Financial institutions in the European Union have long acted as fintech beacons for the rest of the world. Case in point, the chip-and-PIN card technology that the U.S. only started rolling out in 2014 has been in use throughout the EU since the mid-2000s. Now the EU is preparing to take its next leap forward in financial services.
Under the Revised Payment Service Directive (PSD2) coming in 2018, banks will be required to grant access to their customers’ account data to third parties. The directive creates new opportunities for businesses that can use the data to provide innovative services. In fact, it opens two entirely new business landscapes:
- Account Information Service Providers (AISP): Think of this as a single online banking service that aggregates all of your banking and credit-card information into one interface.
- Payment Initiation Service Providers (PISP): Creates APIs that integrate with a customers’ bank accounts, allowing faster payment processing and one-click buying across the web.
No Compliance, No Cigar
Businesses must also comply with stringent authentication standards specified by the European Banking Authority (EBA). These have been hotly debated, mainly because regulators are trying to strike a balance between security and convenience for customers. For instance, earlier this year, the EBA recommended banning screen-scraping – the process of automatically collecting information from websites and systems – a decision that the European Commission has the final say on.
At this time, one requirement that is almost certain to be adopted is that user authentication must be based on two or more of the following elements:
- Knowledge: Passwords or PIN numbers.
- Possession: A physical item only the user possesses (USB/NFC-enabled token).
- Inherence: Biometrics – a fingerprint, facial image, iris scan, voice sample, etc.
Of these, inherence is the most difficult to fraudulently replicate and is also the most convenient. This is significant for consumers who use mobile devices to perform banking transactions and make purchases. Simply taking a selfie or tapping a finger to enable secure and immediate access to data will be important for PISPs and AISPs that seek to offer a mobile presence.
This begs the question: How can AISPs, PISPs and other fintech firms effectively implement sound biometric authentication into their services to comply with PSD2 requirements?
Biometric Authentication’s Alphabet Soup
There’s little doubt that biometric authentication will be front and center as the EU gears up for PSD2. These identity verification processes must be user-friendly and functional across a diverse ecosystem of endpoints. To that end, several standards that facilitate the use of biometrics for authentication have been developed:
FIDO: Fast IDentity Online
In 2012, the FIDO Alliance developed a set of “technology-agnostic” security standards for the safe, local storage and use of authentication keys. Specifically, FIDO is concerned with two primary frameworks:
- U2F (Universal Second Factor): Governs the “possession” aspect of PSD2. The second factor is usually a physical item, like a USB thumb drive or an NFC-enabled token.
- UAF (Universal Authentication Framework): This pertains more to “knowledge” and “inherence.” It securely stores a PIN, or a biometric authentication token on the device.
The inherent security of UAF is of particular note because the private key is stored locally on the device and only the corresponding public key is registered with the institution. Therefore, a data breach or leak of an institution’s password servers is no longer a concern. There’s also something to be said for the elegance of biometrics-based UAF. No secondary tokens are needed. There’s one device and one user, and the authentication process happens securely between them. As a result, the user experience is safe and simple – exactly what a business that wants to make the most of PSD2 might hope for.
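To make the point about local private keys concrete, here is an added example (not code from the article or from the FIDO Alliance) of the public-key challenge-response that FIDO authenticators perform: the device keeps the private key, the bank stores only a public key, and each assertion is bound to one origin and one fresh challenge. The AppID, the simplified signed data and the omission of counters and user-verification flags are simplifications of this model, not FIDO's exact wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Hypothetical simplified model of FIDO's public-key challenge-response; not a FIDO implementation.
type Authenticator struct{ priv *ecdsa.PrivateKey } // device side: the private key is created here and never leaves
type Credential struct{ Pub *ecdsa.PublicKey }      // the bank's record: a public key and no secret, so a leak yields nothing reusable

// Register generates a fresh P-256 key pair on the device and returns only the public half to the server.
func Register() (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv}, Credential{Pub: &priv.PublicKey}, nil
}

// toBeSigned hashes the AppID first (as U2F does), binding the origin with a fixed-length prefix before the challenge.
func toBeSigned(appID string, challenge []byte) []byte {
	ah := sha256.Sum256([]byte(appID))
	h := sha256.Sum256(append(ah[:], challenge...))
	return h[:]
}

// Sign produces the assertion. Real FIDO also signs a counter and user-presence/verification flags.
func (a *Authenticator) Sign(appID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, toBeSigned(appID, challenge))
}

// Verify is the server-side check; it needs only the stored public key. A captured assertion
// replayed against a new challenge, or presented to a different origin, fails here.
func (c Credential) Verify(appID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.Pub, toBeSigned(appID, challenge), sig)
}

func main() {
	auth, cred, _ := Register()
	ch := make([]byte, 32) // the server's fresh 32-byte nonce for this login attempt
	rand.Read(ch)
	sig, _ := auth.Sign("https://bank.example", ch)
	replay := make([]byte, 32) // a later challenge: the captured assertion must not verify against it
	rand.Read(replay)
	fmt.Println("genuine:", cred.Verify("https://bank.example", ch, sig), "replay:", cred.Verify("https://bank.example", replay, sig))
}
```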
GlobalPlatform TEE
GlobalPlatform is a not-for-profit consortium of 100 businesses that has standardized a TEE (Trusted Execution Environment). As implied by the name, a TEE is a secure, isolated part of a mobile device’s processor in which highly sensitive applications and their data can be stored.
This relates back to biometric authentication, because a TEE is the ideal location in which to store the match engine (i.e., a FIDO authenticator) and the associated processes needed to authenticate the user (comparing a template biometric token to its corresponding image scan).
FIDO Alliance and GlobalPlatform announced a memorandum of understanding in 2016. The collaboration will make it easier for firms – such as those that would seek to take advantage of PSD2 – to simplify the development and use of FIDO authenticators that can leverage TEEs. This will allow for the construction of web applications that are protected through deeply secured, easy-to-use biometric authentication.
3D Secure 2.0
Finally, 3D Secure 2.0 is the next generation of 3D Secure, which is already in wide use in the market. The new messaging protocol, created by EMVCo, is used primarily for payment processing of card-not-present (CNP) transactions. In other words, it enables would-be PISPs to create automated payment systems for purchases in which the physical card is never presented.
Authentication is a critical part of 3D Secure 2.0. Rather than using a debit card number to authenticate an online purchase, 3D Secure 2.0 will leverage other means of verification. This includes biometrics. With 3D Secure 2.0, AISPs and PISPs will be able to integrate seamless authentication into speedy online transactions to help prevent fraud.
A Final Piece of the Puzzle: Assessing Biometric Algorithms
The success of the PSD2 directive in achieving its goals will ultimately be determined at least in part by the adoption of standards like FIDO, GlobalPlatform, and 3D Secure 2.0. They define how data is stored, transported and shared among various stakeholders, which has the effect of facilitating the evolution of a competitive ecosystem.
But even in a standards-based mobile authentication environment, algorithms for biometric matching and liveness detection will remain proprietary. And even within biometric modalities such as face or voice, solutions from different suppliers will be diverse, particularly around how they address liveness and spoof detection. A spoof is when a fraudster impersonates their victim in order to defeat biometric security measures, such as by using a photo of the victim to trick a facial recognition algorithm.
Standards like FIDO will indeed facilitate a marketplace for biometric authentication algorithms, but it will rest upon the implementer to assess the performance and suitability of an algorithm for a particular application or use case. This will warrant an apples-to-apples assessment of the biometric algorithms in terms of their matching and liveness detection performance.
The FIDO Alliance aims to help in this regard, with plans in the works to establish certification programs for biometric matching and liveness detection algorithms. Testing service providers are getting involved. In the meantime, companies aiming to deploy biometrics will want to start thinking about how they will evaluate biometric algorithms in a way that allows them to make informed judgements about which methods and products are best for their particular use case and requirements.
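An apples-to-apples assessment comes down to measuring every candidate on the same error rates. The added example below (not code from the article or from any certification program) computes, from constructed sample scores, the false accept and false reject rates of a matcher at a threshold, its equal error rate, and the APCER/BPCER pair for a liveness stage; the score vectors and the threshold are illustrative assumptions.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// Rates is a matcher operating point (accept when score >= Threshold): FAR = impostors wrongly accepted, FRR = genuine users wrongly rejected.
type Rates struct{ Threshold, FAR, FRR float64 }
// fractionAtLeast returns the share of scores that meet the threshold.
func fractionAtLeast(scores []float64, t float64) float64 {
	n := 0
	for _, s := range scores {
		if s >= t {
			n++
		}
	}
	return float64(n) / float64(len(scores))
}

// RatesAt evaluates one threshold against genuine (same person) and impostor (different people) scores.
func RatesAt(genuine, impostor []float64, t float64) Rates {
	return Rates{t, fractionAtLeast(impostor, t), 1 - fractionAtLeast(genuine, t)}
}

// EqualErrorRate sweeps each observed score as a threshold and returns the point where FAR and FRR are closest.
func EqualErrorRate(genuine, impostor []float64) Rates {
	cands := append(append([]float64{}, genuine...), impostor...)
	sort.Float64s(cands)
	best := RatesAt(genuine, impostor, cands[0])
	for _, t := range cands[1:] {
		if r := RatesAt(genuine, impostor, t); math.Abs(r.FAR-r.FRR) < math.Abs(best.FAR-best.FRR) {
			best = r
		}
	}
	return best
}

// PADRates scores a liveness stage that calls a capture live when score >= t: APCER = spoofs passed as live, BPCER = real users rejected.
func PADRates(live, spoof []float64, t float64) (apcer, bpcer float64) {
	return fractionAtLeast(spoof, t), 1 - fractionAtLeast(live, t)
}

func main() {
	// Constructed sample scores (not real vendor data): genuine comparisons should score high, impostors low.
	eer := EqualErrorRate([]float64{0.9, 0.8, 0.7, 0.4}, []float64{0.1, 0.2, 0.3, 0.6})
	apcer, bpcer := PADRates([]float64{0.95, 0.85, 0.3, 0.2}, []float64{0.1, 0.2, 0.7, 0.0}, 0.5)
	fmt.Printf("EER point %+v; liveness at 0.5: APCER=%.2f BPCER=%.2f\n", eer, apcer, bpcer)
}
```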
There are a lot of moving parts for organizations that want to make the most of PSD2. However, there are even more opportunities for those companies that get it right. Step one is to play by the rules. Step two is to change the game. And step three is ROI.