Threatpost details new payment authentication technology from two credit card companies, Visa and MasterCard, which hope to improve security by using biometric data like fingerprints and cardiac rhythms.
Will biometric data make for more secure transactions? Surprisingly, the answer to that question has as much to do with convenience as it does with security.
Current password systems are flawed. Most passwords are…
- Too simple. Many passwords lack number and letter combinations.
- Too short. People use shorter words because they're easier to remember.
- Too common. The top two worst passwords in 2013 were "123456" and "password."
So why do we keep the current password systems in place? The answer: it only takes a second for a user to type in a password. So far, users have been resistant to change, balking at any additional layers of security.
Visa and MasterCard hope that by using fingerprint authentication, they'll offer a simple way to verify online transactions that won't seem inconvenient to users accustomed to typing their passwords quickly. To understand how this might work, let's take a closer look at biometric authentication.
How Biometric Authentication Works
Currently, Visa and MasterCard offer systems like "Verified by Visa" and "SecureCode" that require users to enter a password when they make an online transaction. If users and merchants have these systems enabled, when cardholders attempt to make an online payment, a new dialogue box will open and require them to enter their payment password.
However, users don't like this system: it's slow, and the dialogue box offers a clunky interface that reminds some information technology professionals of phishing scams that try to trick users into entering passwords.
As Visa and MasterCard have sought to replace this system, they've settled on biometric authentication – a system that is secured by a user's unique biological patterns, like…
- Heart rhythms.
- Retina patterns.
Though they haven't released the full details yet, these two payment companies plan to use fingerprint sensors, one-time passwords, and wristbands (to track heartbeat rhythms) to make for faster authentication. The system might resemble Apple Pay, which uses a fingerprint sensor on the iPhone to authenticate mobile payments.
Will Biometric Authentication Actually Catch On?
For years, we've seen Internet companies and security researchers offer alternatives to traditional password / login security. But none of these have caught on.
Nearly two years ago, Google started to push the idea of having users wear rings or use keys they can plug into USB ports in order to log in. That was two years ago, and no one is walking around with a Google ring. (If you don't believe this was a real thing, read this Wired article.)
So will Visa and MasterCard's plan actually work? Or is this attempt destined for the same obscurity as the Google ring?
One factor helping these companies is that they have a lot at stake. Banks and credit card companies pay for a lot of the cost of a data breach. Because banks have to reimburse users for fraudulent purchases and replace their cards, they often have to pay millions when a retailer is hacked. In fact, the Target data breach ended up costing banks $60 million just to replace cards.
It's in Visa and MasterCard's best interest to find a way to improve security without inconveniencing cardholders. If they can do so and market their product (at least as well as Apple Pay), ecommerce sites and online retailers will have to start adopting this new technology.