Thanks to the FinTech revolution, mobile payments are growing rapidly in popularity. Gartner predicts that 50 percent of consumers in mature markets will use smartphones or wearables for mobile payments by 2018. Making payments directly from a mobile device can certainly make life easier, but what happens when a hacker is able to infiltrate your credit details and seize financial data using that same mobile payment feature? As this trend continues to see substantial growth, it is increasingly important that consumers don’t trade security for convenience. Implementing strong authentication methods is the key for them to have the best of both worlds.
In this post, we’ll explore multiple forms of authentication that can enhance the security of mobile payments. Authentication can be broken down into three categories:
- Possession: Something a person has, such as a key, card, token, or mobile device.
- Knowledge: Something a person knows, such as a password, PIN, or security question.
- Inherence: Something a person is or does, such as fingerprints, face, iris, or behavioral biometrics.
In the financial industry, bank cards are a traditional form of authentication. However, possession does not always correlate to identity. It is relatively simple for cybercriminals to steal payment card information, either using a skimming machine attached to an ATM or credit card terminal, or through a data breach. They can then use this stolen information to create fake payment cards and make fraudulent purchases.
The whole point of mobile payments is not needing another object (like a payment card) in order to make a purchase. Therefore, authentication based on possession isn’t plausible in this scenario. As the world continues to transition from physical to digital, authentication based on possession becomes increasingly archaic.
Today, most mobile payment applications rely on knowledge-based authentication. User credentials like usernames and passwords have long been used to represent identity, but are easily shared or stolen. A recent survey from LastPass revealed that 59 percent of people reuse passwords on multiple sites. This makes it even easier for cybercriminals to access your data without your permission.
On a less malicious note, can you remember a time when you willingly shared a password or with a friend or family member? Perhaps one for Netflix or your PIN for an ATM transaction. If so, you’re not the only one. LastPass also found that 95 percent of Americans share between one and six passwords with friends or family members. No matter how the login credentials are obtained, there is no guarantee that the person using them is truly who they say they are.
The most reliable form of authentication is biometrics, because it is infinitely more difficult for hackers to steal or replicate your fingerprints, face, iris or voice biometrics. Instead of asking “what you have” or “what you know,” mobile payment applications should be asking “who you are” to authenticate identity. This is the next evolution of authentication, as Juniper Research predicts there will be nearly 700 million biometric authentication apps downloaded by 2019. Mobile devices are the most cost-effective means for this method, because most smartphones are already embedded with the necessary technology (like Apple’s Touch ID and Samsung’s new iris scanner). By combining mobile payments with mobile biometric authentication, consumers will never have to choose between security and convenience.