Mastercard’s Bob Reany on trends in biometric payments authentication
The payments industry is in the midst of a shift toward strong forms of authentication. Mastercard’s decision to retire the signature for in-store purchases in the US and Canada in 2018 represents one part of this shift, as do a series of recent announcements related to the company’s use of new identity technologies including biometrics for mobile devices and credit cards.
The proliferation of effective tools for authentication on newer mobile devices, and the use of on-device matching are two major trends influencing the shift towards authentication approaches like “selfie pay,” Mastercard Executive Vice President of Identity Solutions Product Bob Reany told Biometric Update in an exclusive interview.
From 2015 through 2017, advanced technology was being introduced into a payments ecosystem not entirely ready to make use of the data it created.
“The financial payments system couldn’t absorb it,” Reany says. “How do you know what to do with an iris scanner when Samsung introduces it? How do you know how safe the new Apple facial recognition is? You don’t. The banks don’t have any way to deal with that.”
Reany says that is changing, with collaboration from industry stakeholders and groups like the FIDO Alliance. “The ecosystem is finally able to absorb the data.”
Significant challenges remain, however. When asked about the split between facial recognition for new iOS devices and the integration of under-display fingerprint sensors in Android devices, Reany strikes a cautionary note: “Yeah, it’s actually a little worse than you say. When you go to these dedicated authenticators, the part of the phone that’s dedicated to figuring out who you are, they vary by brand and not just by operating system. It’s even more fractured or diverse.”
The kinds of mobile devices owned, and how recently they were released differs between individual consumers but also between regions, and Mastercard seeks to include all of them. Despite this challenge, the company is confidant that by playing an active role in the creation and adoption of standards, it can take a neutral position based on consumer choice, and reduce fraud and improve user experience while doing so.
Reany sees consumer choice increasing and authentication system performance improving with new cameras and image processing systems. “I see the image processing stuff getting better and more sophisticated. I know that sounds very techy, but when you pick up your phone, what do you do? You pick it up and you look at it. Well if it’s doing an image process on me as I’m looking at it, which I must to do use my phone, that’s the best consumer experience possible. So, we see the trend to go to image processing stuff; iris, facial recognition, 3D facial recognition. Samsung, Microsoft and Apple are all doing a lot of work in that area.”
Breakthroughs such as the integration of infrared sensors into image processing systems make them easier to use, particularly in lighting conditions which would previously have been problematic. Reany also points out that two irises contain more data than a single fingerprint, and are harder to spoof.
Biometrics are just one part of Mastercard Identity Check’s fraud prevention method, however.
“Biometrics is cool, and it gets people excited, but its one factor,” Reany says. “Device identification, geolocation, behavioral analytics, biometric analytics like how you hold the phone, height to eyeball; we’re looking at five or six things in addition to the (login) biometric.”
These layered factors make it practically impossible to scale mobile device payment fraud, which makes the ecosystem an unattractive target for criminals, particularly with the stronger factors enabled by newer devices.
“It doesn’t make financial sense for the bad guys,” Reany explains. “If we had everybody using these great new devices, we would basically put those people out of business, but right now, not everybody’s using them.”
In addition to working on standards for mobile device authentication, Mastercard has been running pilot projects for smart cards with on-board fingerprint sensors, as it nears the end of a long and technically demanding process.
“From an engineering standpoint, getting a fingerprint reader on a card that doesn’t have a battery, that has a limited processor, that has limited storage, has been a very interesting challenge that we’ve been working on over the last few years. But the good news is: We have them!”
The cards are developed by a consortium of companies, including IDEX, which Reany lauds for helping to improve their usability. They are powered by the minimal current they can draw from existing point-of-sale terminals, enabling successful trials to be carried out with Pick n Pay and Absa Bank in South Africa, and UniCredit Bulbank in Bulgaria.
“Putting the system on the card, and having it work with the infrastructure that exists today was a really big deal,” Reany says. “It introduces biometrics into a market, without having to change your point-of-sale system at all.”
In the Pick n Pay trial, Mastercard was able to reduce the time necessary for authenticating shoppers enrolled in any of a range of rewards and loyalty programs from nearly 30 seconds to less than one. Development work on the biometric payment cards continues, as manufacturing scale is needed to drive the cost down. A remote enrollment process must also be developed for adoption in developed economies, so Reany predicts they may reach those markets in 2019, but in nations with developing economies and more “greenfield” payment markets, fingerprint payment cards are about to take off.
“I think you’ll see most of the innovation completed in the first half of 2018, and it will be a matter of starting to roll things out later in the year,” he says. “It’s all about scale an integration, and making that innovation pipeline pay off. That’s what this coming year is about.”
The developments in authentication on both mobile devices and smart cards are bringing payment processes closer to a future without passwords, which frustrate Mastercard customers, result in failed transactions, and provide inadequate defense against fraud. Reany is encouraged by the potential of tokens with on-device matching, which eliminates the “honeypots” of data that attract criminal attention, and lead to large-scale breaches. As authentication technology and standards continue to evolve, payment processes will continue to change.
“FIDO is an industry group that’s marching down this path,” Reany says. “We’ll get it, but it’s still going to be a few more years.”