Did PayByTouch Have It Right After All?
I don’t spend as much time rooting around in the depths of the technology stack as Brian does, but every once in a while there are developments that emerge from the murky depths of hard-core technology architecture that catch my eye. Beacons, for example, are a hot topic lately.
Security is a hot topic too. That’s why this announcement from FIDO (Fast IDentity Online) caught my eye: they are releasing a framework and set of standards to make it easy for systems to support two-factor authentication. In other words, if someone wanted to combine an NFC payment with a PIN or later change that to fingerprint ID, this framework will make that simple and easy to do. Theoretically, it makes it easy to incorporate more types of authentication into a security strategy.
Why is this important? Along with all the usual stuff about the basic things that companies can do to be more secure when a big breach happens, there comes the moaning and groaning about balancing security against access. The more tightly that companies crank down their security – requiring complex passwords, for example – the more difficult it is for people to access their stuff. It’s the old joke: I’m supposed to have a unique password for every site, and each password is supposed to be made up of a random jumble of letters and numbers, some caps, some symbols. And I’m not supposed to write them down anywhere. And I’m supposed to remember them all. Yeah. Right.
Funny thing is, particularly around payments, what with the advent of EMV in the US, and the continuing challenge, even with EMV, of online fraud, and with the potential for mobile payments in the near future, there is growing pressure for some kind of two-factor authentication across all modes of payment. Chip & PIN, the basis of EMV, is a two-factor authentication, but it only works when there is a payment terminal, like in stores. It proves that the card and the PIN associated with the card are both in the same place (I’m drastically over-simplifying things, but this isn’t intended to be an article about EMV).
You can’t authenticate the card online, because last time I checked, laptops don’t come with card readers, whether magnetic swipe or chip reader. So even with EMV, when you shop online, you enter your card number manually, so even though you may enter the PIN as your second factor, it’s never validated against the chip.
And the way that some banks are talking about implementing EMV – with chip & signature instead of chip & PIN – greatly reduces the two-factor validation. I’ve sprained my writing hand and signed credit card receipts with a barely legible scrawl and have never had anyone ask to see my ID as a result – even after comparing my signature to the card! Chip and signature does no one any good for preventing in-store fraud. It just makes it a wee bit harder.
But this framework thing for authentication got me thinking about all the various ways you can implement two factors. I have an iPhone 5s with the fingerprint reader. And I have to say it’s pretty cool. I’ve heard some people say they’ve had issues with it, but I haven’t experienced them. I’ve downloaded free apps from the iTunes store with a thumbprint instead of typing my Apple iTunes password, which I recently changed out of fear of getting my account hacked.
And I’m a member of Clear, which lets you cut through the line at certain US airports. It’s a two-factor authentication there, too – a chip-embedded card, and my fingerprint.
Which reminded me of PayByTouch and a couple other fingerprint payment schemes that emerged in the late ’90s and the ’00s. I long thought that payment was the wrong place to start. Yes, it’s certainly more secure than a mag stripe, even though some people will undoubtedly point out that it can be hacked. Or that governmental agencies might be tempted to plumb the depths of fingerprints on file at retailers and banks, thus violating privacy and laws of all kinds.
But I always thought that the hangup on getting people to accept pay by fingerprint was just the fact that you were asking them to experiment with, basically, their checking accounts. To think that you could access money with just your fingerprint feels vulnerable, somehow. When I stopped to think about it, I realized that it felt that way because there was no second factor – there was no card.
Two-factor authentication is a bit different from what PayByTouch tried to do. And the way that FIDO is going about it seems pretty open and flexible to me. But I do feel like the tide around biometrics as an authentication factor is starting to shift. And the shift came not from a focus on payments so much as on non-financial transactions like verifying my identity to skip a line at airports. I think the key to its success will be in combining it with form factors that consumers are already familiar with – like plastic cards, whether embedded with a chip or just a mag stripe.
Ultimately, it may not come down to an argument over whether NFC will win, or chip & PIN vs. chip & signature. If companies are flexible in the supporting infrastructure, the answer may be “as long as it’s two factors.” If we can get consumers used to that, then everybody wins.
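To make the “as long as it’s two factors” idea concrete, here is a small added illustration (my own code, not from the post, from FIDO, or from any payment system) of a flexible policy check that counts a transaction as two-factor only when two factors from different categories were actually verified. The categories (something you know, have, or are), the `Factor` class, and the scenarios below are constructed for the example; they mirror the post’s cases: chip & PIN in store, a typed card number plus PIN online where nothing is checked against the chip, chip & signature, fingerprint alone, and a chip card plus fingerprint.

```python
from dataclasses import dataclass

# The three classic factor categories. Assumed labels for this example.
KNOWLEDGE = "knowledge"    # something you know: PIN, password
POSSESSION = "possession"  # something you have: chip card, mag stripe card, phone
INHERENCE = "inherence"    # something you are: fingerprint, signature


@dataclass(frozen=True)
class Factor:
    """One presented factor. 'verified' is True only if the system actually
    checked it (PIN validated by the chip, fingerprint matched, chip authenticated).
    A value that was merely typed or scrawled and never compared is not verified."""
    name: str
    category: str
    verified: bool


def verified_categories(factors):
    """Distinct categories that are backed by at least one verified factor."""
    return {f.category for f in factors if f.verified}


def evaluate(factors):
    """Return (is_two_factor, reason). Two verified factors from the same
    category (e.g. password + security question) do not count as two factors."""
    cats = verified_categories(factors)
    unverified = [f.name for f in factors if not f.verified]
    if len(cats) >= 2:
        return True, "two verified factors from distinct categories: " + ", ".join(sorted(cats))
    if unverified:
        return False, "presented but never validated: " + ", ".join(unverified)
    return False, "only one factor category was verified"


# Constructed scenarios, matching the situations described in the post.
SCENARIOS = {
    "chip_and_pin_in_store": [
        Factor("EMV chip authenticated by terminal", POSSESSION, True),
        Factor("PIN checked by chip", KNOWLEDGE, True),
    ],
    "online_card_not_present": [
        Factor("card number typed into web form", POSSESSION, False),
        Factor("PIN typed into web form", KNOWLEDGE, False),
    ],
    "chip_and_signature": [
        Factor("EMV chip authenticated by terminal", POSSESSION, True),
        Factor("signature on receipt", INHERENCE, False),  # nobody compares it
    ],
    "fingerprint_only_payment": [
        Factor("fingerprint matched", INHERENCE, True),
    ],
    "chip_card_plus_fingerprint": [
        Factor("chip-embedded membership card", POSSESSION, True),
        Factor("fingerprint matched", INHERENCE, True),
    ],
    "password_plus_security_question": [
        Factor("password", KNOWLEDGE, True),
        Factor("security question answer", KNOWLEDGE, True),
    ],
}


def evaluate_all(scenarios=SCENARIOS):
    """Map each scenario name to whether it qualifies as two-factor."""
    return {name: evaluate(factors)[0] for name, factors in scenarios.items()}


if __name__ == "__main__":
    for name, factors in SCENARIOS.items():
        ok, reason = evaluate(factors)
        print(f"{name:32s} {'PASS' if ok else 'FAIL'}  {reason}")
```

The design point is the `verified` flag: a PIN typed into a web form and a signature nobody compares are both factors that were presented but never checked, which is exactly why the post’s online and chip & signature cases fall short even though two things were nominally supplied.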