Biometrics are pretty cool right now. We’ve got accustomed to using them to unlock our smartphones, gain entry into our workplaces, and now increasingly to make payments or to authorise financial transactions.
In the real world, as opposed to the online world that many of us inhabit, biometrics improve identity management, provide an additional level of security, and are a useful tool in combatting fraud (including payment card fraud). Most of all, they offer convenience, and a feeling that we are all finally embracing new technology.
Yet in the online world, particularly in the payments industry, the role that biometrics have to play is only just beginning to become clear. Biometrics have been identified as one of the factors that can be used in the PSD2 two-factor authentication directive, based on using two of the following three elements:
- Knowledge, something only the user knows (e.g. PIN or password)
- Possession, something only the user possesses (e.g. card)
- Inherence, something the user is (e.g. fingerprint)
But in practice, how does this work with online payments?
Mobile payments are a good fit for biometrics
M-commerce (buying online using a mobile device) is booming. According to eMarketer’s most recent retail and ecommerce sales figures study, global m-commerce sales rose 40.3% last year to $1.357 trillion, representing 6.0% of total retail expenditures and accounting for 58.9% of digital sales.
Biometrics and mobile payments are a good fit. Smartphones and tablets are enabled with fingerprint readers, cameras and microphones, so there are a variety of options to use biometrics for identity management. Already many banking apps are using this technology. For example, Samsung users can unlock their TSB bank app using an iris scanner, and Barclays customers can use Siri’s voice recognition to pay existing payees or mobile contacts without having to open the banking app.
Many mobile payment apps use biometrics to authorise transactions. The technology also exists to authenticate payment card purchases and other online payment methods with biometrics. Mastercard’s biometric credit card can already authenticate in-store purchases using a compatible card reader, doing away with PINs.
Mastercard have also announced that by April 2019 online customers will be able to authenticate their card purchases using a fingerprint or iris scan. Customers will be asked to verify their identity on their smartphone, and confirm their purchase whether online, over the phone or when using contactless payments on a mobile.
Customers using PCs or laptops for online transactions won’t have to remember a password to authenticate their card; instead, a message sent to their mobile will request they scan their fingerprint or iris to process the transaction. This will work in a similar way to sending a one-time password to a mobile phone and will replace 3D Secure and other password/PIN-based authentication methods.
Is this good news for merchants? I think so. It reduces friction in the payment process, customers don’t have to remember passwords and it meets PSD2 requirements for strong customer authentication.
MuchBetter customers already use biometrics to protect their payment app account, and with a free MuchBetter Mastercard-branded debit card they will soon be able to use biometrics for authenticating card payments. Our experience is that customers are keen to embrace biometrics as a convenient method to manage their money, and to keep their money safe.