Biometrics and Mobile Payments Security

Last month saw the launch of the Apple iPhone 5S, with an integrated fingerprint sensor, Touch ID. Much has been written about Apple’s intentions; all we know for certain is that today you can use the fingerprint sensor to unlock the device and to make purchases via iTunes and the App Store. If, as expected, Apple does allow 3rd-party developers access to Touch ID, then can we expect to see this technology used to enable mobile payments?

There is a growing shift towards the use of biometrics to support both login and transaction verification, this is occurring for number of reasons:

-- New capabilities in modern devices – Apart from the Apple fingerprint sensor, the latest generation of smartphones contain a wide-range of sensors that can be leveraged to help identify a user – these might include high quality cameras to perform facial recognition, or microphones to support voice biometrics. Of equal importance, they contain embedded secure elements and secure Operating Systems to support the secure creation and storage of biometric templates – a smart card within your phone.

-- Increasing sophistication of Biometric technology – Historically most implementations of biometrics have been focused on secure building entry or border control. These use cases assume that the user is being observed as they enter their credentials, a very different scenario to the remote authorization of a payment via a mobile device. We have seen the biometrics industry react to these new business opportunities by improving their algorithms and introducing anti-spoofing capabilities, to try and limit fraud.

-- Broad distribution – Laptops with fingerprint sensors have been shipping for more than 10 years, without seeing significant usage. The problem has always been the same – what can you use them for? Until now it hasn’t been possible to use the fingerprint sensor on your Windows PC to shop online, access your online bank or perform any of the other functions that we typically use passwords for, there has been no incentive for Payment Service Providers to support individual solutions. Apple’s introduction of biometrics to a mass-market device has the potential to alter this situation. We are already seeing some of the major Android phone manufacturers being linked to biometrics, and the expectation is that tablets will follow this. Microsoft is also looking at this space, with Windows 8.1 offering enhanced support for Fingerprint Sensors.

The main challenge and opportunity around biometrics is around consumer acceptance. A new survey, sponsored by PayPal and the National Cyber Security Alliance, published recently suggests that consumers are comfortable with the idea of using biometrics instead of passwords. The survey showed that 53% were happy to use fingerprints, with 45% preferring retinal scan and 41% with photo identification. These results are not dissimilar to a survey which we conducted with the Ponemon Institute earlier in the year, where the majority of respondents in the UK, Germany and the United States were happy to use biometrics with Banks and Credit Card companies, amongst other trusted organizations.

The payments industry needs, therefore, to consider how to support new and emerging biometric technologies. Both the regulators and the industry groups must consider when biometrics are a sensible replacement for the traditional username and password to allow Payments Service Providers to take advantage of the new technology present in their customers’ hands.

Jamie Cowper is Senior Director at Nok Nok Labs