Paying without passwords and PINs

Share

How Canadians interact with money – both physical and digital – is changing as financial technology evolves.

Back in 2000, ING Direct Canada – the digital bank that became Tangerine Bank – piloted a "biometric" mouse that would scan users' fingerprints to help bypass the need for passwords.

"Installing the mouse involved 16 different registry changes," says Charaka Kithulegoda, Tangerine's chief information officer, referring to changes to computer settings. "We said, 'The tech works great, the concept works, but the experience is awful.'"

The bank has long had its eye on biometric technology, which uses physical attributes to verify a person's identity, but reality took a while to catch up with Tangerine's ideals. Last month, the company released a rebuilt iOS app that, among other things, lets users scan their eyes or say a password out loud to log in to their bank accounts.

The password – and its fraternal twin in the banking industry, the PIN – has long been acknowledged as a nuisance, something else to forget amid the rush of day-to-day life. To move past the password, financial institutions and their card-product partners are now racing to offer different biometric technologies in its stead, using society's smartphone saturation to make banking easier.

Now that smartphone technology is powerful enough to verify identities with eye scans and fingerprints, letting clients use those for banking is a natural move to give them more choice, Mr. Kithulegoda says. "Password and PINs – we see them as something you know," he says. With biometric authentication, which the bank has long been interested in, "you can use something you are, and something you have."

Tap-based payments and "mobile wallet" tech such as Apple Pay are becoming more accessible in Canada, increasing consumer appetite for easier ways to use their money. Britain-based Juniper Research Ltd. released a report last year that suggests people will download at least 770 million biometric authentication applications worldwide a year by 2019.

The sector's quick maturation has encouraged the development of all kinds of new ways to identify people by their unique traits. Some ideas are easy to understand – such as face and fingerprint recognition – but there are some unique identifiers in the market or in development, including gait, voice and heartbeat-based verification.

Last March, MasterCard began a soft Canadian roll-out of new biometric payment authorizations through fingerprint matching and what they're calling "selfie pay" – photo verification through a person's mobile phone. After a few months running the program through Bank of Montreal corporate cards, the credit-card company plans to expand to all of Canada this summer.

Even if the online purchase is made on a separate device, the company will ping the user's phone to do the authentication. Like traditional in-person credit card purchases, which require both a card and PIN to identify you, the biometric authorization requires two steps: a unique biological identifier and a smartphone with a unique "token," like a credit card number, registered to you.

The company has run pilots for biometric technology both in the United States and in the Netherlands; 86 per cent of American participants reported finding it easier than password authentication.

MasterCard's "selfie" technology measures physical likeness, but depth as well, and is therefore able to detect when someone is fraudulently holding up a photo rather than taking an in-person selfie. It also requires you to blink. Because of this, "the technology can detect between a photo and a real person," says Catherine Murchie, MasterCard's senior vice-president of processing, enterprise security and network solutions.

New technology tends to arrive with new fears, which MasterCard has prepared for. "We've gotten some really funny questions," Ms. Murchie says, "like what happens if someone loses a significant amount of weight, or used Botox? … Basically, because of the way the measurements are taken at points on your face, those measurements aren't going to change."

The entities ushering in the new paradigm of verification generally acknowledge that there are still kinks to work out, but believe biometric authorization will be at least as secure, if not more secure, than passwords – especially given the obvious shortcuts many people take when picking passwords. Cracking passwords, Ms. Murchie says, is "easier than getting access to thumbprints."

Without a face-to-face interaction, it's harder to prove your identity online. "You can't build a relationship with computers," says Jan Pilbauer, CIO and vice-president of payments and technology with the Canadian Payments Association, which clears and settles billions of dollars of transactions each day and oversees safety in the Canadian payment ecosystem. "When it comes to money, people get very serious. We need to make sure payments are based on strong authentication."

The two-factor authentication – here, phone plus biometric ID – is crucial, Mr. Pilbauer says. As is the need for strong data encryption. "If your password gets compromised, and it happens quite often, you have to learn another one. It's quite simple. But if your thumbprint is compromised or stolen, you can't change it. You also have a finite supply of fingers."

This is something consumers need to be concerned about, says Woodrow Hartzog, an assistant law professor at Alabama's Samford University who focuses on privacy and electronic agreements. "If your face print or fingerprint is compromised," he says, "you can never be fully sure about the integrity of that ever being used again as an authentication mechanism."

Two-factor authentication is key, Prof. Hartzog says, but using biometric ID for one of them has more consequences than, say, confirming via text message. A phone number is easier to replace than a fingerprint if it's compromised. Put otherwise: Biometric IDs aren't the only option to replace the password. But companies considering biometrics, he says, must be willing to shoulder any fallout that could happen, should the security of their consumers' biological IDs become compromised.

Security is top of mind for Interac Canada, the debit-card leader that has pushed chip-and-PIN technology in Canada since 2009 – a hard-to-defraud update to card transactions that has seen less traction elsewhere in the world. As it builds out mobile banking platforms with banking partners, says Avinash Chidambaram, the organization's vice-president of product and platform development, Interac plans to add additional personalized layers of security without slowing down the user experience.

Digital payments are easily tracked, for instance, meaning buying patterns can build up, allowing the company to use behavioural analytics to construct a profile of a user – and therefore be alerted when patterns break down. "Multiple factors of authentication combine to give you a great experience and much higher security," Mr. Chidambaram says.