OTP with Behavioural Biometrics

Behavioural Biometrics is a low-friction authentication method that analyses how a cardholder interacts with their device - typing rhythm, touch pressure, mouse movement, and other behavioural signals - to distinguish legitimate cardholders from fraudsters. It satisfies the inherence SCA factor.

Inherence Factor

Behavioural patterns unique to the cardholder satisfy the inherence factor of SCA.

Low Friction

No additional cardholder action is required. Biometric data is collected silently in the background during the SMS OTP challenge.

Layered Security

Behavioural Biometrics must be paired with a primary method - SMS OTP, Static Password, or Email OTP - to meet SCA requirements.

⚠️

Behavioural Biometrics is only supported for browser-based transactions. It is not available for app-based transactions because JavaScript is not executed in app challenge flows and Apata does not render the challenge interface in those cases.

📘

Behavioural Biometrics requires a primary challenge method to be completed first. If the cardholder cannot complete the primary challenge, the biometrics process is not initiated. See the Behavioural Biometrics challenge method and SMS OTP challenge method for configuration details.


How It Works

Behavioural Biometrics runs as a secondary challenge after the cardholder completes the primary SMS OTP challenge. The biometric JavaScript is loaded alongside the OTP Challenge Interface and begins collecting behavioural data as the cardholder interacts with the page.

Profile Match

If the cardholder's behaviour matches their established profile, authentication succeeds with no additional step required.

Profile Mismatch or Absent

If the biometric check fails - due to a weak profile, disabled JavaScript, or insufficient confidence - Apata falls back to a secondary challenge method such as KBA.


Success Flow

The cardholder completes the OTP challenge. Behavioural Biometrics verifies the cardholder against their existing profile silently. A single challenge screen is presented and the transaction is authenticated.

Sequence Diagram

sequenceDiagram
    autonumber
    participant ch as Cardholder
    participant 3ds as 3DS Server
    participant ds as Directory Server
    participant acs as Apata ACS
    participant issuer as Issuer
    ch->>3ds: Initiate transaction
    3ds->>ds: AReq
    ds->>acs: AReq
    acs->>issuer: Card Link request
    issuer->>acs: Card details
    acs->>acs: Evaluate Risk Profile - challenge required
    acs->>ds: ARes (transStatus C)
    ds->>3ds: ARes (transStatus C)
    3ds->>acs: CReq
    acs->>acs: Generate 6-digit OTP
    acs->>ch: Deliver OTP via SMS or Email
    acs->>ch: Render Challenge Interface with Behavioural Biometrics
    ch->>acs: Behavioural data collected in background
    ch->>acs: Submit OTP
    acs->>acs: Verify OTP
    acs->>acs: Verify Behavioural Biometrics - profile matches
    acs->>ds: RReq
    ds->>3ds: RReq
    3ds->>ds: RRes
    ds->>acs: RRes
    acs->>ch: Redirect to merchant
    opt Finalised Event
        acs->>issuer: Finalised Event notification
    end

Fallback Flow (Biometrics Fails)

If the Behavioural Biometrics check fails - for example because the cardholder has JavaScript disabled, the profile has insufficient data, or confidence is too low - Apata falls back to a secondary KBA challenge. Once the cardholder completes the KBA challenge, the transaction is authenticated.

📘

Any Knowledge-Based Authentication method can be used as the fallback - KBA, Static Password, or another configured method.

Sequence Diagram

sequenceDiagram
    autonumber
    participant ch as Cardholder
    participant 3ds as 3DS Server
    participant ds as Directory Server
    participant acs as Apata ACS
    participant issuer as Issuer
    ch->>3ds: Initiate transaction
    3ds->>ds: AReq
    ds->>acs: AReq
    acs->>issuer: Card Link request
    issuer->>acs: Card details
    acs->>acs: Evaluate Risk Profile - challenge required
    acs->>ds: ARes (transStatus C)
    ds->>3ds: ARes (transStatus C)
    3ds->>acs: CReq
    acs->>acs: Generate 6-digit OTP
    acs->>ch: Deliver OTP via SMS
    acs->>ch: Render Challenge Interface with Behavioural Biometrics
    ch->>acs: Behavioural data collected in background
    ch->>acs: Submit OTP
    acs->>acs: Verify OTP
    acs->>acs: Verify Behavioural Biometrics - insufficient confidence, fallback required
    acs->>ch: Render KBA Challenge Interface
    ch->>acs: Submit KBA answer
    acs->>acs: Verify KBA answer - success
    acs->>ds: RReq
    ds->>3ds: RReq
    3ds->>ds: RRes
    ds->>acs: RRes
    acs->>ch: Redirect to merchant
    opt Finalised Event
        acs->>issuer: Finalised Event notification
    end
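The decision rules behind the two flows above, as an added example that is not Apata's code: the primary OTP must succeed before biometrics is evaluated, a profile match ends the challenge on a single screen, any other outcome (no JavaScript, weak profile, low confidence) routes to the KBA fallback, and app-based flows are rejected outright. The threshold values and the `BioResult` names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Added example, not Apata's code: threshold values are constructed.

class BioResult(Enum):
    MATCH = "match"                    # behaviour matches the stored profile
    LOW_CONFIDENCE = "low_confidence"  # profile exists but the score is too low
    WEAK_PROFILE = "weak_profile"      # too few samples to judge against
    NO_DATA = "no_data"                # JavaScript disabled, nothing collected

MIN_CONFIDENCE = 0.80      # constructed; tuned per issuer in practice
MIN_PROFILE_SAMPLES = 5    # constructed

def classify_biometrics(js_ran: bool, profile_samples: int,
                        confidence: float) -> BioResult:
    """Map the raw collection result onto the outcomes the fallback rules use."""
    if not js_ran:
        return BioResult.NO_DATA
    if profile_samples < MIN_PROFILE_SAMPLES:
        return BioResult.WEAK_PROFILE
    if confidence < MIN_CONFIDENCE:
        return BioResult.LOW_CONFIDENCE
    return BioResult.MATCH

@dataclass
class ChallengeState:
    browser: bool                           # False for app-based (SDK) flows
    otp_verified: Optional[bool] = None     # None until the OTP is submitted
    biometrics: Optional[BioResult] = None  # None until verification runs
    kba_verified: Optional[bool] = None     # None until a KBA answer arrives

def next_step(s: ChallengeState) -> str:
    """ACS action: await_otp, render_kba, authenticated or failed."""
    if not s.browser:
        raise ValueError("Behavioural Biometrics is browser-only")
    if s.otp_verified is None:
        return "await_otp"      # primary challenge must complete first
    if not s.otp_verified:
        return "failed"         # biometrics is never initiated
    bio = s.biometrics or BioResult.NO_DATA
    if bio is BioResult.MATCH:
        return "authenticated"  # single screen, no extra step
    if s.kba_verified is None:  # any non-match falls back to secondary KBA
        return "render_kba"
    return "authenticated" if s.kba_verified else "failed"
```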

📘

The Finalised Event webhook is optional and delivers the full transaction outcome to the issuer once authentication is complete. See the Finalised Event guide for details.