A. Khedron de León - May 18, 2021

Smartphone + Biometrics for PSD2 SCA

FIDO  Payments/E-Commerce  PSD2  Cybersecurity ROI  SCA

This article is part 5 of 7 in the series: An Evaluation of Strong Customer Authentication (SCA) Methods for the Revised Payment Services Directive (PSD2).

The following criteria are used for comparison:

  • Equipment and infrastructure: Costs and benefits
  • Ease of deployment: Portability, proprietary limitations, and distribution considerations 
  • Ease of loss replacement: Steps needed for a user to begin anew
  • Vulnerabilities: Process, hardware, or software weaknesses
  • Convenience/speed: The time it takes and ease of the user experience; reports range from as low as 7s to 15s of a user’s experience to determine whether or not they remain in the purchase, so every second counts

Smartphone + Biometrics for PSD2 SCA

SCENARIO: Logging into a site to make a purchase, you are asked to enter a password. When you finally cave to that behavioral retargeting campaign, you are prompted to tap your fingerprint reader as an authentication check. A simple tap later, and the order is on its way to be processed for shipping, with all the payment taken care of in that instant. Using one’s smartphone (Possession) to authorize one via a biometric (Inherence), when combined with a password or PIN (Knowledge), is considered a passable form of MFA.

ANALYSIS: Making this happen requires an underlying PKI, as the secure element in every phone must be unique and trackable. PKIs, as we noted above, are notoriously expensive to deploy, and typically require continued proprietary licensing fees or per-user fees to keep operating over time. Once an issuing company pays for a PKI to drive their business, not too many options exist for pivoting to a new method without full reinvestment.

Replacement is a massive inconvenience to the user, but the equivalent cost of the smart element is deferred to them, since it’s their phone being replaced. It is still the rough equivalent of re-issuing a new smart card, and the inconvenience is not less, just deferred to the user.

The most common form of biometric is an image, whether that’s a fingerprint, retina scan, or facial scan. Images can be stolen like anything else, once on file. Multimodal biometrics use more than one metric to identify an individual, and are considered much more secure than monomodal models like just a fingerprint or just a voice recording. However, if an image of your fingerprint is stolen and used for nefarious purposes, the thief will have access to your identity for the remainder of your life—and perhaps beyond.

Usage time is as short as one second if everything is already connected. Slower times frequently result from inexact placement relative to the sensors. Convenience drops dramatically with the inclusion of more secure multimodal methods.

  • Equipment and infrastructure: $: Phone/tablet + biometric reader; public cell networks
  • Ease of deployment: Easy: most users have a personal device
  • Ease of loss/replacement: Hard: replacement cost deferred to users
  • Vulnerabilities: Biometric images, when compromised, are compromised forever
  • Convenience/speed: ~1s+ with possible biometrics sensing delays

Continue to FIDO for PSD2 SCA.

StrongKey FIDO Server (SKFS) is the world’s only open source FIDO® Certified FIDO2 Server. StrongKey never charges per-license or per-user fees, allowing you to keep your costs low even as your business grows. We offer CryptoCloud hosting, PKI solutions including conversion from existing PKI to a FIDO ecosystem via PKI2FIDO, and enterprise-wide FIDO2 strong authentication for businesses on six continents.