MasterCard is testing a new facial recognition authentication system for online payments; users can download the credit card company's mobile app, which will scan their faces to approve payments (users can also select fingerprint scanning for authentication). Is this a good idea? Can facial recognition authentication on mobile phones replace passwords?
The key to dominating the online payment industry is security and ease of use, which is never an easy combination to get right. Authentication is the most important security step in a payment transaction, and methods that don't rely on troublesome passwords tackle both security and ease of use and are gaining in popularity for both online and in-store purchases. New credit and debit cards offer contactless transactions using Near Field Communication (NFC), known as tap and pay, but the real battle is moving to mobile apps that enable users to authorize payments using their smartphones.
The Apple Pay and Google Wallet apps already let users tap and pay with their Apple or Android phone, and now MasterCard has joined the fray by announcing an app that will approve online transactions with a facial scan -- pay by face. The credit card company is hoping to introduce other biometric authentication methods like fingerprints, voice recognition and heartbeat, which would make for a truly contactless and uninterrupted transaction.
MasterCard hopes the use of "selfies" will replace SecureCode, the password-based system currently used to verify the identity of its customers shopping online. Users with the MasterCard app receive a pop-up request on their phone at the point of sale asking for authorization. This is completed by looking at the phone and blinking once. The blink is required to thwart the use of photos to fool the camera; Google's Face Unlock and Liveness Check features were both easily deceived by holding up a photo to the phone’s camera. By using facial recognition authentication technology, the app can convert the image into a unique binary string, which is compared to the stored string held by MasterCard. If the two match, then the transaction will be authorized.
MasterCard wants to "identify people for who they are, not what they remember," and biometric authentication offers a lot of advantages over passwords: users can't forget their biometrics, they're unique, and they are easy to provide. The fact that today's smartphones can capture fingerprints, voice and facial images removes the need for costly and cumbersome external readers, but devices used to read or measure a biometric can still produce false negatives and false positives. People leave their fingerprints all over the place, which is the equivalent of a password written on a Post-it note, and it's fairly easy to copy them and create a replica in silicone. Someone's voice is also easily captured, and dynamic biometrics like blinking can be captured and copied.
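The string comparison and the false negatives and false positives described above, as an added example (not MasterCard's code or algorithm): two captures of the same face rarely yield bit-identical strings, so a matcher has to accept "close enough", and the threshold it uses trades false rejects against false accepts. The 256-bit template size, the Hamming-distance comparison and the noise range are assumptions, and all data is constructed.

```python
import random

TEMPLATE_BITS = 256  # assumed template length; the article gives no size


def hamming(a: int, b: int) -> int:
    """Number of bit positions in which two templates differ."""
    return bin(a ^ b).count("1")


def matches(probe: int, enrolled: int, threshold: int) -> bool:
    """Accept when the probe differs from the enrolled template in <= threshold bits."""
    return hamming(probe, enrolled) <= threshold


def noisy_capture(template: int, flips: int, rng: random.Random) -> int:
    """Simulate a fresh capture of the same face by flipping `flips` distinct bits."""
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def error_rates(threshold: int, trials: int = 2000, seed: int = 1):
    """Return (false_reject_rate, false_accept_rate) measured on constructed data."""
    rng = random.Random(seed)
    false_rejects = false_accepts = 0
    for _ in range(trials):
        enrolled = rng.getrandbits(TEMPLATE_BITS)
        # Genuine user: same template with 10-60 bits of sensor noise (assumed range).
        genuine = noisy_capture(enrolled, rng.randint(10, 60), rng)
        # Impostor: an unrelated random template.
        impostor = rng.getrandbits(TEMPLATE_BITS)
        if not matches(genuine, enrolled, threshold):
            false_rejects += 1
        if matches(impostor, enrolled, threshold):
            false_accepts += 1
    return false_rejects / trials, false_accepts / trials


if __name__ == "__main__":
    # threshold=0 is an exact string match; larger values tolerate more noise.
    for t in (0, 30, 60, 128):
        frr, far = error_rates(t)
        print(f"threshold={t:3d}  false-reject={frr:.3f}  false-accept={far:.3f}")
```

An exact match (threshold 0) rejects every genuine capture in this model, while a threshold loose enough to be convenient starts admitting unrelated templates.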
The protection of biometric information is extremely important, as unlike a password, a fingerprint or face can't be changed. MasterCard has not yet explained how the app will protect and transmit biometric-based authentication data, but hopefully the phone's ID will be tied to the authentication process to add another layer of protection. Interestingly, although Android phones can be unlocked using facial recognition, Google labels the option low-security and experimental, feeling a PIN is still the safer option.
MasterCard is not alone in trialing pay by face. Alibaba demoed its facial recognition technology for making payments earlier this year, and consumers do seem to be happy using biometrics for authentication. Facial recognition authentication will certainly make the checkout process quicker, and if biometric authentication raises the security bar higher than current card payment systems, then it's a move in the right direction. No system will ever be 100% secure, and easy security is better than strong security that nobody uses.