BBC News

MWC 2016: Mastercard rolls out selfie ID checks

By Leo Kelion
Technology desk editor

image copyrightMastercard
image captionUsers will have to blink while using the Identity Check app's selfie feature

Credit card firm Mastercard has confirmed it will accept selfie photos and fingerprints as an alternative to passwords when verifying IDs for online payments.

It follows a trial of the software carried out in the US and Netherlands last year.

The company told the BBC that 92% of its test subjects preferred the new system to passwords.

One expert said that such biometric checks had the potential to cut fraud.

However, some security researchers have questioned how easy it might be to spoof the system.

image copyrightMastercard
image captionA notification will tell users when they need to verify their ID after using a shopping website

Blink test

Mastercard announced the move at the Mobile World Congress tech show in Barcelona.

It said the rollout this summer would involve the UK, US, Canada, Netherlands, Belgium, Spain, Italy, France, Germany, Switzerland, Norway, Sweden, Finland and Denmark.

It explained that members of the public would have to download an application to their PC, tablet or smartphone to use the system.

image copyrightMastercard
image captionUsers will be given the option of using a fingerprint instead of a selfie

When they make an online purchase, they will still need to provide their credit card details as normal.

But if a further authentication check is required, they will be asked to look at their phone's camera or use its fingerprint sensor rather than be told to type in selected letters from their password, as is the case at the moment.

If the user opts for a selfie, they will have to blink into the camera to prove they are not just holding up a photo.

image copyrightMastercard
image captionThe device on which the purchase is made confirms the ID check after it is carried out on a phone

"Consumers hate passwords," declared Ajay Bhalla, chief of the firm's safety and security division.

"We know the most commonly used password is 123456, so they are not secure, and people also use the same passwords for multiple sites. If one site gets hacked all the places that you use the same password get compromised - they are a big pain.

"In the modern world everyone has a mobile phone and there is internet connectivity everywhere. So, we should be able to use biometrics [instead] to authenticate ourselves."

Compromised checks

Mastercard is far from the only firm experimenting with facial scans as authentication tools.

China's e-commerce giant Alibaba recently demoed a pay-with-your-face system of its own.

And both Microsoft's Windows 10 and Google's Android operating systems already allow users to unlock devices by looking at their cameras.

image copyrightMicrosoft
image captionMicrosoft's Windows Hello software can also use iris scans as a biometric test

Security researchers have pointed out that both facial scans and fingerprint sensors can be compromised.

Even so, Mastercard insists its other security mechanisms should be able to prevent or at least detect suspicious behaviour.

In addition, it says the facial scans and fingerprint data will not be transmitted in a form that could be intercepted, stolen or used by scammers.

Battling fraud

Smart wallet systems including Apple Pay, Samsung Pay and Android Pay have already introduced consumers to the concept of using their fingerprints to authorise payments.

Many Japanese bank ATMs also have a reader that scans the vein patterns beneath customers' fingers to let them withdraw cash.

One expert said other biometric tests could soon become the norm.

"Having one or more required authentication factors tied to who you are rather than what you know is going to become critical," said Windsor Holden from the tech consultancy Juniper Research.

"The problem with online payments has always been that the card doesn't need to be present, hence the credit card companies have charged more for the transactions to cover the costs of fraud.

"If they can introduce a mechanism that makes the system more secure than merely asking for a password, then the hope would be that fraud levels decrease and the savings can be passed back onto merchants, and perhaps consumers too."

Follow all the BBC's MWC coverage via the "Mobile World Congress 2016" tag in our news app.

You can also keep track of our technology correspondent Rory Cellan-Jones and the rest of the team covering the Barcelona event via a dedicated Twitter list.

Related Topics

  • Credit cards
  • Cyber-security
  • Apps

More on this story

  • HSBC offers voice and fingerprint ID system to customers

  • Pay for goods 'with your face': PayPal launches new app