
Biometric Systems Move into Payment Services and Mobile Commerce

By Bill Camarda

A growing number of payment services and corporate treasurers are considering biometric systems as a way of potentially offering greater security and convenience than traditional password authentication.

Biometric authentication relies on physical characteristics believed virtually unique to each individual. Biometric systems that work reliably should enable customers to avoid cumbersome authentication methods such as memorizing and properly entering passwords. When working well, biometrics can reduce inconvenient "friction" in mobile transactions and promote growth of innovative payment services.


Fingerprint-Based Biometric Systems Grow in Payment Services


Fingerprints, one of the most familiar biometric systems, are quickly gaining consumer acceptance in payment services and other applications. According to one September 2017 report, 42 percent of smartphone users surveyed in the U.S., U.K., China, and India had access to fingerprint authentication. Of those, 82 percent chose to use it – a higher percentage than those preferring traditional passwords.1


Worldwide, Counterpoint Research estimates that over one billion smartphones will ship with fingerprint sensors in 2018. Growth in fingerprint-enabled devices is occurring as hardware costs decline, fingerprint support moves into low-to-midrange smartphones, and rising demand is driven by growth in digital payment services, mobile banking, and other applications requiring secure authentication.2


Early fingerprint sensors have been susceptible to spoofing, in which an unauthorized individual gains access through a fake fingerprint, experts say. Fakes might be created from the latent prints that people leave behind inadvertently as they touch objects in day-to-day life, or from "masterprints" that simulate enough common characteristics of a fingerprint to fool the sensor.3,4


But fingerprint-based authentication is one biometric system that is improving quickly. Sensors are becoming larger to capture more of a user's fingerprint, and these larger sensors can be placed beneath the display, supporting modern edge-to-edge displays.5,6 New techniques are growing more capable of distinguishing a live human finger from an inkjet printout or a glove bearing a fake fingerprint.7 And some new biometric systems are using ultrasonic technology to build 3D fingerprint images that are harder to fool.8


Smartphone-Based Iris Scanning


However, fingerprints are only one of many biometric authentication solutions for payment services. For example, the Samsung S8 smartphone incorporates iris scanning, based on the scientific recognition that elements within the eye's iris are shaped both by genetics and early development – meaning that even identical twins can be distinguished. A creator of an iris scanning biometric system says its chances of delivering a false positive are roughly 1 in 1.1 million when one eye is scanned and 1 in 1.4 trillion when both eyes are scanned.9


In its recently released high-end S9, Samsung's "Intelligent Scan" feature linked iris scanning with facial recognition to support phone unlocking. When iris scanning fails, the phone attempts facial recognition. If that fails, it makes a third attempt based on a combination of the two methods. However, while Samsung has enabled iris and fingerprint scanning for mobile payment services via Samsung Pay, it hasn't yet enabled facial recognition or the combined Intelligent Scan feature.10


Facial Recognition


Apple's introduction of Face ID in the iPhone X in November 2017 represented a milestone in bringing secure face recognition to the marketplace. In contrast to earlier face-scanning biometric systems, Apple's Face ID creates a 3D scan utilizing an infrared camera, depth sensor, and dot projector, mapping 30,000 invisible points to create an image designed to resist spoofing using 2D fakes such as printed photographs as well as 3D replica face masks.11


According to Apple, Face ID "automatically adapts to changes in your appearance, such as wearing cosmetic makeup or growing facial hair," and works with hats, scarves, glasses, contact lenses, and many sunglasses, in virtually all lighting conditions. If users change their appearance substantially, Face ID requests them to confirm their identity with a passcode, and then updates their face data for future authentication. Face ID is designed to work indoors, outdoors, and even in total darkness.12


Apple's biometric system can be used not just for unlocking a phone, but also for authorizing payments using the Apple Pay payment service. Apple enables third-party app developers to use it for login; and if an app already supports Apple's fingerprint authentication, it can automatically support Face ID, too.13


Large-Scale Systems Combine Multiple Biometric Identifiers


As sensors become cheaper and more ubiquitous, and devices increasingly contain more of them, large organizations are moving towards relying on systems that combine multiple biometric identifiers, sometimes in combination with other non-sensor-based identifiers capturing information about each user's inimitably individual behavior.


For example, U.S. health insurer Aetna is conducting a three-phase initiative to eliminate passwords for its mobile app and web access. Phase 1 supported fingerprints.14 Phase 2 integrates "browser fingerprinting," in which Aetna tracks a wide variety of attributes associated with the user's hardware, browser, and software. Browser fingerprinting techniques, already used extensively by marketers, capture detailed information for linking a user's device with his or her identity.15 Phase 3 will add a layer of behavioral authentication, which transparently and continuously tracks 30-60 user behaviors, such as location, time of access, thumbprint, keystroke style, and even how they hold their phone.16,17


Aetna says that all of these are being integrated into a complete biometric system for risk-based authentication, which continually assesses the likelihood that users are who they say they are. Based on these dynamic risk scores, the company can decide exactly how much private information will be made available to them as a session progresses. Biometric data is stored on the user's authenticating device, protected by cryptography – thereby safeguarding users from theft of centralized data.18
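The session-gating idea described above can be sketched in a few lines. This is an added example, not Aetna's code and not part of the original article; the signal weights, thresholds, tier names and sample session are all constructed assumptions.

```python
# Added illustration: continuous risk scoring that gates data access.
# All weights, thresholds and names below are constructed assumptions.
# Points added to the risk score when a signal does not match the user's profile.
WEIGHTS = {
    "device_fingerprint": 40,  # browser/hardware attributes differ from the enrolled device
    "location": 25,
    "keystroke_style": 15,
    "phone_grip": 10,          # how the user holds the phone
    "time_of_access": 10,
}
RECOVERY = 5  # points of risk forgiven per observation: quick to distrust, slow to trust

# (highest risk score allowed, what the session may see), checked in order.
TIERS = [
    (10, "full"),      # all private records
    (35, "limited"),   # non-sensitive account data only
    (100, "step_up"),  # nothing private until the user re-authenticates
]

def update_risk(previous, mismatches):
    """Return the new score: jump to the current evidence, decay slowly otherwise."""
    unknown = set(mismatches) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown signals: {sorted(unknown)}")
    instant = min(100, sum(WEIGHTS[s] for s in mismatches))
    return max(instant, max(0, previous - RECOVERY))

def access_tier(risk):
    """Map a 0-100 risk score to the data tier the session is allowed."""
    for ceiling, tier in TIERS:
        if risk <= ceiling:
            return tier
    return "step_up"

def replay(observations):
    """Score a session observation by observation; return [(risk, tier), ...]."""
    risk, timeline = 0, []
    for mismatches in observations:
        risk = update_risk(risk, mismatches)
        timeline.append((risk, access_tier(risk)))
    return timeline

# Constructed session: normal use, mild drift, then a different device and location.
SAMPLE_SESSION = [set(), {"time_of_access"}, {"keystroke_style", "phone_grip"},
                  set(), {"device_fingerprint", "location"}, set()]
```

Replaying `SAMPLE_SESSION` shows the session dropping from full access to limited access as behavior drifts, then staying locked behind re-authentication even after the signals return to normal, because the score recovers only gradually.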


Perhaps the largest-scale system of biometric authentication for payments and other services is operated by the government of India. The program, called Aadhaar, has issued unique identifiers based on fingerprints and iris scans to nearly 1.2 billion citizens, enabling many to participate in the financial system even if they don't have birth certificates or other official papers.19


Originally focused primarily on delivery of public services, the program now supports a range of innovative mobile and digital payment services. For example, micro ATM machines resembling point-of-sale devices support Aadhaar ID biometric identification, permitting cashless payments at neighborhood retailers and other merchant locations, as well as bank deposits, withdrawals, transfers, and balance inquiries. So, too, the Aadhaar Pay App enables merchants to accept digital payments authenticated by Aadhaar ID via fingerprint-enabled smartphone, with no other hardware.20


As Aadhaar's applications have widened, its use has increasingly been mandated for a variety of functions. This has led to controversy, and to privacy lawsuits currently before the nation's highest court.21,22



Biometric systems are gaining reliability as they come down in cost, making them more viable for payment services, mobile commerce, and other applications where authentication must be highly reliable, fast, and scalable.

Bill Camarda - The Author


Bill Camarda is a professional writer with more than 30 years’ experience focusing on business and technology. He is author or co-author of 19 books on information technology and has written for clients including American Express Private Bank, Ernst & Young, Financial Times Knowledge and IBM.


1. “Fingerprint is now the main ID method on mobile, as consumers turn their back to PINs & Passwords,” Fingerprints/Kantar TMS;
2. “More Than One Billion Smartphones with Fingerprint Sensors Will Be Shipped In 2018,” Counterpoint Research;
3. “Fingerprints are not fit for secure device unlocking,” Security Research Labs;
4. “That Fingerprint Sensor on Your Phone Is Not as Safe as You Think,” The New York Times;
5. “Survey: Under display fingerprint sensing opens up for larger sensor sizes and improved user convenience,” Precise Biometrics;
6. “Qualcomm's New Fingerprint Sensors Go Through Metal, Glass And Displays,” Forbes;
7. “Live finger detection for secure mobile payments,” Precise Biometrics;
8. “Researchers claim new ultrasonic fingerprint scanner is unhackable,” Fanatical Futurist;
9. “The Company Behind the Samsung Galaxy S8 Iris Scanner,” IEEE Spectrum;
10. “Galaxy S9 Intelligent Scan favors unlocking ease over security,” CNET;
11. Ibid.
12. Ibid.
13. “About Face ID advanced technology,” Apple;
14. “2017 State of Authentication Report,” Javelin Research;
15. “Browser Fingerprints, Zombie Cookies, & the Death of Privacy,” Privacy Policies;
16. “Aetna’s Next Generation Authentication,” Aetna;
17. “Aetna rolls out FIDO, behavioral authentication for healthcare data security,”;
18. “FIDO promotes device-based unified authentication standards,” SC Media UK;
19. “Why Biometrics Are About to Put an End to Password-only Authentication,” Symantec;
20. “How Aadhaar is Powering Digital Payments in India,” Razorpay;
21. “The Privacy Battle Over the World's Largest Biometric Database,” The Atlantic;
22. “Aadhaar, India’s Biometric ID System, Gets Its Day in Court,” IEEE Spectrum;
