Karen Epper Hoffman
After a major failure several years ago, biometrics is enjoying a renaissance in payments. As usual these days, mobile has a lot to do with it. So does the fear of fraud.
Think of it as an authentication trinity—what you have, what you know, what you are. Despite having cards and passwords to identify us and initiate payments, technology gurus have been trying to incorporate that third piece, what users are, into the equation to not only provide a better means of authentication, but, they hope, a more convenient one.
A new wave of biometrics initiatives in payments may finally be opening that door to mainstream usage.
“We’re certainly seeing renewed energy around biometrics in the payments arena as well as the mobile and online-banking space,” says Julie Conroy, research director at Aite Group LLC, Boston.
Companies have dabbled to varying degrees in biometrics to initiate payments for years. But the technology got a black eye half a dozen years ago with the collapse of what had been the most prominent provider in the niche, Solidus Networks Inc., better known as Pay By Touch.
Now, especially in the light of developments such as the release of fingerprint sensors on smart phones like Apple Inc.’s most recent iPhone 5S and HTC’s One Max, payments executives are showing a renewed interest in biometrics that may take it from fringe technology to center stage.
“Biometrics is trying to make a comeback,” says Al Pascual, senior analyst for security, risk and fraud at Javelin Strategy & Research, Pleasanton, Calif.
‘Still in Its Infancy’
The key to biometrics’ resurgence in payments may lie not only in recent market changes, which have laid the groundwork for a more successful run, but also in how the technology is being viewed and applied.
San Francisco-based Pay By Touch launched in 2005 primarily as a system for allowing consumers to authorize grocery purchases by swiping their finger over a specially designed sensor. Conroy says unlike applications such as Pay By Touch’s, where biometrics acted as the “primary key,” the technology is now being promoted as just one of multiple layers of authentication.
“The Pay By Touch business had a lot of issues,” says Marc Barach, chief marketing officer for Jumio Inc., an authentication vendor that uses biometrics for payments. “In the past few months with Apple launching their use of fingerprint [biometrics], it has sent this into the limelight, created more interest in biometrics for all sorts of things.”
Indeed, Jean-Noel Georges, a global program director for San Antonio, Texas-based Frost & Sullivan, who has researched biometrics for payments globally, says Apple’s endorsement of biometrics carries a lot of weight in bringing biometrics to the attention of consumers.
He believes many people will start using the fingerprint scanner to unlock their phone and access Apple’s iTunes and other popular mobile applications, which will make them more familiar with the technology.
“Apple is making people more comfortable with biometrics,” Georges says. “And once people have the experience of using biometrics [there], they will use it for other things.”
Troy Bernard, director and head of advanced payments at Discover Financial Services, concurs.
“The launch of iPhone 5S is a step forward for fingerprint scanning as an authentication method,” Bernard says. “The iPhone is one of the most widely held consumer devices of all time. It is very likely that other handset manufacturers will embed fingerprint readers in their devices as a way to easily lock and unlock phones versus keying a PIN.”
Jamie Cowper, senior director of Palo Alto, Calif.-based authentication vendor Nok Nok Labs, points out that the industry group FIDO (Fast IDentity Online) Alliance, of which Nok Nok is a founding member, is investigating and promoting the use of fingerprint biometrics for payments authentication.
Similarly, in Europe, the MoBio (Mobile Biometry) project aims to develop advanced biometric technology solutions for authentication on personal mobile devices, according to Georges.
“It [biometrics] had been so focused on border control … but now people are starting to develop a new wave of capabilities,” Cowper says.
Discover’s Bernard adds that “biometrics as a means of payment authentication is still in its infancy.” His company plans to start testing Natural Security SAS’s biometric system at its Riverwoods, Ill. headquarters this month. Natural Security is a French authentication-technology provider that supplies biometrics systems to retailers and banks in France.
“We have performed some of the pre-trial work already in the lab such as loading biometric data into the fobs and in performing initial test transactions,” Bernard says. “Fingerprint technology is more and more becoming mainstream. Not only are biometrics being used for payments, but for authentication in many venues. The reason for the uptake is that there is a real need to provide improved authentication and the technology is improving, while the costs are decreasing.”
‘Getting Beaten up’
While Apple’s and HTC’s addition of fingerprint sensors to their mobile devices helps highlight biometrics, a number of other factors also are driving renewed interest in what is a family of technologies.
One basic aspect is that the read rate on most biometrics-enabled point-of-sale devices and other hardware has simply gotten better, according to experts.
“The industry has more faith in biometrics than in the past, across the board,” says Pascual. “They’ve been drilling down and improving error rates.”
As mobile payments takes off, biometrics presents a means to make payment authentication even more convenient. And more secure, given the widespread perception of the weakness of passwords.
“We are always looking for ways to make payments simpler without sacrificing security, and biometrics provides an opportunity to move in this direction,” says Bernard. “The value proposition for mobile payments is that the mobile phone is a smart device, capable of many functions, which you always carry with you. Typing in a PIN is friction. Placing your finger on the screen eliminates this.”
Aside from the number of devices that are expected to follow Apple and HTC and include fingerprint sensors, there’s also the fact, as Aite’s Conroy points out, that most smart phones now include a high-quality camera.
“The ubiquity of devices with cameras is the number-one factor that will facilitate biometrics for authentication,” she says.
Further underscoring the need for biometrics, she adds, is the increased levels of payment fraud, particularly online. A good part of that reportedly is the result of fraudsters migrating to the Internet after finding point-of-sale card fraud much harder to commit because of the growing use of Europay-MasterCard-Visa (EMV) chip cards in nearly all industrialized countries except the U.S.
“E-commerce merchants are just getting beaten up right now,” says Conroy. “Biometrics are not ironclad [protection] but they are one more layer of authentication.”
For many years, biometrics was seen as being stymied by a lack of consumer acceptance for scanning their fingerprint or their iris to make a payment, which some people saw as an invasion of privacy. However, as the technology becomes more mainstream, consumers are seemingly warming to the idea, for convenience’s sake if nothing else.
One recent survey, sponsored by PayPal Inc. and the National Cyber Security Alliance, found that 53% of respondents were happy to use fingerprints to authenticate themselves, while 45% were comfortable with a retinal scan, compared with 41% with offering photo identification.
Similarly, a survey of more than 2,100 British consumers found that nearly half of them would like to use biometrics for security. (The United Kingdom survey was sponsored by London-based payment processor, WorldPay, with results released in June.)
Enhancing Passwords
As identity and payments fraud “continue to grow on the mobile side” and less tech-savvy consumers attempt to conduct more and more complex transactions, the convenience of biometric authentication will become more attractive, says Barach of Jumio.
Earlier this year, Palo Alto-based Jumio introduced a feature for its NetVerify authentication product that compares a photo on an identification card with the user’s actual face as both are presented to a phone or PC camera. The feature, called Face Match, checks data points from both images to render a confidence score, which banks or merchants can use to either authorize or decline a transaction.
But Barach doesn’t see name and password, or card-based identification, being replaced by biometrics, but rather enhanced by them. Jumio’s Face Match technology is already being rolled out in money-transfer businesses, though Barach will not name specific clients.
“Biometrics is yet another factor to work with the primary factors,” he says.
Meanwhile, startup PayTango Inc. is aiming its authentication system at the younger and presumably more tech-accepting college crowd. In early 2013, the Mountain View, Calif.-based venture, founded by four Carnegie Mellon University students, began testing its system that associates a person’s payment cards with the cardholder’s fingerprints. PayTango’s terminal, which the company reportedly plans to introduce to college campuses, reads the prints from two of a consumer’s fingers. (Several calls and emails to PayTango were not returned.)
Biometrics also is making inroads in government payments. In October, General Payment Systems Inc. began installing biometric-based payment kiosks and tracking technology for people on probation through CSRA Probation Services, which serves about 60 state courts in Georgia. The deal is the first in the probation market for General Payment Systems, an Irvine, Calif.-based vendor that makes hardware to automate the collection of payments.
In this application, probationers will be able to complete the required monthly check-ins and make any required payments to the court using a thermal fingerprint scan. The biometric system ensures the identity of people on probation as they check in and make payment, which means the courts can place kiosks in remote locations that are easier for the probationers to visit regularly, according to Ron Hodge, chief executive of General Payment Systems.
“I believe biometrics is a good solution for certain industries, like this one,” he says.
Betting on Fingerprint
Many questions about biometrics remain to be answered, including which identifier will become most widely adopted. While Apple’s endorsement of fingerprint scanning would seem to boost that biometric, Georges of Frost & Sullivan points out that many other initiatives, including MoBio in Europe, are supporting facial-geometry recognition, or even a combination of face and voiceprint.
“Fingerprint may be the best compromise of security and customer experience,” Georges says, but adds that the jury is still out on acceptance.
Discover is betting on fingerprint. “So far, fingerprint is the most cost-effective technology to deploy on a large scale,” Bernard says.
But Jumio’s Barach says “it’s unclear whether fingerprint will be the winner. Critics of fingerprint [biometrics] present a compelling argument: why use an identifier that you leave everywhere?”
Essentially, Barach says that when it comes to biometrics, there is “no one size fits all”—the identifier that is used will depend on the audience and the application.
Cowper of Nok Nok Labs believes that fingerprint may mark the “first wave” of mainstream biometrics—because of the identifier’s relative maturity in technological development and reliability. Ultimately, he thinks that other emerging types of biometrics—voice prints, eye vein detection, cardiac pulse reading—that are less intrusive may take hold much further down the road.
‘The House Is Not on Fire’
But even fingerprint may still be some time off for widespread payments authentication, experts say.
“As we’re looking at the payments ecosystem, you will always have at the merchant level a reticence to put friction at the point of sale,” says Conroy. Instead, she believes the entrance of “transparent biometrics” like voice recognition will more likely start to take hold in 2014 and beyond.
“It will be a very, very slow adoption here,” says Barach of Jumio. “Most retailers and online mobile merchants will not want to put this out in front of customers. And the house is not on fire as far as they’re concerned.”
Barach expects that in businesses like money transfer and remittance, companies will begin slowly embracing biometrics over the next five years as yet another authentication layer.
“The new doesn’t kill the old here,” he says. “It’s rarely a zero-sum game. This will still not be a primary and standalone method.”
As Bernard of Discover points out, payments adoption is generally a long slog.
“Widespread technology changes take time, so it is hard to predict the timeline,” he says, noting that magnetic-stripe credit cards have been around for about 50 years and the EMV specification was created in 1994 but only now is coming to the U.S.
“Therefore,” he says, “we see biometrics co-existing with existing payment technologies in the near-term.”