- Key Insights: Biometric authentication is migrating to e-commerce.
- What’s at Stake: Banks face pressure to upgrade their security and payments technology.
- Forward Look: While there are hurdles to adoption, the market for biometric technology is expected to expand.
Federal Bank, a private sector bank in India, recently began a
“Say goodbye to
Here’s how it works
On the checkout screen of the partner merchant app, users choose the tokenized card from the available options and receive the biometric authentication page directly. From there, they can authenticate the payment using fingerprint or Face ID. Typical banking transactions take around 45 to 60 seconds; using biometric authentication, transactions can be completed within three to four seconds, according to the bank.
To be sure, consumers in the U.S. are getting more comfortable using biometrics to authenticate themselves, including for
With card-not-present transactions, there’s no way to know the consumer is really making the purchase, said Suzanne Sando, lead analyst in the fraud and security practice at Javelin Strategy & Research. Even if an SMS or one-time password is required at checkout, these are vulnerable to criminal interception in a variety of ways. One method is SIM swapping, where attackers use social engineering to trick a mobile carrier into transferring a person’s phone number to a new SIM card they control, allowing the bad guys access to all incoming SMS messages and calls. Malware can also intercept SMS messages, or consumers can be tricked into sharing one-time codes with bad actors.
Although consumers are repeatedly warned not to share one-time codes with anyone, they often disregard this advice. Making matters worse, Sando said she has been asked twice in the past few years by legitimate banks she’s doing business with for her one-time password, which is a big no-no, and has the potential to confuse customers.
Employing biometrics for e-commerce transactions would make online shopping more secure, Sando said, adding that she hopes it will become the norm for e-commerce authentication within the next few years. “There are far more secure options out there” than SMS and one-time passwords, Sando said.
Hurdles to adoption
Getting to that step is another matter entirely, however. Goode Intelligence predicts there will be almost 3.5 billion biometric payment users by 2030, but it remains unclear how quickly biometrics will be widely adopted for e-commerce authentication. In many instances today, customers aren’t required to authenticate themselves when making an online purchase, while some payment methods, like
Apple Pay uses biometrics (face or Touch ID) to authenticate the customer during the transaction, while PayPal and increasingly others now support passkeys, a FIDO authentication credential based on FIDO standards, Zil Bareisis, director of retail banking and payments at Celent, wrote in an email.
It might be challenging to get merchants to adopt biometric authentication for e-commerce because they typically want to make purchasing as frictionless as possible, and adding a layer of security could impede that, said Jim Mortensen, strategic advisor in the fraud and AML practice group at Datos Insights. “I do think it’s going to grow, but I think it’s going to grow slowly unless there’s some regulatory requirement to require it to be rolled out or adopted more rapidly,” he said.
There have been some attempts to add more security for online purchases. Mortensen points to American Express, which has added facial recognition and fingerprint to its SafeKey solution for online transactions. During online checkout at participating merchants, SafeKey’s advanced technology works in the background to make sure it’s really the cardholder initiating the transaction. If necessary, Amex asks the customer to confirm their identity with their face or fingerprint, an app notification, or a code.
There’s also 3D Secure, which provides an extra layer of security in card-not-present online transactions, but it’s more commonly used in Europe, due to regulatory requirements regarding authentication, Mortensen said.
Consumers are already comfortable with one-time passwords for authentication, so it’s just a matter of moving them toward a different, more secure way to authenticate themselves, Sando said. Having customers sign up once to enroll their face or fingerprint shouldn’t take long, and they might be more willing to do so in exchange for added security, she said. These other methods “are not getting the job done,” she added.
To be sure, consumer acceptance of biometrics has been increasing. Research from Datos Insights found that 19.5% of consumers polled last year would most prefer facial recognition to access their bank account, while 24.8% of respondents said they prefer fingerprint biometrics. In 2018, only 3.8% named facial recognition as their preferred method.
At the very least, Sando said banks should enhance their use of behavioral biometrics to help reduce fraud for online transactions. Behavioral biometrics relies on user activity patterns to detect deviations and potential fraud. With strong behavioral biometrics in place, spoofing becomes more difficult, she said.