Will biometrics finally replace passwords?

Published October, 2017

The future of financial services

In the 1989 science fiction blockbuster Back to the Future Part II, the two main characters travel forward in time to the year 2015. Here, it is not only possible to drive flying skateboards and wear self-lacing sneakers, but also to use fingerprints to authenticate payments at a device comparable to a tablet computer.

Nearly 30 years have passed since this fiction of using biometric factors for payment authorization, during which we have seen various initiatives in the field of biometric authentication by different (payment) players, e.g., banks, card schemes, point of sale (POS) terminal manufacturers, alternative payment methods or other technology providers. However, today, biometrics still play only a minor role, and authentication continues to be dominated by PIN codes, passwords and signatures. Against this backdrop, what will be the role for biometric authentication in the future world of payments?

1. Biometric authentication

Authentication can be defined as the process of confirming an identity claimed by an entity, such as being the true cardholder in the respective payment transaction. The authentication can be performed by one or more of the following means:

-    Knowledge: something the user knows (e.g., a PIN or password)
-    Ownership: something the user has (e.g., a card, token or mobile phone)
-    Inherence: something the user is (e.g., a biometric characteristic)

While payment transactions are normally authenticated using the first two categories, the application of biometric factors out of the third category, “inherence”, has recently become more relevant. Biometric factors include physical and behavioral factors. Whereas physical factors are innate, such as fingerprints, iris patterns or other facial features, behavioral factors are related to the pattern of behavior of the user, e.g., keystroke dynamics or cursor movements.

One major difference between biometric authentication technologies and other methods is that one has to incorporate probabilities in the authentication process: whereas a PIN or password can either be true or false, a biometric scanner (e.g., for a fingerprint) will usually return a probability that the authentication is a match. This poses challenges, especially for payment transactions where authentication errors lead to financial losses or chargeback processes.
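The trade-off described above can be made concrete with a short added example (not part of the original article). It measures the false accept rate (FAR) and false reject rate (FRR) of a match threshold over constructed similarity scores, and goes one step beyond the text by choosing the threshold that minimizes expected loss for a given transaction amount. The score values, `fraud_prior` and `friction_cost` are illustrative assumptions.

```python
# Constructed similarity scores in [0, 1]; not taken from any real scanner.
GENUINE = [0.91, 0.88, 0.97, 0.73, 0.85, 0.94, 0.66, 0.90, 0.82, 0.95]   # true cardholder
IMPOSTOR = [0.12, 0.35, 0.41, 0.08, 0.58, 0.27, 0.71, 0.19, 0.33, 0.46]  # someone else


def error_rates(threshold):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    far = sum(s >= threshold for s in IMPOSTOR) / len(IMPOSTOR)  # impostors let through
    frr = sum(s < threshold for s in GENUINE) / len(GENUINE)     # cardholders turned away
    return far, frr


def expected_cost(threshold, amount, fraud_prior, friction_cost):
    """Expected loss per attempt: accepted fraud plus rejected genuine customers.

    fraud_prior   -- assumed share of attempts that are fraudulent (hypothetical)
    friction_cost -- assumed cost of one wrongly rejected customer (hypothetical)
    """
    far, frr = error_rates(threshold)
    return fraud_prior * far * amount + (1 - fraud_prior) * frr * friction_cost


def best_threshold(amount, fraud_prior=0.01, friction_cost=2.0):
    """Sweep thresholds 0.00..1.00 and return the cheapest (lowest on ties)."""
    candidates = [t / 100 for t in range(101)]
    return min(
        candidates,
        key=lambda t: (expected_cost(t, amount, fraud_prior, friction_cost), t),
    )


if __name__ == "__main__":
    for amount in (10, 1000):
        t = best_threshold(amount)
        far, frr = error_rates(t)
        print(f"amount={amount:>5}  threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
```

With these constructed scores, a low-value payment tolerates a looser threshold (some fraud, no rejected cardholders), while a high-value payment pushes the threshold up until no impostor passes, at the price of turning away one genuine attempt in ten.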

2. The future role of authentication for payment transactions

In order to assess the role biometric authentication could have in the future world of payments, we have developed different hypotheses that differentiate between payment channels (POS vs. remote), payment instruments (card vs. other) and market characteristics (traditional card-focused vs. developing).

Hypothesis 1: In traditionally card-based payment markets with established payment infrastructure, biometrics will play only a minor role in the authentication of card payments at the POS.

In our opinion, in markets with an established, working card-based infrastructure, there is simply no actual customer need that would be solved by using biometric authentication: there is a learned and working process for paying by card at the POS using PIN or signature as the authentication method. A migration to biometric authentication means would require investment in infrastructure — either at the merchant’s POS (e.g., installing a camera for face or iris recognition) or for the issued cards (e.g., by issuing cards with an embedded fingerprint scanner). We do not see a reason for merchants or issuers justifying such investments as fraud is comparably low and we do not expect any willingness on the part of consumers to pay for using biometric authentication.

Hypothesis 2: The increasing prevalence and use of biometrics-enabled devices (e.g., smartphones) and the ultimate goal of having a uniform user experience across channels will promote the establishment of biometric authentication for payment transactions in the coming years.

For this hypothesis, we have to differentiate between POS and remote payments. At the POS, we see mobile payments finally gaining traction among consumers and thereby also promoting biometric authentication. Many existing mobile devices are technically capable of analyzing biometric factors — for example, through cameras, fingerprint scanners or microphones for voice recognition. Biometric authentication is already being used for unlocking phones and computers or for confirming actions. When conducting payment transactions at the POS, biometric factors can be used to supplement or replace other factors (e.g., PIN) without extra cost, but with added convenience for consumers and merchants. Examples are ApplePay or SamsungPay, which are making use of fingerprints as a biometric authentication factor.

For remote payments there is a comparable development: more and more payment transactions are conducted on biometric-enabled devices (smartphones, tablets, laptops, etc.). Online merchants are constantly trying to optimize conversion rates, for instance by selecting the most convenient payment methods. When integrated neatly, biometric authentication can further improve user experience in the check-out process — again, at no additional cost. Many payment method providers are already trying to integrate biometrics into their offering: for example, the Identity Check Mobile by Mastercard, ApplePay (with its remote payment functionality) and start-ups like Dublin-based Touchtech. In the future, we expect a convergence of POS and remote payment methods, intensifying the momentum described above to use biometric-enabled devices for conducting payments.

Hypothesis 3: In the medium term, biometrics as a direct link-to-account will be relevant for POS payments only in a few selected markets with previously underdeveloped payment infrastructure and in specific closed-loop use cases.

Biometric features have not only the potential to act as an authentication factor, but also to provide a direct link to a payment account and thereby replace the card as a payment medium. This usually requires the installation of dedicated biometric payment hardware at the merchant. For example, the US-based payment service Keyo uses palm scanners, and the service Smile To Pay by Ant Financial (Alipay) uses cameras for facial recognition. Because of the significant investment required, we see limited potential in developed payment markets; however, we expect selected markets to leapfrog card-based payments infrastructure and directly establish a payment system based on biometric authentication methods. This is currently happening in India, where there has been a major push by the government to use a central biometric identity register (called Aadhaar) for conducting payments.

Furthermore, we expect a growing number of use cases for biometric authentication in closed-loop systems, e.g., for events, festivals, specific merchants or cafeterias. Mostly, these use cases require a separate hardware infrastructure anyway, and biometric authentication would be a means to improve the customer experience. One example for this category is Liquid Pay in Japan. After having their fingerprints, passport and credit card information registered at their hotel, tourists can pay in participating stores using their fingerprint.

3. Conclusion and outlook

In conclusion, we can summarize that biometric authentication will have a significant role in the future world of payments. However, for traditional card-focused payment markets, there is simply no urgent need to use biometric authentication. Therefore, in these markets, we expect the establishment of new authentication methods to be connected with the use of new payment instruments like the mobile phone.

Legal and regulatory initiatives will further promote the use of biometric authentication as an additional means to enhance the security of payment systems. For example, in Europe, there is a regulatory push towards strong customer authentication methods. Customer experience and convenience are key success factors at the POS as well as online. Therefore, we will most likely experience the use of a diverse set of authentication factors that are intelligently selected, depending on the risk of fraud associated with specific transactions across channels.
