Biometric authentication: online payment security


Security is the highest priority when paying online. In the third quarter of 2019, online transactions will be subject to even stricter regulations. The second Payment Services Directive, the so-called PSD2 (Payment Service Directive 2), will make it mandatory to carry out two-step authentication for any online transaction over 30€. This is reason enough for online merchants to take a closer look at this issue. The following sections will tell you which authentication methods are available, and what the new directive is all about.

What exactly are biometric authentication methods, anyway?

The most commonly used biometric authentication method is fingerprinting. Users usually have little or no inhibitions when using this method, because of its ubiquitous presence: when unlocking a smartphone or purchasing an app, using your thumb is now standard procedure.

However, there are numerous other methods of biometric authentication:

  • Face recognition: Even more secure than the fingerprint, image analysis methods are used to recognize the face and the exact position of the eyes. On a technical level, the Elastic Bunch Graph Matching method is usually used for this method. By means of a grid, points of the face which do not change even with changing facial expressions are marked. Face recognition is mainly in companies for employee access when particularly sensitive data is to be retrieved.
  • Iris recognition: This form of biometric authentication is regarded as the method with the lowest susceptibility to errors. The user simply looks into the camera to identify the iris. The human iris is so unique that a copy is almost impossible. Visual aids such as glasses or contact lenses do not falsify the image.
  • Speech recognition: Only acoustic aspects play a role here. The respective user is identified by the sound vibrations during the pronunciation of a word or sentence. Compared with visual methods, speech recognition is relatively susceptible to interference. Connection problems or background noise can significantly slow down authentication. Nevertheless, it holds importance because it’s the only way to recognise a virtual reality user.

There are many other possibilities in addition to these most common variants, for example, the human gait or stroke biometrics are increasingly used as authentication features.

The advantages of biometric authentication

For companies, the implementation of biometric systems is still associated with a high-cost factor. However, thanks to forward-looking technology, this is a long-term design, so the costs are relatively low in view of the duration of use.

In comparison to a password, where misuse occurs relatively often, biometric procedures are connected with very high security, copies are almost impossible. In addition, passwords are not particularly user-friendly: it is not uncommon for passwords to be forgotten and new ones to be requested. In addition to the associated security risk, it is above all the complicated user experience that is eliminated by the use of biometric features.

The advantages of biometric systems at a glance:

  • For long-term use, the costs are quite low.
  • Biometric methods are very safe.
  • There are usually no changes in biometric characteristics.
  • It is not possible to lose biometric features or pass them on to third parties.

Why is it important to deal with biometric authentication?

Even those who are not yet convinced of biometric authentication or who have failed to implement them for cost reasons cannot escape from this new technology. From 14th September 2019, the EU Directive PSD2 will introduce an even stricter form of customer authentication for online payments than was previously the case. Due to numerous cases of fraud, the security of online transactions and customer account access will be significantly increased by two-stage authentication. Online merchants who offer credit card payments must implement this new procedure on their websites.

It is no longer sufficient to simply enter a password from this point on, with a few precisely defined exceptions. A password must be combined with another characteristic. In concrete terms, this means that all payment systems affected by the regulation must query at least two of the following factors:

  • Something you know (e.g. password)
  • Something you are (biometric features)
  • Something you own (e.g. smartphone)

The new 3-D Secure 2.0 protocol developed by MasterCard and the EMVCo industry association, provides the guidelines and simplifies the process for the consumer. The aim is to reduce the number of fraud cases. The introduction of the new protocol has already begun and works both for payment via apps and in the web version. From September, all payments made without the 3-D Secure 2.0 protocol will be rigorously rejected. Online merchants are therefore strongly advised to start implementing the security protocol in good time so that payment cancellations can be avoided.

Biometric authentication methods are advanced technologies that solve two problems at once: they address the increasing security risk of using passwords alone and are much more user-friendly than the often forgotten password. It can be assumed that these methods will become even more popular in the future: Apple Pay and Google Pay are simply the pioneers.

Learn more about real2business (DE).

Image: Pixabay (geralt)

Sybille Schäftner

Sybille Schäftner is an online editor at In addition to writing texts for one of Germany's largest online shopping portals, she also manages the company's own real2business blog, which focuses on current developments in e-commerce.

Your e-commerce library

4 Top Tips for Selling on Marketplaces (Home and Garden)

Learn more

Marketplace Horror Stories

Learn more

Master Intelligent Google Campaigns

Learn more

Sign up for our newsletter

By submitting this form you authorize Lengow to process your data for the purpose of sending you Lengow newsletters . You have the right to access, rectify and delete this data, to oppose its processing, to limit its use, to render it portable and to define the guidelines relating to its fate in the event of death. You can exercise these rights at any time by writing to