Smartphones have revolutionised the payments world. More and more people are using their mobile phones to transact. Whether it’s to tap and pay for a coffee at Starbucks, return a poker debt via a peer-to-peer (P2P) app or making a cashless donation to a homeless person via a QR code reader – contactless mobile payments is here.
In the everlasting balancing-act of security and customer experience, in the mobile payments realm, behavioural biometrics technology has become a popular authentication method. The rise of machine learning, artificial intelligence, and the continuous search to replace passwords has made behavioural biometrics a viable solution for mobile authentication.
One recent estimate predicted that the mobile behavioural biometrics market is expected to grow from USD 4.03 billion in 2015 to USD 9.33 Billion by 2022, at a CAGR of 29.3% between 2016 and 2022.
The base premise is that a user can be identified by learning and processing a multitude of specific and unique individual data points. Behavioural biometrics uses built-in devices sensors, such as the accelerometer and gyroscope in a phone, to measure and record a user’s behavioural pattern. For example, the way and angle you hold your smartphone, move your mouse or swipe your finger on a tablet screen.
By using behavioural biometrics, financial institutions, merchants, mobile wallet providers can create a unique user profile as part of the mobile transaction validation process. Silently, in the background, biometrics has been incorporated as an integral part of the in-store and online authentication process.
The need for an add-on
Although, mobile payments using behavioural biometrics authentication is comparatively a new concept, its acceptance and adoption in the marketplace have been relatively quick. But is behavioural biometrics without flaws and can it stand on its own as a solid mobile payments’ authentication tool?
One of the major challenges is the process by which the data is attained and mapped to a specific user’s identity. The lack of accuracy in capturing and binding identity indicators, to the specific user, can lead to failure of the system. For example, a user’s behaviour isn’t constant; people act differently when they’re tired, injured, intoxicated, preoccupied or in a rush. In addition, physical activity such as running or working out at the gym, that induces a high pulse or sweaty fingers will impact detection accuracy. The way people type at the office desk is different from when they’re laying with their laptop on their sofa at home. Behavioural biometrics can be impacted directly and indirectly by external variables and circumstances.
What makes behavioural-based authentication so revered are the unique binary identifiers that are associated with biometrics. However, what makes it so attractive may be its main weakest link. Physical biometrics data stored on external servers are very vulnerable to hackers and breaches. In the case that such the data is breached, the users are promised a lifetime of risk without the ability to modify or alter their data.
In addition, behavioural biometrics are only as strong as the built-in biometrics found in the majority of contemporary smartphones – and they are routinely spoofed by fraudsters and hackers within days or weeks of their release.
A related weakness in smartphone-based biometrics is that once the behaviour indicators are captured, they are difficult to change. Biometric templates are very much like hard-coded passwords that are very difficult to adjust. In cases where theft of the biometric templates, or the ageing of the user occurs, changing the biometric templates can be arduous and expensive.
The flip side of the dilemma is when biometric characteristics need to be changed. For example, fingerprints get worn with continuous use and/or injury, voice changes over time, facial recognition is impacted by age and/or illness.
A more comprehensive approach to mobile authentication takes into account a more layered approach that leverages the integration of biometrics, transaction data and device indicators to create a secure and user-friendly mobile experience. Instead of relying on one main identity indicator, the combination of multiple risk indicators provides a more accurate identity indication-throughout the users’ journey from onboarding to ongoing transactions.
What a layered approach provides to mobile payments authentication is context. The right balance between security and simplicity can be attained by identifying users dynamically, considering not just who they are, but also the context in which the transaction or session is taking place. As such, behavioural biometrics is impervious to context. By definition, it is connected to a specific user. And as such it does not provide any insight additional variables like the device used in a specific mobile payment, the transaction itself, the app, or the network being used to access business data. In addition, behavioural biometrics is limited in stopping data from being compromised on jailbroken devices or rogue networks.
The next -generation of layered based authentication software perceives behavioural biometrics as a single column in a multi-pillared structure. Essentially, it is imperative to supplement it with additional layers of adaptive authentication methods such as device-generated indicators and transaction based data.