Biometrics and the Payments Industry

Dutch painter Vincent van Gogh is arguably best-known for cutting off one of his own ears, an incident that occurred on December 23, 1888. According to the Van Gogh Museum in Amsterdam “it was the first of several serious breakdowns that plagued him until his tragic suicide a year and a half later.”1  

Main Content

Biometrics and the Payments Industry

Aug 27, 2018

Biometrics and the Payments Industry

Dutch painter Vincent van Gogh is arguably best-known for cutting off one of his own ears, an incident that occurred on December 23, 1888. According to the Van Gogh Museum in Amsterdam “it was the first of several serious breakdowns that plagued him until his tragic suicide a year and a half later.”1

Not everyone believes that van Gogh’s injury was self-inflicted, however. Most notably, perhaps, two Hamburg-based historians, Hans Kaufmann and Rita Wildegans, have argued that van Gogh’s ear was actually lopped off (with a sword) by fellow artist Paul Gauguin.2 Regardless of what actually happened to van Gogh’s ear, an injury such as that could conceivably take on added significance in the near future, if ears emerge as the future of physiological biometrics, as some observers have suggested.3

If you believe that’s an unrealistic scenario, NEC Corporation, has developed a personal identification technology that “uses the resonation of sound determined by the shape of human ear cavities to distinguish individuals…. Since the new technology does not require particular actions such as scanning a part of the body over an authentication device, it enables a natural way of conducting continuous authentication, even during movement and while performing work.”

Indeed ears do have their share of advantages when it comes to biometrics. “Ears are unique,” says Michael Boczek, President and CEO of Descartes Biometrics, a company that specializes in mobile ear detection security apps, noting that they are “stable and enduring, which means [they] change very little over the course of one’s life,”4 as opposed to, say, faces, which can change significantly over the course of many years.

Regardless of which method(s) of authenticating users “win out” in the long run, it’s pretty clear that the preferred data used to identify people is in the process of evolving. Going forward, the data used to identify us as individuals may be either physiological (like fingerprints) or behavioral (keystroke dynamics, for example) — or some combination of the two. That’s because the field of biometrics has advanced considerably since Apple® introduced the iPhone® fingerprint sensor TouchID® in 2013, with businesses and researchers highly motivated to find new and improved ways to fight fraud and combat cyber security threats.5

Advantages and disadvantages of biometrics

As we noted in a previous TSYS blog,  Beyond the PIN, Password, “the main advantage of biometrics is that it allows you to prove your identity using characteristics that make you unique. So the data is much less likely to be forgotten, stolen or forged, in contrast to using something you possess (like a document or card) or something you know (like a password or secret phrase).”

The disadvantage of using biometrics to authenticate someone is that if the information is stolen or forged, it’s more difficult to replace the information (i.e. you can’t get a new fingerprint, for example). Some security conscious individuals have pointed out, too, that certain forms of biometric data may be relatively easy to obtain, such as leaving your fingerprints on a glass in a restaurant.

Biometric data is anything but immune from hacks and attacks. According to an article in Wired, “researchers from mobile security firm Vkansee [have demonstrated the ability] to break into Apple’s Touch ID system with a small piece of Play-Doh® … similar to what security researcher Tsutomu Matsumoto did with a gummy bear over a decade earlier with another fingerprint sensor. And researchers at Michigan State University … released a paper that describes a method for spoofing a fingerprint reader using conductive ink printed with an ink jet printer in less than fifteen minutes.”

The promise of the future

On the other hand, creative new approaches — including multifactor biometric authentication — could help the biometrics industry overcome many of the challenges that will inevitably present themselves.

An Acuity Market Intelligence white paper in September, 2017, Taming the Authentication Beast: Simplifying and Enhancing the Customer Journey with Biometrics in the Cloud argues that “the Financial Services industry must radically improve the customer journey to reap the rewards of the Digital Revolution” as “mobile and digital financial service solutions are failing the test of consumer expectations.”

In other words, to solve fundamental authentication challenges “a new ‘identity-centric’ paradigm is needed … one that will unleash the power of FinTech innovation by recognizing an individual — not just a device — on the other end of a request for information, money, credit, or any financial service.” So forget about passwords and other secrets.  According to Taming the Authentication Beast, “The true promise of Identity-Centric IT is to create a foundation based on Unique Verifiable Identity (UVI) — and individual human identity that has been verified via biometric authentication and linked to an established, vetted digital identity.”

What is needed, stated the white paper, is biometrics in the Cloud — that is, centralized or “server-side” biometrics — where “biometric data is captured locally on-device, converted to a biometric template on the device, [and] then the template is encrypted and sent to a server for authentication.”

One of the advantages of Cloud biometrics is that “the loss, damage, or failure of a single device [would] not require re-enrollment or un-enrollment, as biometric data is not accessible on the device.” At the same time, should a biometric template be somehow compromised, it could be revoked and replaced with a new one.

The paper also suggests utilizing multifactor, biometric-cloud step-up authentication. That is, “a user might be asked to authenticate one of several biometrics, or multiple biometrics in a specific sequence,” to name two possibilities.

In this way, payment processors and other financial service providers would be able to deliver an appropriate level of friction based on the risk or value of the transaction. Moreover, machine learning  could be used to improve the ability of biometric solutions to identify unusual behavior, recognize fraud and determine step-up authentication needs.

While it may be relatively early in the game to determine all the ways biometrics will be utilized for authentication purposes in the payments and financial services industries, it seems clear that physiological or behavioral biometrics — or both — will likely play a significant role in the near future. Or at least they should, as secrets-based solutions like passwords are increasingly unwieldy and lack the security necessary for the financial services industry to reach its full potential.

As the biometrics industry continues to move forward, the payments industry will be “all ears” to determine how it will affect merchants and customers.

1. On the Verge of Insanity, Van Gogh Museum, https://www.vangoghmuseum.nl/en/stories/on-the-verge-of-insanity?v=1#0

2. The Real Story Behind van Gogh’s Severed Ear, ABC News, https://abcnews.go.com/International/story?id=7506786&page=1

3. Why Ears Are the Future of Biometrics, M2SYS Blog on Biometrics Technology, http://www.m2sys.com/blog/guest-blog-posts/why-ears-are-the-future-of-biometrics/

4. Biometrics Are Coming, Along With Serious Security Concerns, Wired, https://www.wired.com/2016/03/biometrics-coming-along-serious-security-concerns/

5. iPhone 5S Comes With TouchID Fingerprint Scanner, CNET, https://www.cnet.com/news/iphone-5s-comes-with-touch-id-fingerprint-scanner/

Contact Us
About Our
Merchant Services

Get your Free Quote, Now!

After you have submitted your information, a TSYS representative will contact you.

All fields are required to submit form. Your information is private and secure. We do not accept adult businesses

Customer Support Form