Wednesday, 23 December 2015

Biometrics: the Future of Mobile Payments?

Billions of people are now using smartphones, even in the most remote areas of the planet. Global adoption of these new mobile technologies opens up the discussion for more advanced methods of identification, authentication, and verification, especially when it comes to protecting against fraud, identity theft and financial crime. One of these promising new technologies, available to end users as a result of the acceptance of mobile devices such as mobile phones, tablets, and laptops, is biometrics.
Biometrics look promising when it comes to simplifying the processing, authentication, and confirmation of transactions in general, but more importantly when it comes to payments. Technological advances, along with pattern recognition and multi-factor biometrics, are expected to tackle cybercrime by making it very expensive and time-consuming for cybercriminals to attempt to target these systems. 


Cybercriminals are opportunists and will always go after the low-hanging fruit. Another consideration is that security experts are already working hard to enable use of these technologies not only in an efficient, but also in a secure manner too.  Indeed, biometric authentication may well be the method by which Payment Service Providers and other impacted financial entities fulfil the requirement for strong customer authentication, which is included in the European Banking Authority‘s Guidelines for the security of internet payments and in the recently approved EU Payment Services Directive (PSD2).  Strong customer authentication requires two-factor authentication; a biometric could provide the second authentication factor, in addition to the typical knowledge factor: the customer’s password.

The future?
However, answering the question of whether biometrics are the future of payments, is a bit more complicated than one may suspect. The quick answer is yes, biometrics are proliferating at the moment, and major technological advances have been achieved in the past few years in that sector.  Currently biometrics are a form of authentication, a significant step away from the era of memorising passwords. There are a number of biometric technologies available such as hand scans, face recognition, etc. but the most commonly used is fingerprints. For example using your fingerprint with ApplePay in order to perform and approve a transaction. However, in real life these technologies are not perfect and do fail under certain circumstances, for example a burnt finger cannot be scanned; multi-factor biometric authentication can tackle those flaws, for example, triggering the request for a ‘selfie’ (face recognition) if the fingerprint scan fails.  To that extent, the use of biometric identification technologies is expected to further reduce fraud and hopefully financial cybercrime.

Before putting forward a more in-depth response to the question regarding biometrics being the answer to, and the future of payments, we actually need to take a step back and discuss if this is the right question to ask. More specifically, biometrics may only be the future of payments if an identification process based on a biometric authentication factor inherent in, and therefore indisputably tied to the individual, will reduce fraud.

No silver bullet!
Only a couple of months ago, a US government hack allowed 5.6 million fingerprints of federal employees to be stolen.  Fingerprint’s are an inherent authenticating factor and can’t be changed, unlike a password or a token; reliance on a single biometric as an authenticating factor could be more of a risk than a factor that can be changed or replaced if it is compromised.  There is no silver bullet in security, and these biometric authentication systems will need to be protected against threats and cyber-attacks, as they will clearly start becoming the next targets. That said, biometric authentication is clearly the way forward as it proves to be a boost to the current level of security, providing a greater level of assurance in the claimed identity of the individual, compared to the process of selecting, remembering and protecting different passwords and PINs. Use of biometrics may enable the payment process to become more efficient and enhance the customer experience while allowing legitimate payments and transactions to become trivial to verify.

In the era of Internet of Things (IoT) trusting your wearable device to order a new pair of shoes when it detects your soles are losing friction without the need to authorise the transaction each time will be a reality at some point, and I really hope during my lifetime!

-- This is a blog post I created for Sysnet and I am reposting it here for historical purposes. This was originally posted here.

1 comment: