Medication and a glass of water

How to comply with PSD2 authentication without a headache

The European Union’s Payment Services Directive 2 (PSD2) regulation finally came into full force in most countries this year, putting the burden on companies to meet authentication requirements for payments. Regulations like these often come with additional security hoops consumers have to jump through. But it doesn’t have to be that way.

With the right strategy, companies can provide frictionless online experiences while remaining compliant with constantly changing regulations, including PSD2. Using passive behavioral biometrics, you can seamlessly verify that the right person is behind the device, meeting requirements without the need for additional authentication steps. Find that hard to believe? Well, read on.

How not to do PSD2: knowledge questions

While PSD2 has technically been on the books since September 2019, one rule didn’t actually go into effect until December 31, 2020: the requirement that payment service providers (PSPs) use Strong Customer Authentication (SCA). Using SCA means a payment must satisfy two of three authentication factors:

  1. Knowledge: Something the consumer knows (e.g., PIN or password)
  2. Possession: Something the consumer has (e.g., device or credit card)
  3. Inherence: Something the consumer inherently is (e.g., fingerprint or facial recognition)

To remain PSD2-compliant, many companies are using one-time passcodes (OTPs) to verify logins and payments. With OTPs, users receive a code on their device to ensure it’s in their possession — fulfilling the possession requirement for SCA. But that leaves one verification step unfulfilled. Most companies opt to have users fulfill the knowledge requirement by typing in a password. But this adds an extra step — and unnecessary friction — to the user experience.

The looming question: What will the second authentication factor be?

This is where passive behavioral biometrics comes into play by verifying user identity without the need for additional step-ups. Imagine you are logging in to your mobile banking app. When you enter the OTP code sent to your device, instead of having to manually verify your credentials a second time, there’s technology that can detect whether it’s you just by the way you typed that code. Cool, right?

How using passive biometrics with an OTP makes two cakes with one tin*

Unfortunately, tedious authentication measures are sometimes necessary. But NuData’s passive biometrics technology simplifies the user login experience by reducing the need for further verification.

Passive biometrics build user profiles based on inherent behaviors — e.g., how users hold their device, their typing cadence, and even how they move their mouse. The recognition it provides is passive, meaning it requires no end-user action.

Passive Behavioral Biometrics for Login

Not only is this technology passive, but it fulfills the inherence authentication requirement. Inherent behavior is instinctual and unconscious, so it’s extremely difficult for attackers to imitate — imagine forging a signature you’ve never seen before. Instead of having to manually type in another PIN or do a biometric scan, the device detects whether the right person is behind the device.

You might be wondering how verifying a user with behavioral biometrics is possible with a six-character OTP, especially given that your keystroke and other factors are likely different than when you’re entering your own credentials. This is because you type differently a password you have memorized than a random code. And that is a great point. Let us explain:

Login Biometrics versus OTP Biometrics

In reality, a user handling their device and typing in the OTP still provides enough information for our biometrics technology to do its job. Looking at factors like how long the user holds down each key is enough to confidently verify identity. Using hundreds of pieces of sensor data for each mobile event, NuData’s advanced OTP model verifies users’ identities without the inconvenience of manual authentication methods.

Escaping the echo chamber: How to make cybersecurity accessible for all

Compliance without the headache

Keeping up with ever-changing security and data privacy rules can be a major headache for companies. But with the right technology, your protections can evolve alongside the regulatory environment. By implementing passive behavioral biometrics, NuData enables companies to comply with PSD2 without adding excessive friction — yielding better user experiences and happier customers.

*We don’t kill two birds with one stone anymore — we love those birdies too much