Would you like to authenticate a payment with a selfie? MasterCard hopes you would.
The use case is simple. Swipe your card, and receive an alert on your smartphone asking you to show your face to prove you’re really you. MasterCard is currently testing this form of authentication with a small group of customers, the company revealed earlier this month.
Of course, customers aren’t required to do this, but those desiring additional security can now take a selfie rather than entering a code or password — what used to be called “SecureCode” in MasterCard’s app — to verify a payment.
A major card network endorsing facial recognition is a significant vote of confidence for biometric authentication. Hey, it can’t be worse than passwords.
Sarah Clark, vice president of product at imaging solutions company Mitek, praised the move, as well she might. Mitek is deeply invested in promoting the use of photos, or what the San Diego-based company calls “computer vision”, in financial services. Clark pointed out the service MasterCard is testing is more than snapping a simple photograph since it involves “liveness detection.” This means the camera will detect movement, to ensure the image it is seeing is not a photograph. Customers may even be encouraged to blink, for example.
Pointing a phone camera at oneself is a familiar experience, Clark said, and one that selfie-loving millennials in particular would find natural. “Facial recognition is a relatively mature technology,” Clark said, and it provides another viable authentication option for an industry in desperate need of replacing the password.
Fraud is still a problem for the mobile channel despite the various security controls that exist in mobile. “Mobile has geolocation, device reputation — a whole suite of tools that should make the channel more secure, but fraudsters go to newer channels,” Clark said. “Fraud is actually higher via m-commerce than e-commerce. 21% of all fraudulent transactions are on mobile, but there is still a significantly lower number of mobile transactions.”
Nick Holland, head of payments for Javelin Strategy & Research, pointed out that while using selfies to authenticate payments might seem gimmicky, “facial biometrics are coming along quite nicely as a robust form of authentication, and there are more phones in the market with a front-facing camera than those capable of capturing fingerprint biometrics.”
MasterCard said in its announcement that it does not store the facial images or videos used, but rather hundreds of data points gleaned from each image. This has drawn criticism from security experts, who tend to prefer that all authenticating information stay on the device. MasterCard, of course, does not “own” devices the way Apple does, so that option is more difficult for the company.
Biometrics are progressing rapidly, Clark says, and while just a handful of financial institutions rely on them now, she expects that number to be significantly higher next year.
“There are lots of experiments taking place right now,” she said.