The Changing Face of Mobile Payments

You cannot fail to notice that biometrics is having an impact everywhere!  From access control systems to mobile banking and in particular it is likely to be facial recognition that will have the greatest impact over the next ten years.

According to research firm Tractica; facial recognition adoption will grow from 28.5 million mobile devices in 2015 to more than 112.8 million by 2024, and at the forefront of this prediction will be mobile payments and authentication.  While that is just a forecast, many mobile payment experts predict it will be far higher and as much as 450 million mobile bank customers will be using some form of biometric authentication by the end of this year, according to a recent study by Goode Intelligence.

Many predict that paying by face or a selfie will become more standardised than 
currently the fingerprint on your smartphone, such as Apple’s Touch ID which uses a fingerprint sensor.  This is because facial recognition is a more reliable form of biometric technology compared with a fingerprint.  The fingerprint sensor has already shown its vulnerabilities and been spoofed by various hacking organisations.  This could lead to a lack of consumer confidence if you have had your fingerprint template stolen.  It is not an easy process to retrieve because currently all fingerprints are stored on the device which means it cannot be compared against a central database to prove that it is “really” you.  Fraudsters are fully aware of this, therefore security is a very important part that biometrics must have. 

Facial recognition technology has around a 95% degree of accuracy.  However, facial recognition on its own should not solely be relied upon because biometrics is not an exact science and often depends on certain environmental conditions.  For example shading or poor lighting, shadows or even people of a darker skin may result in some failure rates.  Therefore a multimodal approach is required and using a combination of biometrics such as fingerprint, face, voice, iris and even vein is going to be necessary as well as it will also very much depend on what each user is comfortable with.

 If facial recognition is combined with other biometrics such as a voice, iris or fingerprint, then this raises the levels of certainty to around 99.5%.  It will also depend on the level of risk too.  Just accessing your bank account or making small payments may only require one simple level of authentication.  For example, when Apple Pay launched in the U.K. in July 2015, it will allow up to a £30 limit with just one touch of your finger to authenticate a transaction.  While this would be seen as a quick and easy way to pay for goods and services, consumers will also have to be careful because it is very easy to make mistakes and once the payment is made and left your account, it will not be possible to “undo”!

However the driving force towards faster payments and a frictionless way of paying via your mobile wallet is where biometric technology is going to play a central role in the verification process.  There are already many ways you can use your mobile device to pay for things and leave your physical wallet/purse and cash at home.  While currently the Touch ID fingerprint is how Apple Pay, PayPal, Samsung Pay, Android Pay and some banks will use as part of the authentication process, there are many other banks and payment services providers that are now considering a combination of both face and voice recognition through your mobile app.  Together with your fingerprint, they will form a part of your customer biometric profile.  Some banks are already using it.  In the United States, the USAA bank allows its digital customers a choice of either fingerprint, face, voice or pin to verify access or transactions.  They were able to recently survey over 1m of its customers and while the fingerprint was around 80% of what customers presently preferred, significantly facial recognition was their second choice.  Remarkably, the average age of their customers using this technology on the device was 38.  15% of those surveyed were also over 65.  Nearly half of those surveyed showed enrolment for the service was made without any advertising.  This shows that wide spread adoption was much easier than they had realised.

In fact there are many other examples where nearly all banks are getting in on the act.  Just recently Wells Fargo announced it was planning to pilot a combination of both voice and face recognition biometrics to authenticate mobile iPhone app users.

In the U.K., MasterCard are conducting an experiment with 500 of its mobile app customers with a facial recognition trial to authenticate purchases.  They have also just announced to start the same trials in the Netherlands and the U.S. too.  In China, ecommerce giant Alibaba Group and affiliated online payment service Alipay are aiming to use facial recognition technology for customers to log-in.

So over the next few years, using your biometric customer profile will become mainstream.  You will become the password.  Performing a selfie will be a simple way to access your mobile wallet, authenticate a payment and essentially prove who you are in real-time.  It will be part of the KYC (Know Your Customer) process and a bank or retail operator can see who their customers are and whether your face matches in their database.  This also has many benefits to prevent fraud.  It stops multiple accounts or account takeovers, and also it is very difficult for fraudsters to hack.  Another benefit in using biometrics is that it can be seen as replacing the dependency for passwords.

In Europe, the new EU Payment Services Directive or PSD2 which was ratified by the European Parliament this months, now comes into force over next two years and within the guidelines, the European Banking Authority are calling for stronger customer authentication (SCA) processes with regard to all internet and mobile payments as it becomes law.  This will mean that every ecommerce operator in all 28 European States must follow the new guidelines and will have to introduce more stringent methods for authenticating transactions.  Because of the unique human characteristics of biometric technology has to offer, it has been attributed as being one of the main methods in which banks and other companies can use as part of a two-factor authentication process.

The guidelines state that strong customer authentication is an authentication process that validates the identity of the user of a payment service or of the payment transaction (more specifically, whether the use of a payment instrument is authorised). Strong customer authentication is based on the use of two or more elements categorised as knowledge (something only the user knows, e.g. a password or a PIN), possession (something only the user possesses, e.g. the card or an authentication code generating device) and inherence (something the user is, e.g. biometrics, the use of a fingerprint, face or voice recognition) to validate the user or the transaction. These elements are independent (the breach of one element does not compromise the reliability of the others) and designed in such a way as to protect the confidentiality of the authentication data.

So there is no doubt biometrics are here to stay and whether we like it or not, it will become a way of life for mobile payments.