The future of ... authentication

Biometrics will soon replace passwords once and for all

January 24, 2024 | By Dorothy Pomerantz

In a divided world, there’s one thing that almost everyone can agree on — passwords are the worst. While passwords are crucial for keeping our personal data safe from hackers and fraudsters, nearly seven out of ten consumers report feeling overwhelmed by the number of passwords they must remember and feel anxious about whether their passwords are strong enough.  

Multi-factor authentication can help. Confirming your identity by entering a code either texted or emailed to you can significantly cut down on fraud by essentially requiring two keys to open a lock instead of just one. But it’s not a security slam dunk — and it adds friction to the consumer experience, whether you're logging in or making a payment. 

“Roughly 80% of confirmed data breaches are related to weak or stolen passwords,” says Dennis Gamiello, an executive vice president who leads Identity Products and Innovation at Mastercard. “The vulnerability of passwords, including one-time passwords used in multi-factor authentication, only increases as we move to a more digital world. That’s why we need to replace the password with the person. We are working with our partners around the globe to replace passwords once and for all by accelerating the transition to more seamless and secure authentication, including biometrics.” 

Biometrics are already transforming digital interactions. Thanks to artificial intelligence and the proliferation of smart devices, biometrics have become a powerful authentication tool — using your unique fingerprint, iris or face to confirm your identity and secure your data. Now Mastercard is launching the new Mastercard Biometric Authentication Service, which makes it easy for businesses to integrate biometrics into app and website logins and online purchases, and which helps resolve the friction and vulnerability that endless passwords and multi-factor authentication prompts can create. It’s a move that not only makes digital experiences more secure, but also easier and faster.

The company has long recognized the need for a new standard for authentication and joined a tech-industry initiative called the Fast Identity Online, or FIDO, Alliance shortly after its founding in 2012. FIDO standards create a cryptographic key pair, or a passkey, that is stored on your phone. Only your biometrics, like your fingerprint or face, can unlock that passkey, giving you access to the application or website you are using — making it just as convenient as it is secure. Passkeys can be used across devices (your phone, tablet and laptop, for example), for seamless authentication anywhere.

The Mastercard Biometric Authentication Service is based on the latest FIDO standards and has been designed to replace traditional authentication methods, making all digital interactions — from logging into your favorite apps to buying a new pair of winter boots — seamless and secure. 

Using security standards and biometrics technology already built into personal devices like phones, laptops and tablets, the service streamlines every customer touchpoint from account logins and account changes to frictionless flows at payment. Authentication can happen within the browser or mobile app with a consumer’s preferred biometric such as FaceID or fingerprint, enabling effortless digital experiences without needing to toggle between multiple apps or devices. The service supports all card brands and other forms of payments beyond cards. For merchants and financial institutions, it means reduced operational costs and a better experience for consumers.   

That’s increasingly important, as more people expect to seamlessly log in and check out, but more apps and websites are requiring multi-factor authentication to combat fraud or data theft. That means people must use at least two methods of proving they are who they say they are, which could include passwords, knowledge questions, CAPTCHA challenges to distinguish humans from bots, and one-time (and often time-based, so hurry!) codes texted or emailed to you.   

In some countries, like those in the European Economic Area and the U.K., strong customer authentication is required for online payments. But even in countries without such rules, like the U.S., multi-factor authentication is used to establish trusted online payments.   

For example, if you get a new puppy and spend $300 at an online pet store when you’ve never made pet-related purchases before, the purchase may be flagged by your bank and require multi-factor authentication to make sure your card hasn’t been stolen. If your bank uses the Mastercard service, you could be asked to confirm the purchase simply by using your face or your fingerprint. If it matches what’s already stored on your phone, you’re ready to go. A merchant may also use the service on everyday online purchases to enhance security without adding unnecessary friction for the consumer. 

Tokenization, the process of protecting a payment credential to ensure it cannot be copied or reused, is another important layer of security for payments. Tokenization can be used in conjunction with the Mastercard Biometric Authentication Service to secure online purchases. 

“The Mastercard Biometric Authentication Service is extra secure because all of your data stays on your personal device,” Gamiello says. “You don’t have to share any secrets, like your password or answers to security questions, which significantly reduces the risk of hacks or identity theft.” 

FIDO passkeys are also highly resistant to phishing because there’s no sharing of passwords or codes, and they are interoperable, meaning they can work on different devices in different parts of the world. Passkeys are discoverable by browsers or housed within apps for passwordless authentication.

It’s estimated that more than 4 billion smart devices are FIDO passkey-ready. That means passkey-based security applications for uses beyond payments, such as opening a new account, app or web login, and even open banking, are at your fingertips — or in this case, fingerprints.


Media contact: Christine Bennett, Mastercard Global Communications,  christine.bennett@mastercard.com

A new era of authentication

Mastercard has launched a biometric-based authentication service to make digital interactions as simple as they are secure. The Mastercard Biometric Authentication Service is available globally with pilots underway in each region. 
