Single PIN entry on wearable payment devices is deemed insufficient as an element of strong customer authentication
‘Strong customer authentication’ was introduced into EU law by Directive (EU) 2015/2366 (PSD2) and is intended to increase the security of payment transactions. It is an authentication based on at least two elements from the following categories: knowledge (something only the user knows), possession (something only the user has) and inherence (something the user is). The elements must be independent of one another, so that the breach of one does not compromise the reliability of the others, and the procedure must be designed to protect the confidentiality of the authentication data.
The Swedish Bankers’ Association was concerned that users might mistakenly assume that such payment wearables satisfy the inherence element (one of the three categories, two of which are required) because they read the wearer’s heartbeat and pulse.
Payment wearables do not work that way yet. Their operating scheme is as follows: the user enters the PIN when putting on the device. From then on, the device records whether the pulse and heart-rate measurement has been uninterrupted since the PIN was entered. This makes it possible to determine whether the device has been worn by the same person over a given period; it is the uninterrupted measurement, not the person’s individual heart rate or pulse pattern, that provides this verification. In this case, strong customer authentication consists of two elements: possession of the device the user is wearing and the user’s knowledge (the PIN), but not inherence.
Therefore the question arose, and was put to the EBA, whether a PIN entered once is sufficient to count as an element of strong customer authentication (knowledge that only the user has) if the device shows that it has been worn continuously across several transactions performed on the same day. If the answer were affirmative, there would be no need to enter the PIN for each payment.
The EBA’s answer was negative. It explained that in this particular example the device’s locking mechanism (the heartbeat and pulse reading) does not guarantee that the user remains in the same payment session. For that, the user would have to stay in communication with the payment service provider so that the session is kept open, which is only possible through continuous active use of the device (initiating a payment or accessing the account) so that the session does not expire. Because such solutions are not currently in place, the user has to enter the PIN for every transaction made after the first session has expired.
The EBA also pointed out that the exemptions from strong customer authentication laid down in Articles 11 to 18 of Commission Delegated Regulation (EU) 2018/389 (the regulatory technical standards on strong customer authentication, RTS) still apply in that case, e.g. for contactless payments at the point of sale, payments to trusted beneficiaries, recurring transactions and low-value transactions.
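The device lock described above, the provider-side session the EBA refers to, and the contactless exemption just mentioned can be put together in a small model. The following Python is an added example, not code from the article, the EBA or any device maker. The pulse sampling interval, the session timeout and the pulse trace are assumptions; the contactless limits are those of Article 11 of the RTS (EUR 50 per transaction, and EUR 150 or five consecutive contactless transactions since the last strong customer authentication). The point it shows is the EBA's: the device lock (PIN plus uninterrupted pulse readings) and the provider's session are independent, so once the session has timed out without active use, continuity on the wrist no longer substitutes for the PIN, and only an exemption lets a payment through without it; conversely, an open session does not help once the device has come off.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed parameters (not from the article): pulse sampling and session timing.
MAX_PULSE_GAP_S = 10           # a longer gap between readings means the device came off
SESSION_TIMEOUT_S = 5 * 60     # PSP session lifetime without active use
# Contactless exemption limits, RTS Article 11 (a), (b), (c).
CONTACTLESS_LIMIT_EUR = 50.0
CONTACTLESS_CUMULATIVE_EUR = 150.0
CONTACTLESS_MAX_COUNT = 5


@dataclass
class Wearable:
    """Device side: PIN entered once, then uninterrupted pulse readings since the PIN."""
    pin: str
    pin_verified_at: Optional[float] = None
    last_pulse_at: Optional[float] = None

    def enter_pin(self, pin: str, now: float) -> bool:
        if pin != self.pin:
            return False
        self.pin_verified_at = now     # continuity is measured from this moment
        self.last_pulse_at = now
        return True

    def pulse_sample(self, now: float) -> None:
        """One pulse reading. A gap longer than MAX_PULSE_GAP_S means the device
        was taken off, so the PIN state is discarded and the device locks again."""
        if self.last_pulse_at is not None and now - self.last_pulse_at > MAX_PULSE_GAP_S:
            self.pin_verified_at = None
        self.last_pulse_at = now

    def unlocked(self, now: float) -> bool:
        """True only if the PIN was entered and readings have been continuous since."""
        return (self.pin_verified_at is not None
                and self.last_pulse_at is not None
                and now - self.last_pulse_at <= MAX_PULSE_GAP_S)


@dataclass
class Psp:
    """Provider side: the session is independent of the device lock and is only
    kept open by active use (a payment or an account access) before it times out."""
    session_last_activity: Optional[float] = None
    contactless_sum_since_sca: float = 0.0     # RTS Art. 11(b) counter, reset at each SCA
    contactless_count_since_sca: int = 0       # RTS Art. 11(c) counter, reset at each SCA

    def session_open(self, now: float) -> bool:
        return (self.session_last_activity is not None
                and now - self.session_last_activity <= SESSION_TIMEOUT_S)

    def contactless_exempt(self, amount: float, contactless: bool) -> bool:
        return (contactless
                and amount <= CONTACTLESS_LIMIT_EUR
                and self.contactless_sum_since_sca + amount <= CONTACTLESS_CUMULATIVE_EUR
                and self.contactless_count_since_sca < CONTACTLESS_MAX_COUNT)

    def authorise(self, device: Wearable, now: float, amount: float,
                  contactless: bool, pin: Optional[str] = None) -> str:
        """Returns 'session', 'exempt', 'sca' or 'declined'."""
        if device.unlocked(now) and self.session_open(now):
            self.session_last_activity = now      # active use keeps the session alive
            return "session"
        if device.unlocked(now) and self.contactless_exempt(amount, contactless):
            self.contactless_sum_since_sca += amount
            self.contactless_count_since_sca += 1
            return "exempt"
        # Otherwise a fresh SCA is needed: possession (device on the wrist) + knowledge (PIN).
        if pin is None or not device.enter_pin(pin, now):
            return "declined"
        self.session_last_activity = now
        self.contactless_sum_since_sca = 0.0
        self.contactless_count_since_sca = 0
        return "sca"


def wear(device: Wearable, start: float, end: float, every: float = 5) -> None:
    """Constructed pulse trace: the device is worn without interruption from start to end."""
    t = start
    while t <= end:
        device.pulse_sample(t)
        t += every


def run_scenario() -> List[str]:
    """One day of use, times in seconds. Returns the outcome of each payment attempt."""
    device, psp, out = Wearable(pin="4321"), Psp(), []
    out.append(psp.authorise(device, 0, 20.0, True, pin="4321"))     # first use: SCA
    wear(device, 5, 120)
    out.append(psp.authorise(device, 120, 30.0, True))               # session still open
    wear(device, 125, 1000)
    out.append(psp.authorise(device, 1000, 40.0, True))              # session expired; only Art. 11 saves it
    wear(device, 1005, 1100)
    out.append(psp.authorise(device, 1100, 80.0, True))              # over EUR 50, no PIN: declined
    out.append(psp.authorise(device, 1100, 80.0, True, pin="4321"))  # PIN re-entered: SCA
    wear(device, 1105, 1130)
    device.pulse_sample(1200)                                        # 70 s without readings: device came off
    out.append(psp.authorise(device, 1200, 10.0, True))              # session open, possession lost: declined
    out.append(psp.authorise(device, 1200, 10.0, True, pin="4321"))  # SCA again
    return out
```

Running `run_scenario()` gives `['sca', 'session', 'exempt', 'declined', 'sca', 'declined', 'sca']`: the third payment passes only because of the contactless exemption, not because the wearer kept the device on, and the sixth fails despite an open provider session because the device itself no longer attests possession.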