Mastercard plans to authenticate transactions using selfies

Mastercard plans to authenticate transactions using selfies and thumb-prints, in a bid to move away from traditional username and password authentication, and make the payment process as frictionless as possible.

The famous selfie monkey.
The famous selfie monkey.

Mastercard has announced a rollout of its new app named Identity Check Mobile, which will allow consumers to confirm their identity by using their mobiles fingerprint scanner and taking a selfie.

Mastercard has said they felt the need to implement new authentication technologies as it is seeing users move away from traditional credit cards to other payment methods, such as Apple and Android Pay.

It hoped that the technology behind the app should allow for speedier payment processing and authentication.

The technology has been trialled in the US, Canada and the Netherlands, and is now being rolled out to a further 12 countries, including the UK. Mastercard anticipates more countries will follow suit next year.

In user trials, Mastercard said 92 percent of its testers preferred the selfie system to passwords. Given the recent recent spate of mega-breaches, the move away from passwords could be argued to be highly logical.

Pointing out the issue with the rise in use of biometrics for authentication, Robert Page, lead penetration tester at Redscan said, “These systems, whilst typically more secure, can pose their own set of issues. For instance, if biometric information is captured and used by an attacker, it's not possible for a user to change his or her imprint as they would a password.”

Page added, “Mastercard's implementation of facial recognition requiring a user to blink appears to be a novel solution to prevent others from taking a picture of a user. The effectiveness of its implementation is yet to stand the test of time.”

Mastercard said the same study showed that 41 percent of UK consumers now view their mobile phone as their preferred alternative to a traditional credit card.

Identity Check Mobile uses a combination of a user's fingerprints and facial recognition to authorise payments instead of passwords and memorable data.

Upon downloading the app, users will be asked for a reference selfie, which will be stored on Mastercard's servers. This will be used the next time a user takes a photo of themselves to confirm their identity.

Mastercard has said it will ask users to blink, to confirm they are human, and prevent a malicious actor from simply holding up a picture of a user's face in front of the camera.

Mastercard have yet to announce which UK banks will offer the service.

Speaking at Mobile World Congress 2016, Ajay Bhalla, president of enterprise risk and security at Mastercard, said shopping had been "revolutionised" by contactless cards, mobile payments and wearable tech.

Bhalla said, “Approval rates are a huge problem, one in six transaction get declined, and a number of these declines are false declines. So if we can improve the accuracy of our systems, then we can change the user experience and approve more transactions.”

“We are relentlessly focused on making the online payment experience near frictionless, without making any compromises on safety and security," he added.

Several industry experts spoke with SCMagazineUK.com and expressed their skepticism with such efforts.

Javvad Malik, security advocate at AlienVault, said, “The use of a selfie as an authentication mechanism may seem like something that a millennial cooked up whilst browsing Instagram one night. However, payments have always been about risk management. Banks have typically been good about walking the line between convenience and security. From a security viewpoint, financial fraud will never be completely eradicated, and increasing security too much will inconvenience users - so for banks it's a fool's errand. The issues that are present are similar to any of the issues that exist with any biometric technology, in that there will be a number of questions users and privacy advocates will be asking. Such as how will the pictures be used; will they be saved? Will the data be shared with advertisers, or other online channels?”

Paco Garcia, CTO at Yoti, said, “The key challenge for any of these selfie authentication solutions is ensuring the right live person is in front of their phone requesting payment, and not a fraudster using a photo or video of another person. It is important for companies to take the time to find a level of security that suits them and their customers."

Sign up to our newsletters