The Death of the PIN
Personal identification numbers (PINs) are everywhere. These numeric versions of the password have been at the heart of data security for decades, but time moves on and according to Dave Orme, SVP at IDEX Biometrics, it is becoming evident that the PIN is no longer fit for purpose. It is too insecure and leaving consumers exposed to fraud.
Why bin the PIN?
In a world that is increasingly reliant on technology to complete even the most security-sensitive tasks, PIN usage is ludicrously insecure. People do silly things with their PINs: they write them down, share them and use predictable number combinations that can easily be discovered via social media or other means. And this is entirely understandable: PINs must be both memorable and obscure, unforgettable to the owner but difficult for others to work out. Previous research has shown that when people were asked about their bank card usage, more than half (53%) had shared their PIN with another person, 34% of those who used a PIN for more than one application used the same PIN for all of them, and more than a third (34%) of respondents also used their banking PIN for unrelated purposes, such as voicemail codes and internet passwords. In the same study, not only the survey responses but also leaked and aggregated PIN data from other sources revealed that the use of dates as PINs is astonishingly common [1].
But if the PIN has had its day, what are we going to replace it with?
Biometrics may seem to be the obvious response to this problem: fingerprint sensors, iris recognition and voice recognition have already been trialled in various contexts, including financial services. In fact, wherever security is absolutely crucial, you are almost certain to find a biometric sensor — passports, government ID and telephone banking are all applications in which biometric authentication has proven highly successful.
For biometric authentication to work, there has to be a correct (reference) version of the voice, iris or fingerprint stored, and capturing it requires a sensor. The search for a flexible, lightweight but resilient fingerprint sensor that is also straightforward for the general public to use has been the holy grail of payment card security for quite some time.
It is one thing to build a sensor into a smartphone or door lock, but quite another to attach it to a flexible plastic payment card. A major advantage of fingerprint sensors for payment cards is that the security data is much more difficult to hack.
Not only are fingerprints very difficult to forge, once registered they are only recorded on the card and not kept in a central data repository in the way that PINs often are – making them inaccessible to anyone who is not physically present with the card.
Your newly flexible friend
Fortunately, the impossible has now been achieved. The level of technology that has been developed behind the sensor makes it simple for the user to enrol their fingerprint at home, and once that is done they can use the card over existing secure payment infrastructures.
Once the card is registered and in use, the sensor can recognise prints from wet or dry fingers and knows the difference between the fingerprint and the image ‘noise’ (smears, smudging etc.) that is often found alongside fingerprints. The result is a very flexible, durable sensor that provides fast and accurate authentication.
The PIN is dead, long live the sensor
Trials of payment cards using fingerprint sensor technology are now complete or under way in multiple markets, including the US, Mexico, Cyprus, Japan, the Middle East and South Africa. Financial giants including Visa and Mastercard have already expressed their commitment to biometric cards with fingerprint sensors, and some are set to begin roll-out from the latter half of 2018. Mastercard, in particular, has specified remote enrolment as a ‘must have’ on its biometric cards, not only for user convenience but also as a means to ensure that biometrics replace the PIN swiftly, easily and in large volumes [2].
With the biometric card revolution now well under way, it’s time to say farewell to the PIN and look forward to an upsurge in biometric payment card adoption in the very near future.
[1] Bonneau J, Preibusch S and Anderson R. A birthday present every eleven wallets? The security of customer-chosen banking PINs: https://www.cl.cam.ac.uk/~rja14/Papers/BPA12-FC-banking_pin_security.pdf
[2] Mastercard announces remote enrolment on biometric credit cards: https://mobileidworld.com/mastercard-remote-enrollment-biometric-credit-cards-905021/