Mastercard rolls out pay-by-selfie across Europe

Analysis MasterCard’s "selfie pay" will be coming to Europe next year after trials in the US, Canada and the Netherlands.

The financial services firm  is rolling out biometric technologies that will allow European consumers to authenticate their identity without a password, but with a selfie, in order to provide customers with a more convenient method to sign in and a faster checkout process. Security firms view the development as another sign of the mainstream availability of biometric authentication, comparing it to the introduction of TouchID fingerprint authentication technology in the iPhone.

Javvad Malik, security advocate at enterprise security tools firm AlienVault, said that “selfie pay” is seemingly an attempt to bridge the gap between a fully authenticated method, such as chip and PIN – and unauthenticated payments methods such as contactless.

“The use of a selfie as an authentication mechanism may seem like something that a millennial cooked up whilst browsing Instagram one night,” Malik said, “however, payments have always been about risk management. Banks have typically been good about walking the line between convenience and security.”

He added: “From a security viewpoint, financial fraud will never be completely eradicated, and increasing security too much will inconvenience users - so for banks it’s a fool’s errand. Rather, the controls needed should be sufficient to keep fraud within tolerances whilst providing customers with a convenient experience,” he added.

Robert Page, lead penetration tester at Redscan struck a more cautious note.

“User passwords are typically the easiest point of attack in computer systems and this is driving increased adoption of biometric authentication systems,” Page said. “These systems, whilst typically more secure, can pose their own set of issues however. For instance, if biometric information is captured and used by an attacker, it's not possible for a user to change his or her imprint as they would a password.”

Mastercard’s implementation of facial recognition requiring a user to blink appears to be a novel solution to prevent others from taking a picture of a user. The effectiveness of its implementation is yet to stand the test of time, however,” he added. David Meyer, VP of product at OneLogin, said that facial recognition offers the potential to finally displace passwords as an authentication technology in enterprises.

Biometrics have been an interest for enterprise IT for some time,” Meyer said. “They haven't become mainstream yet, lacking both reliability and ubiquity. For example, options like fingerprints are not available on all devices, and even fewer computers, without additional hardware. Voice recognition has the benefit of near-ubiquity in some companies, where the majority of people have a phone, but has proven unreliable, unable to authenticate when there is background noise.

“Passwords remain very common because they always work, but of course can be stolen or discovered. For this reason most enterprises imply multiple factors of authentication, perhaps a password together with a single-use code,” he added.

Meyer argued that facial recognition technologies could finally spearhead the widespread use of biometric technologies in the enterprises.

“Over the coming years we will see biometrics become more common in the enterprise and facial recognition is the likely core, seeing as cameras are becoming ubiquitous and the recognition software is becoming very reliable. Our customers are already discussing these biometric factors with us and how they can be best applied.”

“Multiple passive factors can be combined for added security. Phone apps can detect your heart rate by the pulsing flush of your skin; keyboard clacking patterns can distinguish you just like your fingerprint.  Combined with whether your location is 'typical' or changes too quickly, identity systems can flag suspicious behaviour and prevent unwarranted access while it is happening,” he concluded. ®