Biometrics for Strong Customer Authentication
What is Strong Customer Authentication?
Strong Customer Authentication (SCA) is a regulatory requirement of the second Payment Services Directive (PSD2), as set forth by the European Union. SCA applies to customer-initiated online payments within Europe and impacts most card payments and bank transfers.
Electronic payments that fall under the scope of SCA must use an authentication process with two or more factors, based on a combination of the following, with no method compromising the other:
New Guidelines for Multi-Factor Authentication
According to NIST’s Special Publication (SP) 800-63, Digital Identity Guidelines (January 2020), knowledge-based authentication (KBA), sometimes referred to as “security questions,” is no longer recognized as an acceptable authenticator. Additionally, the guideline does not allow the use of email as a channel for single or multi-factor authentication processes.
Achieving SCA Compliance with Biometrics
Biometrics offers the highest levels of security without adding unnecessary steps or effort to the customer journey. SCA paths that use OTPs sent via SMS or email don’t just add time to the checkout flow, but are also vulnerable to attacks using techniques such as SIM swapping.
When using voice biometrics for authentication, the user can say anything or say a specific phrase that they used during enrollment. That phrase can be the same for all of your users or something they choose, but it’s not “secret” and they don’t need to remember it, as it can be provided at the time of login. It’s not what they say, but who is saying it that matters. Voice enables authentication not only across mobile, web, and conversational interfaces, but also in the contact center, which is a frequent point of attack for fraudsters using social engineering tactics. Voice anti-spoofing, or liveness detection, prevents spoofing attacks using synthetic, altered or recorded voice.
Face recognition for authentication is as simple as a selfie of the user being captured by their laptop, mobile device, or other camera-enabled access point. Applying passive facial liveness prevents fraudsters from using photos, videos, and masks to trick the system — without adding any additional steps or effort to the process.
Ways to Use Biometrics for Improved Security and Exceptional User Experience
#1 Add Voice Biometrics as a Second Factor
Existing password-based authentication
+
Voice Biometrics with Anti-Spoofing
#2 Add Face Recognition as a Second Factor
Existing password-based authentication
+
Face Biometrics with Passive Liveness Detection
#3 Biometric Login, Passwordless
User’s device as a first factor
+
Voice Biometrics and/or Face Recognition as a second factor
+
Passive Liveness Detection for biometric integrity
Biometric Authentication - Don’t Do SCA Without It
Organizations shouldn’t need to sacrifice the customer experience in order to secure user access. For retailers and banks in particular, increasing security can result in friction that leads to higher cart abandonment, fewer transactions, and revenue loss.
Biometrics eases the path to PSD2 SCA compliance while delivering several additional advantages to the business.
Advantages of Biometrics for SCA
- Add security without adding effort
- Significantly improve the user experience with faster, frictionless login
- Enable users to authenticate on digital channels more naturally
- Eliminate password hygiene issues that put users and businesses at risk
- Reduce headaches and costs associated with password resets
- Enable users to enroll once and authenticate across all your channels — mobile, web, contact center, messaging, IoT and physical access channels
Accuracy of Biometrics for SCA
Face matching technology has matured significantly and is now accepted as an alternative for securing even high-risk transactions.
Although error rates for voice biometrics alone are higher than for face, combining voice and face results in an astounding level of accuracy as well as a reduction in false rejections of valid people. In practice, combining voice and face is easy to do in a mobile app.
Using voice and face biometrics together offers security levels approaching 1 in 10,000,000, with false rejection rates close to 2%.
ID R&D provides market-leading voice biometrics, voice anti-spoofing, and ISO 30107-3 compliant passive facial liveness. If your business is facing SCA compliance and would like to discuss options for biometric authentication, we’d love to talk.