The marginal benefit of biometric auth in experience over PIN / OTP, issuer banks' lethargy, 3rd party orchestration sign-offs and government repository challenges may restrict it to a "cool concept".
Biometric Authentication itself has a lot of attendant risks. There are false fingers, there are video replays, and many other means of attacks. PAD certifications are very important and these need even more "integrity" as the world of AI creeps in! Happy to get into a more detailed discussion!
I'd love to know your view in depth on palm readers. I think just having them at retail outlets would be a step backward definitely as a lot of transactions are taking place online. But imagine thumb/face authentication without any OTP, password - would that solve some issues or just create more?
My reservations are both in terms of implementation and what need this is solving. To do any sort of biometric authentication, you need to first set up the biometric cred. There are two ways to do this:
1. You set it up locally in the device - like how I talked about in the article, how Minkasu Pay & MC Passkey work. The biometric cred acts as a cred layer which unlocks the private key, and signs the challenge. That won't work offline, because an end customer is not going to set it up on every POS device.
2. The other way to do it then is to use some central repository of biometric data. So in real time, the palm scanner is taking the biometric creds of the end user, and comparing against the biometric creds stored in the repository. So there is only one time set up in the repository. This can be two ways: it can be Mastercard / Visa or some other private 3rd party, OR it can be a government database such as UIDAI. Now, in India, only UIDAI can store this data. So private entities are out.
3. The problem with UIDAI is the problem with every government database out there - very high latency, and very low success rates. So it's a broken experience. And no customer is going to get on an experience where it's not at least on par with current methods (unless something else is being solved for, such as credit).
4. Another issue I'm seeing is that merchants are moving away from more expensive devices. Palm scanners are way more expensive than QR. And for a customer who is at the register and is paying, this is not a customer that is going away. So in terms of business impact, for the merchant, adding a biometric scanner is not doing much.
5. So for the end user to use this it has to 1) be at least on par in terms of experience wrt current methods, which I don't see happening and 2) it has to move the needle for businesses, so that they invest in this. Pine / Ezetap scaled because they solved a need for merchants. What needle is the palm scanner moving?
From both an end customer & a merchant backward perspective, I feel there are too many existing challenges, and it'll only scale once those are solved.
Insightful and extremely informative, thank you.
Thank you for reading!