Biometrics: the last bastion against data theft?

October 25, 2016

As password theft continues to reach new heights, and with this year’s revelation of the snatching of 500 million Yahoo passwords, biometrics now seems to be gaining acceptance as a way of countering the trend and bringing greater security to online identification.

Are we seeing an ‘Apple effect’ or is it just that the general public has finally caught on? A few years ago, biometrics was generally thought of as pretty scary, but these days most people regard this approach to identity proof as quite acceptable. Ten years ago, the biometric passport idea aroused a noisy debate, but not anymore! This summer, Visa published the results of a survey carried out among European consumers. Two thirds of those polled stated that they were happy to use biometric identification to ensure the security of a payment. Three quarters of the respondents agreed that two-factor authentication – which combines a physical means of payment with biometric data – is a good way of securing a transaction.

It will come as no surprise to learn that the biometric technology people are most familiar with is fingerprint analysis, which is already available on all medium- and high-end smartphones. The next major biometric technology preference expressed was retinal scanning, followed by facial recognition. There are many other approaches, including iris scanning, DNA analysis and reading the vein pattern on the palm of a person’s hand, which is sometimes used these days for security checks at building entrances. Then there is behavioural biometrics, which is based on uniquely identifiable patterns in human activities such as keystroke dynamics, voice timbre and phrasing, signature analysis and, more recently, heartbeat measurement. Researchers are currently looking into a variety of different methods, some easier and some more difficult to implement, some easier or harder to falsify.

Surprising popularity of selfie-based payment authentication?

Among the range of biometric technologies currently available on the market, there is one new approach that is gaining ground in tandem with the surge in use of smartphones: the selfie. In March 2015, Jack Ma, CEO of Chinese e-commerce leader Alibaba, demonstrated to the audience at the opening session of the CeBIT computer fair in Hanover, Germany how to use facial recognition, based on a selfie, to authenticate a payment. Now the technology has arrived in Europe, spearheaded by MasterCard.

Facial recognition technology has already been used with success for quite some time, but the burgeoning use of smartphones is opening up new horizons. French company Safran Identity & Security (formerly Morpho) has developed a selfie payment system. After you have downloaded the special app, all you have to do to register with the system is scan the chip in your passport using NFC and then take a selfie. Once you have done that, you will be able to authenticate any transaction just by snapping a selfie. This French system has found favour with Samsung, which started embedding Safran’s algorithms in its smartphones this year.

Vincent Bouatou, Director, Innovation & Business Support, at Safran Identity & Security, explains the sudden interest in the selfie despite the fact that these days many smartphones designed for the general public are equipped with a fingerprint reader. “In 1999, when we were Sagem, we were the first to put a fingerprint sensor on a telephone. But it was much too early and the market couldn’t understand why we were doing that,” he recalls, underlining: “However, by the time Apple installed TouchID on the iPhone 5S in 2013, it had become clear to everyone just how useful it was, given the amount of information now stored on smartphones. Entering a code is too much of a nuisance when you have to do it over and over again, so a lot of users simply wouldn’t do it.”

Apple has perfected the integration of a fingerprint reader into its smartphones and the required gesture seems perfectly natural and user-friendly. Nevertheless, from a developer’s perspective, TouchID and Android smartphone fingerprint sensors only give one piece of information. But does this fingerprint really belong to the smartphone owner? If several people have access to a phone, it’s impossible to tell exactly whose identity has been authenticated. When it comes to payments, this makes a huge difference. “For a financial transaction, this information does not suffice and the transaction can subsequently be repudiated by the user,” explains Vincent Bouatou. However, he points out, “with a facial recognition SDK [Software Development Kit], the developer has total control over facial recognition and can track the whole transaction cycle.”

Smartphone manufacturers are looking to encourage widespread use of biometric technology as part of their marketing strategy, but it is the Web giants who could give the technology a decisive boost over the next few years. The FIDO (Fast IDentity Online) Alliance, an industry consortium, includes big names from biometrics and the financial sector, plus Google, Microsoft and others. The aim is to give each person a unique digital online identity that is interoperable with any Internet service. Vincent Bouatou, who is a member of the Alliance’s biometrics committee, points out that “biometrics will play an important role in the project. FIDO 1.0 has been published and Microsoft has announced its support for FIDO functionality on the Windows platform. This will generate massive adoption on PCs and lead to a new way of doing things on the Internet. I’m quite sure that all the other interfaces will follow suit very fast.”

Retailers involved in developing faster payment systems

In France, the Natural Security Alliance is pushing for the use of biometrics both in the banking sector and the retail business. Major French international retailer Auchan and French home-improvement and gardening equipment retailer Leroy Merlin are both members of the Alliance, which is writing the specifications for a common biometric security architecture. “Our specifications are agnostic in terms of which biometric technology is used, but we think that fingerprint reading is the approach that works best right now,” reveals the consortium’s communication manager, Romain Toulotte, explaining: “This technology offers two advantages. Firstly, there’s an enormous number of fingerprint sensors available at a wide variety of prices, ranging from sensors designed for use at customs control to those embedded in smartphones. Secondly, a fingerprint reader only works on the basis of something the user makes a conscious decision to do, unlike voice or face recognition, which can be carried out without the user’s knowledge.”

In the summer, the French Natural Security Alliance was given the green light by the CNIL, the French national commission that oversees privacy in the field of computer data and online information, so approved devices will start to be rolled out in France from now on. Auchan, which has a representative on the Alliance’s Executive Board, trialled this technology for payments at the Villeneuve d'Ascq shopping mall near Lille in northern France back in 2012 and is planning to conduct a full pilot test at the end of the year. MyAuchan loyalty card holders will be able to use fingerprint readers to identify themselves at the checkout and will also be able to use fingerprint ID instead of QR codes to pay for their shopping with the Fivory electronic wallet. The ‘Envies de Saison’ fast food chain will be launching the same approach in the next few weeks and horse race betting company PMU is also gearing up to use fingerprint ID to authenticate the identity of those placing racing bets.

 

© L’Atelier BNP Paribas