However, nothing is 100% effective. Biometrics is just one layer, but combined with other layers of authentication it has the potential to seriously up the game. Any time you make it more difficult for an online fraudster to bypass a certain authentication, you make it more difficult for them to succeed. They take the path of least resistance and will move on to easier targets.
Passwords are vulnerable to compromise, even when they are sufficiently complicated, and really should be changed often. The fact of the matter is that most people do not have strong enough passwords and don’t bother to change them often enough. Even so, no matter how obscure a password is, it is still vulnerable and will still be inferior to a biometric marker such as an iris, heartbeat or fingerprint.
Biometric authentication cannot truly be faked (yet). It requires the actual presence and consent of the user. As we said, nothing is 100% effective by itself. Sure, you could get kidnapped, forced to open your phone with your face, give up your password and give access to the bank account information and credit card stored in your eWallet. But frankly, we are talking here about the majority of consumers making their everyday purchases either online or in store, and the prevalence of cybercrime and online fraud. That is the situation where the hacker is attempting to intercept a transaction and steal personal payment information, or has already stolen the payment data and is attempting to make a purchase and get past whatever authentication is being requested. They cannot get around not having your face or your phone in their possession.
The more we employ various types of biometrics to support our security measures, the more seamless security is.
We don’t have to DO anything, remember anything, we just have to BE.
Biometric companies now have the ability to use multiple forms of recognition, such as voice, facial and fingerprint recognition to name a few, to verify a phone’s owner. They can even pick up on GPS location signals.
This allows a company to tailor the number of security measures used to how risky the transaction is. For example, a GPS location can indicate that you are indeed in your residence while shopping online, or at a coffee shop you commonly visit. But if you were across the country spending a large amount of money, the company might employ additional types of authentication to verify that it truly is you standing there purchasing a mini Eiffel Tower for $300. It sounds complicated, but these types of authentication can happen seamlessly and in seconds, without adding much friction to the purchasing process.
But consumers still need to be willing to give permission for access to the data because without the sharing of this data (GPS) it wouldn’t be as effective.
For now, one of the most obvious places for increased application of biometric authentication is eComm, or online retail sales, simply because it is by nature a person-and-card-not-present transaction and because it is where the majority of credit card and payments fraud occurs. Forward-thinking companies and developed countries are employing new ways to make payments more secure; however, eCommerce websites have only recently begun to implement biometric technology in an attempt to improve security and identity verification.
It’s time for retail businesses and anyone in the business of payments to look towards advancements in this type of technology to see how they can benefit and put it to use in their fraud reduction strategies. Forecasts predict that there will be 2.6 billion people using biometric payments by 2023, and 579 million biometric payment cards in use globally.
The two-factor authentication we employ here in the U.S. is one step behind the Strong Customer Authentication (SCA) directive that is nearing complete implementation in Europe. While two-factor authentication can still be hacked fairly easily, SCA brings the security of biometrics to eCommerce payments. For instance, a two-step authentication may involve the consumer entering their password and then also having to enter a token or code sent to them. While the customer may see this as an inconvenience, it is a way for the second authentication, the code, to prove they are who they say they are. It fills the “something only the customer has” requirement. They have the code because only they are actually in possession of the device that received the code. But this is not utilizing biometrics to secure the payment. A code can still be stolen.
When we add a biometric to one of the other methods, we are meeting the requirement for “something the customer is” (their fingerprint, eyeball, etc.) and we are making it much more difficult for the bad guys.
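An added example, not part of the original article: a minimal sketch of the risk-based step-up described earlier (GPS location plus purchase amount) combined with the factor categories just discussed (something the customer knows, has, or is). The thresholds, factor names, coordinates and the three risk levels are assumptions chosen for illustration.

```python
import math

# Assumed mapping of factors to the three categories discussed in the article.
CATEGORY = {"password": "knows", "sms_code": "has", "device": "has",
            "fingerprint": "is", "face": "is", "voice": "is"}
KNOWN_RADIUS_KM = 1.0   # assumption: within 1 km of a usual place is "familiar"
LARGE_AMOUNT = 250.00   # assumption: threshold for a "large" purchase

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(min(1.0, h)))

def risk_level(amount, location, usual_places):
    """0 = familiar place and small amount, 1 = one risk signal, 2 = both."""
    # No GPS consent (location is None) is treated as an unfamiliar place.
    familiar = location is not None and any(
        distance_km(location, p) <= KNOWN_RADIUS_KM for p in usual_places)
    return int(not familiar) + int(amount >= LARGE_AMOUNT)

def authorize(presented, amount, location, usual_places):
    """Return (approved, risk level) for the factors the customer presented."""
    have = {CATEGORY[f] for f in presented if f in CATEGORY}
    level = risk_level(amount, location, usual_places)
    ok = len(have) >= 2                 # always: two different categories
    if level >= 1:
        ok = ok and "is" in have        # step up: one must be a biometric
    if level == 2:
        ok = ok and len(have) == 3      # highest risk: all three categories
    return ok, level

# Constructed sample data: a home, a regular coffee shop, and a distant city.
HOME, COFFEE_SHOP = (40.7128, -74.0060), (40.7141, -74.0052)
FAR_AWAY = (34.0522, -118.2437)
USUAL = [HOME, COFFEE_SHOP]

if __name__ == "__main__":
    print(authorize({"password", "sms_code"}, 25.00, HOME, USUAL))       # at home, small
    print(authorize({"sms_code", "device"}, 25.00, HOME, USUAL))         # same category twice
    print(authorize({"password", "sms_code"}, 300.00, FAR_AWAY, USUAL))  # far away, large
    print(authorize({"password", "device", "face"}, 300.00, FAR_AWAY, USUAL))
```

Two factors from the same category (a texted code and the device itself) count once, which is why the second call is declined even at the lowest risk level.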
For the purpose of eCommerce or online shopping, most of us these days are doing this from the mobile devices (phones and tablets) that we use to access the websites we prefer to shop at. These eStores can implement platforms that are equipped to ask for a biometric, in lieu of a password, say, in order to access an account or authorize a payment. So, for instance, a consumer has not only used their fingerprint to unlock the phone they are shopping with, but is then asked again to apply their fingerprint to access the account or continue with payment. These types of modules are available for shopping carts and can easily be implemented. There are even modules for setting up face recognition, where the user would grant access to the camera on their laptop to allow for facial recognition software.
We are not having a microchip inserted into each one of us so that Big Brother can keep an eye on us; we are the chip.
But it’s not just in online sales that we are using the convenience of biometrics to facilitate a secure payment. Widespread adoption of biometric technology is already evident in the payments industry as well as many other applications.
In a way, mobile wallets have already put biometric technology to use for payments. The biometric that unlocked the mobile device in the first place, so the user could just “tap to pay”, adds to the level of security and to the biometrics being used in brick and mortar.
It is expected that by 2024 more than 122.8 million mobile devices will have adopted facial recognition technology, and at the forefront of this trend will be mobile payments and authentication.
Biometric credit cards are on the horizon, bringing an additional level of security to all payments. Built-in fingerprint readers on biometric EMV credit cards require that a user lay his/her finger on the card’s reader to verify their identity before use. This would effectively render a lost or stolen physical card unusable.
MasterCard rolled out Selfie Pay, which basically allows one to complete a payment with their fingerprint or facial recognition. Business schools in Sweden are using finger vein technology in their cafeterias to facilitate the purchase of lunches.
Aetna is scrapping password use altogether in favor of fingerprints and behavioral biometrics, such as keystrokes, how one moves the mouse, or voice recognition, in order for customers to gain access to their accounts.
Wells Fargo has also been using a combination of voice and facial recognition technology to allow its customers to access their accounts since 2015, while some banks have even talked about employing a Vein ID technology for authentication.
We are using devices every day that employ this technology almost without realizing it. Alexa and Siri are voice recognition technology in action, identifying who is speaking to them. (I say that like they are a “them”).
Along with widespread adoption, there will need to be greater implementation of standards of regulation and best practices around the sensitive data in order to ensure that it is kept safe. The success of biometrics relies heavily on adoption, which relies heavily on confidence.
While biometric technology has been in practice in many areas of business and security since its inception, its use in secure payments is only recently being realized.
Again, biometrics is not the be-all and end-all for security. Nothing alone is 100% effective, but when coupled with other forms of strong authentication it increases security 1000-fold. And it’s a good thing, because once Strong Customer Authentication (SCA) is fully put into practice later this year across the EU, we could see an uptick in our own cyber fraud numbers. Consumers may not be one hundred percent ready to give up their face, but it’s the way of the future whether people like it or not.