Q&A: LexisNexis on biometrics’ emerging risk and undeterred growth
Biometrics is a growing field these days, especially since Apple introduced Touch ID, and while early payments risks associated with multiple enrollments are causing some concern, the benefits far outweigh the pitfalls, according to Kimberly Little Sutherland, senior director for identity management at LexisNexis Risk Solutions.
As the adoption of mobile wallets grows, consumers are enjoying the ease of being able to authenticate a payment with the touch of a finger while retailers and banks are enthusiastic about what promises to be a very secure method of authentication. However, with users of solutions such as Touch ID being encouraged to enroll multiple family members’ fingerprints on one phone, some fraud claims have occurred, pointing more to challenges with the rollout of this new technology more than any inherent shortcomings.
In an interview with Mobile Commerce Daily, Ms. Sutherland discusses how retailers and banks can address these issues and why, in the end, biometrics are still a very secure and user-friendly option.
As biometrics move into the market in a bigger way, are any unexpected risks showing up?
We have definitely seen, over the past couple of years, biometric adoption skyrocket with solutions like Apple’s Touch ID, which has been integrated into their Apple Pay. And, now Samsung Pay and other mobile wallets will be rolling out other solutions that are powered by the biometrics prints. That is great.
But, biometric authentication used in combination with mobile wallet are intended to be a more efficient and more secure manner of processing of the payment, and it is intended to provide both purchase confirmation and payment authorization.
Unfortunately, biometrics enrollment today is not as secure sometimes as what the payment and retailer side of the business think it is. I think it is a great solution but I think there are also some challenges that we are starting to uncover as we see more adoption.
What risks are retailers encountering with payments authenticated via biometrics?
There have been banks and retailers that have come out to show concerns around having multiple types of biometrics enrolled on the same device. This has to do with the biometrics enrollment side.
So, when Touch ID was first deployed, Apple would encourage users to consider looking at processes where you want to enroll your spouse or your child in addition. So, Apple made it an open enrollment process and gave you the ability to enroll five different fingerprints. It could be your fingerprints or fingerprints belonging to different individuals.
That is kind of opposite of the way that credit card issuers think of users of a credit card. It should only be the authorized users of the credit card.
Are these enrollment issues leading to fraud claims?
There definitely have been fraud claims and fraud concerns around mobile wallets in general and payments authorized via biometrics. I think the numbers are still being calculated as to what the magnitude of this is. But, it is only something that is going to continue to grow as more adoption takes place.
So, the key is to be able to educate the consumer on the challenges right now with biometric enrollment and the limitations that exist. And, help the consumer with best practices on how to manage their biometric enrollment on their mobile device. On the retailer and bank or credit card issuer side, also help them with ways to have more of a risk-based approach to accepting a biometric or even accepting the use of the mobile wallet in general.
What can retailers do to address the enrollment issues with biometrics?
When a retailer is thinking about using biometrics, they need to consider are there additional measures they need to be able to ensure they are working with the right individual.
We are definitely seeing bank doing this. When they are leveraging the mobile wallet, at the time of enrolling the credit card, they are performing additional identity verification processes. That allows them to add additional security measures that are going to be enabled with this biometric print.
We don’t necessarily see retailers wanting to add any additional friction in the process. But we think for higher volume transactions or higher value transactions, a retailer may also want to consider additional identify verification processes prior to just accepting the authorization with the biometric.
Besides the enrollment issue, are there any other concerns with biometrics?
Biometrics is a very strong form of authentication and they are a very easy-to-use method, so we have not seen any significant challenges. I think biometrics adoption should continue.
The real area is the enrollment of the biometric – is it being tied to a particular identity. And, right now the technology doesn’t really allow the biometric print to be tied to an individual or to give different types of authorization to a biometric.
An example would be, maybe I can enroll a biometric print A and that is only allowed to unlock my phone. And biometric print B can be used for payments. That ability doesn’t exist today.
Are there any limitations associated with biometrics in terms of supporting privacy or integrating with retailers’ CRM systems?
Biometrics should only really be used as the authentication method and it should still be able to be tied to the transaction and to the broader CRM process that the retailer has. It should be considered a very efficient approach, and if done properly, a more secure method for that payment process for retailers.
Biometrics works wonderfully with being able to support privacy enhancing models. There is no need to actually submit the full fingerprint to the retailer. These are all done with models of the print and a proxy for the print. That aspect of it is a very secure and privacy enhanced approach.
Looking beyond fingerprints, do you expect other forms of biometrics to take off?
The more types of biometrics modes that are available to the consumer, the better we are going to see adoption. So while one person may not feel comfortable enrolling their fingerprint, that same person may feel more comfortable with enrolling their voice. Or using their face for facial recognition.
The best model would be for retailers and users of biometrics to offer multiple ways to authenticate. Because there could even be times when a biometric may fail, if the lighting is not right, or maybe my hands are full and I can’t use my fingerprint.
Biometrics is not the only way to authenticate. I think that you should have multiple modes to meet the needs of the individual consumer and alternative forms of authentication should, for some reason, that biometric not work.
What we are seeing is that when you give consumers choice, regardless of the industry, consumers want to be able to have a model that is more customized to them. And, if it is deployed properly, it shouldn’t be a challenge to the organization that is trying to use this technology.
What is the acceptance level from shoppers and retailers for biometrics?
As more mobile devices allow the use of biometrics – and we are definitely seeing that increase – shoppers have embraced that method. There have been high levels of adoption across multiple demographics. We see not just younger individuals, but also older adults seeing the value of not having to pull out multiple credit cards or remember multiple passwords and being able to enable all that with their biometric print.
I think we are going to see this trend continue. It is such an easy-to-use approach, because it is inherent to us – it is something that is always with us.
How big a role do you expect biometrics to play during the holiday shopping season?
I think we are going to see large transaction volumes through mobile wallet-enabled processes. People want to be able to shop efficiently during the holiday season, they want to shop securely. And, the current ways that the mobile wallet has allowed the use of fingerprints and more authenticated processes with enrolling your credit card, we will see many more people want to use that method. I think we are going to see some high numbers in 2015 and even higher in 2016.
While there are risks with accepting biometrics, the retailers should really consider the benefits of how that will enable additional transactions from an ease of use standpoint and from a privacy-enhancing standpoint as well.
As long as we really consider that there should be a risk-based approach to all forms of transactions, biometrics should be no different.
Chantal Tode is senior editor on Mobile Commerce Daily, New York