When you’re making a purchase in-person (rather than online), you’re probably using a payment card. And when you’re verifying that you actually mean to make the purchase, you’re probably not signing a receipt at this point – instead, it’s likely that you’re entering a PIN. Everyone used to verify their payments with a signature, and now everyone understands that a PIN is just as good, if not better.
If you’re paying for something online, however, using a relatively new smartphone, there’s a good chance you’re not entering a payment card number and a PIN, but instead using your phone’s biometric authentication mechanism – Face ID, for example, or a fingerprint scan. Everyone used to shop in person and enter a PIN, and now sometimes people shop online and confirm their purchases with biometrics, and everyone understands that most smartphone-based biometrics are just as good as a PIN, if not better.
And if you’ve gone the next step in payment innovation and loaded a virtual version of your payment card onto your phone, and now you’re using your phone to pay for things in-person, you’re probably using biometric authentication to verify the purchase there, too. Because the phone’s biometric authentication is just as good as a PIN (if not better), everyone understands that there’s no need to require a physical payment card and a PIN for in-store payments. A face or fingerprint-scanning phone is just as good, if not better.
To some, the next logical step from here is obvious: if your biometrics are now linked to your payment card, why should you even need your phone? A few years ago, this would have struck a lot of people as a radical concept – that you might pay for something with just a biometric scan, and no physical token of any kind, other than your own biometrics. But innovation in these kinds of biometric payments – also known as ‘naked payments’ – has been rapid, and 2022 has delivered some indications that this nascent payment technology may be on the cusp of going mainstream.
Amazon Blazes a Trail
One of the most high-profile pioneers of biometric payments so far has been Amazon, which has been gradually rolling out a Point-of-Sale system designed to scan a customer’s palm biometrics – the pitch being that you can make a purchase with a wave of the hand. The company officially unveiled its Amazon One system in September of 2020, and went on to announce that it would be deployed at select Whole Foods stores in Seattle the following spring.
Since then, Amazon One has been implemented in Whole Foods stores in New York City, Los Angeles, and Austin, as well as in certain Amazon Fresh, Go, and Style stores. And this past August, Amazon announced that it would roll out the biometric payments system across 65 Whole Foods locations in California.
Amazon hasn’t disclosed how popular (or unpopular) its naked payments system is. But the expanding rollout suggests that Amazon has detected a certain appetite for this kind of innovation. It’s also worth noting Amazon’s focus on introducing the system in high-profile, trend-setting urban centers like Seattle, Los Angeles, New York City, and Austin. The company’s leadership may be banking on ripple effects from early adopters.
Of course, Amazon is itself an early adopter of this technology, and that’s by its nature. The company is a disruptor, and has been unafraid to “move fast and break things”, as the Silicon Valley motto goes. So this year’s other major development in the emerging naked payments sector is all the more noteworthy for coming from a relatively conservative institution.
A Payments Giant Surveys the Frontier
Mastercard announced its Biometric Checkout Program in May of this year. It was a tentative yet bold step: the global payments giant had not yet settled on any one particular approach, but was partnering with a number of FinTech innovators to experiment with the technology in various markets.
First up would be Payface, a Brazil-based startup specializing in linking consumers’ face biometrics to their payment accounts, which would deploy its solution across five stores belonging to the St Marche supermarket chain. But at the Biometric Checkout Program’s outset, Mastercard revealed that it had also partnered with NEC, Aurus, Fujitsu Limited, PaybyFace, and the growing Silicon Valley startup PopID.
Setting aside Aurus, which handles payment processing, three of Mastercard’s other four biometrics partners specialize in face-based technologies. PopID and PaybyFace have built naked payments solutions around face biometrics, and NEC is renowned for its highly accurate NeoFace solution, which offers applications in a number of areas including naked payments. Fujitsu stands out for its historical focus on a different modality, palm vein biometrics; but the company’s more recent efforts to explore naked payments combined that technology with facial recognition, a new area of interest for Fujitsu. All of which suggests that Mastercard is strongly leaning toward face biometrics as the modality of choice for biometric payments.
It makes sense. Selfie-based authentication is probably the most popular means of biometric authentication on smartphones today, and a large cohort of consumers are now used to confirming mobile-based transactions with a face scan. It’s convenient, contactless, and does not necessarily require any particular action from the consumer at the Point of Sale other than facing a self-service kiosk.
You Can’t Cancel Your Face
The problem is that it might be too convenient. If all that is needed for a payment to be authorized is an image of the buyer’s face, all sorts of fraudulent and criminal shenanigans become conceivable, and maybe even expected. Hypothetically, someone could make a purchase using a printout of a registered consumer’s face; maybe they could even download a retail store’s mobile app and aim their phone’s camera at a customer in order to put a payment through.
None of this is necessarily likely, but it’s conceivable, and its plausibility depends on the quality of the biometric technology being used. In the world of mobile payments, for example, Apple doesn’t need to worry about letting users authorize payments with a selfie at least in part because its $1000+ smartphones feature highly sophisticated laser grid technology that creates a three-dimensional map of the user’s face. It is very difficult to spoof. Google, on the other hand, is pointedly refusing to let users of its new Pixel 7 use its facial recognition technology for online payments, presumably because the company is not confident that its new face scanning system is as resilient against spoofing attacks as its fingerprint authentication mechanism.
For naked payments, the facial recognition technology that Mastercard deploys will probably need to be sophisticated enough to spot a 2D printout when it sees one, if it’s going to successfully persuade a sizeable chunk of consumers to give it a try. And that will probably entail convincing merchants to install new hardware that is fit for purpose. Amazon, meanwhile, doesn’t need to convince merchants of anything: the company is deploying its palm scanning solution at its own stores, from the top down.
But both companies will have to convince consumers to opt into their systems, and that will require addressing the security of their biometrics. If your payment card gets stolen – or if your phone gets stolen, and your card is on it – you can call your bank and cancel it; you cannot cancel your face or palm. Ultimately, both Amazon and Mastercard – and the many other, smaller players that are busy pioneering the biometric payments frontier – will need to persuade customers that their systems are both convenient and safe, with no risk of having their biometric payment credentials permanently compromised. If they can do that, there may come a time when everyone understands that for in-store payments, your biometrics are just as good as a payment card or a phone, if not better.
November 10, 2022 – by Alex Perala