Could a signature performed on the screen of a digital device be considered a valid factor in a two-factor strong customer authentication (SCA) under the RTS – and what type of element is it?
EBA responded to a question about signature as an authentication factor in connection with its “Final Report Draft RTS” of 23 February 2017, Comment (273)-4, by saying
“The EBA is of the view that it complies with the requirements under the RTS, including the presence of a dynamic element.”
The way the question is formulated, it is unclear whether the answer relates to a signature on a paper slip, a signature on a digital device, or both. It is also unclear to us what EBA means by “presence of a dynamic element” in this context.
We think EBA should elaborate on the requirements for the capture and comparison of a signature. The question of digital capture of a signature must be addressed separately from the issue of capture of a signature on a paper slip.
Article 4 of the Commission Delegated Regulation (EU) 2018/389 states that “the authentication shall be based on two or more elements which are categorised as knowledge, possession and inherence and shall result in the generation of an authentication code”.
Article 4 of PSD2 defines ‘knowledge’ as ‘something only the user knows’, ‘possession’ as ‘something only the user possesses’ and ‘inherence’ as ‘something the user is’. A signature on a screen does not constitute ‘knowledge’, as this is not something only the user knows, nor ‘possession’, as this is not something that the user possesses.
Paragraph 34 of the EBA Opinion on the implementation of the regulatory technical standards on strong customer authentication (SCA) and common and secure communication, EBA-Op-2018-04, states that behavioural biometrics may constitute inherence provided they comply with the requirements under Article 8 of the Delegated Regulation. Consequently, a signature on the screen of a digital device alone could be considered as behavioural biometrics, provided that the payment service provider could ensure that the access devices and recognition software are sufficiently comprehensive to ensure that there is a ‘very low probability of an unauthorised party being authenticated as the payer’, as required under Article 8 of the Delegated Regulation.