6 minute read 24 May 2018

How biometrics could finally replace PINs and passwords when we pay

By

Kai-Christian Claus

EY Global Payments Leader

Strategic advisor for leading players in the global payments industry. Enthusiast with passion and energy.

Could biometric authentication increase convenience and security when we make payments, both online and at the till?

In the 1989 science fiction blockbuster “Back to the Future Part II,” the two main characters travel forward in time to the year 2015. Here, not only is it possible to ride flying skateboards and wear self‑lacing sneakers, but also to use fingerprints to authenticate payments at a device resembling a tablet computer.

During the nearly 30 years that have passed since the film was released, we’ve seen many initiatives in the field of biometric authentication. These have come from different payment players including banks, credit card companies, point of sale (POS) terminal manufacturers and alternative payment method providers.

But despite these initiatives, biometrics currently only play a minor role in payment authentication, an area that continues to be dominated by PIN codes, passwords and signatures.

That situation is likely to change, however, as new technology and changing consumer expectations affect how we pay for purchases.

What is biometric authentication?

Authentication can be defined as the process of confirming an identity claimed by an entity: for example, someone confirming that they are the true cardholder making a payment.

Authentication can be performed by one or more of the following means:

  • Knowledge: something the user knows, such as a PIN or password
  • Ownership: something the user has, such as a card, token or mobile phone
  • Inherence: something the user is — or, in other words, a biometric characteristic

Payment transactions are normally authenticated using methods drawing on the first two categories. But the application of biometric factors — in the third category — has recently become more feasible.

Biometric factors include physical and behavioral factors. Whereas physical factors — such as fingerprints, iris patterns or other facial features — are innate, behavioral factors are related to the user’s patterns of behavior, such as keystroke dynamics or cursor movements.

One major difference between biometric and other authentication methods is that biometric techniques have to incorporate probabilities in the authentication process. A PIN or password supplied by someone making a transaction is either correct or incorrect. But a biometric scan of, say, a fingerprint will usually only return a probability that the authentication is a match.

This poses challenges, especially for payment transactions, where authentication errors lead to financial losses or chargeback processes.
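To make the point about probabilities and financial losses concrete, the following added example (not part of the original article) turns match scores into accept/reject decisions and picks the threshold with the lowest expected loss. The scores, cost figures and function names are constructed assumptions, not measurements of any real matcher.

```python
# Added illustration: threshold decisions on biometric match scores.
# All scores and cost figures below are constructed sample values.

# Similarity scores (0..1) from a hypothetical matcher for attempts by
# the true cardholder (GENUINE) and by other people (IMPOSTOR).
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.64, 0.90, 0.86, 0.79]
IMPOSTOR = [0.12, 0.35, 0.28, 0.66, 0.41, 0.19, 0.74, 0.30, 0.22, 0.58]


def accept(score, threshold):
    """A PIN either matches or not; here the outcome depends on a threshold."""
    return score >= threshold


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR): false accept rate and false reject rate."""
    false_accepts = sum(accept(s, threshold) for s in impostor)
    false_rejects = sum(not accept(s, threshold) for s in genuine)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def expected_cost(threshold, fraud_share, fraud_loss, reject_loss):
    """Expected loss per payment attempt.

    fraud_share: assumed fraction of attempts made by impostors
    fraud_loss:  assumed loss when an impostor is accepted (fraud, chargeback)
    reject_loss: assumed loss when the true cardholder is rejected
    """
    far, frr = error_rates(threshold)
    return fraud_share * far * fraud_loss + (1 - fraud_share) * frr * reject_loss


def best_threshold(fraud_share, fraud_loss, reject_loss):
    """Pick the candidate threshold (0.00 to 1.00 in steps of 0.05) with the lowest loss."""
    candidates = [t / 100 for t in range(0, 101, 5)]
    return min(candidates,
               key=lambda t: expected_cost(t, fraud_share, fraud_loss, reject_loss))


if __name__ == "__main__":
    for label, loss in (("low-value purchase", 20), ("high-value purchase", 2000)):
        t = best_threshold(fraud_share=0.01, fraud_loss=loss, reject_loss=5)
        far, frr = error_rates(t)
        print(f"{label}: threshold={t:.2f} FAR={far:.0%} FRR={frr:.0%}")
```

With these sample numbers the stricter threshold for the high-value purchase removes false accepts but rejects two of the ten genuine attempts, which is the trade-off between fraud loss and customer friction.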

A different role in different channels and markets

In order to assess the role biometric authentication could have in the future world of payments, we have developed different hypotheses that differentiate between payment channels (POS vs. remote), payment instruments (card vs. other) and market characteristics (traditional card-focused vs. developing).

Hypothesis 1: In traditionally card-based payment markets with established payment infrastructure, biometrics will play only a minor role in the authentication of card payments at the POS.

In markets with an established card-based infrastructure, there doesn’t seem to be a customer need that using biometric authentication would solve. Such markets already have processes that work and that people know — PIN or signature — for authenticating card payments at a POS.

Moving to biometric authentication would require investment in new technology, either at the merchant’s POS (e.g., installing a camera for face or iris recognition) or for the issued cards (e.g., by issuing cards with an embedded fingerprint scanner).

Compared with the cost of such technology, fraud losses are low. So it seems unlikely that merchants or card issuers could justify such an investment. And there’s no reason to think consumers themselves would be willing to pay in order to use biometric authentication.

Hypothesis 2: The increasing prevalence and use of biometrics-enabled devices (e.g., smartphones) and the ultimate goal of having a uniform user experience across channels will promote the establishment of biometric authentication for payment transactions in the coming years.

At the POS, mobile payments are finally gaining traction among consumers and are thereby also promoting biometric authentication.

Many existing mobile devices are capable of analyzing biometric factors — for example, through cameras, fingerprint scanners or microphones for voice recognition. And biometric authentication is already being used for unlocking phones and computers or for confirming actions.

When conducting payment transactions at the POS, biometric factors can be used to supplement or replace other authentication methods, such as a PIN, without extra cost, but with added convenience. Apple Pay and Samsung Pay are two mobile payment services that already use fingerprints as a biometric authentication factor.

Biometrics for remote payments

More and more remote payment transactions are being conducted on biometric‑enabled devices, such as smartphones, tablets and laptops.

Online merchants seeking to optimize conversion rates are likely to select the most convenient payment methods. And, when integrated neatly into the payment process, biometric authentication can improve user experience — again, at no additional cost.

Many payment method providers are already trying to integrate biometrics into their offerings. Examples include Mastercard’s Identity Check Mobile and Apple Pay’s remote payment functionality.

In the future, we’re likely to see a convergence of POS and remote payment methods, which will further encourage the use of biometric-enabled devices for conducting payments.

Hypothesis 3: In the medium term, biometrics as a direct link-to-account will be relevant for POS payments only in a few selected markets with previously underdeveloped payment infrastructure and in specific closed-loop use cases.

Biometric features not only have the potential to act as an authentication factor, but also to provide a direct link to a payment account, thereby replacing the card as a payment medium.

Using biometrics in this way usually requires the merchant to install dedicated biometric payment hardware, such as the palm scanners of US-based payment service Keyo, or the facial-recognition cameras used by the Smile to Pay service from Ant Financial (Alipay).

Because of their high cost, these technologies are likely to have limited potential in developed payment markets.

However, less developed payment markets may well leapfrog card-based payments infrastructure and directly establish a payment system based on biometric authentication methods. This is currently happening in India, where the government has made great efforts to encourage the use of a central biometric identity register (called Aadhaar) for conducting payments.

There’s also likely to be a growing number of use cases for biometric authentication in closed-loop systems, such as those for events, festivals, specific merchants or cafeterias. Mostly, these require a separate hardware infrastructure anyway, and biometric authentication would be a means to improve the customer experience.

One example in this category is Liquid Pay in Japan. After having their fingerprints, passport and credit card information registered at their hotel, tourists can pay in participating stores using their fingerprint.

Conclusion and outlook

Biometric authentication is likely to have a significant role in the future world of payments. However, for traditional card-focused payment markets, there is simply no urgent need to use biometric authentication.

In these markets, the establishment of new authentication methods will likely be driven by the use of new payment instruments, such as the mobile phone.

Legal and regulatory initiatives will also promote the use of biometric authentication, as an additional means to enhance the security of payment systems. For example, in Europe, there is a regulatory push toward strong customer-authentication methods.

And the growing importance of customer experience and convenience at the POS, as well as online, may also drive the take-up of biometric authentication for certain kinds of transaction.

So while biometric authentication is unlikely to replace PINs and passwords anytime soon, it will take an increasingly important role as one of a diverse set of authentication methods. For each payment, the authentication methods chosen will be selected based on the nature of the transaction, the risk of fraud and the channel used to make the purchase.

Summary

While biometric authentication is unlikely to replace PINs and passwords anytime soon, it will take an increasingly important role as one of a diverse set of authentication methods.