I’m not referring to the corny joke about the bar patron who wants to get a free delicious drink. This time it will be one of the main fintech trends expected this year. Global Payments’ study, based on interviews with leading payments experts, surveys of consumers and businesses, and ultimately analysis of many other papers, gives us a comprehensive view of what could drive the world of innovation in 2023. This undoubtedly includes biometrics.
Extending biometrics to consumers
Biometrics is a set of data about certain physical characteristics of a person that are unique to that person and not repeated in another person. A typical example is the fingerprint we know from detective stories and dactyloscopy obtained at crime scenes. A fingerprint is simply one single fingerprint, and it can be used to identify one person in particular. For the purposes of this article, let us now leave aside the cases of some identical twins in which we can observe some of the same biometric features.
According to the above material, 86% of consumers are interested in expanding the use of biometrics to verify their identity or make payments. Here you can see that everything bad is good for something. The recent spread of the popularity of biometrics has been driven mainly by the coronavirus pandemic, which has seen, among other things, the rise of contactless mobile payments. This eliminated the need to touch the payment terminal. Specifically, if you pay with your mobile phone, it uses biometric data from your fingerprint or facial biometrics.
According to a Globe Newswire survey, nearly three-quarters (74%) of consumers worldwide have a positive attitude toward biometric technology. The advantages of biometric authentication for consumers include simplicity and security. According to another study, 70% of consumers think biometrics are easy to use and 46% think they are more secure than passwords or PINs. Let us now look at this in more detail.
User safety
Using biometrics is both easier and safer in several ways. We “carry” biometric data such as our finger, our face or the iris of our eye with us at all times. With regard to covering the face with a veil or just a scarf in bad weather, it seems more practical to use fingerprint dactyloscopy, but that is a detail from this point of view.
Unlike passwords or PINs, no one can copy our data. In this respect, I remember an experiment made by a group of enthusiasts at the time when the first iPhone with a button that sensed the biometrics of the user’s finger appeared on the sales network. This bunch decided to trick the system with a fake fingerprint. They finally succeeded! However, it should be added that this required some 36 technological steps and, above all, the cooperation of the owner of the finger in question, whose biometrics were copied to another mobile device.
Another advantage is that you can forget your password and the password recovery procedure itself is either very complex or too simple, which devalues the security level. The actual biometrics cannot be forgotten.
Last but not least, biometrics is completely unique to one person and is much more complex and complicated than any commonly used password to date. Its detection and replication is therefore virtually impossible.
Use in payments
The year 2023 should bring further development of biometrics in payment services. According to the aforementioned study by Global Payments, when asked “which type of biometric authentication are you likely to accept on your computer?” nearly 70% of businesses cited fingerprint as the number one choice. Why businesses? Not only the consumer, but also the other side of the transaction, i.e. businesses and retailers, must consider payment confirmations to be reasonably secure.
Hence the next survey question “which types of biometric authentication are you likely to accept from your customers?” Nearly 70% said they cited face as the number one choice. So nothing new under the sun, the finger and face dominate biometrics today. Incidentally, 32.6% said they would also like to accept iris scans – this biometric is very secure.
However, it means a potential revolution in payment, as the consumer will no longer necessarily need a payment card in any form, but will only need his own finger, face or iris to make a payment. While you can forget your credit card at home, you can forget your mobile phone (although it seems as likely as forgetting your own head), you cannot forget your own biometric data. This eliminates the risk of unavailability of the means of payment.
Money like in the palm of your hand
Well-known online retailer Amazon is rolling out biometric palm authentication for its customers through Amazon One, a biometric authentication device that allows users to verify their purchases using the palm of their hand. Apple and Google have had this technology for a long time, you might argue. Yes, but that’s technology right in your mobile phone, but here we’re talking about scanning your biometrics at the payment terminal. By the way, you can see this palm scanning technology for example in the main building of ČSOB in Prague, where it works for employees at the entrance turnstiles.
Mastercard has introduced a face-based biometric payment program for standard retail outlets. This biometric checkout program also allows customers to pay directly using their own biometrics – allowing shoppers to scan their face or other biometric and access their payment from a pre-set payment card. Mastercard standards require that this biometric data be converted to a digital template and encrypted, rendering the data unusable. In addition, biometric data is not transmitted directly, but authenticated.
Behavioural biometrics
The world of biometrics is alive not only with fingerprints, iris images, voices or faces. Behavioural biometrics, i.e. tracking the user’s behaviour – how he moves the mouse, how fast he types, etc. These elements are also very widespread today.
A good example is the reCaptcha service. Its basis is the so-called Turing test. The purpose of this is to distinguish whether the answer to the questions is given by a human or by a technical device, typically a computer or, as it is often called today, artificial intelligence. We know the service as a prevention of spam or unwanted robotic behaviour. We are forced to transcribe numbers and letters in various ways, which the average reader often has great difficulty with. Similarly with images, for example, you have to mark images where there are mountains, and some images don’t make this clear at all. So, in summary, the current reCaptcha is somewhat annoying for users, and ways are being sought to make it less annoying for users than it really needs to be.
Behavioural biometrics, i.e. the behaviour of the user itself, is just such a solution. To mimic such behaviour is too difficult for machines today in the complexity and individuality of each user. Of course, it may only be a matter of time before computers can do something like this.
Another invasion of privacy?
So what is the difference between using, for example, a fingerprint on my mobile phone versus a fingerprint on a payment terminal? I’m afraid the difference is quite large. If you use biometrics on your device, your biometric data still remains on your device and your mobile, tablet or computer performs a comparison of the input (fingerprint, face scan…) with your own data internally only within your device. Nothing goes out, just yes/no information about whether or not the user has been correctly authenticated by biometrics. So the external application only gets this authenticated/unauthenticated response, no one else gets a peep from your biometrics.
However, if you provide your data (such as a palm print) to a payment terminal, the data about this print must be stored somewhere else, otherwise it cannot be verified. So the question is whether you will trust such a provider enough to ensure that he or she, or anyone “along the way”, will not misuse the data. Some companies and systems have demonstrated their credibility. For example, the aforementioned Mastercard has been operating a payment card system long enough to trust such a system from a security perspective. Since the card company does not receive user data directly, but through another company, such as a bank, it is up to your discretion how much you trust such an intermediary.
There is no need to worry about touch operations, as many consumers today are getting a negative view of touching a payment terminal that was previously touched by x number of people with unknown medical conditions. For example, the palm is scanned in a non-contact scanner, not to mention the face, of course.
Your biometric data is now stored, for example, in a chip in your passport. This is then used at automated check-in counters if you are travelling abroad outside the Schengen area. Generally, such processing is considered secure as your data is managed by a public authority under the law.
There’s also the general question of who might collect your biometric data in the first place. The European Parliament voted in 2021 for a resolution banning biometric tracking of people across the board, including by state authorities such as the police. Such surveillance would be involuntary from the point of view of the citizens, i.e. they themselves would not give their consent to it, and by the very nature of the matter, no one could give such consent to widespread surveillance.
It is therefore likely to be up to each of us to whom we voluntarily provide our biometric data and to whom we do not. It is obvious that this data is very crucial and absolutely unique, and it is therefore more than appropriate to assess both the advantages and risks of extending biometrics into cyberspace.
Jan Müller
image by Freepik.com
