Will biometrics be the future of payments?

In the mid-2000s, when biometrics in payments was still a mysterious notion, a company called Solidus Networks developed a finger-reader for payments that was trotted out at grocery chains such as Jewel-Osco.

It allowed shoppers to pay at a Pay By Touch terminal with the touch of a finger. That payment method – which arrived a decade prior to a similar product, TouchID on Apple iPhones – failed to gain traction, and Solidus filed for bankruptcy in 2007.

“At that point in time, biometrics was just really an alien concept,” said Thad Peterson, a strategic adviser with consulting firm Aite-Novarica.

While biometrics was too early to market then, payments consultants and executives say now is the moment for the technology. The FIDO Alliance, which seeks to eliminate passwords and advance biometrics for authentication, is one of several actors pushing payments in that direction. In the U.S., the retail sector is expected to generate $5.5 trillion by 2027 and Aite-Novarica estimates fraud losses just for card-not-present transactions will reach $9.2 billion next year, so there’s strong appeal in making payments simpler and more secure.

Tech companies Apple and Google – major influencers of consumer behavior – have done the heavy-lifting when it comes to biometrics acceptance. Their tech tools and ubiquitous smartphones have primed consumers to use their fingerprints or faces to access their devices.

In addition, user IDs, PINs and passwords have become a friction-filled headache for many. Consumers who’ve grown weary of the need for unique passwords may increasingly view biometrics as a welcome change.

Those two factors have set the wheels in motion on biometrics in payments, said Peterson, who focuses on emerging payment technologies and digital wallets.

As the pandemic prompted a shift toward contactless, payments players want to make transactions as frictionless and quick as possible, both to increase volumes and please customers. Tapping biometrics takes that a step further, proponents say, with ease of use and security both necessities in the digital age. By combining biometrics with Near Field Communication (NFC) and EMVCo standards, “you get to a really secure transaction,” Peterson said.

Reducing fraud is crucial to payments companies, and brands want to be seen as modern, seamless organizations, said Andrew Shikiar, FIDO Alliance’s executive director, during a June interview.

There’s plenty of buzz around biometrics, but a number of questions remain regarding adoption and security. Paying by face has been around for at least five years in China, but privacy concerns are more of an issue in the U.S. than in that country, payments consultants and executives said. Additionally, the U.S. financial system is far more diverse and American consumers tend to be slower to use new technologies.

U.S. adoption will come faster if biometric payment methods take off in Europe, where regulations are more stringent, Alessandro Chiarini, senior vice president of enterprise authentication for biometric software company Aware, said during a May interview.

As more companies turn to biometrics and collect consumer data, however, the odds of a major breach occurring increase. “You see one high-profile breach, and maybe consumer appetite and concerns completely change from what they were,” said Greg Szewczyk, partner and co-chair of the privacy and data security group at law firm Ballard Spahr.

Until the security of such systems has been tested further, biometric payment methods are unlikely to unseat other payment options, some professors and consultants said.

Biometrics in payments is “no silver bullet,” said Dave Lott, a payments risk expert at the Federal Reserve Bank of Atlanta, during an August interview. He noted the Federal Reserve has always maintained “a technology agnostic position.”

In payments, “there are applications that lend themselves to various forms of biometrics, and there’s others that don’t,” Lott said. “If I’m paying cash, there’s no biometrics involved in that.”

New payment methods emerge

Since the days of Pay By Touch, a crop of new biometric technologies have emerged: Methods asking users to hover or wave their palm over a scanner are factoring in unique features like the shape of the hand and the veins running through it.

Face-pay tools ask users to look into a camera as their image is captured and compared against facial scans; methods involving the eye can scan the retina or iris to authenticate payment.

People tend to be less comfortable with a biometric that involves the eye than a fingerprint, scholars said. In geographic regions of the world that have already turned to biometrics, like China, face-pay is more popular than palm-pay.

Consultants said biometric payment methods are far more likely to gain traction if they are geared to consumers using their smartphones, as opposed to requiring merchants to acquire and install in-store technology.

“I think absolutely people are ready for it, and they’re already using it,” Peterson said. As long as it’s device-dependent, “the merchant is kind of out of the equation,” he added.

Big names pursue biometrics

Consumers tend to be most familiar with the biometric method that employs a one-to-one comparison. That’s typical with phones using biometric sensors to verify users with a fingerprint or facial identification, said Anil Jain, a professor in the computer science and engineering department at Michigan State University.

“The advantage is that your template, or your reference biometric, is always stored in the phone, which is with you,” which is highly secure, Jain said.

That’s the approach that FIDO Alliance, a consortium of technology companies, has tapped in its effort to eliminate passwords. FIDO stands for fast identity online and the consortium is spearheading that change.

Pairing biometrics with cryptography allows a person to prove his or her identity to a device and then allow that device to provide proof to an approved third party, like a bank app, said Stephanie Schuckers, a professor at Clarkson University and director of the Center for Identification Technology Research. She was involved in the biometric certification process for FIDO.

Stephanie Schuckers, Clarkson University professor

Permission granted by Stephanie Schuckers

PayPal, Bank of America, Wells Fargo and large retailers Best Buy, Wayfair and eBay are among those already accepting FIDO for log-in, said Megan Shamas, FIDO’s senior marketing director. It’s gained traction in online payments in Europe, because it’s easier for consumers than a one-time password or multi-factor authentication, Shamas said.

Products like Amazon’s palm-pay, called Amazon One, are different: Consumers enroll at a store and link their payment information. In a system like Amazon One, it’s a one-to-many comparison, with “one” being the customer paying and the “many” being the pool of Amazon customers who’ve opted into recognition by their palm, Jain said. This method can be highly convenient, but involves biometric data being stored in a central database.

“There is always a worry that somebody may either break into the central storage or, during the transmission of the data from the point-of-sale to the cloud, somebody may intercept your data,” Jain said. That’s why Amazon and other large companies ensure biometric data is encrypted, so even if it’s intercepted, it’s secure, he said.

The e-commerce giant opted for the palm biometric because it was important to the company to choose a method that doesn’t reveal a person’s physical identity, said Dilip Kumar, Amazon’s vice president of physical retail and technology.

“Unlike face or even your voice, which can give you clues about the person’s identity, a picture of your palm doesn’t give you a clue as to who the person is,” he said in an Amazon News video published in July.

Amazon also opted for “a very intentional gesture,” Kumar said in the video. Customers are accustomed to holding their phones over devices, so hovering their hand over a scanner would seem similarly active, said Kumar, who the company said wasn't available for an interview.

Amazon uses sophisticated cameras and computer vision technology to capture the details of the palm and subsurface images of veins, Kumar said. The company incorporated “liveness detection” to bolster accuracy and ensure hands being held over devices are real.

Beyond some of the company’s Fresh, Go and Whole Foods stores, the technology also is being used in some U.S. airport stores and stadiums, an Amazon spokesperson said.

Other biometric uses are popping up in payments: Companies like Samsung are embedding fingerprint sensing, which eliminates the need for a PIN, into physical cards. Pasadena, California-based PopID has partnered with Visa and Mastercard to bring its face-pay technology beyond southern California to other regions of the world.

Mastercard’s biometric checkout program launched earlier this year with a pilot program in Brazil. The company also plans to test biometric payment methods in the Middle East, Asia and the U.S., although Nili Klenoff, senior vice president and head of authentication solutions at Mastercard, wouldn’t say when the program will arrive in the U.S.

The card network’s program lays out standards for how biometric service providers, digital players and merchants should develop their biometric tools and tests them to ensure the tools meet the company’s privacy and security standards, Klenoff said during a May interview.

Nili Klenoff, senior vice president of acceptance solutions at Mastercard

Permission granted by Mastercard

“Ultimately, that’s the key to unlocking scale,” Klenoff said. “Our goal is to create an open environment that empowers different channel providers to play.”

Privacy, security concerns

No two people in the world have the exact same biometric traits – and that plays into the hands of those trying to reduce fraud and enhance security in payments.

Consumers are still coming around to the idea, however. About half of U.S. adults favor the use of facial recognition technology for security purposes, such as enhanced security with a credit card payment, Pew Research Center determined in March.

When it comes to checkout, 74% of U.S. adults expressed privacy concerns about their biometric data, like fingerprints or retina scans, being stored by a marketer, according to data from an upcoming issue of Ipsos' strategic foresight magazine, What the Future. Respondents were polled in late August.

Consumers tend to view biometric checkout technology as reliable and trustworthy, but the next hurdle “is the security piece of it,” said Oscar Yuan, CEO of Ipsos Strategy3. The security factor is “particularly challenging” because it’s not just biometric data security that impacts consumers’ nervousness, “it’s general data security that’s giving people pause,” Yuan said.

Mastercard’s data from June also indicate about two-thirds of global consumers say biometrics is more secure than a PIN or password, but 71% are concerned about which parties have access to their biometric data.

From FIDO Alliance’s perspective, it’s critical that all biometric data remain in the device, not in a central database, Shikiar said. That’s a comfort to consumers who are trusting that their biometric information is being handled responsibly. FIDO’s user testing showed that “once they understood that the data was on their device, they loved it,” Shamas said.

Still, consumer advocates worry there’s a false hope the new systems being touted are more secure, when that might not be the case.

“My sense is that consumers are not going to wholeheartedly embrace all of this biometric stuff that’s being sold to them,” said Ed Mierzwinski, senior director of the federal consumer program at advocacy organization Public Interest Research Group. Consumers “are very concerned about databases containing their information that could then be misused.”

Of FIDO’s locally stored approach, Mierzwinski said: “I’m not endorsing it, but I’m saying it’s better.”

Others suspect consumers aren’t thinking about the different approaches to data storage. “I don’t think there’s that divide in their mind, that, oh, this one’s saved on my phone, so this one’s safer,” Yuan said. “They think in terms of, ‘OK, they have my data and I want it to be secure, whether that’s the device that stores it, whether that’s Amazon that stores it, whether that’s Apple that stores it, whether that’s AT&T that stores it.’”

With sensitive data in play, it’s incumbent upon companies to be transparent. Those capturing biometric information need to “be really clear about what’s being captured, how it’s being used and how it’s being protected,” said Adam Pressman, a managing director in the retail practice at consulting firm AlixPartners.

Among U.S. states, Illinois, Texas and Washington have biometric identifier laws, requiring specific consent from consumers before companies can collect biometric data. But all 50 states have breach notification laws, and most of those include biometric information, Szewczyk said.

If the biometric method used is something consumers are familiar with, it’s less likely to raise concern on the consumer front, Szewczyk said.

The usability factor

A handful of different biometric methods are being pursued in payments, but certain types have greater usability than others, depending on the setting.

“There are a whole bunch of biometrics,” Jain said. “The question is, what makes most sense in a given scenario?”

Anil Jain, Michigan State University professor

Permission granted by Anil Jain

Background noise in a crowded store may interfere with the use of a voice biometric at a kiosk. Paying by face could be particularly useful at drive-thru restaurants. Merchants will assess biometric technologies and pick the right tool for their business, Klenoff said.

For in-store payments, FIDO has been working with EMVCo on allowing the FIDO biometric credential to be used to authenticate at the point of sale, erasing the need for another verification method like PIN or a signature. Mobile payment providers like Apple and Android are beginning to implement that credential, Shamas said.

But if the biometric payment method involves the merchant obtaining and installing new technology – like a kiosk with a camera that scans a customer’s face – envisioning that is harder, consultants said.

That approach could be costly for merchants, requiring added hardware or software at each store, and customers would have to be taught how to use it, said Jeff Fortney, a senior associate with payments consulting firm The Strawhecker Group, in June.

The path to broad adoption

The pace at which biometrics in payments could take off in the U.S. remains unclear.

Some payments professionals pointed to the persistence of cash or the arduous adoption of chip cards. The latter were rolled out in 2015, and gas pumps just reached compliance this year. QR codes were used to make payments in India in the mid-2000s, but it took the pandemic to get consumers to use QR codes in the U.S.

Jeff Fortney, The Strawhecker Group consultant

Permission granted by Jeff Fortney

“I’ve seen a lot of new technology that I thought would just be a game-changer, but it either didn’t have financial support or merchants weren’t going to do it,” Fortney said. “It’s going to be a 10-year cycle, in my opinion, before [biometrics] really makes an appearance.”

Klenoff pointed to greater adoption of tap-to-pay during the pandemic, predicting biometrics will follow a similar trend. “We’ve taught consumers to swipe, then to dip, then to tap and now, biometrics,” she said. “With any of those experiences, it takes the consumer a couple of times to experience the technology, try it out and become comfortable with it before it becomes a habit.”

The older the technology is, the more consumers trust it. In the earlier days of the internet, people were afraid to use their credit cards online to pay. At that point, “we were looking at the same thing – 75 percent -80 percent of people were nervous,” Ipsos’ Yuan said.

Over time, technology improved and the convenience factor outweighed concerns, causing that percentage to shrink, Yuan said. He suspects consumer comfort with biometric payment methods will follow a similar path.

There’s still work to be done in biometrics on the technology side, in terms of improving accuracy. Shikiar noted false rejections can be an issue in biometrics, particularly for Black users. That’s something the industry continues to address, “to make sure that bias goes away through stronger testing, improvements in algorithms, things like that,” he said.

As Apple, Android and Windows products roll out new operating systems in the coming months that support FIDO credentials, Shamas expects that will be the spark that fuels further adoption on the part of financial institutions and merchants.

Rather than having shoppers input payment details such as card security code at each site, merchants want to move toward a process that has customers “form fill your credential in the browser, and then you authorize it with your biometric,” Shamas said. “I think we’re going to see these things come together in the next couple years or so.”

Looking ahead, consultants envision the use of biometrics to unlock a mobile device being applied to authorize a payment made shortly thereafter, without having to re-authenticate, Peterson said.

For his part, Lott expects to continue to see a “buffet of payment choices.”

“Ultimately, it is the consumer that’s going to make the decision as to what method of payment they prefer to use,” Lott said. “If a merchant doesn’t support that particular method of payment, it’s highly likely that consumer [is] going to find a merchant that does.”