Credit-card companies, banks and vendors are changing how they verify consumers’ identities. Passwords and PINs could become less important. Biometric analysis could become the norm.
The proving ground for the latest in payment technology is Europe, where a new law could encourage greater use of biometrics in a bid to reduce burgeoning payment fraud.
Starting September 2019 in the European Union, a large portion of online payments greater than €30 (currently about $35) will require multifactor authentication. Consumers will need to use two of three things to verify transactions: something they know, like a password; something they have, like a digital device, perhaps a USB token, that identifies them; or something they are: biometric data.
Proofs based on physical characteristics, like fingerprints and faces, are slowly becoming more common. This legislation will likely cause them to surge.
Most consumers using biometrics will likely do so on their phones, many of which already have technology that payment-service providers will use to verify payments—such as Apple's Touch ID fingerprint sensors or Face ID facial-recognition software on its iPhones.
Making the payment process frictionless could determine which providers prosper—and which languish.
“We’re helping the industry move toward biometrics as a preferred method,” says Mark Nelsen, senior vice president at Visa Inc. “Customers are getting more comfortable with those solutions, and they’re our preferred method, too.”
Another company hoping to profit from the change is Veridium, a New York-based biometrics firm.
“We’ve built our company around trying not to change the way you interact with technology too radically,” says Chief Executive James Stickland. “You could plug in Touch ID or Face ID, and that’s great because people are used to it.”
Veridium also provides an authentication technology it calls 4F that turns smartphones, even older models, into fingerprint scanners.
[Chart: How Will You Be Paying? Number of smartphones globally using biometric authentication, including fingerprints, face and voice recognition, for payments, in millions]
Ease of use will be paramount to companies in the payment-services and biometrics sector. Vendors and payment-services providers “have to meet requirements on the fraud side and provide a good user experience,” says Frances Zelazny, chief marketing officer at BioCatch, a firm based in Boston. “If they can’t manage their fraud, they’ll go away,” Ms. Zelazny says. “And if they can’t manage their user experience, they’ll go away” because consumers won’t use them.
Behind the scenes, BioCatch and other biometrics companies are working on technology called behavioral biometrics. That technology allows vendors and payment providers to analyze users’ actions and habits to determine whether a transaction should be considered valid. Criteria include whether the transaction is in line with a user’s usual spending pattern, made from a familiar location, or aimed at someone who often receives payments from that user.
“With touch-screen devices, we have a lot of sensors, so we’re able to infer how you swipe, the pressure you put on the screen, how much of your finger you’d leave on the button as you pause before the next one,” says Dr. Neil Costigan, CEO of BehavioSec, a behavioral biometrics firm. “Not so much what you’re doing as how you’re doing it.”
Though behavioral biometrics can’t be used as one of the three proofs mandated by the EU regulation, the EU guidelines say that payments of €30 to €500 will be exempt from multifactor authentication if they are judged to be sufficiently safe—a determination that behavioral biometrics can help to make. Smoother, more secure verification processes minimize false alarms when cards are declined, thus reducing abandoned purchases.
Still, biometric solutions face barriers to adoption. Veridium’s Mr. Stickland says: “People’s education is probably the most immature element of utilization. The end user has to be more aware.”
“What concerns us is consumer awareness,” says Visa’s Mr. Nelsen. “We know the consumer has no idea really what this regulation means.” And, he adds, “with hundreds of millions of customers making online payments, and millions of merchants receiving them, older technologies won’t disappear overnight.”
Meanwhile, even if customers do take to biometrics, a full rollout of the technology may take some time.
“Part of the challenge has been lethargy. We’ve seen that with chip and PIN in the U.S.,” says Mr. Stickland, referring to the card industry’s ponderous transition away from requiring signature-based payments.
As a result, he says, the move away from plastic cards—and toward mobile-based authentication—is “probably a 10-year journey, not a two-year journey. But I think plastic will be gone altogether in 10 years.”
Passwords, too, will be around for quite some time. Mr. Nelsen says that biometrics systems already in place still use passwords as backups for authentication.
“The only way to get rid of passwords is to have a number of biometrics, so if one fails, you can use another one,” he says. “We’ll start to see more biometrics used to verify identity…. You’ll walk up to the counter, use face recognition to initiate the payment, and that’s it.”
Mr. Frankl-Duval is a Wall Street Journal reporter in London.