Biometrics have created a great deal of excitement in the payments space, offering an opportunity to streamline and improve the customer experience and avoid much of the friction caused by more traditional authentication such as passwords. Recent Visa research shows that 73% of people would like to use biometrics as a form of two-factor authentication. So how are we responding to the exciting opportunities offered by biometrics?
Firstly, it’s important to look at the role Visa has always played in enabling new technologies such as biometrics. By adapting our standards to recognize these technologies as valid form of authentication for card transactions we can help provide the environment for our members to begin testing and rolling out biometrics for their user experiences. Banks such as ABSA in South Africa have already used this standardisation to proceed with pilots using fingerprint at ATMs. We’re increasingly working with our issuer and acquirer partners to explore usage of biometrics to better understand what learnings and experience they offer. We have been supporting a WorldPay pilot using FingoPay where the finger vein initiates the customer payment at point of sale and have also been working through Proofs of Concept with InAuth (securing the device),and potential scoring systems to recognize the biometric (ThreatMetrix). We have also agreed a strategic partnership with Safran (formerly Morpho),a recognised world leader in the biometrics and authentication space, to help improve our understanding of the implications and opportunities created by this new technology.
As these pilots progress some key themes are emerging:
User experience is as important to the customer as security
Many of the biometrics pilots demonstrate that testing the User Experience (UX) is critical to customer adoption. Roughly half of the people we surveyed think that biometrics will make payments faster and easier than traditional security methods; however, at a recent conference I attended, TFL stated their concern that using biometrics at turnstiles would slow down pass through rates.
There is no one biometric solution that will work for every situation. For instance, background noise can affect voice recognition, and people may not want to take a selfie in a high-end restaurant when it comes time to pay the bill. Technological limitations may be an issue as well as fingerprint being constantly read on a phone will become more reliable than a scenario where it is used on a single occasion in a store. As we explore standards and certification, it is as important to assess the impact on user experience – what is the success rate for transactions? Do we see false positives (wrongly validating the customer) or false negatives (wrongly declining a valid customer)? As merchants have increasing influence over managing the payment flow, successful registration and checkout ratios will be key determinants of the success of the technology.
“Biometrics +” for authentication?
It’s important to state that, while biometrics offer significant opportunities to achieve the right balance between convenience and security, they are not the only solution and we believe it’s important to take a holistic approach that considers a wide range of enabling technologies that contribute to ensuring safe, frictionless payments. Biometrics work best when linked to other factors, such as the device. One of the challenges for biometrics exists for scenarios where it is the only form of authentication undertaken (for instance linking fingerprint to credentials) – early tests show that the results may not be 100% accurate, resulting in some false positives or negatives.
Closed vs open loop
The most common biometric authentication use cases today exist in closed loop scenarios where the biometric is held with one, generally trusted, party – Touch ID for Apple, facial recognition at UK airports – and this control enables a user experience. Organisations such as the FIDO alliance (of which Visa is a member) are seeking to try to create open standards, but it is still relatively early days. We will continue to see biometrics used in closed loop environments, such as banking or ATM access, but there is still considerable distance to travel before a biometric can be a universal, open enabler of access. Key issues, such as ownership of the liability in the commercial framework, will also need to be resolved as part of this process.
How do we make customers “feel” these technologies are safe?
Many new forms of biometrics tend to promote themselves as “the safest” form of biometric or “safer” than their counterparts. This can be extremely counter-productive. Some key consumer concerns persist about customer options if biometric credentials are stolen – changing a password or PIN is relatively straightforward but how do I “change” my fingerprint for instance? The customer cannot, and should not, be required to be an expert on the relative security of one form of biometrics over another – they expect their card provider to act on their behalf and ensure they are protected irrespective of the underlying technology. Unless customers feel they can use the technology safely they will resist adoption.
Will the industry need to standardise around limited numbers of biometrics to remain viable?
Our own experience on Verified by Visa has demonstrated that a lack of standardisation and consistency in the user experience can create frustration and impact adoption. There is yet to be any clear biometric “winner” and that may have impact on the growth of biometrics. With the advent of the Internet of Things and increasing numbers of connected devices now able to make payments, the appropriate biometric will also need to be considered contextually. While some biometrics, such as Touch ID, have already begun to gain widespread adoption I’m sure many others will emerge and seek to become integrated into the customer journey. Some user experiences will be better suited to selfies, some incorporated into wearables, and within Visa we are therefore consciously agnostic so that, subject to delivering safe, frictionless payments we are keen to explore how we can incorporate various biometric technologies that are “enabled by Visa”. However, a lack of standardisation may prove to be a sufficient industry challenge that, at some point, we need to collectively address – Chip and PIN has been successful because it has been a mutually agreed standard.
In summary, it’s clear that biometrics are still at an early stage in their evolution and it’s still too soon to make definitive calls on which biometrics will gain mass adoption. We will continue to support the opportunities to improve the customer experience but also recognize that there are still some significant questions that need to be answered before these solutions are fully integrated into the payments landscape.