5 Reason Biometrics for Payments Are a Bad Idea
Biometrics as a method of validating mobile payments seems to pop up every week. As someone who has worked in biometrics for over a decade, I think they are entirely inappropriate for most payment scenarios. Here are a few reasons why.
Identity-based security is always based on variations of three factors:
- something you know (PIN, password)
- something you have (phone, credit card, token)
- something you are (biometrics - face, fingerprint, iris)
You get more security by adding more factors. If you want to learn more about this, watch my Biometrics 101 video.
However, biometrics are a poor match for mobile payments. Here is why:
1. For small payments, biometrics are solving a problem no one has
When I go to Starbucks and buy a cup of coffee, I swipe my card and I am done. It literally takes seconds. The reason that merchants don't have people sign for small payments is that they are better off accepting a small amount of fraud and increasing their throughput by not having people sign. They make more money overall. Adding biometrics to this will slow this process down and not add any useful security. It's a lose-lose for the merchants.
NFC or other "tap your phone" to pay methods are even more convenient because you don't have to take out your wallet. You are probably talking on your phone anyway while ordering, especially if you are standing in front of me. Both of these methods are single-factor methods - they are about something you have that someone else will not have, and will be difficult to copy.
2. PINs work pretty well already
So let's say you need a bit more security for something bigger than a $50 payment. Just add in a PIN for your second factor. PINs are actually great security because they exist only in your head, assuming you don't write them down somewhere like an idiot. Things in your head can't be stolen or lost in a data breach because some IT worker copied the company secret database to a thumb drive and left it at Chuck-E-Cheese's. PINs are also resistant to a brute force attack as long as you limit the number of guesses per unit of time, or lock things down after too many bad guesses. A token (card/phone) plus PIN is VERY strong security and the foundation of how smart credit cards work in the EU, and soon in the US.
The presentation of a PIN is more reliable than biometrics. When you present the PIN "7823" to a system there is no question about whether it is "7820" or "6823" PINs are 100% clear, unlike biometrics which have to deal with lighting, dirty sensors, facial expressions and a myriad of other factors which can cause them to fail.
3. Biometrics are subject to spoof attacks
As much as we biometric researchers talk about "liveness detection" and variations on that theme, there is always the possibility that someone will collect our biometrics surreptitiously and replay them back to a sensor. Liveness detection has made great strides, but this will always be a back and forth cat and mouse game. Once your data is "out there" you will always have to be concerned that someone will collect it and find a way to replay it. You "broadcast" your biometrics all the time - your face is always out there and you touch things that could easily be used to lift fingerprints. Even your irises can be captured from a modern high-resolution photo. These kinds of spoof attacks are typically only found in Hollywood movies or the lab right now, but if biometric payments become mainstream they will become much more prevalent.
PINs are subject to a replay attack of course, but only if they are discovered. In contrast to biometrics, you don't broadcast your PINs all the time.
4. Biometrics are not revokable
If your PIN gets stolen because you wrote it down on a sticky at work, you can revoke it and get assigned a new one. Now that old one won't work anymore. If someone is able to replay your biometric via a spoof attack you have no way to revoke it. Tom Cruise ran into a similar problem in the movie Minority Report. He needed a new iris, so he had to have his eyeballs replaced. I may be going out on a limb here, but I think most people would see having their eyeballs replaced as a significant element of payment friction. I can't help but think this may harm the adoption rate of new technologies.
5. Biometrics are slow
Some great strides have been made in speeding up biometrics, especially in the realm of contactless biometrics. However, the process itself has a lot of steps and it is difficult to speed it up to the 1-2 seconds realm of current payment systems. For a biometric to work, the following has to happen:
- The image is captured by the sensor
- The image is filtered/improved by the sensor
- The image is translated to a mathematical template
- The template is compared to a existing database or template
- The results are communicated back
When some of these things go across a network, you add on latencies of seconds to the picture. That's just not as fast as a tap of a phone or a PIN. In many retail environments, seconds matter a lot.
6. Biometrics are probabilistic
When you present a password/PIN or token to a payment system it is accepted or not. It is correct or not. It is binary. As much as we want biometrics to be binary, and as much as we try to pretend they are, they never will be binary. A biometric comparison is a similarity measure. It can be strongly similar, weakly similar, strongly dissimilar, or weakly dissimilar. Or anything in-between. That presents a conundrum. What do we do when the biometric is 50% similar to what we expect? Is that good enough? How do we handle that?
All of these are things that increase the complexity of biometric payment systems and potentially slow things down.
I've presented a few reasons why I think biometrics are a bad match for mobile payment systems. However, as I mentioned, I have been working in the field for the last decade, and I am not masochistic enough to work in a field that has no future. Biometrics are great for certain kinds of problems, namely:
- Identification - I have a biometric (face, fingerprint), but I don't know who it belongs to. The classic law enforcement problem.
- Forensics - Fingerprints from a crime scene or surveillance images can be matches against other crimes or people who have been arrested
- Background checks - Search a person's biometric records against a known database of bad guys
- Proof of identity - In an environment that is not time sensitive, biometrics can be a very strong proof of identity
- As an additional factor - Biometrics provide a great additional factor to tokens and/or passwords for added security
In short, biometrics alone are not a good solution for payments, primarily because the technology is not a good match for the security/speed profile of that problem. However, they are still a great solution for many other identity problems.