Security & Fraud

Digital Security 2016: At The Crossroads Of Biometrics, EMV And Mobility?

Between biometrics, EMV and mobile security, it’s been a busy year in Digital Identity. These trending topics have generated plenty of news over the past year and are in rotation again at Money20/20 in Las Vegas. For October’s Digital Identity Tracker™, PYMNTS spoke with Brett McDowell, executive director of the FIDO Alliance, about developments in the industry and its future. You’ll find that, along with headlines and a directory of 74 major players — including six additions — inside.

It’s been a busy 12 months since the last Money20/20, as new technologies and threats have disrupted the security space time and time again.

As the conference kicked off in Las Vegas last October, merchants and retailers around the United States began dealing with the effects and fallout of October’s EMV liability shift, as the technology became the standard for all retail payments.

But while merchants have now had more than a year to adjust to the new technology, retailers still lag behind when it comes to chip card adoption, causing frustration and confusion for consumers, even with chip-based cards decreasing counterfeit fraud by 60 percent, according to Mastercard.

Meanwhile, biometric security methods have seen a big boost in the past year, as major financial institutions and companies, such as Mastercard and Alibaba, increasingly embrace the new tech as a viable, more effective measure than outdated security methods, such as usernames and passwords. Similarly, the continued steady global increase in the use of mobile devices helped fuel the development and release of new tools to security companies, as well as access to richer, deeper user data.

As Money20/20 2016 rolls along, PYMNTS caught up with Brett McDowell, president and CEO of Fast IDentity Online (FIDO) Alliance, to discuss hot topics in the digital identity space, along with the trends the industry may well be focused on a year from now. McDowell said that he expects these and other new technologies to soon replace more traditional methods of authentication and verification, such as passwords.

It’s EMV all over again

A year since the EMV shift, it may seem like retailers have had more than enough time to adjust to new standards surrounding the use of chip-enabled credit and debit cards, but problems still remain for many merchants.

As it currently stands, only 30–40 percent of all American retailers reportedly have active EMV acceptance terminals. What's more, according to the National Retail Federation, nearly 60 percent of merchants who have updated their systems can still not accept chip-based cards, as they continue to wait for their POS systems to be certified.

On the positive side, EMV features seem to be having the desired effect on card security, with instances of counterfeit fraud, the primary target of chip protections, reportedly dropping by a solid 60 percent.

McDowell told PYMNTS that, even with the problems the technology has caused merchants, observers should expect to see more EMV use in the coming year, based on those positive results. In particular, he noted that more providers would look to duplicate those results by following EMV’s lead when it comes to replacing PINs and passwords with new forms of verification.

"Chip-enforced, hardware-backed security is what we're seeing as a major trend in other ecosystems," McDowell explained. "That same technology that you see in the chip on those cards is showing up increasingly on every new flagship high-end device."

Biometrics coming on big

In several recent Digital Identity Trackers, PYMNTS has documented the rise of biometric technology, including developments in retina and fingerprint scanning solutions, among others.

The authentication method, which includes using different biological indicators to verify users, has been a constant newsmaker this year, often trumpeted as a superior replacement to what many see as outdated methods, such as usernames and passwords. Back in July, the Federal Financial Institutions Examination Council went so far as to recommend that banks and other financial institutions ditch one-factor authentication methods, such as usernames and passwords, for more secure biometric methods.

Iris and fingerprint scanning not only improve on many of the security weaknesses that doom usernames and passwords but also make a customer’s experience with a product simpler. New solutions from providers, like Google and Mastercard, have looked to use a person’s voice or photograph to authenticate users, and McDowell said he was not surprised to see major companies readily invest in the technology.

“The usability, the user experience benefits are just undeniable, and that is what’s driven the commercial interest in biometrics,” he said. “It used to be that, if you wanted to do strong customer authentication, you had to incur significant cost in doing so and you had to very much diminish the quality of the user experience, but that doesn’t seem to be the case with biometrics.”

McDowell added that he expects these new methods, and others, to become the norm in the future.

“In short, biometrics are here to stay,” McDowell said.

Mobile security on the move

The proliferation of biometrics has been powered, in large part, by a rise in the use of mobile devices, which often have biometric features built directly into them — with fingerprint scanners on the home buttons of Apple iPads and iPhones and retina or iris scanning cameras.

But mobile devices offer more than just biometric protection. McDowell noted that, while built-in biometric features are a promising sign for the future of mobile security, smartphones and tablets offer a range of data and features that can be used to protect devices and accounts of all shapes and sizes.

Most importantly, he said, secure elements and trust execution processes in mobile devices have greatly improved in the past year. Those advancements, coupled with other features and capabilities of mobile devices, could unlock new possibilities for security providers.

“Add the telemetry that is provided from a mobile device, in terms of location and all the other signals that a fraud team can use to help ensure they’re dealing with the same user, and you have the strongest security story you’ve ever had,” McDowell said. “Not just for mobile devices but for payments and commerce.”

Getting ahead of what’s next

Besides all being featured at the Money20/20 2016 Conference, McDowell noted that biometrics, EMV and mobile security each share another similar element: All three potentially stand to replace password/PIN credentials, which, he said, are often more susceptible to hackers and other bad actors.

He pointed to the recent security breach at Yahoo, in which fraudsters stole login credentials, comprised of email addresses and passwords, for more than 22 million user accounts. He said that biometrics could have the potential to remove the need for usernames and passwords, much the way EMV is intended to eliminate the need for cardholders to enter debit card PINs. Gazing into his figurative crystal ball, McDowell predicted that the common thread of PIN and password removal would become critical as security breaches continue to pour in.

"It keeps getting worse every year," he said. "So, as long as we have that trend, we have to have solutions that don't put the credentials in the cloud where they can just walk out the door."

More companies, including major players, like Amazon, are investing time and money into the technology, and McDowell also forecasted that a range of industries and verticals will embrace these new technologies as more options become commercially available.

“One thing that’s going to happen over the next year is going to be the commercialization of technology that’s been developed this year,” he said. “I think we're going to start seeing a very fast proliferation of applications in it, commerce and otherwise, taking advantage of that technology. Better user experience. Better security.”

Could it be that, by the time Money20/20 2017 rolls around, PINs and passwords could be teetering toward the end of the plank? Stay tuned.

To download the October edition of the Digital Identity Tracker™, click the button below. 








About The Tracker

The Digital Identity Tracker™, powered by Socure, is a forum for framing and addressing key issues and trends facing the entities charged with efficiently and securely identifying and granting permission to individuals to access, purchase, transact or otherwise confirm their identity.



About: Accelerating The Real-Time Payments Demand Curve:What Banks Need To Know About What Consumers Want And Need, PYMNTS  examines consumers’ understanding of real-time payments and the methods they use for different types of payments. The report explores consumers’ interest in real-time payments and their willingness to switch to financial institutions that offer such capabilities.

Click to comment