With new EU regulations coming into place next September, Mastercard is predicting a significant increase in the use of biometric technology to authenticate who is paying.
With regard to card payments, currently just 1-2% of online transactions require cardholder authentication to complete a transaction (most likely using a password), but this is set to rise to up to 25%, or 1 in 4 payments, from next autumn.
The European rules aim to tackle online fraud, by increasing the number of transactions subject to two factors of authentication by the payer, known as “Strong Customer Authentication” (SCA).
Authentication for online payments and account access will be based on the use of two or more different factors in the future:
- Something you know, such as a password
- Something you have, such as a phone, or card
- Something you are, such as a fingerprint
This will mostly impact card payments made over the internet, be it a desktop or mobile purchase. It will also apply to some contactless transactions, as a periodic check to ensure the card is being used by its rightful owner. In-store Chip and PIN transactions, however, already use two factors (the card and the PIN) and are already compliant.
Although the heightened security measures are designed to protect consumers and businesses from being defrauded, payment networks are working with banks and the rest of the industry to ensure they are implemented without ‘disrupting’ the convenience of payments for consumers.
“MasterCard is spot on in its assessment; the use of passwords is woefully outdated as a means of online authentication. The problem has long been overreliance on yesterday’s approach and a reluctance to embrace the ways in which technology has transformed both our habits and the options available to us,” explains Andrew Shikiar, CMO of The FIDO Alliance – MasterCard has been a board member of The Fast IDentity Online (FIDO) Alliance since 2013.
“It’s encouraging to see that the tide is finally turning, thanks in large part to evolving regulatory requirements in response to escalating levels of online fraud. Far more secure methods of authentication, including biometrics, are now readily available at our fingerprints, which can greatly improve security and privacy for consumers accessing online services, while improving the user experience into the bargain.
As the range of activities we undertake online using mobile devices continues to rise, the more sensitive transactions – such as payments and money transfers – can be facilitated using device-enabled strong authentication. However, its success hinges on the industry’s ability to offer this at internet scale.
Biometric modalities deliver a number of user experience benefits, but not all biometric systems are built on secure, tried-and-true public key cryptography. Biometric authentication relies on matching an input to a held piece of original data, and how that matching process is managed – and in particular how identifying data is stored – raises a host of security and privacy questions. For instance, if data is held in an online central database, a breach of that data could be catastrophic.
On the contrary, a decentralised approach allows users to authenticate by using a private key on their personal device to sign a cryptographic authentication challenge from the service provider’s server. With this approach, the service provider only stores a public key associated with that user’s account, which cannot be leveraged by a hacker having infiltrated a database.
This is one of many reasons why leading service providers like Google, Facebook, Microsoft, Dropbox and many more have deployed FIDO Authentication to protect hundreds of millions of consumers around the world, while reducing the outdated reliance on passwords,” Shikiar concludes.