Mastercard Identity Check uses a phone's built-in camera or fingerprint reader to scan the user's face or fingerprint during checkout. The phone itself is also identified during this process as an additional factor of authentication.
This system will automatically appear as an option at merchants that offer SecureCode, which is Mastercard's version of 3D Secure. Thus, only the issuer needs to make any changes to enable biometric authentication for e-commerce purchases.
First Tech Federal Credit Union added SecureCode in 2015 as part of its EMV migration plans. Mastercard's other pilot partner from 2015 was ICS, a unit of ABN Amro, which tested the technology in August of that year.
Content Continues Below
Alipay's 'smile to pay'
A KFC location in China has introduced Alipay's "smile to pay" facial recognition system, as part of an effort to lure younger consumers, in September.
Yum China Holdings, which operates the country's KFC locations, is partnering with Ant Financial's Alipay to power the smile pay feature at a high-tech concept KFC location in Hangzhou in eastern China, the first deployment of Ant's facial recognition software, which Ant introduced as a concept in Germany two years ago.
Consumers pay by scanning their faces at an ordering kiosk and entering their phone number as a security precaution. Reuters reports Yum is trying to boost sales in China following a series of food safety scares and changing consumer tastes in the past five years.
Back in 2015, USAA was the first major U.S. financial institution to deploy a full-scale rollout of voice and facial recognition.
"The ubiquitous adoption of the smartphone has altered the market; you no longer need kiosks or readers, the smartphone is a multifactor edge device" for biometric authentication, said Tom Grissen, CEO of Daon, the Fairfax, Va. software company that developed the biometric technology with USAA.
"Four out of five end customers who have experienced the technology prefer it over a PIN or password," Grissen said in a 2015 interview with American Banker.
USAA chose facial recognition so it could deliver biometrics to the largest base of Android and iOS users possible; all smartphones have cameras that make face capture quick and easy.
Voice recognition is also heavily reliant on environmental factors like background noise, but facial recognition, is impervious to just about anything except bad lighting, USAA said.
The banking company also uses device identification in the background, so each time a member logs in, an encrypted token is sent from their phone to USAA that is matched against the ID of the device registered at enrollment. So for a fraudster to successfully impersonate a member with a photo or video (or trying to mimic their voice), they would also have to steal the member's mobile device.
The other safety mechanism is that USAA requires the member to blink, which rules out the use of a static photo.
The ill-fated Samsung Galaxy Note 7 was the company's first handset to include an iris scanner, with plans to use the feature as authentication for in-app payments.
Samsung wasn’t the first handset maker to deploy an iris scanner—Microsoft supported a similar feature on two of its Lumia models introduced in 2015—but this was the first time an iris-scanning camera will be available on a smartphone model sold in all global markets, according to Samsung.
Though the Note 7 was recalled due to dangerous battery failures, Samsung kept the iris scanning feature in future devices and added facial recognition to the Galaxy S8, which launched in early 2017.
Content Continues Below
The human touch
It's not just smartphones that can recognize faces — people can do it too, and mobile wallets from Square and PayPal had features that asked a store clerk to weigh in on whether a person matched their picture.
Back in 2012, PayPal worked with ShopKeep POS to test the feature at a film festival in New York. Users would use the PayPal app to check in at a store or event, which caused their photo to show up on a clerk's screen. When checking out, the user would provide their name, and the clerk would check that the person's face matched the photo on file.
Pay with Square, a now-defunct mobile wallet from Square, operated in much the same way.
More recently, Google tested a similar payment method with McDonald's customers in 2016. Called the Hands Free system, the cloud-based technology allows the consumer to complete a hands-free payment without presenting a phone or opening the Hands Free app, which is linked to a payment card. A user initially setting up the Hands Free app provides a selfie and initials as part of the authorization process.
When Sionic Mobile introduced its own selfie-authentication system in 2015, it was aware that consumers may not be ready to use their faces for security.
About 25% of consumers in a market test were "really uncomfortable" with using selfies or driver's licenses as part of identity checks. Ron Herman, CEO and founder of Sionic Mobile, wasn't deterred.
"We're OK with those odds. For us it's a matter of securing people," Herman told PaymentsSource in 2015.
As a way to ease people into using selfies, Sionic offered consumers the option to try its rewards and loyalty service for small purchases of up to $25, which bypass the authentication protocol.
"This allows them to feel our service out and find out if it's worthwhile," Herman said. "Then they go through the authentication."
The eyes have it
Jumio has seen strong growth with its mobile digital ID verification service that uses selfies as one piece of a formula to validate a user's identity. But scammers have figured out how to use photographs as substitutes for selfies, prompting Jumio to develop a feature that detects eyeball movement to ensure an image is live and not static.
Jumio added a feature within its Netverify online verification service in July, requiring consumers to follow an object on the screen with their eyes in a randomized pattern.
“If an object is moving on a random basis, we can pretty much exclude photos, printouts and pre-recorded videos from being substituted for a live camera photo,” said Reinhard Hochrieser, Jumio’s director of product management.
Jumio also added technology that measures “micro-expressions” on a consumer’s face, including whether a user blinks or smiles, as another layer of security to prove that the image captured is a real person, Hochrieser said.
"What we’re witnessing is that as more applications go mobile, fraudsters are moving right along to hack mobile security tools, so it’s a constant battle of innovation between fraudsters and technology vendors,” said Robert Prigge, chief revenue officer at Palo Alto, Calif.-based Jumio.
Prigge concedes that adding new complications to its processes may increase friction for users during the initial customer sign-up, but he said financial institutions and enterprises using Jumio’s services favor adding this step.
“Companies want to be sure they’re matching the right person, and consumers express more confidence in services with escalated fraud protection,” Prigge said.
If the eye-tracking system can't verify a user's identity, Jumio has a fallback solution that requires users to take a series of selfies, Prigge noted.