Last week Visa and MasterCard announced the upcoming release of version 2.0 of the 3D Secure protocol, in which static passwords will be replaced by token-based and biometric authentication. This closely follows MasterCard’s statement last month that it has successfully trialled a new app which uses voice and facial recognition for payment authentication. So it seems biometric authentication is the hot topic in payment security at the moment and has been spurred on by Apple’s decision to use its ‘Touch ID’ fingerprint sensor system for Apple Pay authentication. In the past, biometric identification has always fallen down on poor accuracy rates and user experience. This raises the question of whether either Apple or MasterCard will be able to overcome past obstacles and meet expectations in terms of user experience and reliability.
Biometric Identification – The Rising Star of Payment Security
Biometric identification technology has been around for some time now and a number of options exist. These include fingerprint scanning as well as heartbeat, voice, vein and facial recognition technology. Most of us own or are familiar with an ePassport containing biometric information for the purpose of traveller identity authentication but, until recently, biometric identification technology has rarely been applied elsewhere.
Lately hype has been growing around biometrics as the next big thing in smartphone security and in particular, payment authentication. This trend has been driven by players such as Apple and Samsung incorporating fingerprint sensors into their latest smartphone models, notably iPhone 5/6 and Samsung S5. Apple Pay is the first NFC payment system to exploit fingerprint identification for payment authentication. MasterCard has gone a step further, announcing that it has completed an internal pilot scheme of facial and voice recognition as a means of payment authentication in its app.
Why Is Biometric Payment Authentication Different?
Unlike contactless cards and other forms of NFC payment, biometric payment authentication claims to provide a level of security similar to Chip and PIN while also offering an improved consumer experience. Whereas existing NFC payment solutions have largely failed to take off thanks to a lack of contactless payment infrastructure and a clunky user experience, theoretically biometric authentication could offer consumers a better experience, without compromising on payment security.
What is consumer opinion around the use of biometric security measures?
Research has shown that the majority of consumers are strongly in favour of the introduction of biometric ID as a substitute for passwords or PINs. One survey by Intelligent Environments found that 79% of Brits are in favour of biometric security measures. The survey found a clear preference for fingerprint scanning over other forms of biometric ID – it achieved a 53% approval rate compared with 30% and 27% for facial and voice recognition respectively.
Barclays has already introduced voice recognition authentication technology in its private banking division and has plans to introduce vein scanning for its corporate accounts in 2015. It may expand the service to other areas of its business if the corporate scheme proves successful.
Nevertheless, research suggests people still have strong reservations about institutions having access to sensitive biometric data. A study by Javelin Research revealed that less than half of consumers said they would trust a business or institution with this kind of information. In reality, it is unlikely that Apple or MasterCard will have access to the biometric data used for authentication, as it will probably be saved locally on the secure element within the smart device. Only a ‘token’ containing the encrypted card payment details (rather than the fingerprint data) will be transmitted to authenticate the payment (for an overview of tokenisation see our recent post on Apple Pay). Extensive user education will be necessary to reassure people about this, as well as the safety of their biometric data if their phone is lost or stolen.
Will biometric authentication mean more secure transactions?
As biometric authentication would be used at the point of sale to validate the payment, much in the same way PINs are used today, it does not protect directly against all consumer concerns such as ID theft. There is, however, a subtler argument that the features that go with advanced payment wallets, such as the storage of delivery address details and tokenisation of payment details, reduce the need for consumers to register their details with e-commerce sites. This could reduce the threat of data breaches where criminals are targeting organisations to steal personal profile details, such as the Target breach in the US.
Overall, however, security is not the key driver behind the roll-out of biometric authentication. Instead it is really about finding a new standard method of authentication for electronic transactions that are above the contactless limit. With card payments, this is currently done by means of a PIN or 3D Secure online. With a growing number of transactions being made online, on mobiles in particular, a new authentication standard is required. Biometric authentication potentially ticks all the boxes by providing a better user experience and, ideally, greater security for online transactions.
MasterCard vs Apple Pay – Can They Buck the Biometrics Trend?
So which of MasterPass and Apple Pay has the best chance of delivering a customer experience of sufficient quality for users to embrace?
In the case of MasterPass, it does not sound promising. According to the MasterCard press release, each transaction takes under 10 seconds to verify using its new biometrics system. This may sound like an instant but will feel like an eternity to shoppers who are used to typing their PIN in a couple of seconds and are making possibly dozens of transactions each day. The press release from MasterCard claims that product trials have been successful, achieving a 98% identification accuracy rate. In practice, the 2% failure rate may prove too high for consumers and possibly for effective fraud prevention.
Apple Pay gets much closer to creating a seamless transaction, especially compared with existing NFC mobile wallets and payment apps. In the past, commentators have complained about the inconvenience of having to wait for the app on their phone to power up and locate the store to make a purchase. This problem should be overcome with Apple Pay, which simply requires the user to hold their finger on the sensor and wait for a vibration to signal payment acceptance.
Personal Data Security – where Apple has the edge?
Another reason Apple may have the edge over the MasterCard scheme is the preference of users for certain types of biometric authentication. Historically, interactive voice response (IVR) systems have been infamous for poor usability, with multiple attempts at authentication often being required, leading to intense customer frustration. Unless the voice recognition technology used for the MasterCard system is a significant improvement on existing systems, their new app is unlikely to win any customer experience awards.
Users may also feel intuitively much more comfortable using fingerprints for identification on their phones rather than making a display of taking a selfie or talking to their phones. The combination of a seamless user experience, an increased sense of security and the kudos attached to the Apple brand may create sufficient positive PR for users of Touch ID to reach a critical mass. This is important because, although the push for biometric authentication is very much industry-led, successful implementation will need widespread consumer buy-in.