The PayPal application is seen on an iPhone in this photo illustration on June 18, 2018. (Photo by Jaap Arriens/NurPhoto via Getty Images)
Some biometric authorisation systems require some kind of liveness detection as part of the identity verification process © NurPhoto via Getty Images
Experimental feature

Listen to this article

00:00
00:00
Experimental feature

For online businesses, customer authorisation for internet payments can come at a cost. Given that almost 40 per cent of ecommerce transactions are impulse buys, any interruption to the transaction gives a customer a chance to rethink the purchase.

One in three online shoppers in the US have abandoned a transaction rather than re-enter payment details, according to Statista, the data provider. While regulation has forced businesses to accept this drop-off as worthwhile to combat fraud, security such as one-time passwords can fail or be beaten.

One solution, security experts say, is biometric authentication.

The technology uses biological data such as fingerprints and facial recognition to approve transactions and provides a smoother payment system. It is also hard to hack.

Almost half of consumers with biometric technology on their smartphones have used it to authorise payments — up from 35 per cent the year before, according to Deloitte’s 2018 mobile consumer survey. By 2022, analytics group Acuity Market Intelligence estimates that 1tn transactions will be authorised by biometrics each year.

The European Banking Authority, the EU banking regulator, clarified its acceptable online payment authorisation methods in June. In line with wider EU rules, it says all biometric techniques, including methods such as finger vein recognition, are acceptable.

Implementation has begun: in October NatWest launched the UK’s first fingerprint-authorised credit card (developed by Mastercard), while Visa has tested its version with the Bank of Cyprus.

“The main concern for biometrically authenticated payments is the dependence on the consumer to have a modern device,” says Iain McDougall, UK and Ireland manager of Stripe, an online payments company.

“Even as biometric authentication becomes more standard on hardware, and smartphone penetration increases further, there will be people excluded from biometrics for the foreseeable future.”

Biometrics are expanding to include software-based methods such as gait analysis or typing behaviours. For ecommerce merchants, these offer passive verification that can feel frictionless for consumers.

Online customers are unlikely to be deterred by methods that require little input on their part, says Jean Salomon, chief executive of the European Association for Biometrics, a non-profit group.

Yet fingerprint verification, the most popular biometric method, is vulnerable to security breaches. “Masterprints” can be generated using machine learning to match with a large number of fingerprints, while individual prints can be recreated from high-resolution photos, as highlighted by a hacker who applied the technique to Ursula von der Leyen, then German defence minister, in 2014.

Similar spoofing is aimed at facial and voice recognition. Dean Nicolls, vice-president for global marketing at Jumio, a mobile identity-verification start-up, says the rise of deepfakes, which can generate video, image and voice likenesses, is the biggest threat to biometric authorisation.

“Most leading [biometric identification] players have embedded some form of liveness detection as part of the identity verification process,” he says. Liveness detection often requires participation from consumers, such as speaking random numbers. However, this not only slows online transactions but can be “easily spoofed” by deepfakes, adds Mr Nicolls.

Storing biometric data also heightens the risk of breaches. In August, researchers from cyber security group VPNMentor found they could access the fingerprints, facial recognition information and other unencrypted data of more than 1m people through a web-hosted platform.

As the usual advice to change a password after a breach cannot apply to “inherent data” — information based on physical traits — the burden is shifted to payment providers, banks and merchants to change authorisation methods if biometric data are compromised.

Mr McDougall believes that relying on inherent data mitigates vulnerabilities in human behaviour. “In the vast majority of cases, the human factor is the weak link in cyber security,” he says. “Biometric verification means that people don’t have passwords so can’t be tricked into handing them over.”

Not all biometric vulnerabilities are malicious: biases and flaws in biometric verification algorithms could cause authorisation to fail in specific circumstances.

Facial recognition has failed when applied to people of colour: Joy Buolamwini, a Ghanaian-American computer scientist, discovered that a face-matching system did not work until she wore a white mask.

The solution may be to combine biometric information. According to Ryszard Choras, a computer science professor, this would increase accuracy while making it tougher for hackers to acquire data.

This complexity, however, puts the approach out of reach for online businesses as it requires more data, more computing resources and more sophisticated science.

Although biometric authentication is a welcome advance, Mr McDougall says the industry must continue “to offer non-biometric methods of authentication, even if biometrics become the dominant standard”.

Get alerts on Biometrics when a new story is published

Copyright The Financial Times Limited 2019. All rights reserved.
Reuse this content (opens in new window)
About this Special Report

This three-part Cyber Security series covers Ecommerce, Artificial Intelligence and Data.

The final part of the series examines the importance of cyber security for ecommerce. The looming peak shopping period presents more opportunities for hackers; cyber insurance becomes mainstream; and the rise of quantum computing raises questions about encryption methods

Follow the topics in this article