
EBA Releases Opinion on SCA Elements

First published: 07/11/2019

updated: 22/10/2022


On June 21st 2019, the European Banking Authority published an opinion on the elements of Strong Customer Authentication (SCA) under the new PSD2 regulations.

While there is nothing too new here, the opinion does make some needed clarifications and provides the official position of the EBA, making it an interesting read. We have already discussed the elements necessary for strong customer authentication in a series of previous blog posts; the issued opinion clarifies the following:

Inherence

Inherence is generally described as “something the user is”. The opinion piece allows for using behavioural biometrics as inherence, but adds: “In addition, it is (the quality of) the implementation of any inherence-based approach that will determine whether or not it constitutes a compliant inherence element”.

Implementing high-quality behavioural biometrics is clearly a challenge, as in practice you are limited to reading the movement of the phone (while it is held or during keystrokes), the microphone (for noise) and the light sensor. Article 8 of the RTS requires that the implementation provide a “very low probability of an unauthorised party being authenticated as the payer”.

One clarification is that a swiping pattern, for example to unlock the phone, is not an example of inherence, but it can count as knowledge. So, for now, inherence is limited to fingerprint, iris and possibly face recognition.

Possession

Possession is something only the user possesses. This is not solely a physical object, but it can also be something like having an app installed “through algorithm specifications, key length and information entropy” (Recital 6 of the RTS).

The opinion piece clarifies that a cryptographic key may serve as evidence of possession, as long as there is some form of device binding. This is the approach we have gone with for Okay.

The opinion piece also mentions scanning a QR code on a card as an example of possession in paragraph 27, but the next paragraph requires that the code not be printed and that it change regularly. What is interesting is that, according to the opinion, an OTP by SMS can provide possession; however, this only proves ownership of the SIM card and does not, by itself, make a solution SCA compliant.

Knowledge

Knowledge is something only the user knows. This is the traditional password, PIN or swiping path. More interestingly, card details and security codes printed on the card, such as the CVV2, are not knowledge elements. This can be a challenge for app onboarding at banks and fintechs that use this information from payment cards that have already been issued.

EBA Opinion Analysis

The biggest issue with the opinion piece might be that it, to some degree, leaves room for SMS OTP as a possession factor. As mentioned in a question in the Single Rulebook, article 7 of the RTS contains a very important provision: the possession element is “subject to measures designed to prevent replication of the elements”.

If a device is infected by malware, it is very easy for the malware to read and duplicate any incoming regular SMS message. The malware can copy the SMS before it reaches the app, which makes an SMS OTP worthless as a possession element. In our view, the only situation where a traditional OTP SMS might have some value is during enrolment of a user, not for authentication or transaction verification.

Solutions checking SIM ownership on the telecom side, such as Boku, would be an alternative to a regular SMS, as a server-side check would be harder to duplicate if implemented correctly.
