A Quickening Pulse

Components

Biometrics in electronic payments didn’t have much life until last year, when Apple’s Touch ID and other applications gave the technology a shot of adrenaline. What’s next?

It’s Act II for biometrics in payments.

The now-defunct Solidus Networks Inc., better known as Pay By Touch, dominated Act I for a few years with its fingerprint sensors that found their way into hundreds of grocery stores. But the sprawling company went bust in 2008, a victim of its own excesses, and with it seemingly went most of the payment industry’s interest in biometrics for authenticating transactions.

It turns out, however, that the interest was still there, just underground for a while as tech companies began developing new biometric systems. For example, Jumio Inc. in late 2013 came out with its Face Match technology to help merchants using its Netverify service to assess whether the image of a face on a photo or identification document presented during a mobile or online transaction matches the customer’s actual face (“In Your Face,” January, 2014).

At about the same time, technology developers learned how to better exploit the possibilities of biometrics in the booming smart-phone market. In the most prominent instance of this application, Apple Inc. unveiled its Touch ID system for the iPhone 5S in 2013. Apple built Touch ID right into the phone’s home button and enabled iPhone users to unlock the device without typing a password.

Meanwhile, PayPal Inc. secured a spot on Samsung’s hot new Galaxy S5 smart phone, which uses near-field communication (NFC) technology and has a fingerprint sensor in the home button. The sensor enables the phone’s users to pay with PayPal for purchases they make on Web sites or in stores that accept the payments service.

That was cool enough, but it wasn’t until last September that biometrics and payments hit the big time.

That was when Apple, with its high-powered marketing machine and massive brand presence, unveiled its iPhone 6 and 6 Plus models that enlisted Touch ID for use with the new Apple Pay contactless mobile-payments service. The service, which draws on the new phone’s NFC technology, lets the user complete a purchase by simply tapping the iPhone on a contactless card reader while touching the home button.

Apple Pay gave a huge publicity boost to NFC and tokenized transactions, but it also shone new light on biometrics. Crooks can easily forge signatures and, with not too much effort, guess or steal many passwords, but it’s pretty hard—though not impossible—to outwit biometric authentication technology. After all, everybody’s unique.

“Apple Pay is an immense opportunity to improve payment security,” says Al Pascual, director of the fraud and security practice at Javelin Strategy and Research, Pleasanton, Calif.

Biometric Pilots

Thanks to Apple and the Samsung-PayPal pairing, most of the recent attention on biometrics and payments has gone to services that analyze fingerprints.

That emphasis on fingerprints seems to align with consumer preference. Consumers rank privacy as their most important consideration when using biometric authentication, according to a 2013 Javelin survey of more than 3,200 consumers. And they like fingerprints the most out of the menu of biometric-authentication options.

But there are other biometric systems, including ones that record or scan eyes, voices, and palms, not to mention the facial-recognition technology Jumio uses. Each has advantages and disadvantages.

“Fingerprint is just the first stop; there will be other modalities,” says Art Stewart, vice president of the biometric products division at San Jose, Calif.-based Synaptics Inc., a developer of security systems and features for electronic devices.

Stewart previously was an executive at AuthenTec Inc., a Melbourne, Fla.-based company that Apple bought in 2012 for $356 million. It developed the technological foundation of Touch ID. Synaptics bought fingerprint-authentication technology provider Validity Sensors Inc. in November 2013 for $127.8 million.

But it’s not just tech companies that are interested in biometrics nowadays. So are financial institutions, according to researcher Shirley Inscoe, a senior analyst at Aite Group LLC, Boston. And they’re not confining themselves to merely supporting Apple Pay.

“I know that many of them are doing pilots,” says Inscoe, declining to name any publicly because of client confidentiality.

This new interest in biometrics from banks and credit unions springs from multiple sources, according to Inscoe. One is ease of use—no hassles with scratching out a signature or remembering a PIN, two authentication devices traditionally used by financial institutions.

“We as Americans just demand that things be very easy, very simple, and very convenient,” she says. “We just don’t want to be bothered.”

But two other factors are privacy and customer service, she adds. Voice-recognition software has been gaining acceptance at financial-institution call centers in the past several years in part because the technology can discern a caller impersonating a legitimate customer, says Inscoe, who says some call centers keep voice recordings of known “bad guys” for comparison.

In addition, such systems can reduce customers’ wait times by up to two to three minutes compared with conventional phone-based verification, making both customers and managers happy.

“Some of these forms of biometrics have the potential to save financial institutions a lot of money,” she says.

‘Enabling the Plumbing’

Biometric payments got a big boost on Dec. 9 when the Fast IDentity Online (FIDO) Alliance, a non-profit with more than 150 members in banking, payments, technology, and other industries, published Version 1 of its standard for a better system of online authentication than the vulnerable user name and password.

Backers of FIDO, which was formed in February 2013, say the standard’s two final specifications will enable payments providers and other organizations that want strong authentication to easily add biometrics and other technologies to their data-security systems.

That’s important. Weak or stolen login credentials play a role in 76% of data breaches, according to the FIDO Alliance, citing data from Verizon Communications Corp. studies.

“Today, we celebrate an achievement that will define the point at which the old world order of passwords and PINs started to wither and die,” Michael Barrett, president of the FIDO Alliance and former head of data security at PayPal, said in a statement. “FIDO Alliance pioneers can forever lay claim to ushering in the ‘post-password’ era, which is already revealing new dimensions in Internet services and digital commerce.”

Version 1.0 of FIDO’s standard includes the Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) specifications. UAF provides protocols that enable non-password authentication using biometrics or other technology. U2F adds a second layer of authentication to existing password infrastructure.

Device manufacturers, including computer and smart-phone makers, along with online service providers, can use the open, interoperable specifications.

FIDO relies on a base layer of software from Palo Alto, Calif.-based Nok Nok Labs Inc., according Javelin’s Pascual. Using that layer, online- and mobile-commerce providers as well as other companies can build authentication systems into their services that don’t rely on the old password-based systems.

“The beauty of FIDO is it makes things far easier than they had been in integrating authentication,” says Pascual. For example, using the FIDO specs a bank wanting to add voice authentication to its mobile-payment service doesn’t have to go with purely proprietary technology. “You can test a variety of solutions,” says Pascual. “It gives you a lot of flexibility.”

Ramesh Kesanupalli, founder and chief alliances officer at Nok Nok Labs and a co-founder of the FIDO Alliance, says the specifications promote development of authentication technology for mobile devices running Google Inc.’s Android operating system, and even work with products from companies that haven’t joined FIDO Alliance, such as Apple.

“The beauty of the FIDO spec is it will work with Apple and non-Apple devices,” says Kesanupalli.

Adds a FIDO Alliance spokesperson: “We’re completely agnostic, we’re just enabling the plumbing.”

The first draft of the specifications came out last February. The PayPal-enabled Samsung Galaxy S5 was the first product to use so-called “FIDO Ready” software based on the UAF spec. PayPal is one of the FIDO Alliance’s six co-founders. Last July, China’s huge Alibaba e-commerce site began accepting FIDO-based payments using the Samsung Galaxy S5.

Nok Nok announced when the FIDO standard was released last month that the new version of its S3 Authentication Suite supports the final UAF specification. The company also said it had raised $8.25 million in Series C funding.

‘A Natural Extension’

FIDO’s standard seems likely to spawn a new generation of biometric-based hardware and software. As noted, the most prominent systems today rely on electronically scanned and recorded fingerprints, and for good reason. Fingerprints are easy for consumers to provide, and consumers are familiar with the concept of using fingerprints for verifying identity thanks to countless crime movies and TV shows.

In that 2013 Javelin survey, fingerprints not only came out on top, they won by a wide margin. Some 31% of respondents named fingerprints as their preferred biometric solution for online use, nearly three times the nearest competitor.

Those alternatives include eye-based systems such as vein mapping and iris and retina scans; palm-based technologies such as hand geometry and vein analysis; facial recognition such as that used by Jumio; and voice recognition.

For now, however, it seems like the fingerprint will dominate biometric payments, especially mobile payments. Speech systems can pick up ambient noise, and facial recognition’s effectiveness can be reduced by poor lighting, notes Kesanupalli of Nok Nok Labs.

“Fingerprint becomes a natural extension of what you can do with a cell phone,” he says.

Payment providers and tech companies may have a big sell job ahead of them, however. Some 29% of Javelin’s respondents had no preferred biometric-authentication preference, and, perhaps more important, 15% would not use any of the methods researchers presented.

But industry executives are confident the technological issues, especially making the same stuff work on Android and Apple phones, along with consumer-acceptance problems, can be solved and thereby lift mobile payments.

“All the ecosystem partners will align, eventually,” says Synaptics’ Stewart. “It’s a little harder to do when you’re not a vertical like Apple. It’s the single reason why mobile payments have taken so long in this country.”