Biometrics and Authentication – Layering in; Passwords out


Ron Mazursky

Founder and Board Member of NYPAY


Change is Upon Us

How many passwords do you have? I’ve counted mine, but it’s way too many. A couple of them I use frequently, and then in some situations I have had to create new passwords – and even change some of them every six months. Passwords have been the ultimate identifier for bank accounts, files to be protected on computers and the internet, and to open applications accessed through mobile devices. I like to quantify things, so I looked for any studies online and depending upon the study and the actual metric, the typical U.S. consumer counts over 17 passwords at a minimum, and usually 3 standard passwords that he typical uses.

Bottom-line – PASSWORDS ARE NOT SO SECURE and awful to remember or manage!

Clearly, the time has come for alternatives to the standard password, but until recently the attempts have generally met with certain barriers. At a minimum, a replacement for passwords needs to be secure, dependable (low error rate), and consumer-friendly (low consumer-use friction). Biometrics, or measures relating to personal behaviors or biological attributes of the individual, have become more readily available with today’s smartphones. They provide an easy and more dependable identifier for the individual.

The iPhone, and Apple Pay in particular, introduced us to the next generation of payment security with the use of iTouch, a fingerprint ID that provides part of the security protocol in mobile payments. Apple Pay has made it permissible to use a biometric function to authenticate the owner of the iPhone and the underlying payment accounts. We have seen the use of fingerprint security on the most recent Android phones as well.

What do we mean by biometrics – and why use it?

Biometric authentication can be seen in several forms being tested and in use today. Fingerprint ID is being used as a standard authentication tool. Consumers are using and trust iTouch, and it has worked well with Apple Pay. An offshoot of fingerprint ID is palm print ID, where a scanner can read the veins in one’s palms – and the error rate is low.

Facial recognition, using a “selfie” as an authentication tool, is increasingly being used with mobile phones by such companies as Jumio and Mitech. Alipay is using “smile-to-pay” as an authentication tool for mobile payments with a planned worldwide rollout in 2017. MasterCard and First Tech Federal Credit Union are using “selfies” to improve ecommerce security.

Voice ID is being used by more and more financial institutions, and consumers have come to accept it as a natural extension of speaking normally on their cell phones. USAA is using this successfully in their call centers and report it has been working well for them. USAA is a leader in this space, being the first major financial institution to use voice and facial recognition in a full-scale rollout.

Eye scanning (iris, retina and blood vessels scanning) has been tested and used, but there is less likelihood that consumers will accept scanningof their eyes on a broad scale basis. That being said, NCR’s Digital Insight business is working with EyeVerifyto integrate EyePrint ID into mobile banking apps. This technology examines blood vessels in the user’s eye based on a “selfie.”

Heartbeats and other body metrics are now being used as a unique identifier and heartbeat is being tested with MasterCard, TD Bank and NYMI in Canada. These biometrics don’t need to be memorized, don’t need to be adjusted every six months, and are integrated with other security measures to enable ease of authentication of the user.

Why use biometrics for authentication? Smartphone proliferation (almost 70% of consumers own a smartphone in the U.S.), combined with device attributes including fingerprint, camera, and voice capability, have made them a dependable and convenient mechanism to authenticate the device user. The fact that these functions are easily accessed and have low rates of error in authenticating an individual, have made smartphones a frictionless tool in the payments process.

Weaknesses of Biometric Authentication

Let’s be frank. Some people are uncomfortable with using their biometric signature as an authentication tool. Some don’t like to take “selfies,” and some don’t like to be fingerprinted.

Biometrics will not work in every situation. Voice recognition can fail if used in a loud room. Fingerprinting can fail if one’s fingers are dirty. Facial recognition can fail if the “selfie” is taken in a low light situation.

Biometrics can identify that I am the person that registered for the smartphone, but not that I am the person authorized to use the payment card or device. More of the burden to authenticate the individual falls on the financial institution to prevent identity fraud.

Ultimately, a multi-layered approach to authentication is necessary to bolster the weaknesses in biometric authentication. First, the financial institution needs to be able to confirm the identity of the cardholder and that the authorized cardholder has allowed the use of the payment card on the mobile device. All future uses of the mobile device can then be authenticated for that individual using a combination of biometrics, dynamic knowledge-based authentication and device ID.

Key Take-away

Biometrics will be replacing passwords – take that back – is beginning to replace passwords as the authentication tool of choice. But biometrics aren’t enough to stop fraud. A multi-layered approach is the preferred method of authentication – one that uses smartphone device ID, combined with biometrics (not one, but a couple that allows for different consumer needs and situations).

Recent Posts

Leave a Comment

Start typing and press Enter to search

Payment Blog (2)Payment Blog (4)