Metrics related to human characteristics to authenticate identity and payment may take a little more time to measure up to expectations
A KFC store in the eastern Chinese city of Hangzhou hit international headlines when it introduced a new way for customers to pay for their food – a Smile to Pay facial recognition system, which is among the first of its kind in the world.
The system, which is the brainchild of Chinese e-commerce company Alibaba’s Ant Financial affiliate, is targeted at young people, who are expected to account for most of the country’s anticipated growth in consumption over the next decade.
To use Smile to Pay, customers need to have signed up to the Alipay app first. A 3D camera is situated at the point of sale to scan customers’ faces to verify their identity and the system also includes a so-called “liveness detection” algorithm.
Jeremy Light, managing director of Accenture Payment Services in Europe, Africa and Latin America, explains the algorithm’s benefits: “One of the weaknesses of facial and voice recognition software is that it can be spoofed, so you have to ensure people are in a live environment. But Smile to Pay is smart because, not only is it great marketing, but it also makes customers move their faces so you know it’s not just a photo.”
Although using biometrics technology to enable secure payment in retail stores is far from common practice today, Mr Light does expect it to become widespread over the next few years, spurred on by the growing use of mobile technology as the primary way in which consumers interact with the world.
Since Apple first introduced fingerprint recognition on its iPhone in 2013, the use of biometrics in the mobile apps space has leapt mainly due to the technology’s convenience, which means people no longer have to remember multiple passwords.
On the back of this situation, Eddie Grobler, executive vice president of ACH (automated clearing house) systems and integration at Mastercard’s Vocalink, expects the use of biometrics software to become mainstream within the next three to four years and to increasingly “converge into the payment space” in the process.
Another significant factor likely to spur adoption, meanwhile, is the fact that both banks and payment service providers like the technology, which is considered more secure than using traditional PINs. It also reduces the need for creating costly one-time passwords and is seen as a useful means of complying with increasingly stringent payment regulation.
As a result, providers such as Mastercard are jumping on the bandwagon. Although not rolled out by any UK banks as yet, its Identity Check Mobile system will enable cardholders to authenticate online payments or access bank services using a selfie, eye scan, voice or fingerprint.
The vendor has likewise trialled a biometric card in South Africa and Bulgaria, which enables cardholders to use their thumbprint rather than a PIN to authorise an in-store payment.
But Matt Lewis, research director at information security consultancy NCC Group, believes it will take time before biometrics software is as ubiquitous in retail as it is in the mobile arena.
“People haven’t necessarily thought through the logistics, but you need to implement complex back-end infrastructure to store biometrics data, and in the UK there are a lot of regulations around data protection and privacy,” he says. “So adoption is likely to be much slower in this area due to the added regulatory hurdles.”
Mr Light, on the other hand, believes that the real future lies not in any single form of biometrics software, but in a KFC-style mix of flavours. This approach involves combining traditional biometrics technology such as face recognition with newer artificial intelligence-based behavioural biometrics. This software works passively in the background to recognise, for example, how you hold your phone or key in your PIN, to prevent spoofing.
“The market is maturing and there’s still a way to go. But within two years, every bank that matters will use some form of biometrics and, increasingly, there’ll be passive biometrics in there as the technology significantly increases accuracy,” he says.
By combining traditional and behavioural biometrics, a Spanish client last year slashed the fraud rate for mobile banking by a huge 90 per cent, Mr Light says.
Although single biometrics may be quicker to use, they can produce false positives, in which the system incorrectly accepts a match between the stored biometric template and a third party. It is this inaccuracy that is currently the single biggest inhibitor to the technology’s adoption, says Mr Light, although he does acknowledge that things are improving.
But Mr Lewis is not convinced that biometrics will be the silver information security bullet that some hope for.
“I think we’ll see a bit of a bell curve. Initially it should help to combat a lot of fraud as it’s not as straightforward to fake biometrics as it is to find out someone’s password. But over time criminal gangs will find ways of attacking systems because there’s so much money in it and they’re highly motivated,” he says.
The biggest concern here is, once such deeply personal information is stolen, it is impossible to change or revoke. But because such a situation is “so disastrous for the user”, Mr Lewis believes the fear factor could likewise inhibit take-up.
Mr Light has a positive outlook. “In future, biometrics will become the payment authentication method of choice. It’s the goal of banks to get rid of passwords and get away from having 50 per cent of transactions challenged, which means that people simply use other cards. So it’s definitely the way forward – in fact, it’s inevitable,” he concludes.