Did PayByTouch have it right after all?

Through a special arrangement, what follows is a summary of an article from Retail Paradox, RSR Research’s weekly analysis on emerging issues facing retailers, presented here for discussion.

FIDO (Fast IDentity Online) recently announced plans to release a framework and set of standards to make it easy for systems to support two-factor authentication. If someone wants to combine an NFC payment with a PIN, or later change that to fingerprint ID, this framework will make that simple. Theoretically, it makes it easy to incorporate more types of authentication into a security strategy.

Why is this important? Along with all the usual stuff about preventing breaches, security has to be balanced against access. The tighter the security measure — requiring complex passwords, for example — the more difficult it is for people to access their stuff. It’s the old joke: I’m supposed to have a unique password for every site, and each password is supposed to be made up of a random jumble of letters and numbers, some caps and some symbols. And I’m not supposed to write them down anywhere. And I’m supposed to remember them all. Yeah, right.


The FIDO announcement comes as companies call for some kind of two-factor authentication across all modes of payment, given the continuing challenge of online fraud and the arrival of mobile payments.

Chip & PIN, the basis of EMV, only works when there is a payment terminal, like in stores, but it doesn’t do a good job at preventing online fraud, where the chip part is missing.

But this framework for authentication got me thinking about all the various ways you can implement two factors, and my fingerprint reader on my iPhone. I’ve downloaded free apps from the iTunes store using my thumbprint with no issues. As a member of Clear, I cut through lines at certain U.S. airports with a chip-embedded card and my fingerprint.


Which reminded me of PayByTouch and a couple other fingerprint payment schemes that emerged in the late ’90s and the ’00s. I always thought that the hang-up around their usage was that granting access to money with just a fingerprint felt vulnerable. But two-factor authentication — with a card — may ease those concerns.

With biometrics increasingly used as an authentication factor in non-financial transactions, increasing trust may arrive for financial ones if combined with familiar form factors like plastic cards, whether embedded with a chip or just a mag stripe. FIDO seems like it’s helping that along.

Ultimately, the argument may not be NFC vs. chip & PIN vs. chip & signature. If companies are flexible in the supporting infrastructure, the answer may be "as long as it’s two factors." If we can get consumers used to that, then everybody wins.

Discussion Questions

How would you like to see two-factor authentication evolve for retailers? Do you favor multiple forms of authentication? What promise does biometric identification offer?

9 Comments
Robert DiPietro
10 years ago

It is a balance for consumers between convenience and security and I think security will weigh out with multiple forms of authentication being the norm. Consumers – in the US at least – already carry their wallet and phone at all times, and can pay with their phone even though the credit card is in their pocket as well.

With the advent of biometrics, it may lessen the convenience play as now the consumer can carry one device or credit and use biometrics as the second authorization, which could work both in bricks and mortar as well as online.

Jeff Weidauer
10 years ago

The short answer to the headline is “no.” PayByTouch did not have it right. That’s not to say that fingerprint technology doesn’t make sense, or have a future. It’s a great concept, but we shouldn’t saddle it with the PBT debacle.

PayByTouch had a major problem in that it told shoppers they didn’t need any form of identification other than their fingertip. But the users (and there weren’t many) who took that to heart were in for lots of frustration when the software was down (which was often). PBT also focused too much on the “wow” factor of the technology (which wore off quickly) and not enough on the benefits.

Fingerprint identification makes sense in a world of complex passwords, but let’s be realistic. It’s only a matter of time before someone figures out a way to replicate fingerprints, so a two-step process, i.e. chip and card or something, will still be necessary. The only sure way is with rolling codes and algorithms built into cards tied to fingerprints. But that’s a ways off.

PayByTouch had an interesting idea, but it didn’t have a clear vision. There were myriad management problems as well. It’s a good thing CEO John Rogers wasn’t selling purple Kool-Aid.

Ralph Jacobson
10 years ago

I think shoppers are more than ready to embrace 2F (Two-factor, nice new catchphrase, huh?) authentication right now. PBT was embraced by a couple prominent retailers and consumers were giving their thumbprints without hesitation. With all of the hacking going on these days, consumers are ready and willing for this.

Mohamed Amer
10 years ago

The basic idea behind FIDO Alliance is sound. Two (or more) factor authentication where one of these remains on the device (e.g., thumb print or iris scan) and not in someone’s database should be attractive to online consumers. Not having to remember login IDs and passwords is another positive to consumers.

From the retailer side, improvements in security without having to invest heavily in back end authentication ought to get their attention.

Jonathan Marek
10 years ago

I have no idea if biometric authentication will ever take off or not. But the one thing I do know is that PayByTouch is NOT a valid test of the idea. I had the opportunity to visit their offices in SF several times during their heyday, and it was clear that they were far more interested in flash than in substance. It was a case study in how to waste VC money and in how to mismanage a company into oblivion.

I’d love to see a real test of biometrics (or other two-factor authentication techniques) for retail payment. Smart phones may well have changed the game. Until now, the cost of fraud has also been below the capital cost + risk of lost sales…but there’s no reason that calculus couldn’t change.

Lee Kent
10 years ago

I absolutely see multiple forms of authentication as the norm! With today’s technology, it should also be a requirement.

There are many ways to do this without inconveniencing the consumer or taxing their brains too much. The fingerprint is one of them, face recognition, sending a random PIN to the smart phone. All of these are potential secondary authentication.

The important thing to note here though is, it should not be fixed. There should be choices as to which identification we choose. Sort of like when our computer needs to verify and asks if we want to be sent a pin number to allow access or answer the secret questions. We have to stay at least a step ahead of the hackers, and one thing they can’t pick is our brain! Not yet, anyway!

And that’s my 2 cents!

Karen S. Herman
10 years ago

Getting buy-in from consumers on 2F authorization really comes down to education and providing options that are manageable and appealing.

If retailers are flexible in upgrading their supporting infrastructure, and allow the consumer choice of the 2Fs that most appeal to them, then I can see greater buy-in.

As an example, I use 2-step verification on my Google account and Google Wallet. It was easy to set up and came with instruction videos. I really appreciate the extra security.

Kai Clarke
10 years ago

Optical scanning, face authentication, combined with simple finger print IDs are robust, and currently in use (customs uses these throughout the USA). No passwords to forget, to mixed security, to copy or lose, no breach….

Alexander Rink
10 years ago

Dual-factor authentication adds another level of much-needed security for consumers. However, the biggest issue is ensuring that retailers prevent the repository of information from being breached. You can always change your PIN or get your credit card replaced in the event they are compromised, but you cannot change your fingerprint. Perhaps the best model is one in which the storage of the critical second factor authentication is stored by an external service which then makes it available to retailers, or others, on demand through a secure and encrypted API call.
