The Death of the PIN

Personal identification numbers (PINs) are everywhere. These numeric versions of the password have been at the heart of data security for decades, but time moves on and it is becoming evident that the PIN is no longer fit for purpose. It is too insecure and is leaving consumers exposed to fraud. 

Why bin the PIN?

In a world that is increasingly reliant on technology to complete even the most security-sensitive tasks, PIN usage is ludicrously insecure. People do silly things with their PINs; they write them down (often on the back of the very card they are supposed to protect), share them and use predictable number combinations (such as birth or wedding dates) that can easily be discovered via social media or other means. And this is entirely understandable: PINs must be both memorable and obscure, unforgettable to the owner but difficult for others to work out. This puts PIN users — all of us, basically — between the proverbial rock and a hard place.

Previous research has shown that when people were asked about their bank card usage, more than half (53%) shared their PIN with another person, 34% of those who used a PIN for more than one application used the same PIN for all of them and more than a third (34%) of respondents used their banking PIN for unrelated purposes, such as voicemail codes and internet passwords, as well. In the same study, not only survey respondents but also leaked and aggregated PIN data from other sources revealed that the use of dates as PINs is astonishingly common¹.

But if the PIN has had its day, what are we going to replace it with?

Biometrics

Biometrics may seem to be the obvious response to this problem: fingerprint sensors, iris recognition and voice recognition have all been rolled out in various contexts, including financial services, over the past decade or so and have worked extremely well. In fact, wherever security is absolutely crucial, you are almost certain to find a biometric sensor — passports, government ID and telephone banking are all applications in which biometric authentication has proven highly successful.

However, PINs are used to authenticate any credit or debit card transaction, and therein lies the problem. For biometric authentication to work, there has to be a correct (reference) version of the voice, iris or fingerprint stored, and this requires a sensor.

It is one thing to build a sensor into a smartphone or door lock, but quite another to attach it to a flexible plastic payment card. Add to that the fact that cards are routinely left in handbags or pockets and used day in and day out, and it becomes clear why the search for a flexible, lightweight, but resilient, fingerprint sensor that is also straightforward enough for the general public to use, has been the holy grail of payment card security for quite some time.

Another key advantage of fingerprint sensors for payment cards is that the security data is much less easy to hack, particularly from remote locations, than is the case with PINs. Not only are fingerprints very difficult to forge, once registered they are only recorded on the card and not kept in a central data repository in the way that PINs often are – making them inaccessible to anyone who is not physically present with the card. In short, they cannot be ‘hacked’.

Your newly flexible friend

Fortunately, the long-held ambition to add biometrics to cashless transactions has now been achieved, with the production and trials of an extremely thin, flexible and durable fingerprint sensor suitable for use with payment cards. The level of technology that has been developed behind the sensor makes it very straightforward for the user to record their fingerprint; the reference fingerprint can easily be uploaded to the card by the user, at home, and once that is done they can use the card over existing secure payment infrastructures — including both chip and ID and contactless card readers — in the usual way.

Once it is registered and in use, the resolution of the sensor and the quality of image handling is so great that it can recognise prints from wet or dry fingers and knows the difference between the fingerprint and image ‘noise’ (smears, smudging etc.) that is often found alongside fingerprints. The result is a very flexible, durable sensor that provides fast and accurate authentication.

The PIN is dead, long live the sensor

Trials of payment cards using fingerprint sensor technology are now complete or underway in multiple markets, including Bulgaria, the US, Mexico, Cyprus, Japan, the Middle East and South Africa. Financial giants including Visa and Mastercard have already expressed their commitment to biometric cards with fingerprint sensors, and some are set to begin roll-out from the latter half of2018. Mastercard, in particular, has specified remote enrollment as a ‘must have’ on its biometric cards, not only for user convenience but also as means to ensure that biometrics replace the PIN swiftly, easily and in large volumes².

And so, with the biometric card revolution now well underway, it is time to say farewell to the PIN (if customers can still remember it t, that is) and look forward to an upsurge in biometric payment card adoption in the very near future. Our financial futures, it seems, are at our fingertips.

By Dave Orme, SVP, IDEX Biometrics

References

1 Bonneau J, Preibusch S and Anderson R. A birthday present every eleven wallets? The security of customer-chosen banking PINs: https://www.cl.cam.ac.uk/~rja14/Papers/BPA12-FC-banking_pin_security.pdf

2 Mastercard announces remote enrolment on biometric credit cards: https://mobileidworld.com/mastercard-remote-enrollment-biometric-credit-cards-905021/