European Banking Authority (EBA) Rejects On-Device Biometrics as a Suitable Method for Strong Customer Authentication


The European Banking Authority (EBA) requires Strong Customer Authentication (SCA) for electronic payments to improve security.

However, On-Device Biometrics is no longer considered sufficient for SCA, as ruled by the EBA on 31st January 2023.  

This article will examine the decision’s rationale and impact on banks, businesses, and consumers. 

What is Strong Customer Authentication (SCA) within the Payment Services Directive 2 (PSD2)? 

Strong Customer Authentication (SCA) is an authentication process that requires two or more independent authentication factors for a customer to securely access their online accounts or complete an online payment transaction. It is a security requirement set by the European Banking Authority (EBA) for customer authentication in the European Economic Area (EEA). SCA requires customers to provide two or more of the following authentication factors as depicted within figure 1 below: E.g., something the customer knows (e.g., a password or PIN), something the customer possesses/owns (e.g., a mobile phone or security token), and something the customer is (e.g., biometric data such as a face, fingerprint, or voice recognition).

EBA SCA On Device Fig1


Why is Strong Customer Authentication important? 

SCA is important because it aims to reduce fraud and unauthorised access to customer accounts. By implementing SCA, banks and PSPs can provide customers with a higher level of security and protect them from financial losses due to fraudulent activities. Additionally, complying with SCA is a legal requirement, and failure to do so may result in penalties and loss of customer trust

How does SCA affect your businesses? 

Strong Customer Authentication (SCA) implications for banks and businesses are significant. Here are some key points: 

  • Compliance: banks and businesses in the EEA and the UK must follow SCA regulations to avoid penalties. 
  • Fraud reduction: SCA is expected to reduce fraud and improve electronic payment security, building customer trust and loyalty. 
  • Innovation opportunities: new authentication tech and processes may lead to innovation and differentiation among businesses, offering a seamless customer experience. 
  • Customer experience: SCA may impact the checkout process but offers a more secure experience, improving customer trust. 
  • Communicate with customers: businesses must inform customers about SCA requirements and how to complete transactions. 

What does the EBA say about biometric authentication on devices? 

On January 31, 2023, the EBA responded to the following questions submitted by a Financial Institution regarding mobile device biometrics.

Q&A 5622Q&A 6145 and Q&A 6464 under the revised Payment Service Directive (PSD2) clarify how payment card information should be added to a digital wallet on a mobile device under the revised PSD2. 

The first clarification (Q&A 5622) says that using a digital payment card to make payments requires extra SCA security measures unless there are specific reasons why it’s unnecessary.  

The second clarification (Q&A 6145) says that using biometrics (like a fingerprint) or a PIN/password as a biometric authentication method to unlock a phone cannot be considered a good way of verifying identity to add a payment card to a digital wallet if the issuer of the payment card does not control the screen locking mechanism of the phone.  

The last clarification (Q&A 6464) says that creating a new digital token, and connecting it to a device or user, also needs extra SCA security measures. 

Essentially, the EBA says mobile authentication methods are only secure if the issuer can control them or ensure the user is legitimate

How does on-device biometrics differ from Udentify cloud-based biometric authentication? 

On-device biometrics like FaceID and TouchID use biometric technology to grant users access to their devices using their fingerprint or facial recognition. Once users purchase their device, they only need to register their biometric factors to activate this authentication method. Multiple biometric factors can be registered on the same device, allowing multiple users to unlock it using their biometrics.  

However, the EBA recommends that a biometric solution be controlled by the card issuer and associated with the customer’s official identity to be used as an element of Strong Customer Authentication.  

Udentify’s biometric authentication technology validates a person’s official identity before registering their biometrics, ensuring that the person presenting the identity document is genuine and present in the process, further validating this with liveness detection.  

Once Udentify completes the identity verification process, they can use various biometric authentication methods, such as facial and voice recognition. These can include accessing private customer areas or mobile apps.  

Udentify ensures that only the authorised user gains access. This way, banks and financial services institutions comply with the EBA’s requirements. 

One of the main advantages of Udentify’s cloud biometrics is that it provides more flexibility and scalability, offers centralised management and scalability, and is iBeta certified for proof of liveness. 

Complying with the updated PSD2 requirements with Udentify

Udentify’s technology combines biometric authentication with liveness detection, ensuring that the presented person using the digital wallet or payment method is the correct and live user. Udentify’s solution meets the PSD2 requirements for SCA while providing a frictionless and user-friendly experience.

With Udentify, businesses can add an extra layer of security to their payment systems, helping them comply with PSD2 regulations and reduce the risk of fraudulent transactions. Udentify’s technology can be seamlessly integrated into existing payment systems. It can be customised to fit the needs of each business, making it a versatile and scalable solution for complying with PSD2.

Further to the PSD2 SCA authentication requirements, Udentify delivers a seamless authentication method across devices while completely removing identity fraud within authentication. 

Contact us for a live demo for more information on what Udentify can do for your business and customers.

Content Protection by
See the big picture with the full story of fraud via flexible fraud investigation storyboards.