According to new research from Visa, consumers across Europe are interested in using biometrics when making a payment – especially when integrated with other security measures. Nearly three-quarters (73%) see two-factor authentication, where a biometric is used in conjunction with a payment device, as a secure way to confirm an account holder. Two-factor authentication includes something you have, such as a card or a mobile device; something you are, such as a biometric; or something you know such as a PIN or password. When looking at the range of different payment situations at home or on the high street, over two-thirds (68%) want to use biometrics as a method of payment authentication. Online retailers have the most opportunity for gain as nearly a third (31%) of people have abandoned a browser-based purchase because of the payment security process.
Jonathan Vaux, Executive Director of Innovation Partnerships said:
“Biometric identification and verification has created a great deal of excitement in the payments space because it offers an opportunity to streamline and improve the customer experience. Our research shows that biometrics is increasingly recognised as a trusted form of authentication as people become more familiar with using these capabilities on their devices.
“However, one of the challenges for biometrics is scenarios in which it is the only form of authentication. It could result in a false positive or false negative because, unlike a PIN which is entered either correctly or incorrectly, biometrics are not a binary measurement but are based on the probability of a match. Biometrics work best when linked to other factors, such as the device, geolocation technologies or with an additional authentication method. That’s why we believe that it’s important to take a holistic approach that considers a wide range of enabling technologies that contribute to a better end-to-end experience, from provisioning a card to making a purchase to checking your balance.”
When looking at the benefits of biometric authentication – the process that validates a person’s identity by measuring an intrinsic characteristic specific to an individual such as fingerprints or iris patterns – half of Europeans (51%) state that biometric authentication for payments could create a faster and easier payment experience than traditional methods. Similarly, a third (33%) like the fact that biometric authentication means that their details would be safe even if their device was lost or stolen.
“As we move into the future, consumers will have an increasing number of choices in how they pay. Just as the payment behavior will change dependent on where you are and on what device you are shopping, the methods of authentication will need to be use-case appropriate. While biometric forms of authentication offer significant opportunities to achieve the right balance between convenience and security, they are not the only answer. In the future we will see a mix of solutions dependent on the purchasing situation. By adapting our standards to recognise these technologies as valid forms of authentication now, we can help provide the environment for payments to continue to take place securely, conveniently and discreetly.”
Familiarity of Fingerprint
In the study of over 14,000 European consumers, the research reveals that discretion and familiarity with biometric forms are important factors for uptake. With the advent of mobile payments, fingerprint recognition is deemed to be the most favourable form of biometric payment for its ease of use and security. When looking solely at the perceived security of biometric technologies, 81% of consumers see fingerprints as most secure, followed by iris scanning (76%).
This is why more than half (53%) express a preference for fingerprint over other forms of biometric authentication when using it for payment.
Across Europe, few people say they would prefer voice or facial recognition as a payment method in a range of payment situations whether physically in a shop paying for goods or services, or shopping online at home (12% and 15%, respectively). In the UK, these figures fall to 8% and 12%, respectively, for voice or facial recognition as payment forms.
The Balance Between Security and Frictionless Commerce is Key
With over two-thirds (67%) of consumers recognising the importance of security details to protect one’s identity, new forms of authentication must reach a balance between speed and security.
The research found that biometric authentication is almost equally valued in face-to-face payment situations where speed efficiencies are a priority as it is for online transactions. This is reflected in the findings:
- 48% want to use biometric authentication for payments when on public transport
- 47% want to use biometric authentication when paying at a bar or restaurant
- 46% want to use it to purchase goods and services on the high street e.g. groceries, coffee and at fast food outlets.
- 40% want to use it when shopping online
- 39% when downloading content
Commenting on this, Robert Capps, VP at NuData Security, an award winning behavioural biometrics company, said “This study proves that there is a strong desire on the part of consumers to have secure AND frictionless user experiences when interacting and transacting online. The desire, however, might not match up with the reality of the situation. Physical biometrics such as fingerprints, selfies and voice authentication are seen by some as the ‘holy grail’ in user authentication, but they aren’t fool proof, and there are other challenges that may block their widespread adoption in non-face-to-face interactions.
The fact that 53% of respondents see fingerprints as a viable security solution isn’t surprising, given that they are already part of the authentication lexicon, and solutions such as Apple’s Touch ID have given consumers a glimmer of the future of biometrics, while delivering an outstanding user experience. Such solutions have a central place in the overall security mix, part of a good multifaceted approach, but they are still static data points that can potentially be misused in the wrong hands. While not generally acknowledged by the general public, fingerprints can be spoofed and unlike passwords, fingerprints last a lifetime. The lasting and permanent nature of fingerprint data may actually have more negative impacts than passwords which can at least be changed.
Loss of fingerprint data is not just a theoretical concern, as several large breaches over the last couple of years have exposed fingerprint data en masse. As stolen data is often traded and consolidated into larger, more accurate consumer profiles that can be used for a number of nefarious purposes from espionage, to identity theft, and financial fraud.
Selfies and voice biometrics also have contextual issues in that it may not always be appropriate to take a selfie or provide a voice sample to authorize an online transaction. Particularly in a place where such activity may be frowned upon or disruptive (such as a meeting, on public transit, airports, or in a culturally sensitive place).
Beyond the social and cultural issues, there are concerns about how a move to physical biometrics may provide a false sense of security to consumers and institutions, given the wealth of physical biometric data that is shed by a person through their day to day life.
While liveness verification has become a standard in modern physical biometric verification systems, they are not without flaws that allow pre-recorded or captured biometric data to be replayed. Voice samples are recorded with every voicemail you record. Fingerprints are left behind on every object you touch. Your iris and facial data is recorded with every photo you pose for. Recent data breaches have also shown that high fidelity physical biometric data can be stolen in bulk, just like credit card numbers and user credentials – effectively making these physical biometrics more static data that can be stolen and reused to impersonate you in non face-to-face transactions.
The way forward is to balance the need for a frictionless customer experience and actual security that focuses on the use of non-static signals and indicators of human identity – signals that cannot be stolen, reused or replayed for impersonation.
Passive biometric solutions identify suspicious activity in a completely passive and non-intrusive way by understanding how a legitimate user truly behaves in contrast to a potential fraudster with legitimate information. So, even if the fraudster has your spoofed fingerprint, and all of your account information, organisations can look at your behavioural events, biometrics, device, geography and other layers to determine if you are the real actor behind the device or fingerprint.
Users can even be rewarded for good behaviour with a white glove experience, or extra perks and incentives, giving bands and e-commerce companies the unheard of potential to actually improve their brand experience with their security layer.”