Biometrics are already mainstream on phones, and their use is growing quickly in the form of fingerprint, facial and iris recognition. This is good news for users and service providers alike: biometric authentication options improve both the security and the usability of devices and of the services used with them.

“The time is ripe for biometrics to make their final breakthrough in payment authentication”, says Qvik CEO Lari Tuominen. “Not only is biometric authentication supported by hardware and familiar to users, PSD2 payment legislation is also pushing service providers to adopt biometric authentication methods.”

Both digital and physical transactions already make use of biometrics. Mobile payments can be authenticated with fingerprint or facial recognition at store counters, and these methods are increasingly used for payment verification and authentication by mobile banks as well.

Following upcoming amendments to legislation, even more applications and mobile and online stores will probably include biometrics in their authentication chain.

Authentication is never simple when there’s money involved

Let’s do a quick review of the key terminology related to banking authentication in Finland, followed by a look at where we stand with each of them in the field of biometric authentication.

Strong authentication. If a service requires strong authentication, the authentication chain must include an element that enables the service provider to verify the identity of the user with absolute certainty. In Finland, strong authentication has been implemented with the login codes of online banks, Mobile ID or an electronic identity card. So far, the banking codes are the most common method by a huge margin.

Strong initial identification. Strong authentication is only possible after a strong initial identification. In most cases, this means that the user must physically go somewhere and present ID. In Finland, for example, Tupas authentication has fulfilled these criteria, since everyone has to go to the bank and prove their identity when they open a bank account.

Two-factor authentication involves a two-stage login process. The factors can be a biometric characteristic of the user, something the user knows (e.g. a username and password) or something only the user can access, like a phone or e-mail account. A strong authentication element is not required in the chain: the service provider can establish with reasonable certainty that the person logging in is the same individual as, say, the holder of the e-mail address, even though it cannot be sure of the identity of that individual.

Everything comes down to PSD2, the payment services directive, which will soon require service providers to identify users with two-factor authentication. The directive’s interpretation is ambiguous, however, and the final implementation remains unclear. To add to the confusion, the regulation says that the extra authentication requirement can be waived if the user has been promised frictionless flow, or a smooth user experience.

The amendment is nevertheless on its way and will apply not just to banks, but to anyone selling anything on the internet.

Biometric authentication is stepping into the ring because of user experience. Even though the legal criteria for authentication are being tightened, service providers still want to make the process as painless as possible for the user: the two-factor requirement risks degrading the customer experience. The ease of online shopping and logging in is vital to service providers, so convenience is not something to be taken lightly.

“For the user, the easiest way to implement legal payment processes is to implement biometric authentication”, Tuominen says.

Sweden has implemented strong authentication with BankID – Finland is still on the fence

In Sweden, strong authentication is managed by the BankID system maintained by the biggest banks. The phone’s biometric ID can be linked to the BankID application, after which the user can use facial or other biometric recognition to confirm payments.

“The applications of banks like Nordea and OP work the same way in Finland, but Sweden’s BankID solution is more uniform and accessible – it’s available to all users who have an account at any Swedish bank”, says Jesse Vartiainen, Qvik’s Head of Technology, Sweden.

Vartiainen is currently based in Stockholm and was able to adopt the BankID service after getting a personal identity code from the local tax office and taking it to the bank. Opening the service requires the user to visit a bank to prove their identity before getting the activation code from the clerk.

“BankID can be integrated with any service that requires strong authentication, from online banks to government services and mobile apps.”

In Finland, the surveys of authentication solutions for e-services and payments are still ongoing, and there have been some changes of plan along the way. Earlier this autumn, the banks’ Tupas credentials were still being ditched on a tight schedule. But now, the Population Register Centre has announced that the login codes of all banks will still be accepted for public e-services in 2019–2020, and strong authentication options are being charted.

“Finnish banks are also developing services that offer strong authentication with biometrics, specifically tailored to the mobile channel”, Vartiainen says. “Some banks are redeveloping their applications into general authentication services, and soon the availability of these will probably be more diverse in Finland too.”

Illustration: Aija Malmioja