Biometric Payments Online

By Tom Goldsmith, CardNotPresent.com

Two-factor authentication has been the holy grail of online payment acceptance and processing since the appearance of the first e-commerce Web sites – and like the mythical grail, a workable system has been nearly impossible to find despite many false trails.

The two-factor concept is based on the fundamentals of authentication. A customer can verify his or her identity three ways: using something the customer knows (a password or PIN), something she has (a card or some other physical token), or something he is (a physical characteristic, such as a fingerprint). Combining two of these factors for authentication vastly improves the accuracy and security of the process.

There is a downside, of course. Using two-factor authentication is slower and less convenient for customers and, especially in a card-not-present environment, can discourage customer spending.

For nearly a decade, researchers and technologists have focused attention on biometrics (something the user is) as the essential second factor for authenticating identities. After all, biometric characteristics are something the user always has easy access to, are difficult or impossible to counterfeit, and are unique to the user. In some face-to-face transactions, we use a crude form of biometrics when we produce photo IDs to establish our identity. In highly secure facilities, fingerprints, palm prints, eye scans, voice recognition and similar biometrics have been employed for years.

Where online payment transactions are concerned, none of those techniques have been feasible to date, but the situation may be about to change, thanks to the widespread adoption of mobile devices along with the advent of EMV smart cards and the mandate by card networks to have EMV implemented in the next couple of years.

Smart cards are important because unlike mag stripe cards, they can store encrypted biometric information along with other data. Smart phones equipped with cameras can do the same thing, along with providing a handy device for measuring biometrics.

Fingerprint Transactions

If anyone needed a proof of concept for fingerprint authentication using a smart phone, Apple provided it with the iPhone 5s, which now can be locked and unlocked by touching a fingertip to the device screen. What’s more, the fingerprint reading function can authenticate customers on the iTunes ecommerce site. Certainly it was easier for Apple to accomplish the feat with its integration and control over phones and the iTunes site, but at least for mobile shopping, most large retailers likely could pull that off.

Taking a different approach, companies like Florida-based SmartMetric Inc. are exploring and implementing ways for consumers to activate their smart credit and debit cards with fingerprint recognition, including a one-card NFC-powered digital wallet (which holds data for two or more payment cards) activated by fingerprint recognition. “This will enable institutions to offer a safer NFC solution than that which is currently available since the NFC Biometric Card will only be turned on when a transaction is underway,” according to Chaya Hendrick, SmartMetric President and CEO. Smart phones, on the other hand, typically have NFC enabled continuously.

For ecommerce conducted from desktop or laptop devices, the situation is murkier, especially since it is far from clear how ecommerce sites and card issuers will take advantage of the switch to EMV in card-not-present environments. Phillipe Benitez, VP Business Development, Payment Solutions at Gemalto, a global digital security firm, says CNP solutions around EMV-based cards will focus on technologies like one-time passwords, on-card displays and perhaps personal card readers. If he’s correct, then implementing fingerprint authentication as part of the transaction stream should not be difficult. And best of all, in many cases online merchants will have to make few, if any, modifications to shopping carts.

Pay By Face

Closer to the edge of what’s possible lies facial recognition technology as a means of authentication. Given the ubiquity of digital cameras, whether on laptops and desktops or mobile devices, facial recognition would seem to be a natural fit for ecommerce payment authentication.

In practice, however, using facial structures identified through cameras is daunting to implement. To understand why, look at Finnish start-up Uniqul, which, according to its press releases, promises “payment transactions in less than five seconds.” The company requires specialized cameras to be installed (no web cams), charges users a fee to sign up for the service, and stores reference biometric data on users’ faces in a central database that’s checked against the pictures from in-store cameras. The system is complex and likely to raise privacy concerns even as it improves transaction security.

For now, facial recognition is likely to get the kinks worked out through its use at ATMs, which have enough unique security concerns (remote unattended locations, 24/7 availability requirements) to warrant expensive development investments. U.S. ATM maker Diebold is experimenting with that now.

“It will be a while before you can sit down at your laptop and conduct a transaction with facial recognition for authentication,” says technology and security consultant Ron Damien of RD&A Consulting in Falls Church, VA. “The technology is proven, but I’m not sure consumers are ready to have their faces stored in a massive remote database. Smart cards which can store that data might speed up adoption by brick and mortar locations, but it will take much longer for online commerce.”

Consumers Appear Willing

They may not go straight for facial recognition, but consumer acceptance of some form of biometric authentication is growing. In a recent white paper, Nicole Reyes, a fraud-prevention expert for The Members Group, based in Des Moines, Iowa, notes that 51 percent of consumers in a recent survey expressed concerns about having their fingerprints stored in a remote database, but that also means that 49 percent are ready for biometrics, a percentage that might well rise if, for example, the fingerprint data is stored only on their payment cards.

Nearly everyone we talked to for this story raised the recent Target data breach, noting that with a combination of EMV and biometrics – or even biometrics alone – the data collected by the Target hackers would be pretty useless.

Given that a recent study by Javelin Strategy and Research found 12.6 million victims of identity fraud in the United States in 2012, it seems likely that more and more consumers will be willing to risk their privacy concerns for some additional payment security.