Forget fingerprints; Iris scans could validate mobile payments

But as the use of biometrics grows, concerns over privacy will remain

While mobile payment systems like Apple Pay and Samsung Pay are growing, they haven't lived up to the hype that surrounded their arrival in 2014.

But newer biometrics security technologies beyond the use of fingerprint scans could boost adoption rates when purchases are made in-store with smartphones. Those technologies include palm vein sensors or even sensors that assess a person's typing patterns or movements.

For online purchases, iris scans could help authenticate buyers. And while SMS (Short Messaging Service) is an option, banks want greater security when using SMS payments. That's where a multimodal approach -- integrating facial, voice and behavorial scans into what's required for a purchase -- might help.

Smartphone vendors and developers of payment software need to consider the multimodal approach and a variety of new biometric techniques to be successful in coming years, according to Tiffany Huang, an analyst at Lux Research. She recently authored a 50-page report, Securing Mobile Payments with Biometric Authentication (membership required).

"Biometrics are needed to improve mobile payment usage," Huang said in an interview today. "It's hard to see one biometric usage winning in the medium-to-far-term."

One reason for the slow adoption of mobile payments in the U.S. is that consumers don't see the value of using a mobile device instead of a credit card, she added. The roll-out of chip-enabled credit cards in the U.S. could eventually help boost interest in mobile payments, but hasn't apparently made a big difference so far.

A U.S. Federal Reserve survey of 2,137 people published last year showed that 75% didn't use mobile payments because they felt it easier to pay with cash or a credit or debit card, while 59% were worried about the security and privacy of mobile payments.

Huang researched dozens of companies in the mobile payment ecosystem, including banks and credit companies and hardware and software designers ande evaluated new biometrics technologies for ease of use, level of security and cost. Fingerprint scans were evaluated along with scans of palm veins, eyeprints, irises, ECGs (Electrocardiograms), voices and faces.

Different biometric approaches are needed depending on the type of mobile payment. In-store, most customers wouldn't want to pose for a few seconds in front of other customers in line for a facial or voice scan. Meanwhile, Huang found that palm vein sensors would be an optimal point-of-sale authentication technology, but would be prohibitively expensive.

Palm vein sensors are rare because they require a large piece of hardware to read the palm vein patterns in a hand, Huang said. Palm veins are 100 times more unique than fingerprints and can't be easily spoofed because the veins are below the surface of the skin.

Fingerprint sensors like those used with iPhones for Apple Pay and in Galaxy phones for Samsung Pay are the most mature biometrics for payments today and the hardware is relatively cheap. But Huang also said the capacitive (pressure-based) sensors can be spoofed by duplicates of fingerprint patterns, which is one reason the payments industry wants alternatives. (Newer fingerprint sensors use ultrasound or optics instead of capacitive sensing.)

Behavioral tracking is a technology that uses the sensors already in most smartphones like the accelerometer, gyroscope, touch screen and GPS. A user can be authenticated by how he or she interacts with a smartphone, including typing patterns. And a smartwatch could authenticate based on movements of the wrist. Meanwhile, GPS could be used to see if the location of a purchase fits in with a user's normal routine. Huang found that such technology has an 80% to 90% authentication accuracy rate -- lower than other types of biometrics -- which requires then adding in a password or other authentication method.

There are numerous small startups working on behavioral sensors, including Biocatch, AimBrain, XYverify and Plurilock.

Huang, in her report, found that the mobile payments industry will be a factor in shaping which biometric technologies gain popularity. "Many companies still want proof that a particular biometric is hardened," she said. She also noted that as new mobile payment platforms get introduced by separate industry players, like Walmart, it will be harder for one biometric approach to dominate.

"Mobile payments have not gone as quickly as we thought, but this year should ramp up,"Huang said. "Once biometrics are adopted to assure users [and banks] of security, it will help drive mobile payment adoption."

In addition to certifying that biometric technologies work, she said manufacturers need to be sure they pay attention to users' privacy fears.

"There are privacy concerns for biometrics as a whole, not just for mobile payment biometrics," Huang said. "Some consumers don't want anything like a camera used in a transaction because it has a Big Brother feel. You do hear that consumers are hesitant about biometrics."

Join the Computerworld newsletter!

Error: Please check your email address.

More about AppleBiometricsGalaxyPalmSamsung

Show Comments