EMVCo sets MFA security guidelines with encouragement and cautions for biometrics use
Biometrics can help make multi-factor authentication used in payments resistant to attacks, but can also do the opposite if the wrong technology or architecture is chosen, according to a new paper from EMVCo. A framework to support the development of multi-factor authentication methods that can stop fraud attacks against payment systems has been published by the international payment standards body.
The “Multi-Factor Authentication Solutions for Payments Security Requirements” defined by EMVCo specifies biometrics as an appropriate authentication factor in a variety of situations, and discusses the use of the technology in binding individuals to devices, credentials, and other authentication factors. The use of biometrics to establish control of a device storing a private key is reviewed, along with ways that the private key cryptography can be compromised without defeating the biometric verification element of the system.
The document defines the roles of “authenticator,” “verifier” and credential “binding.” It sets a scope for evaluation of payment MFA systems, provides security and threat models, and establishes requirements for the various aspects of a security system, including reporting and attestation, cryptography and system evaluation. EMVCo intends for the requirements to help developers of MFA solutions for payments, laboratories and the issuers, merchants, acquirers and payment providers who make up the rest of the payments ecosystem.
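To make the authenticator, verifier and binding roles concrete, the following Go program is an added illustration, not code from EMVCo or from the requirements document. It models a generic challenge-response flow: the verifier binds a credential ID to a public key at enrolment, the authenticator signs the verifier's nonce only after a simulated local biometric match, and the verifier checks nonce freshness, the asserted user-verification flag and the signature. The credential ID, match-score threshold and assertion layout are constructed for the example. The last scenario shows the point made above: if the private key is obtained outside the biometric gate, the verifier's checks alone cannot tell a genuine assertion from one produced without any biometric verification, which is why hardware-protected keys and attestation of the authenticator matter.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assertion is what the authenticator returns: the signed challenge plus a
// flag saying whether local user verification (the biometric) succeeded.
// The layout is a constructed illustration, not a standard's encoding.
type Assertion struct {
	CredentialID string
	Nonce        []byte
	UserVerified bool
	Signature    []byte
}

// assertionDigest binds credential ID, verifier nonce and the UV flag into one
// message so none of them can be altered after signing.
func assertionDigest(credID string, nonce []byte, uv bool) []byte {
	h := sha256.New()
	h.Write([]byte(credID))
	h.Write(nonce)
	flag := byte(0)
	if uv {
		flag = 1
	}
	h.Write([]byte{flag})
	return h.Sum(nil)
}

// Authenticator models the consumer device: a per-credential private key that
// is used for signing only after a local biometric match.
type Authenticator struct {
	credID         string
	priv           ed25519.PrivateKey
	matchThreshold float64 // hypothetical biometric match-score cut-off
}

// Sign runs user verification (simulated by a match score) and, only on
// success, signs the verifier's challenge.
func (a *Authenticator) Sign(nonce []byte, matchScore float64) (Assertion, error) {
	if matchScore < a.matchThreshold {
		return Assertion{}, errors.New("biometric verification failed; key not used")
	}
	return Assertion{a.credID, nonce, true,
		ed25519.Sign(a.priv, assertionDigest(a.credID, nonce, true))}, nil
}

// Verifier is the relying side: it stores the public key bound to each
// credential at enrolment and tracks the nonce outstanding per credential.
type Verifier struct {
	pubKeys map[string]ed25519.PublicKey
	pending map[string][]byte
}

func NewVerifier() *Verifier {
	return &Verifier{map[string]ed25519.PublicKey{}, map[string][]byte{}}
}

// Enroll is the binding step: credential ID -> public key.
func (v *Verifier) Enroll(credID string, pub ed25519.PublicKey) { v.pubKeys[credID] = pub }

// Challenge issues a fresh random nonce for one authentication attempt.
func (v *Verifier) Challenge(credID string) []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	v.pending[credID] = n
	return n
}

// Verify checks replay protection, the asserted UV flag and the signature.
// The outstanding nonce is consumed whether or not the check succeeds.
func (v *Verifier) Verify(as Assertion) error {
	pub, ok := v.pubKeys[as.CredentialID]
	if !ok {
		return errors.New("unknown credential")
	}
	expected, ok := v.pending[as.CredentialID]
	delete(v.pending, as.CredentialID)
	if !ok || !bytes.Equal(expected, as.Nonce) {
		return errors.New("stale or unknown nonce")
	}
	if !as.UserVerified {
		return errors.New("authenticator did not assert user verification")
	}
	d := assertionDigest(as.CredentialID, as.Nonce, as.UserVerified)
	if !ed25519.Verify(pub, d, as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// Outcome records the result of each scenario run by Scenarios.
type Outcome struct {
	GenuineAccepted      bool // matching biometric, fresh nonce (expect true)
	NoMatchSigned        bool // non-matching biometric produced a signature (expect false)
	ReplayAccepted       bool // earlier assertion reused (expect false)
	ExtractedKeyAccepted bool // key used outside the biometric gate (expect true)
}

// Scenarios runs one enrolment followed by four authentication attempts.
func Scenarios() Outcome {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	auth := &Authenticator{credID: "cred-demo-01", priv: priv, matchThreshold: 0.8}
	v := NewVerifier()
	v.Enroll(auth.credID, pub)
	var o Outcome

	as, err := auth.Sign(v.Challenge(auth.credID), 0.95) // genuine user
	o.GenuineAccepted = err == nil && v.Verify(as) == nil

	_, err = auth.Sign(v.Challenge(auth.credID), 0.3) // non-matching presentation
	o.NoMatchSigned = err == nil

	o.ReplayAccepted = v.Verify(as) == nil // nonce already consumed

	// Private key available without the gate: a valid-looking assertion
	// claiming user verification passes every check the verifier can make.
	n := v.Challenge(auth.credID)
	forged := Assertion{auth.credID, n, true, ed25519.Sign(priv, assertionDigest(auth.credID, n, true))}
	o.ExtractedKeyAccepted = v.Verify(forged) == nil
	return o
}

func main() { fmt.Printf("%+v\n", Scenarios()) }
```

The verifier never sees the biometric: it only learns that the device claims the user was verified and that the key bound at enrolment produced the signature. Anything that strengthens the first three checks (fresh nonces, the UV flag inside the signed data) does nothing for the fourth, so the security of the key store and the attestation of what kind of authenticator holds it are what the requirements document's attestation and cryptography sections have to cover.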
“As remote payments continue to gain traction, such as e-commerce transactions, it is paramount for consumers to be able to securely prove their identity and authenticate their transactions,” explains Joy Huang, chair of the EMVCo Executive Committee. “EMVCo recognises that MFA plays a crucial role in not only achieving this, but also giving the industry flexibility in how it wants to authenticate consumers using different credential combinations in different payment scenarios.”
Stipulations from EMVCo include 17 guidelines for authentication processing, all stated in broad terms to allow the flexibility Huang refers to.
The framework’s guidance on avoiding weak authentication factors gives, as an example of what not to use, “biometric modalities or implementations with high false-positive rates, susceptible to presentation attacks or any type of attack that can lead to wrong user verification.”
The use of a biometric system for other functions, such as device unlocking, can also decrease the security of an MFA solution that relies on it, by giving attackers additional opportunities to identify vulnerabilities in that system.
The guidance is intended to build on existing security frameworks and standards, including those from NIST, the FIDO Alliance, PSD2, and EMVCo’s own Security Evaluation Infrastructure.
A recent EMVCo blog post also identified remaining challenges to biometric payment card adoption at scale, as production prices drop.