Biometrics has arrived. A consumer with a Samsung S5 smartphone and PayPal account can check out with just a swipe of her finger on any m-commerce site that accepts PayPal. And a handful of top retailers soon will release biometric checkout in their apps.
Bill Siwicki, Editor, Mobile
At long last, what may be the ultimate in secure and speedy mobile checkout has hit Internet retailing: biometrics. PayPal has begun enabling consumers with the new Samsung Galaxy S5 smartphone to pay at any retailer that accepts PayPal on its mobile commerce web site with just the swipe of a finger.
When a Samsung user links her fingerprint to her PayPal account, the Samsung device scans the fingerprint and generates a unique number based on three identifying factors: the fingerprint, the device and an encryption key from PayPal. This unique number is stored in a secure area on the device and provided to PayPal each time a user swipes her finger at a merchant that accepts PayPal. The fingerprint never leaves the device and no biometric data is ever transmitted.
Samsung uses biometrics hardware from Synaptics Inc. and biometrics software from Nok Nok Labs Inc. PayPal built in additional security precautions, which it declines to discuss.
Once a Samsung S5 user links her fingerprint to her PayPal account, PayPal will authorize a biometric-enabled transaction only if the encrypted number sent from a device matches what PayPal has stored for that consumer. And the only way to send that number is by that individual consumer pressing her finger to her smartphone.
For these consumers, checkout on m-commerce sites is now as simple as pressing Pay With PayPal, then swiping their fingers where indicated. PayPal displays a Review Order page where consumers press OK. That’s it. No typing a user name and password or shipping or payment information, all of which is stored by PayPal. Nothing but a long and encrypted number is transmitted.
PayPal also has just updated its mobile software development kit, or SDK, to include checkout secured and enabled by biometrics, so retailers can now use the SDK to bake biometrics into their Android apps. (While the Apple iPhone 5s offers biometric fingerprint scanning, Apple has yet to include this function in its SDK, so developers cannot yet enable biometrics with Apple devices.)
Biometrics is the latest step in the evolution of mobile security and mobile checkout. In fact, a handful of the nation’s top retailers will in May and June debut new versions of their apps that include fingerprint scanning for security and one-touch checkout, a vendor executive who has worked on the mobile security technology behind these retailers’ apps tells Internet Retailer on condition of anonymity.
PayPal is luring consumers to mobile biometrics and the expensive devices that currently enable this potentially game-changing technology by offering special deals at numerous retailers, including Abercrombie & Fitch, Foot Locker, Target Corp. and Toms Shoes.
“We’ve spent a lot of time over the years building trust with retailers and building a better mobile checkout experience for retailers,” Joel Yarbrough, PayPal’s senior director of global product solutions who led the biometrics team, tells Internet Retailer. “The fingerprint scanning feature addresses both of those things, providing a super-secure experience and a delightful buying experience that will increase retailers' conversion rate on smartphones, where conversion has been lower than on tablets and desktop computers.”
The retailer with the fastest mobile checkout remains Amazon.com Inc. Amazon enables true so-called 1-click checkout. An Amazon customer links his individual smartphone to Amazon in a one-time, multi-step authentication process. From then on, the customer simply touches Buy Now on a product page and an order is placed, paid for and shipped using default information, all with just the single touch.
While PayPal's biometric checkout may indeed be three touches—one for the Pay With PayPal button, one to swipe a finger on the biometric display, and one to OK the Review Order page—it has the distinction of allowing only that particular customer, the one with the registered finger, to make purchases. If a thief (or even a customer's child) got hold of an unprotected phone with Amazon 1-click, they could create havoc for that customer by touching Buy Now, though such orders would be shipped to the legitimate customer's default shipping address.
Follow Bill Siwicki, managing editor, mobile commerce, at Internet Retailer, at @IRmcommerce.