Authentication in a HeartbeatMasterCard Testing Biometric Wristband
Better authentication may be just a heartbeat away. MasterCard has revealed that it's launching a test of a biometric wristband that authenticates an individual's identity for payment card transactions by monitoring their heartbeat. In the wake of recent card data breaches, this innovative approach has the potential to catch on, some experts, say, but only if security controls are properly vetted.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
MasterCard is working with Bionym, a Toronto-based technology firm, to test the Nymi Band that authenticates a user's identity through their electrocardiogram, or recording of their heartbeat.
"I see biometrics as ultimately more of a convenience feature than a security feature," says Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation. "The Nymi wristband looks very convenient, because as a wearable device the user can basically forget about its security function until he or she needs to use it," he says. And when a transaction occurs, the authentication can take place with a minimum amount of bother to both cardholder and merchant, he says.
"Looking at it through this lens, as long as it works as intended, and as long as strong compensating security controls have been implemented in the product, the wristband could work out very well," Wills says.
Another reason the payment wristband could be successful is that consumers already are adopting similar fitness-oriented wristbands, says John Buzzard, manager for products and fraud operations at FICO Card Alert Service.
But the amount of "noise" surrounding payments technology now could also add significant confusion for consumers "who may be already struggling to understand the implications of EMV adoption," Buzzard says. "All of these new products ... can be really confusing as to how they are all going to fit into the market."
The Pilot Project
Bionym has partnered with MasterCard and the Royal Bank of Canada, along with other issuing banks, to launch a Canadian payment pilot later this year, the company says in a blog post.
The trial will use a prototype Nymi Band that contains a MasterCard credit card number for payment, says Kurt Bartlett, a Bionym spokesman. Customers selected for the pilot will be able to use their wristband to make payments anywhere they currently use their contactless MasterCard, utilizing NFC technology. A customer would merely place their wristband near a contactless payment terminal to conduct the transaction, Bartlett says.
For authentication, Nymi's algorithms observe the shape of an ECG waveform, extracting unique and consistent features that are a result of a user's physiology, the company says.
"[The customer] can be sure that the payment can only be completed when the Nymi Band is on their wrist and authenticated using their unique cardiac rhythm," Bartlett says.
Moving Away from Cards
Consumers are looking at ways to make their experience more secure "[and] they're also exploring different form factors besides the card itself," Stephane Wyper, vice president of MasterCard Labs, tells Information Security Media Group.
"The trial we're working on with Bionym is interesting to us because it combines a lot of those considerations into one experience - safe, simple and smart payments, within a wearable device, that can also be used for other consumer needs," Wyper says. "We're looking forward to the results from the trial, and how this space will continue to evolve."
The current method of using a contactless payment card carries risk because there's no authentication step, says Bionym CEO Karl Martin. "What we're trying to do is build a higher level of trust, so that in the long term, you can reduce fees and make contactless payment a more trusted transaction," he says.
"Technology for payment security, and authentication in particular, is going through an extremely active period of innovation right now," says Wills of Ontrack Advisory. That activity is fueled by the number of payment card breaches this year, which is spurring interest in breach prevention. Other catalysts for innovation, Wills says, include the evolution of mobility and cloud computing, the general dissatisfaction with passwords, and the entry of new payments players, such as Apple with its Apple Pay mobile offering, he says (see: How Will Apple Pay Impact U.S. EMV?).
"While there's a high 'noise level' in the market right now with all this activity, it's eventually going to settle down and result in more consistent, secure and convenient ways to pay than are available to the majority of people today," Wills says.