There’s a very good reason that passwords are dying and why many think we should be ready to let them go.
But what does the post-password reality look like? Today, that answer is mostly to be found in the marriage of two security ideas: bio-authentication via fingerprint scan — a la Touch ID — wedded to a data encryption protocol — a la tokenization.
“If we look at the history of access, it starts with the idea you know that is unique — a password or how to type out a code. Those secrets are becoming less and less secrets — passwords and user IDs can be compromised easily,” BioCatch CEO Ron Moritz told PYMNTS in a recent interview.
“The step that we’ve taken over the last decade has been to move away from the concept of something you know to the concept of something you have — a token, device ID, sending a one-time password to a cell phone and leveraging an out-of-band authentication. Where the world is going is to make this about you and something you are. This is where biometrics comes in — a fingerprint or an iris scan — which is part of identity that is hard to steal.”
Just tell that to the ~6 million employees at the U.S. Office of Personnel Management whose fingerprints were hacked. And YouTube abounds with videos on how to hack a fingerprint scanner using nothing more high-tech than Elmer’s glue.
So what’s next?
Many, many things.
Starting with a consumer’s circulatory system.
While many have said something to the effect of “security is the lifeblood of payments,” few have taken that quite so literally as a Japanese payment card company that’s currently testing a new palm vein technology through Fujitsu. The goal is to let buyers authenticate purchases using nothing more than their hands.
The tech works by creating a map of the vein pattern in a user’s hands and then linking that pattern to card information. Several cards can be linked to one palm pattern.
According to the firm, the user “does not need to bring his or her wallet or any mobile payment device. Palm vein authentication is highly accurate and already being used for many applications, such as bank ATMs and high security area access control systems. Incorporating this authentication method with the JCB global network will create the world’s first payment way of its kind.”
Want payments security that tastes great but is less filling? Making something entirely “theft-proof” is likely impossible, but embedding something in one’s own body, or just straight up swallowing it, is probably as close to total security as one can get.
Or better to say: If someone is willing to try to go after something embedded or ingested, you probably have much bigger problems than that person wanting to steal your credit card data.
And on that logic, one of the next-gen authentication plans involves devices that can be embedded, injected and ingested, according to a PayPal executive who’s working with developers on the problem.
Jonathan Leblanc told The Wall Street Journal that, in the long run, authentication will shift from external identifiers like fingerprints to internal body functions like heartbeat and vein recognition, but after that, embedded and ingestible devices will allow “natural body identification.”
Ingestible capsules could detect glucose levels and other unique internal physical features then send that data out in encrypted form to authenticate a user. The devices might use stomach acid to power their batteries, he added.
Thin silicon chips containing EKG sensors could be embedded under a user’s skin to constantly monitor the heart’s electrical signature then communicate the data to wearable computer tattoos. Other attachable computers could include brain implants that would “put users in charge of their own security,” Leblanc said, adding that authentication is moving toward true integration with the human body.
Yup, the human heart is good for more than just pumping blood. Someday it will be able to authenticate your online purchases as well.
Did Kim Kardashian inspire the next big thing in consumer authentication?
Selfies get something of a bum rap. Blamed for literal and metaphorical (i.e., Kardashian) car wrecks and emblematic of everything that everyone everywhere hates about millennials, the word “selfie” has become a sort of modern totem to narcissism.
But maybe selfies are misunderstood; maybe they could be used for something socially positive if just given the chance.
MasterCard, it seems, is willing to take that wager, as it is rolling out ID by selfie in the not-so-distant future.
This “Pay By Selfie” feature will make it possible for merchants to verify the identity of a shopper by looking at a photo of their face. It works pretty simply. A photo is taken every time a customer makes an MC purchase via a phone app. The pic is then used to authenticate the user’s identity — on top of the password — through cross-comparison with a photo the user has already supplied to MasterCard.
That rollout will continue throughout the United States in 2016 and go global in 2017.
According to Ajay Bhalla, president of MasterCard’s enterprise solutions division, though EMV chips led to fraud at in-person points of sale being reduced by 80 percent, the smart money’s on criminals evolving. “Fraudsters migrate to the digital world,” as he put it.
Selfie Pay is part of the larger MasterCard Identity Check. That service uses a variety of methods, from the complex (like this program) to the simple (like single-use passcodes sent to customers by SMS text message).
Cognitive Mapping ID
OK. Palm vein mapping is too far in the future, personal dignity prevents you from snapping a selfie for any reason and the day you have to swallow, embed or inject a microchip into yourself to safely shop online is the day you go back to brick and mortar.
Good news. The future is full of even stranger stuff, like cognitive biometrics, which isn’t interested in scanning your body so much as it is interested in learning how you behave.
Basically, this form of authentication uses the brain as a biometric indicator, specifically how it interacts with the world. Based on how hard a user types, or how they hold their phone, what times of day they surf, where they shop, when they shop, it is very possible to get a pretty good picture of how a user acts.
And, more importantly, how they don’t act. This makes it easier to spot when the wrong person is using an identity and shut them down before they do any damage.
While most of us learn in kindergarten that we all have a unique fingerprint, most of us do not learn that our ears are pretty special, too.
The team at Yahoo Labs, however, is unlocking the specialness of the ear with Bodyprint, an authentication system that scans a user’s earprint.
This could make it theoretically easier to embed bio-authentication into any phone without an expensive (and, ipso facto, cost-inflating) scanner. Though a touchscreen is generally too low resolution to handle a fingerprint, an ear is more or less ideally sized for a scan.
“While the input resolution of a touchscreen is about 6 dpi, the surface area is larger, allowing the touch sensor to scan users’ body parts, such as ears, fingers, fists and palms, by pressing them against the display,” the Yahoo Labs team wrote on the project’s web page.
The earprint scanning design might also add a usability edge, particularly for those who need to answer a call while driving or are otherwise engaged in something that might make a fingerprint scan inconvenient.
So far, early testing is promising.
“Scanning users’ ears for identification, Bodyprint achieves 99.8 percent authentication precision with a false-rejection rate of one out of 13, thereby bringing reliable biometric user authentication to a vast number of commodity devices,” the project site noted.
However, Yahoo Labs also noted work needed to be done on the recognition algorithms before wider tests could take place.
So, what have we learned today? That someday your phone will know you better than any person on Earth ever could — down to the veins in your hands and your earprint. We also learned that we have an earprint. We leave it to you to decide which of those two things is more unsettling.