headaches and costs associated with password resets
  • Enable users to enroll once and authenticate across all your channels — mobile, web, contact center, messaging, IoT and physical access channels

Accuracy of Biometrics for SCA

Face matching technology has matured significantly and is now accepted as an alternative for securing even high-risk transactions.

Although error rates for voice biometrics alone are higher than for face, combining voice and face results in an astounding level of accuracy as well as a reduction in false rejections of valid people. In practice, combining voice and face is easy to do in a mobile app.

Using voice and face biometrics together offers security with levels approaching 1 in 10,000,000 with false rejection rates close to 2%.

ID R&D provides market-leading voice biometrics, voice anti-spoofing, and ISO 30107-3 compliant passive facial liveness. If your business is facing SCA compliance and would like to discuss options for biometric authentication, we’d love to talk.
