MasterCard unveils more details about 'selfie pay' phone authentication

If you could verify your purchase for that food processor on Amazon with a wink and a nod instead of a traditional password, would you?

That's what BMO Financial Group and MasterCard are banking on, as they revealed new details Wednesday about their biometricauthentication program, colloquially known as "selfie pay."

The program, called MasterCard Identity Check, requires users to upload either their fingerprint data or a photo of their facewhen creating a profile.

• MasterCard to bring facial recognition payment software to Canada
• Face-reading tech could make shopping more convenient and creepier
• How facial recognition technology is creeping into daily life

When you make a purchase online with a card that uses MasterCard's SecureCode features, you'll receive a notification on yourphone to check your ID against your fingerprint or face profile.

Checking the fingerprint will use a fingerprint scanner already available on the iPhone and some Android phones. If you chooseto use your face, you look into the phone's camera and blink the last part makes sure someone isn't just holding up aphotograph of your face.

Once verified, the program will return you to the online merchant's site to complete the purchase.

Passwords are bad. Are biometrics better?

CatherineMurchie, a senior vice president atMasterCard, says the new biometricmeasures are designed to be both more secure and easier to use than traditional password security.

Fingerprint information is stored locally on the user'ssmartphone. Facial information, however, is stored onMasterCard'sservers. Both are hashed and encrypted before being stored.

"The security that passwords are meant to provide is compromised by the very nature of the fact that we have so many of them to remember,"Murchiesaid on Wednesday. But with biometrics like face and fingerprint data, "the person is now becoming the password."

Annual lists of the "worst passwords" regularly report that people often use easy-to-remember passwords like "12345678" and "password," making them easy prey for cybercriminals.

Steve Pederson, vice president and head of NorthAmerican corporate card products at BMO, stressed that ease of use was as critical to the "selfie pay" system as much as security.

"We're not trying to force everybody to take it, obviously. There's always going to be some apprehension," he said.

Murchie said that in the limited pilots for Identity Check in the Netherlands and at a credit union in the U.S., users generally preferred the fingerprint scanner option over the selfie option.

She suggested that younger users will be more amenable to "selfie pay" but didn't have age-differentiated data for the existing pilot projects.

Soft launch starts now, rolling out to public in summer

MasterCardwill begin a soft launch of the program, issuing BMO employees with corporate credit cards that have the IdentityCheck functionality. The plan is to roll it out to the general public by thissummer. MasterCard plans to replace the traditional password-protectedSecureCodefeature entirely with Identity Check, though no timeline for that has been released yet.

Users can choose to verify their purchaseseither with a fingerprint scan or aselfiecheck. However, not everyone gets choice. While most moderniPhoneshave a fingerprint reader as standard, not every Android phone has one.

Face scanning technology can also present some unique challenges.Murchiesaid the selfiecheckcan run intoproblems with people wearing glasses, since the lenses can interfere with your camera's ability to tell if you're blinking.

Statistically rare cases like identical twins can also give the app trouble, in which caseMurchierecommendedthe fingerprint scan instead.