Biometric authentication has been "replacing" passwords for a long time, but for the most part accounts still rely more on remembered credentials than physical identifiers.
This may change soon, as the enabling hardware and the business cases for biometrics are closer to reality than ever before, according to Bob Reany, executive vice president of identity solutions at MasterCard.
"The 'Internet of Things' won't be driven by a central resource, but it will be a bunch of relationships," and manual authentication techniques won't work in that environment, either from a safety or usability perspective, Reany said.
MasterCard recently announced its collaboration with Daon, a Reston, Va.-based mobile biometric authentication technology company. Daon is supplying part of the technology to support MasterCard's Identity Check, which uses mobile devices to secure e-payments and mobile banking through fingerprints and facial recognition, or "selfie pay." Identity Check uses a mix of embedded smartphone technology such as device cryptography, geolocation and biometrics to prove the user's identity for contactless payments.
"The first password was used in 1960. There is very little technology in existence that gets used 56 years later," said Conor White, president of the Americas for Doan. "Almost everyone has a smartphone and can do a voice, fingerprint or camera."
The card network is working with Daon and other providers, as well as its own internally developed technology, to protect payments that EMV chip cards can't protect. That's an increasingly wide range of form factors that includes PCs, phones, tablets and other devices, and MasterCard has been developing and testing different security measures in an attempt to match the demand coming from consumers, merchants and security experts.
"There is an increase in successful completion of transactions when someone is authenticated in a way they like," Reany said, adding what's needed is a way to give consumers options to use fingers, eyes or snapshots seamlessly across mobile or other connected devices to quickly authenticate users at the point of purchase, in any channel or time. "You want to create a network that defines you."
There's also a business imperative for biometric authentication, since MasterCard must keep up with other companies that are using selfies to verify identities, including Digital Insight, Alibaba and Sionic Mobile.
Much of the technology—including selfies—is not new, even for authentication. Governments have used biometrics and mobile technology to manage facilities access for years. What's changed is the comfort level and availability of the hardware for consumer use, Reany said.
"It would have been great if consumers had a piece of computing equipment in their pockets that could be used for biometric authentication in the past, but that didn't happen," Reany said. "The mobile environment and the safety of the mobile environment as the technology matures are big factors in driving demand now."
The rapid proliferation of smartphones, tablets and camera-enabled computers has created a new ecosystem of devices that can support a variety of biometric authentication mechanisms, said Julie Conroy, a research director at Aite Group.
Passwords' useful days are long past, given the number of credential pairs compromised in data breaches, and the fact that it's actually easier to authenticate with a selfie or a fingerprint than keying in a password into a tiny smartphone keypad, Conroy said.. "All this has led to the tipping point where consumers are finally ready for mainstream use."