For digital payments to flourish, they must get bigger, and bigger payments require stronger authentication.
Companies such as miiCard and PayPal are finding ways to use a mobile device's unique attributes to provide added security for mobile payments.
"It's one thing to transfer $10 for a small purchase, it's another thing to buy something substantial," says James Varga, CEO of miiCard.
MiiCard is a digital security company and proponent of 'bring your own identity (BYO ID)' systems. "As the value of payments goes up, so does the fraud risk of that transaction, as well as the regulatory compliance burden," he says.
Varga describes the BYO ID concept as "a form of identity that's the equivalent to a photo ID and/or a driver's license," wherein a user's smartphone could double as an authentication device, such as by identifying the device's unique attributes.
PayPal allows users who download the PayPal app to use their phone to authenticate themselves. The eBay subsidiary has invested hundreds of millions of dollars in contextual risk that includes the use of mobile technology.
"Generally speaking, the best authentication system is one that the users don't notice because they don't have to engage with it," says Michael Barrett, chief information security officer for PayPal, who would not say how the company uses the mobile device's technology to vet users.
"We don't talk about the precise secret sauce or what data we use to determine someone is who they say they are. But there are a lot of variables that we can look at to make sure someone is a legitimate account holder," Barrett says.
PayPal is also a founding member of the FIDO Alliance (Fast IDentity Online), which lets applications, browsers, and servers speak the same language for authentication.
That should make it easier for different point-of-sale terminals to recognize a consumer's identity when it derives from different mobile devices or uses technology from different security companies, Barrett says, adding that this will lead to more use of new innovation in identity technology.
"We now have smartphones that can do voice recognition, or fingerprint biometrics or gesture recognition, if you wave your hand in front of the phone," Barrett says. "I can replicate someone's signature, but not a gesture."
There is potential for device-based authentication to gain traction in payments, given the frustration with traditional methods of authentication such as usernames and passwords, says Al Pascual, a senior analyst at Javelin Strategy & Research.
Some techniques, such as matching mobile devices to their owners, are used to secure payments transactions, Pascual says.
"Risk-based authentication is already happening on its own," Pascual says. "RSA's primary product has clients including issuers and merchants that rely on the technology to not just score payments transactions, but also perform device fingerprinting of a PC or mobile device." RSA did not return a request for comment on its authentication technology.
The BYO ID approach reduces the number of identification steps required to execute payments, Varga says. For a typical payment from a low-risk location using a recognized mobile device, very little if any additional identification may be needed.
"It's a customer-centric approach to payments security. We focus on getting a person to regain control of their personal identity and share that with other sites and people as the person travels the internet," Varga says.
The use of BYO ID in the payments market is still early, and lacks a ubiquitous federated identity standard. In the case of miiCard, the payer and payee both have to be users of miiCard's technology, though the registration process takes only a few moments, Varga says. MiiCard's network leverages a relationship with bank technology vendor Yodlee to enable verification of 350 million identities in ten countries.