EMVCo sets MFA security guidelines with encouragement and cautions for biometrics use


Biometrics can help make multi-factor authentication used in payments resistant to attacks, but can also do the opposite if the wrong technology or architecture is chosen, according to a new paper from EMVCo. A framework to support the development of multi-factor authentication methods that can stop fraud attacks against payment systems has been published by the international payment standards body.

The “Multi-Factor Authentication Solutions for Payments Security Requirements” defined by EMVCo specifies biometrics as an appropriate authentication factor in a variety of situations, and discusses the use of the technology in binding individuals to devices, credentials, and other authentication factors. The use of biometrics to establish the control of a device storing a private key is reviewed, along with ways that private key cryptography can be compromised without defeating the biometric verification element of the system.

The document defines the roles of “authenticator,” “verifier” and credential “binding.” It sets a scope for evaluation of payment MFA systems, provides security and threat models, and establishes requirements for the various aspects of a security system, including reporting and attestation, cryptography and system evaluation. EMVCo intends for the requirements to help developers of MFA solutions for payments, laboratories and the issuers, merchants, acquirers and payment providers who make up the rest of the payments ecosystem.

“As remote payments continue to gain traction, such as e-commerce transactions, it is paramount for consumers to be able to securely prove their identity and authenticate their transactions,” explains Joy Huang, chair of the EMVCo Executive Committee. “EMVCo recognises that MFA plays a crucial role in not only achieving this, but also giving the industry flexibility in how it wants to authenticate consumers using different credential combinations in different payment scenarios.”

Stipulations from EMVCo include 17 guidelines for authentication processing, all stated in broad terms to allow the flexibility Huang refers to.

The framework’s guidance on avoiding weak authentication factors gives the following as an example of what not to use: “Biometric modalities or implementations with high false-positive rates, susceptible to presentation attacks or any type of attack that can lead to wrong user verification.”

The use of a biometric system for other functions, such as device unlocking, can also decrease the security of an MFA solution that relies on it, by providing an opportunity for attackers to identify vulnerabilities.

The guidance is intended to build on existing security frameworks and standards, including those from NIST, the FIDO Alliance, PSD2, and EMVCo’s own Security Evaluation Infrastructure.

A recent EMVCo blog post also identified remaining challenges to biometric payment card adoption at scale, as production prices drop.
