
One use of biometrics is for payment authentication.

Biometrics can be used on mobile devices to authenticate payments, removing the need for
purchasers to remember a PIN or password.
Will PIN numbers and/or passwords become a thing of the past? New developments in
biometrics suggest this may be the case. At one time, the use of biometrics was reserved for
high-security applications, but it is now moving into the mainstream.

A recent study from Juniper Research predicts that mobile biometrics will authenticate $2 trillion
in remote and in-store payments in 2023, up from an estimated $124 billion in 2018. The study
also estimates that over 80% of smartphones will have some form of biometric hardware by
2023.

High Security
The main advantage of biometrics is that they allow you to prove your identity using
characteristics that make you unique. Since the data is “something you are,” it’s much less likely
to be forgotten, stolen or forged, in contrast to using something you possess (like a document or
card) or something you know (like a password or secret phrase).

Improved Customer Experience


Biometrics provide a lower level of friction in payments than passwords. Using biometric
authentication for payments is quick and convenient. Users don’t have to remember passwords
and PINs.

Competitive Edge for Businesses


Using biometrics in payments provides better security. Better security helps increase customer
trust in a business, leading to improved business opportunity. Security and security threats are
always evolving, and it is important to stay ahead of emerging trends in order to keep up
with or move ahead of your competitors.

Disadvantages of Biometrics in Payments


Concerns over Personal Data
One potential issue is that biometric data is arguably the most personal and private data that
anyone has, and in the case of physiological data, the individual can’t readily change it. If it is
compromised, it cannot be reset like a password or PIN can. Consider the possibility of one’s
fingerprint being stolen and then fraudulently used, for example. Another possibility is that
biometric data might ultimately be used for purposes other than those originally intended (by
third parties, for instance), which is another major risk to security and privacy.

Fear of the Unknown


This perhaps explains why only 46% of 12,000 consumers surveyed for HSBC’s “Trust in
Technology” report (2017) said they trust fingerprint recognition to replace passwords, and just
26% trust iris recognition to do the same. On the other hand, “trust in biometrics tripled after a
simple explanation,” notes the report. At any rate, it’s clear that establishing trust in biometrics
will be the key to successful adoption.
The move towards biometric payment cards - not to mention other biometric-related innovations
- is being driven by banks, merchants, and consumers alike, all of whom are seeking
improvements over the current password/PIN system.

For some, the future can’t get here soon enough. In fact, according to Visa’s recent survey of
1,000 adult Americans who use at least one credit or debit card and/or mobile pay, consumers
are really looking forward to the widespread adoption of this technology. Sixty-seven percent
say they are interested in making payments using fingerprint technology in the future, and more
than 50% advised that they would switch away from a card network or bank that didn’t offer
biometric authentication at some point down the road.

It looks like the future may just be a step . . . or rather, a fingerprint away.

https://www.globalpaymentsintegrated.com/en-us/blog/2020/06/30/biometrics-the-future-of-payments

Biometric authentication involves using some part of your physical makeup to authenticate you.
This could be a fingerprint, an iris scan, a retina scan, or some other physical characteristic. A
single characteristic or multiple characteristics could be used. It all depends on the infrastructure
and the level of security desired. With biometric authentication, the physical characteristic being
examined is usually mapped to a username. This username is used to make decisions after the
person has been authenticated. In some cases, the user must enter the username when
attempting to authenticate; in others, a lookup is done on the biometric sample in order to
determine the username.

Biometric authentication is performed by doing a comparison of the physical aspect you present
for authentication against a copy that has been stored. For example, you would place your
finger on a fingerprint reader for comparison against the stored sample. If your fingerprint
matches the stored sample, then the authentication is considered to be successful.

In order to set up biometric authentication, the appropriate infrastructure must be in place. Once
the infrastructure is set up, we register users. Some products allow users to register directly,
while others require a registration agent to perform the registration for the user. Let’s take the
example of fingerprint-based authentication. During the registration process, the system will ask
the user to submit a sample; in actual fact, it will create multiple samples. The user places their
finger on the fingerprint reader. The system will record images of the user’s fingerprint. The
system will use the multiple images to determine a point pattern to identify the user’s fingerprint.
These points are basically dots placed on different areas of the fingerprint. These dots are used
to denote the pattern made by the fingerprint. Once a sufficient number of samples have been
taken to form a consistent point pattern, the pattern is stored and used as the basis for later
comparison during authentication.
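
The enrollment and comparison steps described above, as an added Python example that is not from the quoted source: it keeps only the points that recur across the enrollment samples and scores a later sample by how many template points it reproduces. The coordinates, the 4-pixel tolerance and all function names are constructed for illustration, and samples are assumed to be already aligned (real matchers also correct for rotation and shift).

```python
import math

TOLERANCE = 4.0  # assumed: max pixel distance for two points to be the same feature

def nearest(point, candidates, tol=TOLERANCE):
    """Return the closest candidate within tol of point, or None."""
    hits = [c for c in candidates if math.dist(point, c) <= tol]
    return min(hits, key=lambda c: math.dist(point, c)) if hits else None

def enroll(samples, min_votes):
    """Build a template from points that recur in at least min_votes samples.

    The first sample is the reference; each surviving point is stored as the
    average of its sightings, which smooths out sensor jitter.
    """
    template = []
    for ref in samples[0]:
        sightings = [ref]
        for other in samples[1:]:
            hit = nearest(ref, other)
            if hit is not None:
                sightings.append(hit)
        if len(sightings) >= min_votes:
            n = len(sightings)
            template.append((sum(p[0] for p in sightings) / n,
                             sum(p[1] for p in sightings) / n))
    return template

def match_score(template, probe):
    """Fraction of template points reproduced by the probe (one-to-one)."""
    unused, matched = list(probe), 0
    for point in template:
        hit = nearest(point, unused)
        if hit is not None:
            unused.remove(hit)
            matched += 1
    return matched / len(template) if template else 0.0

def verify(template, probe, threshold):
    """Accept the probe when its score reaches the configured threshold."""
    return match_score(template, probe) >= threshold

# Constructed enrollment samples: the fifth point is missing from one capture.
SAMPLES = [
    [(10, 10), (30, 12), (50, 40), (70, 65), (20, 80)],
    [(11, 9), (31, 13), (49, 41), (71, 64), (90, 90)],
    [(10, 11), (29, 12), (51, 39), (69, 66), (21, 79)],
]
TEMPLATE = enroll(SAMPLES, min_votes=3)
GENUINE = [(10, 10), (30, 13), (50, 41), (88, 20)]   # constructed, same finger
IMPOSTOR = [(12, 60), (40, 25), (50, 43), (80, 80)]  # constructed, other finger
```

With these values the inconsistent fifth point is dropped at enrollment, and the stored template is a set of points rather than the fingerprint images themselves.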

Biometric authentication is a fairly solid method of authentication and is in use by many
organizations today, but it is not without its issues or drawbacks. One of the problems with
biometric authentication is that it usually requires special hardware such as a fingerprint reader,
retina scanner, and so on. The hardware has to be installed and configured on each system (or
endpoint) that will be used for login. This limits the overall usability of the solution. You can’t just
walk up to any system and expect to use it to authenticate. It can be especially problematic
when you are external to your organization (i.e., working remotely or on the road), as you need
a system that has the necessary hardware installed and configured per the corporate policy. In
addition, cost can also be an issue with biometrics. The specialized hardware required for
biometric authentication can be expensive and has to be purchased for all authentication
endpoints. Therefore, the initial investment required for a biometric solution can be quite
sizeable.

A second potential concern with biometrics is security. Part of setting up a biometric solution
includes configuring the sensitivity level for the sample. The sensitivity level determines how
close a match you need for authentication to be successful. Configuring the sensitivity level can
be somewhat tricky. If it’s set too low, one recorded sample could potentially match multiple
physical samples. If it’s set too high, you could block access to someone who is legitimately
authorized to access the system.

There have also been cases where people have been able to break biometric authentication.
The main issue here is that in many cases, biometric authentication relies only on the image
presented during authentication, so it can be tricked by a forged image (we see plenty of
examples of this in modern-day spy films). In order to combat this, some biometric
manufacturers have been adding other requirements to their biometric authentication solution.
For example, a fingerprint reader may also check the temperature of the finger used to supply
the fingerprint. If the temperature is not within a normal range for the human body, the system
assumes the fingerprint is being supplied by some bogus method and the authentication fails.

For these reasons, we do not see a lot of Internet-based applications using biometric
authentication. We see it more in corporate settings and, many times, it’s used just for certain
applications or under special circumstances.

Biometric Authentication
Biometric authentication devices rely on physical characteristics such as a fingerprint, facial
patterns, or iris or retinal patterns to verify user identity. Biometric authentication is becoming
popular for many purposes, including network logon. A biometric template or identifier (a sample
known to be from the authorized user) must be stored in a database for the device to compare
to a new sample given during the logon process. Biometrics is often used in conjunction with
smart cards in high-security environments. The most popular types of biometric devices are the
following:


Fingerprint scanners: These are widely available for both desktop and portable computers from a
variety of vendors, connecting via a Universal Serial Bus (USB) or PCMCIA (PC Card) interface.

Facial pattern recognition devices: These devices use facial geometry analysis to verify identity.

Hand geometry recognition devices: These are similar to facial pattern devices but analyze hand
geometry.

Iris scan identification devices: Iris scanners analyze the trabecular meshwork tissue in the iris,
which is permanently formed during the eighth month of human gestation.

Retinal scan identification devices: Retina scanners analyze the patterns of blood vessels on the
retina.

A large number of physiological characteristics can be used as identifiers, and devices have
been developed that verify identity based on knee scans, ear geometry, vein pattern
recognition, and even body odor recognition. In addition, some devices analyze and compare
behavioral traits using methods such as voice pattern recognition, signature verification,
keystroke pattern recognition, breathing pattern recognition, gait pattern recognition, and even
brainwave pattern recognition, although many of these are only in experimental stages.
Biometrics is considered to be among the most reliable authentication methods possible.

On the Scene

Defeating “Foolproof” Authentication Mechanisms


In 2000, a French engineer/hacker named Serge Humpich (and known as “the Count of Monte
Crypto”) was able to defeat the 640-bit encryption key used by smart cards issued by banks in
France, which millions of French consumers used for purchasing items. The equipment he used
to break the encryption key cost only $250.

Even supposedly “foolproof” biometric methods aren't foolproof. This is because the biometric
data must be analyzed by a software program, and everyone who has worked with computers
knows that there is no such thing as a software program that works perfectly. Thus, the vendors
of biometric solutions establish fault-tolerance limits that are based on a certain level of false
rejection and false acceptance rates (called FRRs and FARs, respectively). False rejection
occurs when an authorized user is rejected by the system, and false acceptance occurs when
an unauthorized user is “passed” by the software and is allowed access. In fact, fingerprint
scanners have been defeated by such simple methods as blowing on the sensor surface to
reactivate a fingerprint previously left there or by dusting a latent fingerprint on the sensor with
graphite and then applying adhesive film to the surface and pressing on it gently. These
techniques are examples of latent image reactivation. In a well-publicized case in May 2002, a
cryptographer in Japan was able to create a phony fingerprint using gelatin, which he claimed
fooled fingerprint scanners approximately 80 out of 100 times.
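
The trade-off behind the FAR/FRR limits described here, and behind the sensitivity setting discussed earlier, as an added Python example that is not from the quoted source: it sweeps the acceptance threshold over match scores and reports both error rates. The scores are constructed for illustration and all function names are assumptions.

```python
# Constructed match scores in [0, 1]; not measurements from any real device.
GENUINE = [0.91, 0.84, 0.78, 0.73, 0.69, 0.66, 0.58, 0.88, 0.81, 0.47]
IMPOSTOR = [0.12, 0.25, 0.31, 0.38, 0.44, 0.52, 0.19, 0.61, 0.28, 0.35]

def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    if not genuine or not impostor:
        raise ValueError("need at least one genuine and one impostor score")
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr

def sweep(steps=20):
    """(threshold, FAR, FRR) for evenly spaced thresholds from 0 to 1."""
    return [(t / steps, *rates(t / steps)) for t in range(steps + 1)]

def equal_error_point(steps=20):
    """Row where FAR and FRR are closest: a common single-number summary."""
    return min(sweep(steps), key=lambda row: abs(row[1] - row[2]))

def lowest_threshold_for_far(max_far, steps=20):
    """Lowest threshold whose FAR does not exceed max_far, with its FRR."""
    for row in sweep(steps):
        if row[1] <= max_far:
            return row
    return None

if __name__ == "__main__":
    for threshold, far, frr in sweep(10):
        print(f"threshold={threshold:.1f}  FAR={far:.0%}  FRR={frr:.0%}")
```

On this data, pushing false acceptance to zero requires a threshold of 0.65, at which two of the ten legitimate attempts are rejected.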

https://www.sciencedirect.com/topics/computer-science/biometric-authentication
