When it comes to body parts the European Banking Authority (EBA) is agnostic: heart, veins, retina – even your fingers wandering idiosyncratically over a keyboard.
The regulator, needless to say, was not talking about harvesting organs when it got open-minded about human anatomy in an opinion published this summer, but about biological and behavioural biometrics: specifically, the types it will accept as “inherence”.
What is “inherent” to someone making a payment (and few would deny that veins and a heart are pretty inherent indeed) is about to get very important. Here’s why.
European Banking Authority: OK With Your Heart Rate
Under the looming “Strong Customer Authentication” requirements of Europe’s Second Payment Services Directive (PSD2), payments and ecommerce providers need to introduce two-factor authentication (2FA) for payments of over €30 (£27).
Future transactions above this SCA threshold have to satisfy two of the three elements the EBA accepts as authentication methods: something you are, e.g. biometrics; something you know, e.g. a password or PIN; and something you have.
While the strict new rules were set to come into force on September 14, UK providers have won an 18-month extension from the Financial Conduct Authority (FCA).
One of the things they need to think about as they belatedly prepare their systems for SCA is what the “2” in “2FA” is going to be.
It could be your palm geometry…
In a payments biometrics opinion in June, the EBA took a broad view of what constitutes adequate biometric inherence.
“The EBA is of the view that inherence, which includes biological and behavioural biometrics, relates to physical properties of body parts, physiological characteristics and behavioural processes created by the body, and any combination of these.”
“Inherence”, it noted, “is the category of elements that is the most innovative and fastest moving, with new approaches continuously entering the market.”
It approved: retina and iris scanning, fingerprint scanning, vein recognition, face and hand geometry (identifying the shape of the user’s face/hand), voice recognition, keystroke dynamics (identifying a user by the way they type and swipe), the angle at which a user typically holds their device, and their heart rate.
Are these really viable options? We asked Michael Lynch, Chief Strategy and Product Officer, Deep Labs. He said: “There are two important dynamics for the use of the inherence technologies. First is the acceptance by the consumer to use such technologies, and the second is the efficacy of the technology.