Through a special arrangement, what follows is a summary of an article from Retail Paradox, RSR Research's weekly analysis on emerging issues facing retailers, presented here for discussion.
FIDO (Fast IDentity Online) recently announced plans to release a framework and set of standards to make it easy for systems to support two-factor authentication. If someone wants to combine an NFC payment with a PIN, or later change that to fingerprint ID, this framework will make that simple. Theoretically, it makes it easy to incorporate more types of authentication into a security strategy.
Why is this important? Along with all the usual stuff about preventing breaches, security has to be balanced against access. The tighter the security measure — requiring complex passwords, for example — the more difficult it is for people to access their stuff. It's the old joke: I'm supposed to have a unique password for every site, and each password is supposed to be made up of a random jumble of letters and numbers, some caps and some symbols. And I'm not supposed to write them down anywhere. And I'm supposed to remember them all. Yeah, right.
The FIDO announcement comes as companies call for some kind of two-factor authentication across all modes of payment, given the continuing challenge of online fraud and the arrival of mobile payments.
Chip & PIN, the basis of EMV, only works when there is a payment terminal, as in stores, and it doesn't do a good job of preventing online fraud, where the chip part is missing.
But this framework for authentication got me thinking about all the various ways you can implement two factors, and my fingerprint reader on my iPhone. I've downloaded free apps from the iTunes store using my thumbprint with no issues. As a member of Clear, I cut through lines at certain U.S. airports with a chip-embedded card and my fingerprint.
Which reminded me of PayByTouch and a couple other fingerprint payment schemes that emerged in the late '90s and the '00s. I always thought that the hang-up around their usage was that granting access to money with just a fingerprint felt vulnerable. But two-factor authentication — with a card — may ease those concerns.
With biometrics increasingly used as an authentication factor in non-financial transactions, trust in them may grow for financial ones if they are combined with familiar form factors like plastic cards, whether embedded with a chip or just a mag stripe. FIDO seems like it's helping that along.
Ultimately, the argument may not be NFC vs. chip & PIN vs. chip & signature. If companies are flexible in the supporting infrastructure, the answer may be "as long as it's two factors." If we can get consumers used to that, then everybody wins.
Which combinations of authentication do you think have the most potential in retail?