MasterCard unveils more details about 'selfie pay' phone authentication

Biometrics could be more secure and easier to use than traditional password security

A MasterCard user authenticates an online purchase with a selfie check. (MasterCard)

If you could verify your purchase for that food processor on Amazon with a wink and a nod instead of a traditional password, would you?

That's what BMO Financial Group and MasterCard are banking on, as they revealed new details Wednesday about their biometric authentication program, colloquially known as "selfie pay."

The program, called MasterCard Identity Check, requires users to upload either their fingerprint data or a photo of their face when creating a profile.

When you make a purchase online with a card that uses MasterCard's SecureCode features, you'll receive a notification on your phone to check your ID against your fingerprint or face profile.

Checking the fingerprint will use a fingerprint scanner already available on the iPhone and some Android phones. If you choose to use your face, you look into the phone's camera and blink — the last part makes sure someone isn't just holding up a photograph of your face.

Once verified, the program will return you to the online merchant's site to complete the purchase.

Passwords are bad. Are biometrics better?

Catherine Murchie, a senior vice president at MasterCard, says the new biometric measures are designed to be both more secure and easier to use than traditional password security.

Fingerprint information is stored locally on the user's smartphone. Facial information, however, is stored on MasterCard's servers. Both are hashed and encrypted before being stored.

"The security that passwords are meant to provide is compromised by the very nature of the fact that we have so many of them to remember," Murchie said on Wednesday. But with biometrics like face and fingerprint data, "the person is now becoming the password."

Annual lists of the "worst passwords" regularly report that people often use easy-to-remember passwords like "12345678" and "password," making them easy prey for cybercriminals.

Steve Pederson, vice president and head of North American corporate card products at BMO, stressed that ease of use was as critical to the "selfie pay" system as security.

"We're not trying to force everybody to take it, obviously. There's always going to be some apprehension," he said. 

Murchie said that in the limited pilots for Identity Check in the Netherlands and at a credit union in the U.S., users generally preferred the fingerprint scanner option over the selfie option.

She suggested that younger users will be more amenable to "selfie pay" but didn't have age-differentiated data for the existing pilot projects.

Soft launch starts now, rolling out to public in summer

MasterCard will begin a soft launch of the program, issuing BMO employees with corporate credit cards that have the Identity Check functionality. The plan is to roll it out to the general public by this summer. MasterCard plans to replace the traditional password-protected SecureCode feature entirely with Identity Check, though no timeline for that has been released yet.

Users can choose to verify their purchases either with a fingerprint scan or a selfie check. However, not everyone gets a choice. While most modern iPhones have a fingerprint reader as standard, not every Android phone has one.

Face scanning technology can also present some unique challenges. Murchie said the selfie check can run into problems with people wearing glasses, since the lenses can interfere with your camera's ability to tell if you're blinking.

Statistically rare cases like identical twins can also give the app trouble, in which case Murchie recommended the fingerprint scan instead.