Biometrics and Payments – The Future of Authentication
Three years ago, Apple’s then-newest iPhone, the 5S, introduced a feature that had never been seen on a cell phone before – a fingerprint sensor. It was placed on the iPhone as an alternative to the passcode to unlock the device, in an effort to help prevent theft of the highly desired devices, which had reached something of a nadir in late 2013. Apple noted that while a thief could eventually guess a phone’s passcode, it was nearly impossible to replicate a fingerprint to get around the fingerprint sensor (and no, the iPhone fingerprint sensor has not resulted in thieves chopping off people’s fingers to gain access to the device). When Apple Pay was introduced the following year, the fingerprint sensor became an important tool for helping to keep iPhone users’ credit card data secure.
Fingerprint sensors are part of a growing number of human body-based security applications known as biometrics. Passwords and PINs, which have been the industry standard for years, have become problematic in recent years, due to the increase in digital fraud, data breaches and the growing concerns over data privacy. In addition, with what seems like everything, from devices to websites, requiring passwords or PINs these days, the number of passwords the average person has is only going to increase. Dashlane, a password application company, estimates that the “number of accounts we use is growing at a 14% rate, meaning it doubles every 5 years. In 2020, the average number of accounts per Internet user will be 207!” And most of them will need passwords or PINs.
This explosion of accounts is one of the reasons that both software and hardware firms are exploring new methods of verifying a user’s identity, with one such method being biometrics. Encompassing fingerprint scanners, voice verification, retina scans, vein scans and even “selfie” and heartbeat scans, biometrics are increasing in popularity, either alongside passcodes and PINs or as a complete replacement for them, for unlocking smartphones or accessing information-sensitive apps, like banking and financial apps, on a smartphone. So it is no surprise they are getting a serious look as a way to verify payments, as they keep consumer data secure without inconveniencing consumers by forcing them to remember another password. And with experts estimating that 99 percent of U.S. smartphones will be biometrics-enabled by 2021, or about 247 million smartphones – that’s just five years from now – it becomes even more important, especially considering there were fewer than 10 million in 2013, and just 132 million in 2016.
Biometrics work off the theory that using your own physical body to authenticate payments is the ultimate in security, because even if someone looked exactly like you, that person is still not physically you. With the increasing number of data breaches, hacks and thefts, it should come as no surprise that payments industry leaders are turning to new and more innovative authentication technologies that are harder to fake. And indeed, if they work as intended, biometrics can be a tremendous step forward in the move towards safer payments. They certainly represent a huge leap forward in the potential for safer user authentication; however, biometrics have yet to be thoroughly tested on the market, so it remains to be seen if the theory matches the practice.
Despite their convenience and simplicity, biometrics present new, unique security challenges to financial firms, raising concerns about biometric payments security and privacy. These concerns are mainly due to the biometrics being used in place of a password or PIN, rather than as a proof of identity that is followed by a password or PIN to authenticate the information. A recent report by Acuity Market Intelligence showed that mobile biometrics, the type used with mobile phones, will generate $34.6 billion in annual revenue by 2020, thanks to the desire for increased security. And while they are certainly safer and harder to replicate than the standard password and PIN methods we currently rely upon, it is almost certain that hackers will be able to find some weaknesses as the technology becomes more widespread. In fact, nearly 15 years ago, Japanese cryptographer Tsutomu Matsumoto was able to fool fingerprint security scanners using a gummy finger he made directly from the target.
Despite the concerns, biometrics do bring many benefits: they could make it easy to conduct "card not present" transactions and eliminate the need for a physical wallet. The new chip-embedded EMV cards are helping to reduce credit card fraud and are making great strides in payment security by making it much more difficult for hackers, fraudsters and thieves to steal credit card data, but only when cards are present. In card-not-present (CNP) situations, such as with online payments or ecommerce websites, fraud has actually increased since the implementation of the EMV liability shift a year ago. Biometrics can help reduce CNP fraud because they are much harder to fake than passwords, since body parts are not easily duplicated. There will likely come a day when we have fingerprint scanners built right into our computers, for authentication purposes when shopping or banking online, and in other situations where proof of identity is needed. And with biometric authentication, you may not even need to have your wallet or your smartphone with you – instead of swiping a card or tapping a phone on a payment terminal, you would simply press your finger to a fingerprint scanner to pay for goods and services, for a truly hands-free payment experience.
Even though the technology has been around for a while, biometrics still has that science-fiction futuristic feel, thanks to movies like Minority Report, I, Robot and the James Bond movie Skyfall, which featured a scene with a biometric weapon that wouldn’t fire unless the licensed killer was holding it. While the technology has been around in the real world for a while, its use with payments is in its infancy. And it’s not just fingerprints. In the UK, Barclays has introduced voice recognition for those who use its telephone banking service, and finger vein scanners for its in-person customers. In Poland, nearly 2,000 ATMs are equipped with finger vein technology, which allows people to scan their finger to withdraw money, rather than use a card or a PIN. Similarly in Sweden, which is well on its way to becoming a cashless society, there are also ATMs that only require a vein scan to withdraw money. Additionally, beyond Apple enabling fingerprint authorizations for iTunes and Apple Pay purchases, Mastercard recently announced it is testing facial recognition technology to authorize transactions, and Samsung is looking at fingerprint, voice and iris recognition for Samsung Pay.
Are biometrics the future of payments? They very probably are, but we are not quite there yet. There are many things that need to happen before biometrics are the standard authentication method. The payments industry needs to look at and evaluate all forms of biometrics to help determine which ones provide the most security with the least risk, while meeting the ever-changing needs of both merchants and consumers. But make no mistake, biometrics are here to stay.