MasterCard rolled out an interesting initiative a few weeks back in South Africa. The company developed cards with an additional layer of security to counteract fraud — a biometric fingerprint sensor. By combining chip technology with your fingerprint, the company can now verify the cardholder’s identity for in-store purchases. The process is quite simple in that you stick your card into the terminal during payment. The biometric fingerprint sensor on the card, which is powered by the terminal, takes a fuzzy image of your fingerprint and matches it against the biometric information stored in the card. If the biometrics match what is stored on the card, then the payment is processed.
A Step Forward with a Few Hurdles
The idea behind using biometrics like MasterCard’s fingerprint sensor or facial recognition systems is to speed up e-commerce and make shopping more convenient by removing the need to remember yet another password, while also reducing the potential for fraud. Fingerprint authentication is just one way of providing additional security for payment transactions. In general, authentication processes are based on three factors: (1) something you know, (2) something you have, and (3) who you are. In the traditional “Chip and PIN” authentication used in EMV card transactions, the first two factors are satisfied but not the third. A fingerprint is one way to achieve this third factor of authentication — as are other authentication methods like iris, face, and voice recognition.
Authentication is essential to ensure you are who you say you are. It’s important to note, however, that fingerprint authentication has its drawbacks. Similar to Touch ID, this scanner captures only a small part of the fingerprint. By design, that isn’t as efficient as capturing full fingerprints, or even better, more than one full fingerprint. Most of these sensors are vulnerable to presentation (or spoof) attacks. For example, someone can create a mold of a fingerprint using something as simple as Play-Doh. This can be worrisome, as the intent behind biometric authentication is to ensure the right person is using the right card. Despite these known issues, MasterCard is taking a notable step in the right direction. Biometric authentication is more secure than the typical PIN, password or signature. However, because the match is made against something that is not an exact fingerprint, it is not cryptographically secure, so a hacker can attack it. For the time being, databases will always be targets for hackers. So biometrics sound like a secure method of authentication — assuming no one ever hacks into a sensitive database, which would never happen, right?
The United States – Land of the Passwords
Yair Finzi, Co-founder and CEO of SecuredTouch, believes that “MasterCard entering the American market won’t really be an issue, as it will give consumers more confidence for in-store transactions. Of course, with stronger in-store security, fraudsters will move online, just like they did when chips became popular.” However, he believes that the question is not one of biometrics but of the security landscape: the entire transaction, from client onboarding and know-your-customer checks to the verification techniques that help profile a customer, becomes a question of data security and ownership of the stored data. Taking all of this into account is essential to making use of artificial intelligence and behavioral patterns.
It’s probably not a surprise that companies such as MasterCard are now leveraging biometric authentication to verify purchases beyond mobile payments. “With so many new biometric sensors hitting the mainstream, consumers are moving away from passwords towards a fully biometric user experience,” says George Avetisov, CEO of HYPR Corp. “As a leading innovator in this space, MasterCard has proven that enterprises will support a variety of authentication methods – and that customers will adopt them.”
The step of applying biometrics to a card also means there is now the capacity for microelectronic circuits on the card, so the next evolution could be a link to your mobile, and from there you could go into partial keys or data. This could make payments more secure than they are today. That is not to say that attacks won’t become more sophisticated, and there will always be a trade-off between ease of use and security functionality. The more requirements there are to perform a transaction, the less likely a customer is to complete it. The trick is finding the balance between security and a positive and simple user experience.
The Future of Authentication
Security has never been a binary equation, as there are layers of security. There is no absolute safeguard to date, yet MasterCard’s biometric feature is a step in the right direction. Security is more about a landscape. It’s better to have 1% more security than yesterday. When you look at the payment transaction itself, there’s a sequence that the payment, or the zeros and ones, travels through. Studying customer behavior through analytics, including spending patterns, allows the profiling of a client.
For now, the future of secure authentication is behavioral biometrics, which is based on the specific ways in which the user interacts with her device, like finger size and pressure, typing speed, swipe angles, etc. Behavioral biometrics allows for continuous authentication, ensuring a device isn’t hijacked after the fingerprint or username/password is entered. Behavioral biometrics also strengthens mobile privacy, as it identifies individual users, selectively blocking access to sensitive information or actions.
Technology advancements are happening at a record pace, especially in the authentication space. But it’s rarely the speed of advancement that is the greatest barrier to adoption — it’s the experience. For example, the adoption of mobile payments has been slow, because consumers have yet to see the experience as better than the current method, namely credit cards. Is a tap better than a swipe? Consumers are still undecided. Look at the consumer backlash surrounding EMV, simply because it takes a few extra seconds at checkout. Check image capture also took years to become mainstream because it requires just the right lighting, yielding several attempts and increased frustration among consumers.
Despite the drawbacks, MasterCard is taking a step in the right direction by adding this additional level of authentication — the typical PIN isn’t secure, and a simple signature doesn’t ensure that the person using the card is who they claim to be. What’s important to note here is the need for biometric authentication to ensure you are who you say you are — beyond just having a card or knowing the PIN.