Biometric authentication development is gaining speed with the upcoming launch of MasterCard’s Selfie Pay. This facial recognition software is one of the many technologies designed to replace the traditional PIN code by using a person’s natural characteristics.
Biometric methods are promoted for their ease of use and the security that accompanies it. But is this trend in authentication truly as rosy as solution providers’ promises would lead us to believe?
Biometric Authentication Will Become More Commonplace, but Not Without Its Pitfalls
Biometric recognition is hardly a novel innovation. That said, it took until the introduction of mobile payments for the technology to gain traction in retail payments.
However, the identification method is not without fault. There are various circumstances in which, for example, fingerprint scanning might prove difficult (such as very cold or humid weather). In the end, the customer still needs to punch in the familiar PIN code in order to finish the payment, invalidating the various security benefits the technology might carry.
In addition, many myths are attributed to biometric identifiers. Urban legends such as “There are no two fingerprints that are alike” give the technology a false image of security. The problem is emphasized by the fact that cheap fingerprint scanners are quite easy to deceive.
A Secondary Security Layer as an Answer to the Risks in Biometric Methods
An additional risk to authentication is posed by the fact that, unlike a regular password, biometric identifiers such as fingerprints can’t be changed after an identity theft. As such, the only option left is to completely forbid a specific identification method. This, however, also excludes the finger’s owner.
Another problem that has received inadequate attention is the secondary information contained in biometric identifiers. For example, iris scanning reveals information about a person’s health, which needs to be contained.
To secure biometric information, there should always be a secondary layer in the authentication process. Biological identifiers should never be given to the authenticator as is. Instead, biometric information should be entered into a separate device (such as a customer’s phone), which can accept the data and forward a code derived from the identifier.
This way, it is enough to compare the snippet of code to the authenticator’s database to identify the customer, leaving the biometric information secure. In this case, even if the customer’s phone and fingerprint were stolen, the identifier can be restored to a new phone without fear, just by adjusting the snippet of code required by the authentication system.
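The flow described above, sketched as an added example (not the author’s or any vendor’s code): the phone matches the scan locally and releases only a salted code, and the authenticator stores just that code. The names Phone, Authenticator and close_enough, the tolerance, and the feature vectors are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

def close_enough(template, sample, tolerance):
    """On-device match: mean absolute difference between feature vectors."""
    if not template or len(template) != len(sample):
        return False
    diff = sum(abs(a - b) for a, b in zip(template, sample)) / len(template)
    return diff <= tolerance

class Phone:
    """Holds the template and a random salt; neither ever leaves the device."""
    def __init__(self, template):
        self._template = list(template)        # values 0..255 in this sketch
        self._salt = secrets.token_bytes(32)   # fresh for every enrollment

    def enrollment_code(self):
        # Code derived from the identifier, bound to this device's salt.
        return hmac.new(self._salt, bytes(self._template), hashlib.sha256).hexdigest()

    def authenticate(self, sample, tolerance=3.0):
        # Release the code only after a successful local match.
        if not close_enough(self._template, sample, tolerance):
            return None
        return self.enrollment_code()

class Authenticator:
    """Stores one derived code per customer, never the biometric itself."""
    def __init__(self):
        self._codes = {}

    def enroll(self, customer, code):
        self._codes[customer] = code           # replaces (revokes) any earlier code

    def verify(self, customer, code):
        stored = self._codes.get(customer)
        return bool(code and stored and hmac.compare_digest(stored, code))

def demo():
    finger = [12, 40, 77, 31, 95, 8, 63, 50]       # constructed template
    fresh_scan = [13, 39, 77, 33, 94, 8, 62, 51]   # same finger, sensor noise
    other = [70, 5, 20, 88, 14, 60, 2, 91]         # a different finger
    bank, phone = Authenticator(), Phone(finger)
    bank.enroll("alice", phone.enrollment_code())
    owner_ok = bank.verify("alice", phone.authenticate(fresh_scan))
    stranger_ok = bank.verify("alice", phone.authenticate(other))
    old_code = phone.enrollment_code()             # code tied to the lost phone
    new_phone = Phone(finger)                      # same finger, new salt
    bank.enroll("alice", new_phone.enrollment_code())
    return (owner_ok, stranger_ok, bank.verify("alice", old_code),
            bank.verify("alice", new_phone.authenticate(fresh_scan)))
```

Because the stored value is static, a deployment would also need to protect it in transit, for example by using it to key a per-transaction challenge response rather than sending it as is.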
Could Selfie Become an Alternative to the Good Old PIN Code?
Mobile payments are also paving the way for technologies that take advantage of facial recognition.
Fingerprints and selfies are in principle quite similar identification methods, with both comparing points derived from an image, either of facial features or of a finger’s creases.
However, selfie authentication also carries some problems, mostly related to camera functionality or lighting. Usability and the much-lauded simplicity suffer when a customer has to seek the perfect angle and ambience for the shot in a crowded supermarket or a dim restaurant.
There are other biometric options, but one is bound to run into a situation where the chosen identification method ends up being a suboptimal choice. From time to time, biometric authentication might end up making payments more difficult, instead of simplifying them.
One might ask: why does the development continue, then? Why are large credit card companies intensively building biometric technology if the authentication ends up failing from time to time?
A Good Compromise Between Security and Usability
Despite its occasional hiccups, biometric authentication provides a fine compromise between data security and usability. Payment development is a constant struggle between these two factors. ‘Easy’ and ‘safe’ rarely go hand in hand, which makes finding good compromises very important.
Facial recognition offers a good practical example of the relationship between security and usability:
When identifying a person’s facial features, the user determines tolerances that define how strict the application is when authenticating. With more lenient tolerances, identification becomes possible even in difficult conditions, but breaking into the device becomes easier. With stricter requirements, problems stem from the difficulties in authentication and slower payments.
This distills the dilemma of payment security: Easy is rarely safe, and safe is seldom easy.
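The tolerance trade-off can be made concrete by counting both kinds of error at each setting. The following is an added example, not code from Selfie Pay or Daon; the similarity scores and thresholds are constructed for illustration, not measured data.

```python
# Constructed similarity scores (0 = no match, 1 = identical); not measured data.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.73, 0.66, 0.58, 0.52]   # owner; last ones in dim light
IMPOSTOR = [0.12, 0.21, 0.27, 0.33, 0.41, 0.47, 0.55, 0.61]  # other people
THRESHOLDS = [0.50, 0.55, 0.60, 0.65, 0.70]                  # lenient -> strict

def error_rates(genuine, impostor, threshold):
    """Return (false accept rate, false reject rate) at one threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def loosest_threshold(genuine, impostor, max_far, thresholds=THRESHOLDS):
    """Most lenient threshold whose false accept rate stays within max_far."""
    for t in sorted(thresholds):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None  # no candidate threshold is strict enough

if __name__ == "__main__":
    for t in THRESHOLDS:
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: false accepts {far:.1%}, false rejects {frr:.1%}")
    print("zero false accepts needs:", loosest_threshold(GENUINE, IMPOSTOR, 0.0))
```

On this sample, the most lenient setting never rejects the owner but accepts a quarter of the impostor attempts, while the setting that accepts no impostors turns the owner away in a quarter of attempts.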
The Use of Alternative Identification Methods Will Increase
Apart from fingerprint scanning, biometric identification methods are being launched at a leisurely pace. That said, it will be interesting to see how MasterCard’s Selfie Pay is received in the consumer segment. Daon’s technology, which powers the application, will give a good outlook into the potential of facial recognition in authenticating payments.
We expect that the use of alternative identification methods is likely to increase in the coming years. But even though they might improve the ease of payments, the achieved security benefits will remain limited as long as the PIN code remains as a backup system.
The privacy of biometric identification is going to improve with the upcoming European regulation on personal data protection, once its implementation deadline of 25.5.2018 is met. This regulation imposes strict rules on the handling of biometric information, making biometric authentication a more attractive choice, at least from a security standpoint.
About the Authors:
Seitatech's CEO. Extensive experience in developing payment solutions for the banking and retail sectors gives Sakari a keen eye for the upcoming trends in digital payments.