EBA releases Opinion on SCA elements
While there is nothing very new in this opinion it makes some needed clarifications and provides the official opinions of the EBA, which makes it interesting reading. We’ve already discussed the elements necessary for strong customer authentication in a series of blog posts. In the opinion the following issues are clarified:
Inherence is generally described as «something the user is»: The opinion piece opens for using behavioral biometrics as inherence, but «In addition, it is (the quality of) the implementation of any inherence-based approach that will determine whether or not it constitutes a compliant inherence element.» Implementing high-quality behavioral biometrics is clearly a challenge, as in practice you’re limited to reading the movement of the phone (holding or during keystrokes), and possibly the microphone (for noise) and the light sensor. In the RTS, article 8, it is required that the implementation should provide a ‘very low probability of an unauthorized party being authenticated as the payer’. One clarification is that a swiping pattern, e.g. for unlock, is not an example of inherence, but can be for knowledge. So, for now, inherence is limited fingerprint, iris and possibly face recognition.
Possession is something only the user possesses: This is not solely a physical object, but it can also be something like having an app installed, ‘through algorithm specifications, key length and information entropy’ (Recital 6 of the RTS). In the opinion piece, it is clarified that a cryptographic key might be evidence of possession, as long as there is some form of device binding. This is the approach we’ve gone for with Okay. The opinion piece also mentions the possibility of scanning a QR code on a card as an example of possession in paragraph 27, but in the next paragraph, they require that it is not printed, and should change regularly. What is interesting is that an OTP by SMS can provide possession according to the opinion, but this only helps to prove ownership of the SIM card and does not provide compliance to SCA by itself.
Knowledge, or something only the user knows: This is the traditional password, PIN or swiping path. More interestingly, card details and security codes printed on the card, such as CSV2, is not a knowledge element. This can be a challenge for app onboarding to banks and fintechs that use this information on payment cards that have already been issued.
EBA Opinion Analysis
The biggest issue with the opinion piece might be that it to some degree opens up for SMS OTP as a possession factor. As mentioned in a question in the Single Rulebook there is a very important provision: ‘subject to measures designed to prevent replication of the elements’, from article 7 of the RTS. If a device is infected by malware it is very easy for the malware to read and duplicate any incoming regular SMS messages. Malware can duplicate the SMS before it reaches the app, which would make an SMS as OTP worthless. In our view, the only situation where a traditional OTP SMS might have some value would be during enrollment of a user, not for doing authentication or transaction verification. Solutions checking SIM ownership on the telecom side, such as Boku, would be an alternative to a regular SMS, as a server-side check would be harder to duplicate if implemented correctly."