Customer authentication (i.e., confirming the identity of the customer) is critical for most financial transactions such as purchases with payment cards and automated teller machine (ATM) withdrawals.
Conventional customer authentication schemes typically rely on one or both of two authentication factors: a possession factor and a knowledge factor. The possession factor refers to “something only the customer has,” such as a unique debit card, credit card, smart card, or token device (e.g., Exxon® Speedpass™). The knowledge factor refers to “something only the customer knows,” such as a password or personal identification number (PIN).
FIG. 1 illustrates typical prior methods of customer authentication for payment card based transactions. For example, in most card-present credit card purchases, the cardholders become authenticated simply by swiping their credit cards, which is a type of single-factor authentication based on the possession factor. In contrast, online purchases are typically card-not-present (CNP) transactions where the authentication also relies heavily on the knowledge factor: the customer has to supply both payment card information (e.g., cardholder name, card number and expiration date, which is presumably only known to the person possessing the physical card) and billing information (e.g., billing address and telephone number associated with the card, which is presumably only known to the legitimate cardholder). A typical ATM transaction utilizes a two-factor authentication where the cardholder not only has to insert or swipe a credit or debit card (something only the cardholder is supposed to have) but also has to enter a correct PIN code (something only the cardholder is supposed to know).
However, a number of deficiencies still exist with the conventional customer authentication and checkout processes. While the single-factor authentication in card-present transactions seems straightforward, that approach is both insecure (as a payment card can be lost or stolen and then subject to unauthorized uses, or the card swiped could be a counterfeit card—an exact replica of the authentic card) and inconvenient (since the cardholder must carry the card and present it at the point of sale). As to the two-factor authentication approaches, the cardholder is required to either carry the card (e.g., in an ATM transaction) or at least memorize the card information (e.g., for online purchases), and the additional information supplied for authentication purpose may be too hard for the cardholder to memorize (in the case of unique PINs or passwords) or too easy for others to obtain (in the case of addresses, telephone numbers, or re-used PINs or passwords), not to mention the inconvenience of having to supply the additional information for each transaction. In general, there has been a trade-off between security and convenience/efficiency: the more secure an authentication method, the more information the cardholder is required to supply, or figuratively speaking, the more hoops the customer has to jump through.
One notable prior authentication approach is the one adopted by Europay, MasterCard and Visa (EMV) which implemented a global standard for inter-operation of integrated circuit cards (IC cards, a.k.a. “smart cards” or “chip cards”) and IC-card-capable POS terminals and ATMs for authenticating credit and debit card transactions. For customer authentication, the EMV standard requires the reading of a smart card and the correct entry of a PIN passcode, which is essentially a two-factor authentication scheme similar to traditional ATM transactions. Apparently, the EMV standard is only useful for card present transactions (thus inapplicable to online purchases) and also not free from some of the deficiencies described above.
By focusing on the knowledge factor and/or the possession factor, the prior authentication methods often fail to take advantage of a more powerful authentication factor, the inherence factor, which basically refers to and takes advantage of “something only the user is” such as biometric characteristics (e.g., fingerprint, voice signature, and retinal pattern). Fundamentally, the inherence factor such as biometric characteristics should more reliably confirm the identity of a person than the knowledge factor and/or possession factor. Biometric techniques such as fingerprint scanning have existed for a while now, but they have not been widely or effectively applied to customer authentication in the context of card transactions or personal banking.
Also, the heavy reliance upon the knowledge factor tends to impose a significant burden upon cardholders during checkout processes. Although some online stores such as Amazon.com have promoted “1-Click Ordering” processes, those are not true or ideal one-click checkout experience as the customers still have to go through a two-factor authentication (by entering a username and a password) which has some known security defects.
Another problem with conventional checkout processes is that they are monolithic and inflexible. Prior systems typically apply authentication policies that do not differentiate between types of transactions, accounts, or account holders, thereby failing to account for potential risk levels of different transactions. As a result, the same authentication policy is uniformly applied regardless of the type of interaction or channel, even though some interactions are much riskier than others. For example, the same procedure of card-swiping and/or PIN-entry could be followed whether the purchase is for a $1 chewing gum or a $5,000 plasma TV. Nor do the customers typically have any say in the authentication method during checkout.
Furthermore, there is a wealth of other types of information (e.g., location, behavioral history) that can supplement and/or enhance the effectiveness of customer authentication but have not been fully exploited.
Other problems and drawbacks also exist in prior customer authentication and checkout methods.