Mobile Biometrics versus Online Passwords

    Take On Payments
AboutTake On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
Disclaimer
 Subscribe by E-mail 
 Subscribe by RSS
Comment Standards:

Comments are moderated and will not appear until the moderator has approved them.

Please submit appropriate comments. Inappropriate comments include content that is abusive, harassing, or threatening; obscene, vulgar, or profane; an attack of a personal nature; or overtly political.

In addition, no off-topic remarks or spam is permitted.

March 14, 2022
Thumbs Up: Smartphone Apps versus Websites
    
Sitting in front of my computer, I recently picked up my smartphone and unlocked my banking app with my thumbprint to see if a check I had written had cleared my account. Before going any further, let me acknowledge that, yes, this payment professional still writes checks every now and again! I learned the check had cleared, logged off the app, and resumed my day in front of my computer. This got me thinking about a change in my behavior that has occurred over time. Even when I am right in front of my computer, I find myself using my smartphone apps almost exclusively instead of visiting the full-function websites from my laptop or desk computer. Why?

The answer is simple: ease of access. I can get to my information through apps on my smartphone using just my thumbprint but accessing that same information from my computer through a website requires me to remember and type in my username and password. In fact, every app on my smartphone that requires a log-in allows me to authenticate using my thumbprint. Truthfully, I’m not so good at remembering my passwords even using the methods I teach others to use: create difficult yet supposedly easy-to-remember passwords. Perhaps this is why password managers remain so popular. I continue to hold out from using a password manager with hopes that biometric authentication will become more common on websites and remembering passwords will be a thing of the past (except when biometric authentication fails). If smartphone apps authenticate me with my fingerprint or face, then why don’t websites do that when my laptop has a fingerprint reader and camera just as smartphones do?

While the same biometric functionality is currently available on my computer, the main barrier is that websites struggle to support and accept biometric validation due to different implementations across various web browsers and operating systems. Several organizations and standards bodies are considering this issue. The FIDO (Fast Identity Online) Alliance was formed in 2013 to produce stronger authentication standards and reduce password reliance. The FIDO2 Project, a joint effort between FIDO and the World Wide Web Consortium (W3C), released specifications in 2019 for W3C’s Web Authentication (WebAuthn) product that allows a website to use the FIDO authentication through a standard API implemented in a browser using public key cryptography and biometric authentication. Unfortunately, its uptake has been slow primarily because of the inconsistent user experience from website to website.

I should note that biometric authentication for apps on phones has not necessarily eliminated passwords, though it certainly feels like it, at least until the biometric authentication fails. Rather, biometrics serve as an alternative method of accessing the app’s username and password combination. The fingerprint and facial recognition is a template algorithm stored in a highly secure location on our phones. When an app requests my thumbprint and the stored algorithm confirms a match, the equivalent of a password manager opens on my phone and I am authenticated.

Is the end drawing any closer for manually entering online passwords, and are you looking forward to that day? Taking it further, will the day ever come when passwords are eliminated? Personally, I hope so and am very much looking forward to that day. If it doesn’t happen, then, based on my own habits, the days of visiting my financial institution’s website and others’ sites might be altogether forgotten.
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed

March 14, 2022 in authentication
mobile
payments
Permalink
Comments

Take On Payments Search

    Keywords
    
Recent Posts

Receiving Banks and Authorized Push Payment Fraud: Somebody Else's Problem?

Financial Judgment Decline: An Early Sign of Dementia

A Fertile Environment for Scams

Number of Card Payments Spike in 2021 after 2020 Decline

Payments Study Reports Unprecedented Growth in ACH Payments Value

Fifty Years On: A Personal Payments Retrospective

Reports to FBI of Internet Fraud Surged in 2022

Fighting First-Party Fraud

Post-COVID, Canadian Merchants Stay Committed to Cash

The Ransomware Battleground in 2022

Categories

        account takeovers
ACH
AML/KYC
ATM
authentication
cards
cash
checks
contactless
cybersecurity
data security
digital currency
EMV
financial inclusion
fintech
identity theft
mobile
P2P
payments
payments risk
payments studies/research
privacy
remittances
TOP payments inclusion
supervision and regulation
tokenization
workforce development