Facial recognition scans and even fingerprint sensors have transformed smartphones into remarkable tools for convenient authentication. A simple glance at your phone is now all that’s needed to unlock it, authorise payments, and much more – all without the need for cumbersome PINs or passwords. While this new technology offers incredible functionality and a superior level of security to some legacy authorisation methods, it’s not as secure as it is often assumed to be.
The EBA ruling
Strong Customer Authentication (SCA) is a security measure designed to prevent payment fraud. It requires the use of at least two of the following elements: something you know (such as a password), something you have (such as a phone), and something you are (such as a biometric like a fingerprint).
In new guidance on how SCA should be applied to digital wallets, the European Banking Authority (EBA) clarified that unlocking a phone with biometrics should not be considered a valid SCA element (if that biometric data is not controlled by the financial institution). In other words, device biometrics like using Face ID with Apple Pay do not provide robust protection against fraud.
This is a position that we at Facephi have warned against for some time.
Device biometrics vs. biometric identity verification solutions
Device biometrics, like Apple’s Face ID, are stored exclusively on the user’s device and are used to unlock a password container and send the saved password to the remote server. However, this method does not guarantee that the user’s identity is authenticated, as the remote server only verifies the correct password has been used.
This can lead to serious security flaws, especially if multiple users register their biometrics on the same device and revert to pin codes on failure, allowing unauthorised access to personal accounts.
For example, consider the rather common situation where a user’s iPad is shared among housemates. Each housemate’s biometrics are registered on the device and the same entry passcode is shared. Here, it would be quite easy for one of the housemates to bypass another housemate’s Apple Pay’s facial scan by simply entering the failsafe pin code.
Apple Pay, or any application secured with device biometrics (like your mobile banking app), is therefore only as secure as its weakest method of authentication: a simple pin code.
In contrast, biometric identity verification solutions capture, encrypt, and transmit biometric credentials to a remote server where liveness tests and authentication take place. This confirms that the individual in front of the camera is the same person who enrolled with the account. Until their identity is verified, the user is unable to gain access.
Even if device biometrics, PIN codes, or the entire handset become compromised, the remote identity verification technology will protect the account and provide secure access to the true customer.
Biometric identity verification solutions for peace of mind
At Facephi, we strongly recommend using a robust biometric identity verification solution for payment authentication with passive liveness technology, rather than mobile device biometrics. This authentication method provides enhanced security and protection against fraudulent activities.
By using biometric identity verification solutions, businesses can ensure that their customers’ identities are reliably verified and protected, providing peace of mind to both the business and their customers.
To learn more about how biometric identity authentication works, click here.