Face value: Biometric verification gains speed

First came the swipe and sign, then came chip and PIN and now you can tap-and-go. Soon, you'll validate your credit card transactions in-store and online using your unique physiology. Like something out of James Bond, you'll be able to choose from one of several biometric options, including fingerprint, iris or even heartbeat recognition, as credit card companies and Canadian banks search for a payment method that's more secure and convenient for their consumers. 

"We believe passwords are a real problem," says Nick Dinh, vice-president of mobile payments at MasterCard Canada. He emphasizes that's especially true when you have several online accounts with their own password formats and requirements. "We're getting to the point where biometrics are a viable option to improve the checkout experience for both consumers and merchants, while enhancing security and reducing fraud."

MasterCard's new biometrics app, MasterCard Identity Check, is in the pilot phase and should roll out in 2016. Identity Check works by allowing you to set up a biometric profile for online shopping. At checkout, you'll be prompted to confirm the transaction on your phone using either a fingerprint or your face -- that's right, Identity Check will recognize selfies. Transactions won't be approved until they are verified. biometric-verification

MasterCard also will layer biometrics such as fingerprint recognition into its digital wallet platform, MasterPass. The card issuer is far from alone in its thinking.

"Visa is currently working on a prototype that incorporates iris scanning technology with its online payment service, Visa Checkout," says Sam Shrauger, Visa's senior vice-president of digital solutions. "Already, we support Apple's Touch ID for Visa Checkout
authentication and will do the same when the Android OS supports a similar authentication process."

Seeking even more unique characteristics
A fingerprint or a face are much more secure than a password, but
they also present two inconvenient flaws. Not only are traces of your fingerprint left on everything you touch, giving more advanced criminals the opportunity to copy it, but these are authentications that are transaction-based and must be re-authenticated every time you pay.

Therefore, MasterCard is onto another, more unique identity verification. It has collaborated with the Royal Bank of Canada and a Toronto-based technology company, Nymi, to pilot another biometric solution: a payment wristband that uses the electric wave pattern of your heartbeat (also known as an electrocardiogram, or ECG) for verification.

Nymi is currently working with MasterCard and RBC to pilot a project that syncs the Nymi band's heartbeat-based biometric signature to your MasterCard account and combines it with MasterCard's existing tap-and-go PayPass infrastructure. Instead of tapping your card, you'll tap the Nymi Band at checkout.

"We've shifted identity from a model that, in the past, has been very transaction-driven -- proving your identity at every single touch point -- to a single authentication that can persist for however long the person wears our device, and that obviously extends to the payment space as well," says Shawn Chance, Nymi's vice-president of marketing and business development. "You don't have to enter a PIN; you can go through the course of your day and do a contactless payment at every terminal you encounter by tapping your Nymi Band against them."

"Your ECG is unique to you because it's actually driven by the unique characteristics of your physiology," says Chance. "That's things like the size and the shape of your heart and its orientation relative to your other vital organs. [Those things] are very different from one person to the next, but remain consistent within one person over a period of time ... so it recognizes whether that person is the same person who authorized the profile or an incumbent or an intruder."

The band is also unaffected by small variations in your ECG rhythm caused by exercise and stress.  However, larger cardiac events may mean the wearer must redo their biometric profile and the device isn't guaranteed to work for those with permanent cardiac disabilities.

"I can't say we've done large enough scale studies on people with arrhythmia or heart conditions to know how reliable that would be," says Chance. "Suffice it to say, we're running a lot of pilots right now and we know it's reliable for the mass market."

Promise of expansion
Bornstein also confirmed that RBC is looking at a number of biometric technologies to improve access to other aspects of the banking experience such as online banking, mobile banking and ATM authentication. RBC is also hoping to weave Nymi's biometric payment technology into existing wearables already on the market.

"Bring us your Swatch, your Tag, your Timex and if it's payment compliant, we'll work to get payment  on it," says Bornstein

Nymi believes in choice as well and has begun several conversations with other manufactures of wearable devices, so that the Nymi biometric capability can be available across several platforms. But the company maintains that persistent identification would have to be included.

"We are also working with other Canadian Banks, but we haven't announced who they are out of respect for their wishes at this time," adds Chance.

See related: How age, income, education affect preferred payment types, 5 myths about contactless payments
Published July 17, 2015

Most recent Product Features Stories