Biometric payments to rock the world by 2024

Sceptics will turn their noses-up at the research, but as we increasingly drive towards a cashless society the trends are heading in the right direction.

According to findings from Juniper Research, biometric authentication will account for $228 billion worth of transactions by the end of 2019, before shooting upwards to $2.5 trillion by 2024. The biggest barrier to adoption, the presence of hardware on devices, will also be satisfied with the technology being embedded on 90% of smartphones by the same date.

“Biometrics has traditionally been used for in-person contactless payments,” said Juniper Analyst James Moar. “However, with an increase in the need for smooth authentication on all mCommerce channels, we anticipate over 60% of biometrically-verified payments will be made remotely by 2024.”

As it stands, biometric payments are a niche though in some markets, where mobile money is much more a standard, there is progress being made. There will of course be resistance to the introduction of new technologies, but eventually as more digital natives gain influence in society the concept of normal will be twisted and shifted.

Evidence for this is already present on devices today. According to Visa, 35% of smartphone users already use biometric authentication technologies as security for devices, primarily fingerprint or facial recognition, while some companies have also introduced vocal identifiers as passwords to access accounts. Banks and telcos have taken the lead here.

A decade ago it would have been deemed unthinkable for a user’s voice, fingerprint or face to be used as a password. Most would have assumed it was not secure enough, but then again contactless payments took criticism in the early years, and now look at how many people groan and moan when asked to input their PIN.

Interestingly enough, numerous studies have already indicated biometric authentication is more secure than traditional means. When you combine increased security alongside the convenience and speed of biometric authentication for payments, sceptics will start to pay attention.

There are niche trials focusing on biometric payments, Telia recently used biometrics in an ice-cream truck, though it does appear mainstream adoption of the technology might be here sooner rather than later.

Biometric authentication gathers momentum in the UK

The introduction of biometric authentication might have been met with some scepticism, and the technology still has its critics, but it does seem to be gaining traction in the UK.

According to credit reporting agency Equifax, not only are more Brits using the technology, but they are open to adopting such authentication and identification techniques in a wider range of scenarios. Opening a smartphone might be the most widely-adopted use of the technology, but how about age authentication in the pub?

71% of respondents for the survey are happy with finger-print or facial recognition to complete replace traditional PIN verification for accessing smartphones, while another 64% would be happy to see the technologies replace passwords for laptops. 60% of respondents are happy for biometric authentication for age verification and 58% would even be open to see voting ballots given the same upgrade.

Interestingly enough, the challenge which the industry will face is most likely to be around privacy and data protection concerns. With data breaches and leaks being reported in the press with continued regularity, consumer confidence will certainly be impacted. And the irony this survey has been sponsored by Equifax, the source of one of the biggest data breaches to date, has not been lost on us.

That said, while there are still data protection and privacy concerns to be ironed-out, new technologies will be needed to address the dangers and risks of the digital economy.

“As the rise in financial fraud continues, particularly when it comes to identity theft, it’s essential we develop and embrace new and innovative means to protect consumers,” said Keith McGill, Head of ID & Fraud at Equifax.

“The techniques being used to scam Brits are increasingly sophisticated and breaking into the old world of signatures and pin codes is bread and butter for today’s fraudsters.

“Further implementation of biometric options within the financial services sector will go a long way to tackle this. Tapping into our unique biological passcodes can help businesses and consumers stay ahead of the curve, and as the technology develops, it will become even more widespread, trusted and popular in the years to come.”

One telco which is trialling a similar proposition is Telia. Teaming up with Finnish bank OP, the duo is testing facial recognition payment solutions for an ice-cream truck. Using the biometric template uploaded through a camera prior to the purchase with the customers bank, a connected device is used by the merchant to authenticate the individual. The customer then authorises the purchase with a simple click once their face has been recognised.

This is of course a very rudimentary application of the technology, but with the introduction of 5G, edge-computing gathering pace and greater adoption of blockchain technology, biometric authentication could be a very reliable, efficient and secure means of managing identification and transactions in the digital economy.

The next big challenge will be the public perception of not only the technology, but a company’s ability to safely collect, store and manage data. The frequency of data breaches and leaks could undermine progress here, though a more responsible attitude towards security does seem to be emerging. Security does seem to be more than a pitch for PR points today, a welcome trend if the digital economy is to be an enabler not a risk to society and the economy.

Court rules companies can be sued for collecting biometric data without consent

A reminder of how quickly the technology world evolves; it’s not only regulations which need to catch-up, but business practices too, as a Supreme Court opens the door for privacy lawsuits.

In an interesting case, the Supreme Court of Illinois has set precedent for its Biometric Information Privacy Act (BIPA). Companies who have not appropriately obtained consent from individuals before storing biometric data can now be sued under the BIPA without said individual being damaged, fraud for example, by the scenario. The ruling makes BIPA a dangerous piece of paper, as effective use of the Freedom of Information Act could put a few in precarious positions.

This case, Rosenbach versus Six Flags, has pinned a 14-year-old against the amusement park for collection and storage of thumbprint data without informed consent. The BIPA prohibits companies from gathering, using, or sharing biometric information without informed opt-in consent, though the issue which the Supreme Court has been considering is whether there are grounds for a lawsuit without damage being inflicted to the user.

“Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act,” stated Chief Justice Lloyd Karmeier in his decision.

But why is this a dangerous decision for businesses locating or operating in Illinois? Because business practises are not keeping up with the tsunami of data which emerging, and many companies do not have fully visibility into the data which they hold.

One of the problems we saw in the build up to General Data Protection Regulation (GDPR) in Europe was an understanding of what data companies actually had their hands on. With the 21st century’s version of a land-grab seeing companies scrap for as much information as possible through the last decade, few companies actually managed to effectively store and categorize.

Before any company can consider calling themselves complaint (under GDPR, BIPA or any new data-orientated regulations) a full data audit would have to be completed; this discovery process was a critical step in the process. In conversations over coffee, a few consultants told us this was a significant issue for UK companies. During the audit, some were finding they were holding onto sensitive data, which they had no idea existed, and were in violation of data privacy and protection regulations.

BIPA is a no-where near as wide-ranging as some data protection and privacy regulations, though we suspect there will certainly be numerous companies who are now non-compliant under this new ruling and precedent. This is the issue with technology; it’s moving so much faster than the red-tape bureaucrats. Technology is implemented before regulations governing the usage, or business practises to ensure compliance, can be deployed. It creates a dangerous position where companies could be non-compliant without even realising.

In Illinois, as there no-longer needs to be proof of damages to individuals anymore, effectively placed Freedom of Information Acts could see similar cases brought in-front of the courts. In the rush to remain relevant through embracing technology, few have considered the boring aspect of regulation. Who would, considering how long it takes the courts to catch-up? But this is a case where being cutting-edge technology is a two-edged sword.

Judge says no to police forcing phone unlocks with face

A judge in the District Court for the Northern District of California has denied the police a warrant which would force suspects to open their phones through biometric authentication.

While it might seem like somewhat of an unusual scenario, we’re sure many of you are imagining a man pinned to the ground with a phone being waved in his face, it is important to set precedent in these matters. Just as law enforcement agencies cannot be granted a warrant forcing an individual to hand over his/her password, suspects or criminals cannot be forced to open devices through the biometric sensors according to the ruling.

The case itself focuses on two individuals, who are suspected of attempting to extort money from a third person through Facebook Messenger. The pair are threatening to release an embarrassing video of the third person should the funds not be transferred.

Northern California Federal District Judge Kandis Westmore ruled the authorities did not have probable cause for the warrant, perhaps due to the reason said messages and threats could be read through the third persons account, and the request was too broad. This is another example of authorities over reaching and not being specific, leaving too much room for potential abuse.

While this case might sound odd, the world should be prepared for more such rulings in the future.

“The challenge facing the courts is that technology is far outpacing the law,” the ruling from Judge Westmore states. “In recognition of this reality, the United States Supreme Court recently instructed courts to adopt rules that ‘take account of more sophisticated systems that are already in use or in development’.

“Courts have an obligation to safeguard constitutional rights and cannot permit those rights to be diminished due to the advancement of technology.”

In short, the rules and regulations of the land are not in fitting with today’s technology and society, but this does not mean law enforcement authorities can take advantage of the grey areas. This is perhaps an obvious statement to make, but it does hammer home the need for reform to ensure rules and regulations are contextually relevant.

While progress has been slow, there have been a few breakthroughs for privacy advocates in recent months. Last June, the US Supreme Court ruled in Carpenter versus US case that the collection of mobile location data on individuals without a warrant was a violation of data privacy and the Fourth Amendment of the US constitution.

The issue which many courts are facing is precedent. Lawyers are arguing for certain cases and warrants using precedent which is from another era. Theoretically, these rules can be applied, but when you consider the drastic and fundamental changes which have occurred in the communications world, you have to wonder whether anything from previous decades is relevant anymore.

As Judge Westmore points out, technology is vastly outpacing the pace of change in public sector institutions. This presents a massive risk of abuse, but slowing innovation is not a reasonable option. A tricky catch-22.