'Internet of Things' payments needs silent authentication to work

Register now

Think about the friction-laden authentication processes that currently take place during payments in the Internet of Things (IoT).

Should a public transit mobile payment be limited by the fact that a phone isn’t recognizing its holder’s fingerprint? Should connected cars require entering a PIN to pay straight from the dashboard at a drive-through? Shouldn’t payment-enabled wearables rely on geolocation as a key authentication factor?

Until silent authentication becomes commonplace in payments across devices, platforms, service providers and merchants, IoT payments may struggle to take off in earnest.
For some time, we’ve talked about two-factor authentication (or more broadly, multifactor authentication) as a best practice for payments security in the physical and online domains. If you haven’t implemented 2FA by this point, you’re frankly doing it wrong.

To date, 2FA has typically consisted of a combination of something we have, such as a payment card or mobile phone, and something we know, like a PIN or password. Increasingly, biometrics replace the latter with something we are, a biological factor that can’t be readily copied, forgotten, lost or stolen. Having laid that foundation, as the entangled web of payments gets more complex upon being fused with the Internet of Things, 2FA may fade into the sunset in favor of a new gold standard: silent authentication.

The concept of silent authentication can manifest itself in a form as straightforward and unassuming as an app running in the background on a smartphone, using machine learning and data analysis to constantly identify and authenticate its user. Silent authentication is derived from three core consumer trends: trust in the connected devices that make up the IoT, the unabated desire for simple experiences, and the growing affinity for highly personalized services.

Talk of trends is cheap, though, and there’s a significant amount of innovation required to turn that concept into reality. We’re just now reaching a point where an IoT device and surrounding services can capably pack enough power to enable silent authentication.

The promise it holds is for our digital lifestyles to no longer be compromised by an endless treadmill of carelessly stored and rarely remembered usernames, passwords and PINs. Instead, silent authentication through modern devices and sensors will pair those physiological biometrics, including fingerprint, facial and iris recognition, the shape of a hand or vein pattern, or even a heartbeat, with behavioral characteristics, such as the way an individual walks, types on a keyboard or talks, plus surrounding signals and geolocation.

That precise conglomeration of characteristics, signals and data points is combined into a rich, multidimensional profile of each unique customer or user, which serves as the underpinning of silent authentication.

A device and the network of service providers connected to it can then use that individual profile to accurately analyze, in real time, the credibility of any payments transaction. Low-risk payments can be processed without the need for additional authentication steps. Conversely, if the authentication system spots something out of the ordinary, extra measures can be implemented to prevent the possibility of fraud.

It helps to consider silent authentication as part of several junctures in an everyday scenario like an e-commerce purchase, where identification and preemptive authentication at “check-in” will gradually come to replace 2FA at checkout.

In this example, an online purchase could occur via PayPal or a similar payment service, silently authenticated by the customer’s profile, rather than necessitating password recall and entry or possibly even a Touch ID scan. Once the merchant is ready to dispatch the goods, its system selects the most appropriate means of delivery, based precisely on where the customer is geolocated at any given moment. In the spirit of modernization, let’s say that’s by drone.

A message is then pushed to the buyer, proposing a time and place to hand over the goods. If the customer confirms it is convenient, the parcel is sent on its way. Upon arrival, by leveraging silent authentication again, the drone can immediately recognize whether the purchase has reached its rightful recipient. If everything checks out, the transaction is completed, without the consumer ever having to proactively authenticate themselves. If there’s cause for concern, additional authentication can still be employed.

When it comes down to it, silent authentication holds the key to a frictionless future across the realm of IoT payments.

For reprint and licensing requests for this article, click here.
Internet of things Authentication Digital payments Retailers Identity verification ISO and agent