I came across an article that was heavily critical of using facial biometrics for payments; it makes the point that financial transactions in the EU are going to need two-factor authentication for anything over 50 euros. Multi-factor authentication basically means you pick 2 (or 3) from the following list:
- Something you are (biometrics)
- Something you have (phone, card)
- Something you know (PIN, password)
We are all familiar with online data breaches that exploit the single factor of a password. Some online database gets hacked and the attackers manage to reverse some of the password hashes. Now some hacker in Estonia can pretend to be you and cause you all kinds of problems. That’s the weakness of single-factor authentication – it has a single point of failure. With a second factor (e.g. a text message from your bank to your phone) you have significant additional protection, because a hacker would have to compromise both your password and the thing you have in your possession (your phone). That’s a whole lot harder.
In the payments space, a typical single factor would be a merchant accepting a card without a PIN. In the US this isn’t unusual for small purchases (< $25).
The reasoning goes something like this:
- The vast majority of the customers are not using fraudulent cards.
- A fraudulent purchase is a real cost to the merchant of between $0 and $25 (but quite often less than $5).
- Requiring PINs from every customer also has a cost, because the merchant may not be able to handle as many customers, or maybe customers will just get annoyed and go some place that doesn’t require a PIN. That has a cost too, and it could easily be a lot higher than $5.
A good merchant will look at these cost trade-offs and make a rational decision about balancing security against customer satisfaction. They aren’t trying to get the cost of fraud and chargebacks to $0 – they are trying to minimize those costs while keeping customers happy and transaction speed high. Note that since the US went to mandatory chip cards, this example has become much more secure. In the “old days” it wasn’t hard to make a fake card using a magnetic stripe, so hackers could download 100,000 stolen card numbers and make 100,000 fake cards. With chip cards, they are essentially impossible to counterfeit, so the only way someone could use a card fraudulently is if they find it or steal it.
A payment system based upon single-factor biometrics would involve a similar trade-off analysis. On a properly tuned biometric system, the chance of a false match would be very low, and in line with the risk of not using a PIN on a chip card. But the key point is that any identification process is probabilistic. Two-factor authentication is not guaranteed to be safe, and single-factor authentication is not inherently risky. Each situation has to be analyzed in its own context.
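To make the merchant's trade-off concrete, here is an added example (not from the article) that models each verification policy as a false-accept rate plus a customer-abandonment rate and computes the expected cost per transaction; it also solves for the ticket size at which requiring a PIN starts to pay for itself. Every rate and dollar figure in it is a constructed assumption, not a published number.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Point-of-sale verification policy (all figures below are constructed assumptions)."""
    name: str
    false_accept_rate: float  # share of fraud attempts the check lets through (1.0 = no check at all)
    abandonment_rate: float   # share of legitimate customers who walk away because of the friction


# Constructed policies: card with no PIN, chip + PIN, and a single-factor biometric check.
NO_PIN = Policy("card only, no PIN", false_accept_rate=1.0, abandonment_rate=0.0)
PIN = Policy("chip + PIN", false_accept_rate=0.01, abandonment_rate=0.005)
BIOMETRIC = Policy("single-factor biometric", false_accept_rate=0.001, abandonment_rate=0.002)


def expected_cost(policy, ticket, fraud_attempt_rate, lost_customer_value):
    """Expected cost per transaction: fraud that slips through plus customers lost to friction."""
    fraud_cost = fraud_attempt_rate * policy.false_accept_rate * ticket
    friction_cost = (1.0 - fraud_attempt_rate) * policy.abandonment_rate * lost_customer_value
    return fraud_cost + friction_cost


def cheapest_policy(policies, ticket, fraud_attempt_rate, lost_customer_value):
    """The merchant's rational choice: lowest expected cost, not zero fraud."""
    return min(policies, key=lambda p: expected_cost(p, ticket, fraud_attempt_rate, lost_customer_value))


def pin_break_even_ticket(fraud_attempt_rate, lost_customer_value, pin=PIN, baseline=NO_PIN):
    """Ticket size above which requiring a PIN costs less than accepting cards without one.

    Solves expected_cost(baseline) == expected_cost(pin) for the ticket value:
    the fraud term grows with the ticket while the friction term does not.
    """
    friction_gap = (1.0 - fraud_attempt_rate) * (pin.abandonment_rate - baseline.abandonment_rate) * lost_customer_value
    fraud_gap_per_dollar = fraud_attempt_rate * (baseline.false_accept_rate - pin.false_accept_rate)
    return friction_gap / fraud_gap_per_dollar


if __name__ == "__main__":
    # Constructed inputs: 1 fraud attempt per 1,000 transactions; a lost customer costs $5 of margin.
    f, v = 0.001, 5.0
    print(f"Requiring a PIN pays for itself above ${pin_break_even_ticket(f, v):.2f}")
    for ticket in (10, 20, 30, 100):
        for p in (NO_PIN, PIN, BIOMETRIC):
            print(f"${ticket:>4} {p.name:<24} expected cost ${expected_cost(p, ticket, f, v):.4f}")
        print("      cheapest:", cheapest_policy((NO_PIN, PIN, BIOMETRIC), ticket, f, v).name)
```

With these constructed inputs the break-even lands near $25, which is the kind of threshold the no-PIN-for-small-purchases practice reflects; change the abandonment rate or the value of a lost customer and the threshold moves accordingly.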