3 min read

EBA On Customer Authentication Under PSD2: Inherence

EBA On Customer Authentication Under PSD2: Inherence

A fundamental objective of the Revised Payment Services Directive (PSD2) has been to reduce the risk of fraud to the maximum extent possible and ensuring security for electronic payment transactions.

PSD2, along with the Regulatory Technical Standards (RTS), defines Strong Customer Authentication as an “authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data”.

The broader financial services industry and their partners have been working towards implementing these guidelines, but as with most new directives or guidelines, there have been some teething issues. Industry participants have to balance the cost of implementation, the performance impact in terms of delays and accuracy and the overall user experience of any such solutions. While at the same time they also have to be compliant with the basic requirements for Strong Customer Authentication (SCA).

This fine balancing act has meant that not everyone has perfect clarity if the specific solution that they have on the drawing-board and which meets their unique constraints, also fulfils all the SCA constraints. The European Banking Authority therefore published its own Opinion on SCA elements in June 2019. The document provides a rather insightful look at what may constitute a compliant element in each of the three possible categories of inherence, possession and knowledge.


Inherence is “something the user is”. Looking at some of the rather uncommon elements in the accompanying list, it is not surprising that there was some ambiguity in the minds of solution providers as to their exact compliance with SCA requirements. It might also be seen as a sign that companies are thinking outside the box and this may eventually create a better and safer user experience for customers across the European Union. The EBA acknowledge inherence as the most innovative and fastest moving category amongst the various elements of SCA. 

Element Compliant with SCA
Fingerprint Scanning Yes
Voice Recognition Yes
Vein Recognition Yes
Hand and Face Geometry Yes
Retina and Iris Scanning Yes
Keystroke Dynamics Yes
Heart rate of any other body movement pattern identifying the person Yes
The angle at which the device is held Yes
Information transmitted using a communication protocol, such as EMV* 3-D Secure No (for approaches currently observed in the market)
Memorised Swiping Path No


Source: European Banking Authority

The EBA has stated its view on inherence as follows: “inherence, which includes biological and behavioral biometrics, relates to physical properties of body parts, physiological characteristics and behavioral processes created by the body, and any combination of these”.

Additionally, it is also clarified that the quality of implementation of any inherent approach will also be a factor in gauging its compliance with SCA constraints.

Biological and behavioral elements can provide varying degrees of certainty and the accuracy may very well depend on the exact approach taken as well. The focus on approach is relevant because there is always some subjectivity as to what really satisfies the condition of having a “very low probability of an unauthorized party being authenticated as the payer”. Because that is the condition that needs to be satisfied. 

In Part 2 of this series, we will analyse EBA’s opinions on the other remaining categories of Strong Customer Authentication.


Download white paper

References and Further Reading