
Biometrics, which includes fingerprint, retina, and vein scanners as well as facial recognition and voice verification, is steadily gaining popularity as a way to unlock smartphones or access sensitive apps. As shown in the chart from BI Intelligence, it’s also becoming popular as a way to verify payments, because it secures data without inconveniencing consumers.

While biometric data is generally more secure, if hackers do access biometric data, it would be hard for the victim to avoid future fraud because they wouldn’t have the option to simply reset a password or change a PIN code. Very few consumers feel that this security risk is worth it: only 19% of respondents felt the benefits outweighed the security risks of using biometric data to authorize a payment.

Biometrics and Mobile

The number of biometrics-enabled smartphones in the U.S. has risen rapidly since Apple launched the iPhone 5S in late 2013. Fingerprint scanners were one of the first biometrics features introduced for security purposes, and they are now widely used to unlock mobile and other devices.

In fact, fingerprint identification is by far the most common biometric authentication method used today. It is integrated into iOS and Android devices, and a number of mobile apps rely on it to verify and secure various processes, including in-store and in-app purchases made via mobile wallets. A BI Intelligence report projects that 99 percent of the smartphones sold in the U.S. will be fingerprint scanner-equipped by 2021.

Specific Payment Platforms

The Apple Pay platform gives iPhone and iPad owners the option to authenticate payments with a fingerprint at select online retailers and stores. On Android devices with built-in fingerprint sensors, such as Samsung’s smartphones and tablets, users can use Android Pay or Samsung Pay to make payments. All of these platforms already work with the MasterCard payment system.

Other Forms of Authentication

According to BI Intelligence, “other forms of biometric authentication are lagging but could see greater adoption as they’re increasingly introduced to consumers.” For example, Samsung Pay now includes iris scanning and, in late 2016, MasterCard’s Selfie Pay was introduced in some European countries.

A Mini-Case Study: Securing Prepaid Cards with Biometrics

Softjourn recently completed a fingerprint authentication project for a prepaid card innovator and leader in expense and spend management. Our experience with this client has demonstrated how fingerprint verification can dramatically improve the look and feel and effectiveness of a mobile application.

Background

The prepaid card service provider wanted to take advantage of new technology and give their customers additional means to ensure the identity of those requesting funds to be added to their expense cards.

The Solution

Users of both Android and iPhone apps can now quickly and easily authenticate themselves through their fingerprint rather than a password.

During the first-time login process, users enter their passwords and set up Touch ID, eliminating the need to remember an alphanumeric password every time they want to use the app. Note that with this particular solution, Touch ID does not automatically allow users to complete transactions such as purchases, thereby offering an additional level of security to clients.

Both cardholders and administrators can access the same mobile app, as an administrator may have a dual role: they have their own expense card to monitor and also function as an administrator for other cardholders. When they need to function as an administrator, for example, in order to approve a request for funds, they must enter an alphanumeric password (if they previously used Touch ID to log in to the app) in order to access the full administrator functionality.

The “Nuts and Bolts” of Biometric Tokens

The solution Softjourn developed uses a biometric token, which imposes server-side limitations. When a user logs in with a username and password, systems typically generate a token that allows access to all functionality. When a user logs in via their fingerprint, however, the biometric token limits access to financial operations functionality. When a user wants to transfer money, for example, two-step verification is activated. First, the user clicks the appropriate button, and the app verifies the type of authorization used. Second, the app asks for a password to be entered in order to complete the operation. This is the same flow described above in the scenario of approving funds for a cardholder request.

On the security side of things, this solution is similar to the defense against a man-in-the-middle (MITM) attack: a hacker will not be able to benefit from hacking the biometric token.
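The following sketch shows one way a server could enforce the token scoping and password step-up described above. It is an added example, not Softjourn's code. The HMAC-signed token format, the `auth_method` claim, the operation names and the sample user are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# All names and values below are constructed for illustration.
SERVER_KEY = b"demo-signing-key"  # in practice, load from a secret store
SALT = b"demo-salt"               # in practice, a random per-user salt
USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)}
FINANCIAL_OPS = {"transfer_funds", "approve_fund_request"}  # hypothetical names

def sign_body(body):
    return hmac.new(SERVER_KEY, body, hashlib.sha256).digest()

def issue_token(user, auth_method, ttl=900):
    """Issue a signed token recording how the user logged in."""
    claims = {"sub": user, "auth_method": auth_method, "exp": time.time() + ttl}
    body = json.dumps(claims).encode()
    enc = base64.urlsafe_b64encode
    return enc(body).decode() + "." + enc(sign_body(body)).decode()

def verify_token(token):
    """Return the claims if the signature and expiry are valid, else None."""
    try:
        b64_body, b64_sig = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        sig = base64.urlsafe_b64decode(b64_sig)
    except ValueError:  # wrong shape or bad base64
        return None
    if not hmac.compare_digest(sig, sign_body(body)):
        return None
    claims = json.loads(body)
    return claims if claims["exp"] > time.time() else None

def password_matches(user, password):
    stored = USERS.get(user)
    if stored is None or password is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, stored)

def authorize(token, operation, password=None):
    """Server-side decision: 'allow', 'step_up' (prompt for password) or 'deny'."""
    claims = verify_token(token)
    if claims is None:
        return "deny"
    if operation in FINANCIAL_OPS and claims["auth_method"] == "biometric":
        # A biometric token alone never reaches financial operations.
        if not password_matches(claims["sub"], password):
            return "step_up"
    return "allow"
```

Because the login method is inside the signed body and checked on the server, a client cannot upgrade a biometric token by editing it, and a captured biometric token on its own yields only `step_up` for financial operations.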

Time to develop

It doesn’t take long to upgrade an existing mobile app to include fingerprint login. Approximately 3 to 5 days could be enough to develop this feature for both Android and iOS platforms, depending on the app. Additional time will be needed to work with the backend if separate authentication is needed.
