To err is human. Unfortunately, in our tech-driven and connected modern world, human error combined with complex password requirements creates a perfect storm of security risk for a growing number of mobile consumers.
With their increasingly frustrating parameters (warning: password must be at least 12 characters long, contain a capital letter, a number, a special character, and cannot contain a word, name, or a place), passwords can easily be forgotten, forcing developers to include a password reset feature that can be bypassed through simple social engineering or a brute force attack. What’s more, hackers can easily tap into a phone’s Bluetooth, NFC, or Wi-Fi connection and “sniff” your phone’s network traffic to swipe both locally stored passwords as well as passwords that unsuspecting users are typing in when checking their bank account balance, for instance.
In a nutshell, passwords represent an antiquated system of authentication, one that has no place in the world of mobile payments, where the stakes and risks of both monetary and identity theft are among the greatest, as witnessed by the 2.1 million Americans who had their phones stolen in 2014.
But thanks to advances in encryption and biometrics, you may no longer have to type ‘l0gZyJz&nk3r’ the next time you want to use your smartphone to pay for that impulse purchase — all that may be required is a swipe of your thumb, a scan of your iris, or perhaps even your heart rate. In partnership with Braintree, we spoke to some of the most brilliant innovators around biometric authentication to discover how they’re making passwords in mobile payments a thing of the past.
Your body is the password
You’ve surely heard a version of this popular advice: Create a complex and unique password, as doing so will make it hard for crooks to guess. However, even the most obscure password is vastly inferior to biometric authentication, which treats the body’s physical attributes, such as your own fingerprint or voice, as a form of code. Guessing the biometric “password” of a stranger isn’t really viable, as you’d need access to the would-be victim’s actual body — or body parts, à la “Minority Report” — to have a chance at fooling the system.
By taking advantage of common device features, such as the microphone, camera, or fingerprint sensor, mobile phones are capable of implementing layers of “multimodal” authentication methods to prove the user’s identity, such as a combination of voice and facial recognition. Multiple biometric checks make it next to impossible for hackers to spoof, or fool, the phone into giving them access.
Though security technologies like the fingerprint reader have been available on smartphones for many years now, users have been reluctant to adopt them, preferring to stick with vulnerable PIN codes and pattern swipes instead.
“People choose convenience over security,” says Mikhail Gofman, professor at California State University, Fullerton, and an expert on multimodal biometrics. “The good thing about biometrics is that people are relieved from the responsibility of designing and remembering a strong password — you don’t have to remember your fingerprint, it’s a part of who you are.”
Biometrics in action
Several companies lead the charge to bring multimodal biometrics to mobile shoppers. Among these is Ireland-based Daon, which provides mobile biometric services for commercial enterprises like financial institutions and payment providers.
In addition to using voice, facial, and fingerprint recognition to verify the smartphone’s owner, Daon’s technology also takes advantage of the phone’s GPS locator to help determine the owner’s identity. If the user is accessing a given app from an expected location, such as their home or workplace, no problem. If the GPS registers from thousands of miles away, problem. Together, all of these biometrics are scored and passed through a formula to produce a combined authentication score that is measured against a predetermined threshold. Only when the authentication score passes that threshold does the user gain access.
As complex and time-consuming as biometric authentication sounds, in practice the process takes less time than keying a password into a smartphone. In a live demo hosted by Daon, a user was able to use biometric authentication to purchase things online and log into a bank account in seconds. To improve convenience, Daon’s authentication strictness can be adjusted; for less expensive purchases like a coffee, users may just scan a fingerprint.
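The scoring described in the two paragraphs above (several signals fused into one score, a location check, and a threshold that varies with how much is at stake) can be written down in a few lines. The Go program below is an added illustration, not Daon’s code: the modality weights, tier thresholds, the 0.6 location penalty and the matcher scores are all assumed values, and the rule that a higher tier must also present more modalities is a design choice added here so that a single strong fingerprint cannot approve a high-risk action on its own.

```go
package main

import (
	"fmt"
	"math"
)

// ModalityScore is one matcher's output: a similarity score in [0,1].
type ModalityScore struct {
	Name   string
	Score  float64 // 1.0 = perfect match, 0.0 = no match
	Weight float64 // assumed relative trust placed in this modality
}

// Tier is a hypothetical transaction risk tier.
type Tier int

const (
	TierLow  Tier = iota // small purchase, e.g. a coffee
	TierMid              // larger purchase
	TierHigh             // bank login or account change
)

// ThresholdFor returns the minimum fused score a tier requires (assumed values).
func ThresholdFor(t Tier) float64 {
	switch t {
	case TierLow:
		return 0.70
	case TierMid:
		return 0.80
	default:
		return 0.90
	}
}

// MinModalities returns how many distinct signals a tier demands (assumed values),
// so a high-risk action cannot be approved by one strong fingerprint alone.
func MinModalities(t Tier) int {
	switch t {
	case TierLow:
		return 1
	case TierMid:
		return 2
	default:
		return 3
	}
}

// FuseScores computes a weighted mean of the modality scores, then applies the
// location check as a multiplicative penalty rather than as another vote: an
// unexpected location cannot be outweighed by strong biometrics.
func FuseScores(scores []ModalityScore, locationExpected bool) float64 {
	var sum, wsum float64
	for _, s := range scores {
		sum += math.Max(0, math.Min(1, s.Score)) * s.Weight // clamp to [0,1]
		wsum += s.Weight
	}
	if wsum == 0 {
		return 0
	}
	fused := sum / wsum
	if !locationExpected {
		fused *= 0.6 // assumed penalty for an unexpected GPS location
	}
	return fused
}

// Authenticate returns the decision and the fused score that produced it.
func Authenticate(scores []ModalityScore, locationExpected bool, t Tier) (bool, float64) {
	fused := FuseScores(scores, locationExpected)
	if len(scores) < MinModalities(t) {
		return false, fused
	}
	return fused >= ThresholdFor(t), fused
}

func main() {
	// Constructed matcher outputs for one session.
	scores := []ModalityScore{
		{"fingerprint", 0.92, 1.0},
		{"voice", 0.90, 0.8},
		{"face", 0.95, 0.9},
	}
	for _, loc := range []bool{true, false} {
		ok, f := Authenticate(scores, loc, TierHigh)
		fmt.Printf("expected location=%v fused=%.3f approved=%v\n", loc, f, ok)
	}
	ok, f := Authenticate(scores[:1], true, TierLow)
	fmt.Printf("fingerprint only, low tier: fused=%.3f approved=%v\n", f, ok)
}
```

With the constructed scores, the three-modality session fuses to about 0.924 and clears the high tier from an expected location, but drops to about 0.554 and is refused everywhere once the location penalty applies; the fingerprint alone is enough for the coffee tier and is refused for the high tier before its score is even compared.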
“When we stop authenticating for things like passwords and start authenticating the person, many of our cybersecurity risks go away,” says Conor White, president of Daon’s Americas operations. “What we’ve done with biometric authentication is to make it both secure and convenient.”
Biometrics of tomorrow
As the commercial adoption of biometrics for mobile phones increases, it’s important for both hardware manufacturers and software developers to adopt stringent standards that guarantee mobile security in the long run. This need for an industry standard was the impetus for Nok Nok Labs, a Palo Alto, Calif.-based authentication company, to found the FIDO Alliance, a nonprofit made up of veteran security experts whose mission is to develop authentication specifications, including those for biometrics.
Founded in 2014, the FIDO Alliance has quickly grown to 215 members, and they come from every part of the smartphone supply chain, including chip manufacturers like ARM, software companies like Google, and card associations like MasterCard (Daon is also a member of the board). This diverse representation gives the FIDO Alliance a unique advantage over other standards forums as it ensures every component in the biometric authentication process meets the industry specifications.
One of the most critical security standards the FIDO Alliance advocates for is client-side registration and authentication, which essentially means that your biometric data is verified only by your smartphone and never leaves the actual device. Further, thanks to the growing adoption of PCI DSS (the security standard for online payment processing), merchants can use payment processing platforms, such as those offered by Braintree, to safely encrypt and transmit sensitive customer data, thus mitigating the impact of server-side data breaches.
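The client-side model in the paragraph above has a concrete shape: the phone keeps both the biometric template and a private key, the server keeps only the matching public key from registration, and a login is the phone signing a fresh server challenge after its own local biometric check passes. The Go program below is an added sketch of that exchange, not FIDO Alliance or Nok Nok code, and it simplifies: the "matcher" is a byte comparison on a constructed template (a real matcher scores a sample against a stored template), and the transport is a direct function call rather than a network. What it does show is that nothing biometric ever reaches the server and that a captured signature is useless once its challenge has been consumed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models the phone. The biometric template and the signing key are
// stored here and never sent anywhere; the matcher is a constructed stand-in
// (a byte comparison), not a real biometric matcher.
type Device struct {
	template   []byte
	privateKey ed25519.PrivateKey
}

// Server stores only each user's public key plus the challenge it last issued.
type Server struct {
	registered map[string]ed25519.PublicKey
	issued     map[string][]byte
}

func NewDevice(template []byte) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{template: template, privateKey: priv}, nil
}

func NewServer() *Server {
	return &Server{
		registered: make(map[string]ed25519.PublicKey),
		issued:     make(map[string][]byte),
	}
}

// Register is the enrolment step: only the public key crosses the network.
func (d *Device) Register(s *Server, user string) {
	s.registered[user] = d.privateKey.Public().(ed25519.PublicKey)
}

// Authenticate runs the local biometric check and, only on success, signs the
// server's challenge. A failed match yields no signature at all.
func (d *Device) Authenticate(sample, challenge []byte) ([]byte, error) {
	if !bytes.Equal(sample, d.template) {
		return nil, errors.New("local biometric match failed")
	}
	return ed25519.Sign(d.privateKey, challenge), nil
}

// Challenge issues a fresh random nonce for the user and remembers it.
func (s *Server) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[user] = c
	return c, nil
}

// Verify checks the signature against the outstanding challenge and then
// discards that challenge, so a captured signature cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.registered[user]
	challenge, issued := s.issued[user]
	if !ok || !issued {
		return false
	}
	delete(s.issued, user)
	return ed25519.Verify(pub, challenge, sig)
}

func main() {
	template := []byte("constructed-fingerprint-template") // constructed stand-in
	dev, err := NewDevice(template)
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	dev.Register(srv, "alice")

	challenge, _ := srv.Challenge("alice")
	sig, err := dev.Authenticate(template, challenge)
	fmt.Println("genuine user accepted:", err == nil && srv.Verify("alice", sig))
	fmt.Println("replayed signature accepted:", srv.Verify("alice", sig))

	challenge, _ = srv.Challenge("alice")
	_, err = dev.Authenticate([]byte("someone else"), challenge)
	fmt.Println("wrong sample produced no signature:", err != nil)
}
```

The one-challenge-per-login rule in Verify is what turns a passive capture of the signature into nothing more than a stale value; the secret that matters, the private key, is only ever exercised on the device and only after the local match.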
“We don’t believe that enterprises and corporations should be in the business of aggregating biometric templates,” says Rajiv Dholakia, VP of Products at Nok Nok, “because inevitably whenever you aggregate any secrets, it represents a very tempting target. That’s why passwords are such a problem.”
The sophistication of biometrics promises to improve in line with smartphone technology. The latest authentication methods include infrared iris scans and behavioral biometrics, which measure the way you hold your phone, the way you sit and how you walk. With the growing ubiquity of fitness features, it’s expected that the next generation of mobile biometrics will use electrocardiograms, or heartbeats, to authenticate users.
Considering the vast number of ways biometrics can be used to authenticate a smartphone’s owner (some have even proposed using body odor for authentication), gone is the need to remember a long and complex password when making a mobile payment — you already carry the most unique password: yourself.
Biometric authentication makes mobile payments fast, easy and reliable, removing the need for hard-to-remember passwords. Now that you know how your customers can shop in confidence, consider Braintree as your mobile payment platform to take care of the rest.