EyeVerify Talks PSD2, Putting New Power in Biometrics

June 14, 2017         By: Steven Anderson

It’s been clear for some time that biometrics represent one of the great protective measures of account security. Taking things we already keep on hand at all times anyway—our fingertips, eyes, and similar matter—and using these as the basis for nigh-impenetrable security (aside from a few grotesque or almost science-fiction-style workarounds) is a valuable idea, and one that’s already seen a lot of new ground.

Word from EyeVerify’s Ryan Schroeder, a solutions engineer, notes that the company is actively working along lines reflected in the Revised Payment Services Directive, or PSD2, and further notes just what payment services providers will need to do to meet the strong customer authentication (SCA) requirements established therein.

With PSD2 set to take hold in January—though its impact will be limited to the European Union and the Economic European area—a set of several new authentication requirements will be put in place, as revealed in part from the European Banking Authority (EBA) in the form of a slate of new Regulatory Technical Standards (RTS).

According to these standards, RTS now requires two of three elements in order to comply with new standards: knowledge, like a password or a personal identification number (PIN); inherence, like a biometric-related system; possession, like a mobile phone or similar token.

EyeVerify, for its part, depends on inherence and possession; using an eye print ensures the necessary stability and accuracy, and a new “liveness technology” ensures that a  photo or video isn’t enough to activate the system. Since the eyeprint is stored locally, that makes it fall under possession as well.

It’s not a bad idea, but it comes with potential flaws. Biometrics were supposed to be more than just an ultra-secure authentication tool; biometrics were supposed to be convenient as well. Using biometrics as just one factor in a kind of jumped-up two factor authentication scheme smacks of solving the wrong problem. If an eye scan just opens up a password prompt, that makes the system harder to work with, not easier. Secure, yes, but secure at what cost?

Biometrics have a great potential to improve security, but we must always consider security in terms of its usefulness. A room no one can enter is the most secure of all, but why even have it if no one can use it?