By Theodore Lloyd1
1Innovation Consultant, , Axis Corporate
Amazon Go represents a step change in how payments are handled at point of sale, and provides a revolutionary customer experience. You can enter the store, pick up any product and leave, knowing your account will be charged. No need to fumble with cash or cards. The payment is entirely invisible. Invisible payments as a business model are expected to be worth $78 billion by 2022,1 but to achieve this – and to truly impact the payments market – the key issue of security needs to be overcome. Customers’ primary concern when making payments is ease of use (the reduction of friction) as we have witnessed by the rapid increase in contactless payments. Security is certainly a major concern, but it consistently comes afterwards. It is the payments providers that face the regulatory burdens, thus bearing responsibility to maintain security. Truly frictionless payments require advanced security systems, systems that can authenticate a customer and their payment method without causing friction in their customer journey. This requires a fundamental rethink in how we authenticate and secure payments, moving from static to dynamic data, and from event-based authorization to continuous assessment.
Security systems for payments are built around the concept of multifactor authentication. The user needs to combine two of the following: “what I know”, i.e. password or PIN; “what I possess”, i.e. card or device; “who I am”, i.e. biometrics; and, increasingly, “where I am”. There are, of course, exceptions to this rule. Contactless card payments, which rely solely on “what I possess”, represent a risk, as a stolen card could be used by anyone. To mitigate this risk, contactless payments are capped.
Card payments above the contactless threshold are secured through PIN numbers – the card is “what I possess”, the PIN “what I know”. While this offers more security than traditional card signatures, it is a point of friction. The customer must present their card, insert their PIN and wait for their payment to process. The PIN number must be memorized, and it is vulnerable to fraud and theft by over-the-shoulder attacks.
E-wallets have been mooted as a means of reducing friction in a secure way. Contactless payments can be made with a device that is secured by biometrics. While this would in theory speed up the payment journey, in practice e-wallets are still limited by contactless payment limits. Furthermore, biometrics are vulnerable, as they use static data which can be stolen or mimicked. Moreover, static data requires a specific “authorization event” – a customer looks into a facial scanner, or touches a fingerprint reader. This still inserts significant friction into the process – for example, consider how frustrating e-passport gates are, or unlocking a phone with a wet finger.
Ultimately, biometrics are little different to using passwords – secure, but not foolproof, and still cause friction in the payment journey – with one additional caveat, and that is that we cannot change our biometrics should they become compromised.
So, how do we create secure and frictionless payments channels? The answer lies in dynamic authentication, the best example of which is behavioural biometrics.
Behavioural biometrics is the measurement and use of human behavioural patterns as a means of identification and authorization. This can take many different forms, from gait to typing style. This data is dynamic – detection of pressure across a screen over time, as opposed to an image of a fingerprint; or looking at angles made by a leg while someone walks, as opposed to a facial image.
The strength of behavioural biometrics comes from the continuous analysis of vast amounts of behavioural metadata. The number of parameters measured is limited only by the sensors used, and the sophistication of the algorithms that learn from and decipher this data. This complexity in the data sets underpinning behavioural biometrics makes it extremely difficult for an outside agent to compromise – the patterns identified in data sets with so many dimensions are impossible for a human to identify, and there is no way to train a working algorithm without access to the specific user’s metadata.
It is only through machine learning that we can unlock the possibilities of behavioural biometrics. The algorithms used are complex, as they cannot be pre-trained to identify patterns: to identify a specific user, they must analyse that user specifically. As such, behavioural biometric algorithms must continuously train on the same data they are using for identification.
A simple example of how a behavioural algorithm can work might look like this:
As this simple model shows, there are multiple algorithms working, each underpinned by different machine learning methods. First, a user profile is created – this is a form of unsupervised learning, taking the relevant user meta-data, identifying patterns, and building a profile. The type of unsupervised algorithm best suited will vary depending on the behaviour being analysed, as different behavioural metadata can vary significantly in terms of type and relationship. This profile can be trained continuously, and as such the more the user interacts with the relevant device, the more precise the user profile can become. Secondly, current usage data is analysed – this is still through unsupervised learning, but differs from user profile generation in that the data is time-limited. Patterns must be identified from current usage data – which means that these will never have the degree of precision of the user profile. Thirdly, a similarity measure is applied – this means analysing both the user profile and the current usage data to determine a functioning margin of error. Just as the patterns within the metadata are complex and vary significantly from individual to individual, so also does the margin of error. As such this must also be generated dynamically for each user. Finally, the user profile is analysed against current usage data to authenticate the current user. This algorithm takes into account the margin of error that has been determined to create a probability of the user being correct. This probability is used to determine whether an alert should be generated.
The strength of this model is continuous assessment of a user, both in terms of authenticating based on current device usage/sensor exposure, and also in terms of refinement of the user profile authenticated against. This happens entirely in the background and requires no authentication event to interrupt the user’s purchase journey.
While it takes time to generate a precise user profile – requiring other security measures in the interim – once a precise enough user profile is available, behavioural biometrics offers a means of authentication that is invisible (it requires no authorization event), is precise (very low likelihood of false positives), and is highly robust (an almost negligible likelihood of false negatives – i.e. security breaches).
Unlocking secure frictionless payments requires a rethink in how we approach authentication. Static authentication introduces friction and insecurity. Passwords, PINs and fingerprints will need to give way to constant analysis. Security based on limited parameters that can be mimicked (physically or digitally) must be replaced with complex data sets that generate highly individual and complex relationship groupings. This requires the utilization of extensive behavioural metadata created by the devices and sensors we constantly interact with.
Not all static security measures will be rendered obsolete – devices, or non-intrusive biometrics (e.g. facial recognition) will be key to spotting which user is to be identified by the behavioural algorithm. And even passwords, PINs and fingerprints will have their place, albeit relegated to a secondary measure, used if the dynamic authentication algorithm cannot make a positive match within the accepted margin of error.
Frictionless payments are still far from becoming the norm. Before they can be rolled out extensively we will need significantly more connected devices that can collect the requisite metadata. The area where behavioural biometrics currently operates is principally in device security, where it is already possible to collect extensive usage data. However, with precipitously declining sensor costs, and the rapid growth in IoT devices, the next decade will see an exponential increase in access to behavioural metadata.
Dynamic authentication use cases now show that truly frictionless payments are not a question of if, but when.