MasterCard unveils more details about 'selfie pay' phone authentication
Jonathan Ore | CBC News | Posted: March 23, 2016 9:19 PM | Last Updated: March 23, 2016
Biometrics could be more secure and easier to use than traditional password security
If you could verify your purchase for that food processor on Amazon with a wink and a nod instead of a traditional password, would you?
That's what BMO Financial Group and MasterCard are banking on, as they revealed new details Wednesday about their biometric authentication program, colloquially known as "selfie pay."
The program, called MasterCard Identity Check, requires users to upload either their fingerprint data or a photo of their face when creating a profile.
When you make a purchase online with a card that uses MasterCard's SecureCode features, you'll receive a notification on your phone to check your ID against your fingerprint or face profile.
Checking the fingerprint will use a fingerprint scanner already available on the iPhone and some Android phones. If you choose to use your face, you look into the phone's camera and blink — the last part makes sure someone isn't just holding up a photograph of your face.
Once verified, the program will return you to the online merchant's site to complete the purchase.
Passwords are bad. Are biometrics better?
Catherine Murchie, a senior vice president at MasterCard, says the new biometric measures are designed to be both more secure and easier to use than traditional password security.
Fingerprint information is stored locally on the user's smartphone. Facial information, however, is stored on MasterCard's servers. Both are hashed and encrypted before being stored.
"The security that passwords are meant to provide is compromised by the very nature of the fact that we have so many of them to remember," Murchie said on Wednesday. But with biometrics like face and fingerprint data, "the person is now becoming the password."
Annual lists of the "worst passwords" regularly report that people often use easy-to-remember passwords like "12345678" and "password," making them easy prey for cybercriminals.
Steve Pederson, vice president and head of North American corporate card products at BMO, stressed that ease of use was as critical to the "selfie pay" system as security.
"We're not trying to force everybody to take it, obviously. There's always going to be some apprehension," he said.
Murchie said that in the limited pilots for Identity Check in the Netherlands and at a credit union in the U.S., users generally preferred the fingerprint scanner option over the selfie option.
She suggested that younger users will be more amenable to "selfie pay" but didn't have age-differentiated data for the existing pilot projects.
Soft launch starts now, rolling out to public in summer
MasterCard will begin a soft launch of the program, issuing BMO employees with corporate credit cards that have the Identity Check functionality. The plan is to roll it out to the general public by this summer. MasterCard plans to replace the traditional password-protected SecureCode feature entirely with Identity Check, though no timeline for that has been released yet.
Users can choose to verify their purchases either with a fingerprint scan or a selfie check. However, not everyone gets a choice. While most modern iPhones have a fingerprint reader as standard, not every Android phone has one.
Face scanning technology can also present some unique challenges. Murchie said the selfie check can run into problems with people wearing glasses, since the lenses can interfere with your camera's ability to tell if you're blinking.
Statistically rare cases like identical twins can also give the app trouble, in which case Murchie recommended the fingerprint scan instead.