European Banking Authority: Behavioral Biometry as an Inherence Factor for Strong Customer Authentication

25.6.2019 TM News

A few days ago, the European Banking Authority (EBA) rolled out an update explaining the role of behavioral biometry in Strong Customer Authentication (SCA), and it finally ends all discussions around the matter.

Inherence Factor: Something That The User Is

The Regulatory Technical Standard (RTS) for PSD2 introduced the concept of Strong Customer Authentication (SCA). SCA has been designed to reduce fraud and make online payments more secure. To be able to accept payments authenticated with SCA, you will need to engage at least two of these three authentication methods:

  • Something the customer knows
  • Something that the customer has
  • Something that the customer is

The last-mentioned method is also called inherence and is the subject of this article.

This category of elements is further described as behavioral biometrics, related to physical properties of body parts, physiological characteristics and behavioral processes (and the combination of these) created by the body. Thanks to the recently published paper by the EBA, we have a comprehensive description of what types of inputs (elements of SCA) can be used to authenticate the user with the inherence factor.

The paper confirmed that our original idea of collecting granular technical data across end-user devices and monitoring users' behavior during their entire online sessions is a good approach. Our collected data consists of actual user activities (logging in to the application, navigating to a specific page, transaction checkout, etc.) and, more importantly, information that characterizes the user as a human being (such as mouse movements, typing on a keyboard, touch events, the angle at which the device is held, etc.).

Such a set of information represents the behavioral biometry (inherence factor), which can, with a reasonable amount of data and proper processing, uniquely characterize a user. At the same time, it delivers the best context-value, resulting in a decreased number of falsely rejected users and transactions while mitigating risk with a whole new level of precision. Furthermore, the data collection does not impact the user experience in any way, as it is performed unobtrusively in the background.

Need further info or have any questions? Feel free to read our PSD2 Whitepaper or contact the ThreatMark Team to see how you could leverage behavioral biometry in the PSD2 era to silently and efficiently verify users while keeping fraudsters away. 


Lukáš Jakubíček (author)