Biometrically authenticated payments in 2017
The number of mobile payments made using biometric authentication, i.e. where a customer identifies him/herself based on physical, morphological or behavioural characteristics, was set to increase from 600 million in 2016 to 2 billion during 2017, according to a forecast made last May by UK-based digital commerce and FinTech sector analysis firm Juniper Research. Juniper is now predicting that by 2021 biometric data will be used to authenticate over 18 billion transactions, i.e. a compound annual growth rate (CAGR) of 83.7% versus 2016. If these figures are to be believed, then there is little doubt that biometrics are about to enter mainstream use. In the not-too-distant future, most people will be using inter alia face, voice, retina, heartbeat, fingerprint, palm of the hand and finger vein network recognition technology to prove their identity for the purpose of making a payment. The idea is hardly new. Pilot tests have been running for a number of years in many countries and L’Atelier reported on these technologies back in 2012, at a time when biometrics were starting to be used.
In some areas of the world, payments via electronic wallets and P2P money transfer sometimes use fingerprint or voice recognition identification. Examples here are Facebook Messenger and ApplePay in the United States. This approach to authorising payments is however still in limited use, at bricks and mortar stores for instance, but not for online shopping or cash withdrawals from an ATM. However, the recent initiatives by Mastercard and Visa could really change things, with biometric technology gradually coming into use on smartphones. So why and how is biometrics-based authentication likely to expand to more general use? And what are the obstacles standing in the way of widespread adoption?
Fingerprints: the most efficient biometric identification
“Biometric authentication used to be costly and was used only in the military field, but it’s now becoming far more widespread because of smartphones,” points out Matthieu Soulé, Deputy CEO at L'Atelier BNP Paribas San Francisco, explaining: “A few years ago the technology was not always reliable and often very costly. So companies had to balance user-friendliness, solution security and rollout cost. Today, the miniaturisation of chips and sensors is making the process much easier.”
Source: Gemalto White Paper - Biometrics for Financial Institutions and the new Gemalto Biometric Sensor Payment card.
The Fingopay solution developed by UK-based biometric identification and authentication specialist Sthaler, which has been piloting at a supermarket at Brunel University in London for the last few months, seems to be the easiest to get up and running. Fingopay uses a small scanner to scan the finger vein pattern of a user’s thumb, which has already been linked to his/her bank card. The solution was originally designed to facilitate payments at music festivals, but this type of identification could be used on a much wider scale. Illinois-based startup Keyo is taking a similar approach, using the veins of your palm as a means of proving one’s identity so as to make immediate payments. This method is thought to be more reliable than using fingerprints, as veins do not change their pattern, do not fade and cannot be copied and moreover this approach detects blood flow, thus ensuring that the person concerned is alive. This ought to dissuade criminals tempted to cut off a user’s finger, as criminal organisations such as Japan’s Yakuza gangsters often do.
Despite the fact that there are many logical reasons for using vein recognition, this is currently not the most popular approach. “The most frequently used method is fingerprints, as we see with smartphones,” Soulé points out. In some countries, including Poland, Turkey and Japan, fingerprint technology is already in widespread use for securing payments. “However, different situations call for different biometric technologies. For instance, voice recognition, using a smart speaker, makes good sense in your car or at home”, stresses Soulé. Making payments at a filling station, when picking up a takeaway meal or paying for a parking space, could also be done this way in a seamless manner, so that the customer would not even have to get out from behind the steering wheel.
Meanwhile in China, Alipay has developed facial recognition technology for authenticating payments at fast-food restaurants. Once users have registered with the ‘smile to pay’ service, they no longer even need to carry their smartphones. All they have to do is select the meal they want and then smile at the point of sale terminal in order to pay. In September 2016 Alibaba, via Ant Financial, took over US security company EyeVerify, thus acquiring a cutting-edge technology that recognises the blood vessels in the eye which is already being used by US banks. Says Matthieu Soulé: “This demonstrates a clear intention on the part of the major players in the payment world to spread access to biometric solutions.” And no wonder, when we see just how convenient and easy these methods can be for the consumer. These solutions have also arrived on Apple computers with ‘Touch ID’, the company’s fingerprint reading service.
And it also seems likely that such ease of use – no longer having to go hunting for your bank card in the depths of your wallet in order to pay online – is likely to encourage people to spend more. Mastercard predicts that instances where online shoppers simply abandon their baskets on e-commerce sites could fall by 70% once merchants are able to offer ID verification based on biometric technology. Use of these technologies on a wide scale looks certain to benefit e-commerce, but what about traditional bricks-and-mortar stores?
Biometric payment cards: progress or anachronism?
Biometric payment cards are now available for payments at bricks-and-mortar stores. The key advantage here is that you no longer have to remember your PIN code, as the card has an integrated fingerprint reader designed to streamline and speed up the payment or withdrawal from an ATM. Basically this is a more secure form of contactless payment. For several weeks now, the Bank of Cyprus has been piloting a fingerprint-activated payment card developed by biometric tech specialist Zwipe and leading computer security firm Gemalto. For the first time, claims their press release, the interface has no battery. “In the past, this type of card used to have a mini-battery which ran down very fast, resulting in extra costs for the bank. This meant that this sort of solution could not be rolled out on a massive scale,” Matthieu Soulé points out, explaining: “In theory, a biometric card is more secure, but the general trend nowadays is towards mobile payments.” It looks as if in future we’ll mostly be making payments via smartphone, using a virtual wallet or using electronic messaging for peer-to-peer transactions, provided that the transaction limits are the same as for a bank card.
Will Mastercard and Visa initiatives start a domino effect?
The Visa and Mastercard payment networks have been pushing the biometric approach for some time now, and the trend really began to accelerate last year. In 2016, Visa announced it was working with BioConnect to enable multiple biometric authentication methods on mobile apps. The basic idea is to provide several alternative solutions to the password method. For instance, if a user has just got out of a swimming pool, s/he might go for voice recognition rather than trying to use fingerprint ID with damp hands. A few months ago Visa launched ID Intelligence, a whole ecosystem designed to enable banks and merchants to provide their customers with more convenient and secure means of authenticating payments – voice, face or fingerprint recognition – and accessing banking services. This initiative followed the launch of an app-based identification service based on a selfie, along the lines of Alipay, in collaboration with Brazil-based Banco Neon. This solution was made possible by Visa’s acquisition just over a year ago of CardinalCommerce, a pioneer in the field of digital authentication – yet another clear indication of the card payment giant’s desire to perfect its biometric payment service. Meanwhile Mastercard also recently announced that by April 2019 all its customers would be able to identify themselves using biometrics. Mastercard is betting on the fact that the percentage of e-commerce transactions requiring biometric authentication today – around 25% – will double or even triple when the Regulatory Technical Standard (RTS) associated with Payment Services Directive 2 (PSD2) comes into force. Mastercard currently has its biometrics-based Mastercard Identity Check service up and running in 37 countries and the number of initiatives in this field is growing as the technology becomes even more accurate. But how can we know that these payment identification methods are really secure? 
In fact most experts recommend that several identification methods should be used alongside each other.
Pro-biometrics movement surging ahead
Combining different methods: the key to secure payments
Using physical characteristics would seem to be a pretty sure way of identifying oneself. After all, how could a hacker get hold of your fingerprint, the vein pattern of your hand or the pupil of your eye? Nevertheless, leaving aside the possibility of some dreadful crime, it has been proved that a fingerprint can in fact be copied, as demonstrated in detective fiction; and it is not entirely unimaginable that a mask resembling every tiny feature of a person’s face could be produced in order to deceive face recognition machines, as we have seen in spy movies.
So basically these biometric factors are in fact more public – or at least more visible – than the good old password. This is why it is generally a good idea to combine a number of different ID factors, chosen carefully. “When it comes to computer security, there are three factors of authentication: something you know – i.e. your password; something you own; and who you are. Biometrics is this third factor. Combining two factors undoubtedly increases security. There is, for example, less chance that someone might steal your phone or computer plus your fingerprint or other biometric factor,” underlines the L'Atelier BNP Paribas San Francisco Deputy CEO. He further explains that in addition this will help to remedy any technical faults that may arise:
"If a child’s facial features change fast or if an older person’s face becomes difficult to analyse, if the light is not optimal, or a fingerprint has faded due to intense manual work or over time, it is useful to have another means of authentication.”
With these procedures, the main danger lies in the fact that biometric data is permanent and almost impossible to alter. So if, for example, a file of biometric data is hacked and an interloper uses a copy of a registered fingerprint to make purchases, the person who has been defrauded will not be able to simply change his/her fingerprint as you would with a password. Biometric data is intrinsically personal data.
Can biometrics guarantee data privacy?
Cultural issues and regulatory obstacles
“Data privacy is at the heart of the issue,” says Matthieu Soulé. He has however noticed a distinct change in mindset when it comes to sharing biometric information. “It’s a matter of what’s acceptable from a social point of view. Are people ready to authorise a third party to have access to this data? In the past many people might have been wary of doing so, but today everyone does it because it’s convenient.” There are also cultural factors. In France, prior authorisation from the National Commission on Informatics and Liberty (CNIL) is required to set up biometric payment systems, whereas in other countries the use of biometrics is now more common. One example is India, where the Aadhaar digital ID programme introduced by the current government features three types of biometric data: fingerprints, iris and face recognition. Everyone has their own unique identification number associated with these factors, which enables them to access such facilities as banking and health services.
Meanwhile surveys show that 93% of all Mastercard users would choose biometrics over passwords for authenticating their payments. A clear majority of European and US citizens are now ready to adopt biometric payments. According to a survey commissioned by Visa in September 2017, 86% of respondents in the United States are keen on making payments this way and 70% say they find biometric authentication easier. In Europe, 68% of those polled said they would prefer to use biometrics rather than passwords for authenticating payments, both online and at traditional stores. In short, all the lights now appear to be at green for more widespread use of biometrics in payment systems.